The U.S. is the target of a major, sustained cyber espionage effort that threatens the country’s economic competitiveness. Every year, hackers break into U.S. government systems, corporations, and research institutions and steal tens of billions of dollars in intellectual property, technology, and trade secrets. The energy, finance, information technology, aerospace and automotive industries have all been compromised. The primary culprit: China. Many states engage in cyber attacks and cyber espionage, but most threats pale in comparison to the level of Chinese espionage. In short, China is using cyberspace to wage economic warfare against the U.S.
In February, Mandiant, a computer security firm in Virginia, released a report about Chinese cyber attacks on the U.S. The report, called APT1 (which stands for Advanced Persistent Threat 1), is about the group (also called APT1) that is responsible for stealing more information from the U.S. than any other hacking group. APT1 manages an extensive global network of computer systems involved in the attacks, which focus on English-speaking countries and have demonstrated the ability to steal from multiple organizations at once. According to the report, APT1 originates in China and is believed to be operated by a special unit of the Chinese People’s Liberation Army (Unit 61398). It is responsible for conducting cyber espionage on a massive scale, stealing from over one hundred organizations in the U.S. alone.
The news is not that China is engaged in cyber attacks; that much has been evident for quite a while. The real value of the report is that it highlighted the intricacies and complexities of globally distributed, state-sponsored cyber operations against the U.S. It also provided strong circumstantial evidence of Chinese government involvement, detailed the activities and location of the hackers, and released key information to help bolster defenses against their attacks.
Even with this information, the U.S. has few courses of action. Beijing denies responsibility for the attacks and for APT1, and claims that any cyber attacks coming from China are the work of criminals and are not associated with the Chinese government. Without definitive evidence—particularly the publicly releasable kind—it has been difficult to hold China accountable for the cyber attacks that it has long been suspected of launching.
So what is to be done? Unfortunately, not much. The international community has not yet created an international law for cyberspace. As such, criminal activities in cyberspace must be dealt with under existing treaties or agreements, many of which are not suited to deal with cyber crimes. In addition, espionage is not against international law; it may be against domestic laws, but in cases like this where information is stolen by people outside of the United States, the U.S. has very little leverage or recourse.
As for bilateral relations, this does not change a lot between the U.S. and China. The U.S. has long known that the Chinese were conducting cyber attacks, and the Chinese have long denied it. Even with this new evidence, the best the U.S. government can do is to ask China to stop; it is hard to threaten your banker, and nearly impossible to put sanctions on a major trade partner.
However, the Mandiant report succeeded in accomplishing three things. First, it put China on notice that these kinds of attacks are traceable and that it is only a matter of time before the perpetrators are held criminally liable. It also let other hacker groups and state sponsors know that they cannot expect to have anonymity or plausible deniability in the cyber realm forever. Second, the report provided the first public evidence of Chinese attacks on U.S. corporations, catalyzing an unclassified, open-source conversation about the nature of Chinese cyber attacks, how to identify them, and how to defend against them. We can assume that discussions of this nature have been taking place behind locked doors at the NSA and Cyber Command for a while, but now Chinese tactics, techniques, and procedures can be discussed in the unclassified realm with a new level of detail. Third, the report released more than 3,000 indicators associated with APT1 to help the public bolster defenses against APT1 attacks.
This report should lead to improvements in private sector security, both in the U.S. and worldwide, as it highlights major cyber threats to the country and provides tools for mitigating them. Nevertheless, there is still much more work to be done in terms of holding hackers responsible for their actions and developing an international code of conduct for cyberspace. A code of conduct or “rules of the road” is essential for mitigating the proliferation of cyber threats, determining acceptable boundaries of state and non-state actions, and protecting open access to cyberspace.