Up to $400 billion in U.S. industrial secrets is stolen each year, damaging the prospects of companies and sapping the strength of the American economy, according to the Office of the National Intelligence Executive. Yet, while company CEOs seeking to stop the theft often blame cyberattacks from China, the hacking may actually be covering the tracks of someone on the company’s, and China’s, payroll.
Instead of the data being stolen by an anonymous hacker on the other side of the world, a trusted member of the company’s engineering or technology teams may download the information and carry it out in a CD or flash drive, take physical copies, or simply infect the company’s computers so a hacker will have access.
The insider working for the Chinese regime may steal with a certain confidence, knowing a cyberattack will be timed to look as though it were responsible for stealing the data—this is standard modus operandi in Chinese espionage.
The issue is well known in the intelligence community, according to Jarrett Kolthoff, president of cyber counterintelligence company SpearTip and a former special agent in U.S. Army counterintelligence.
“You run into this quite a bit,” Kolthoff said, noting that Chinese espionage usually aims to steal all information possible. “For them it comes down to quantity first, quality second. Then they can always do the analysis later on to see how everything patches together.”
China’s use of spies often comes down to basic effectiveness. Kolthoff said they look for the easiest road to get their target.
“They then determine that it’s much easier to obtain the information through a rogue insider, or a trusted insider who is working for someone else,” Kolthoff said. “At the same time, they combine that with cyber.”
Once the spy is in, the hackers on the outside work to ensure the spy stays hidden. He said they’ll “use other means as a ruse to make it show that the information was collected through maybe zero-day malware, or through some other means or methodology, so that the bad insider is never identified and that insider can continue to collect.”
“It’s very, very effective,” he said.
Gang Liu, a former vice president at Morgan Stanley, and a former leader of China’s Tiananmen Square student movement, said he encountered the issue of Chinese spies working with Chinese hackers first-hand.
He said the concept is simple. If you want to get away with stealing something, “just put someone else’s fingerprints on it, and they’ll chase someone else.”
“The Chinese government is already doing this. They use Chinese spies to steal all the useful data, but once they want to use it they just use their computer hackers to hack it,” he said. “Then when they investigate it, they think it was just from hackers and they stop there.”
Gang Liu said the general tactic has a long history, and even appears in various Chinese stories and films. In a war, for example, a spy may set off an explosion and Chinese forces would cover the tracks by firing artillery at the general area.
When spying went digital, they replaced the artillery with hackers.
A key difference between Chinese espionage and spying done by most other countries in the world is the intent of intellectual property theft.
Representative Billy Long said during a June 2012 congressional hearing that “China and Russia have official government policies of stealing U.S. assets for economic gain.”
Long said, “the true size of this threat could be massively undervalued because this activity often goes unreported to law enforcement.”
Dana Tamir, director of enterprise security at Trusteer, an IBM company in cybercrime prevention, said the insider threat is a large problem that is too often overlooked by businesses when addressing economic espionage.
“I think a lot of organizations trust their employees, and they don’t recognize the insider threat,” Tamir said.
The lack of focus on insiders also makes it appealing as an approach for espionage. She said the thinking in economic espionage is, “If you know an organization is not looking at this threat, why not utilize it?”
Despite the broad access that can be gained by hackers, insiders still have a lot more at their fingertips and can also infect networks more easily and more effectively.
Hackers need to worry about various security layers and attention from a company’s security experts. Tamir said with insiders, however, “You may even be able to compromise a legitimate user account and use that account to actually log onto all kinds of corporate systems.”
Also, according to both Tamir and Kolthoff, catching insiders is not an easy job.
Kolthoff said when it reaches the extent of China’s cyberattacks and insiders, “there is no one way to completely stop them.”
He said like the attacks, the solution needs to be adaptive and ongoing. Systems need to be in place to monitor for threats and collect evidence of their activities, and more fundamentally, companies need to extend their security beyond cyber to include the human element—the insider threat.