Fighting China’s Military a Daily Task for US Companies
Economic espionage is the dirty underbelly of globalization. Nation-states—particularly China—steal intellectual property from U.S. companies at an extraordinary pace. And they don’t just use computer hacking to do so: insider spies plant hidden audio devices in light switches, or retrofit smoke detectors with audio and video feeds.
The idea that businesses need to fend off attacks from heavily equipped nation-states makes it “an unfair game … not a balanced fight,” said Michael Oberlaender, the principal security strategist at Cisco Systems in the United States.
The focus has thus shifted from outright prevention to mitigation. The joke often told to illustrate this concept is of two men camping in the woods. One sleeps with his shoes on in case he “needs to run from a bear.” His friend tells him he can’t outrun a bear. He looks at his friend and says, “I don’t need to outrun the bear. I just need to outrun you.”
While cyberespionage is becoming more prominent, “there are also cases where they’ll infiltrate your company with internal spies,” said Oberlaender in a telephone interview from his home in Texas. Oberlaender is also the former chief security officer of German telecom Kabel Deutschland.
Raising the Costs
The tough reality is that no matter the precautions in place, not all attacks can be stopped—even for some of the most critical services. According to a 2012 survey of 172 critical infrastructure organizations by the Ponemon Institute and Bloomberg, companies would have to double their information technology (IT) security spending from $5.3 billion to stop just 84 percent of attacks.
“You don’t have the resources that a nation-state has,” Oberlaender said. He said his focus is on raising the bar as high as possible, so it becomes a numbers game for any would-be attackers. They then need to decide whether his company is worth the time and effort, or if it makes more sense just finding another target.
He said that most of the cyberattacks he has seen were traced back to Chinese, Russian, and Eastern European Internet protocol (IP) addresses.
Due to the opaque nature of cyberattacks—one of their key advantages for espionage—it is nearly impossible to find definite proof of an attack’s origin.
Cybersecurity company Mandiant, however, was able to trace attacks back to the Chinese military’s Unit 61398. The discovery was a double-edged sword. On one side, it gave the U.S. government a strong resource to call out the Chinese regime for its campaigns of economic espionage. On the other side, the prospect for companies of facing a foreign military rather than just a well-organized group of hackers only painted a grimmer picture.
Large companies are required by law to report security breaches when they occur, and U.S. federal agencies also help alert them of attacks. The U.S. Secret Service was also assigned through the 2001 Patriot Act to reach out to companies and help secure their networks.
There are proposals, however, for more direct solutions to stop China’s state-run campaigns of economic espionage.
The U.S.–China Economic and Security Review Commission gave several proposals in its 2013 report to Congress. They range from banning imports from Chinese companies with products made from stolen U.S. intellectual property, to preventing offending companies from using U.S. banks, to making it easier for U.S. companies to file international lawsuits against China.
Other proposals take a more militaristic route. One would allow businesses to “conduct offensive cyber operations in retaliation against intrusions into their networks,” which range from taking back what was stolen to “physically disabling or destroying the hacker’s own computer or network.”
There are also supporters of legalizing counter-cyberattacks. Oberlaender said he finds the idea frightening. “It doesn’t bring you any positive business at the end of the day,” he said. “You don’t become a burglar just because you got robbed. Leave the attack response to those agencies that have the resources for that.”
Companies face a dilemma. They are being attacked on a daily basis, and they have little power to chase down the thieves. Meanwhile, as businesses they’re trying to make money from their products and services—not from fighting off foreign militaries and spy networks.
This is where experts like Casey Fleming come into play. Fleming is CEO of BlackOps Partners Corporation, which does counterintelligence and protection of trade secrets for Fortune 500 companies.
Fleming’s line of work places him on the frontline of a new kind of battlefield. He and his team regularly get called in to uproot any forms of espionage being deployed against businesses, ranging from backdoors to allow hackers on their computers to compromised employees causing trouble from the inside.
“We’ve seen it all,” he said in a telephone interview.
In some companies, his team found devices to record audio hidden inside the light switches of conference rooms—where information is summarized. In several companies, they found copy machines and conference speakerphones that were refitted with “new” parts: “inside them was recording technology, sending the information from the copier to China.”
In one of the more bizarre cases, they found a Chinese spy was retrofitting smoke detectors in a building and fitting them with video and audio feeds. “They tapped into the Internet connection above the ceiling panels,” Fleming said. “Nobody could know. Nobody would ever know.”
Despite the buzz around cyberattacks and digital espionage, Fleming and many others with direct knowledge of global espionage said that cyber is a comparatively lesser threat when compared to conventional “insider” spies.
“Cyber is just the canary. Immediately addressing the human element is paramount,” according to former CIA director of Office of Central Cover and BlackOps Board member, Eric Qualkenbush.
1. 141 since 2006: Businesses and government agencies targeted by China’s cybermilitary Unit 61398
(Source: Mandiant)
2. $13 billion to $500 billion a year: Estimated cost of economic espionage against the United States
(Source: FBI, BlackOps Partners, Office of the National Counterintelligence Executive)
3. $300 billion to $1 trillion a year: Estimated cost of global cyberattacks
(Source: McAfee and the Center for Strategic and International Studies)
4. 96%: Cyberintrusions carried out by state-affiliated actors from China
(Source: Verizon RISK Team, Data Breach Investigations Report)
For foreign governments there are strong benefits to having insiders rather than hackers who merely have access to compromised computers. Hackers suffer from tunnel vision, and are limited to whatever network they’re on. Insiders have 24/7 access to the company, and can also infect networks, reach hard-copy information, and compromise other employees directly.
With Chinese spies, acts of actual espionage are usually carried out not by official spies, but rather by individuals recruited by trained spies. The trained spies, typically working as “agents of influence,” often try to leave little incriminating evidence against themselves, and instead focus on recruiting or “compromising” targeted people.
With all the elaborate tricks aside, old-fashioned bribery and blackmail are still very common. There are four defining motives for someone to conduct espionage: money, ideology, coercion, and ego (MICE). According to Fleming, Chinese agents have well-developed methods to target people based on these motives, based on four weaknesses in character: fame, profit, lust, and anger.
If a person is angry at an employer, or feels underappreciated, a Chinese spy will feed that person’s ego, praising their work and showing deep interest in their skills. A lustful person may be coerced by women then blackmailed with a scandal. Scholars and politicians will often be invited to China and enjoy the company of friendly, well-educated people who will then try to defame America and defend their own communist ideology. People interested in profit may get business offers and have money laundered to them by discounts in international shipments.
“Americans participate in an open society. They love bragging when they lead innovation, and they become a huge target when they do,” Fleming said.
Fleming referenced a training video typically given by the FBI on Chinese espionage. The video, “Game of Pawns: True Story of a Student Traveling Abroad,” tells the story of Glenn Duffie Shriver, who was a U.S. student at Grand Valley State University in Michigan.
Shriver was coerced into working as a spy for the Chinese regime in 2004 while he was studying abroad in Shanghai. They started by asking him to write papers, praised him for his work, paid him, and slowly brought him closer. Shriver was caught when his Chinese controllers tried getting him to join the CIA and he failed a lie detector test. He was arrested while trying to flee to China and was sentenced to four years in prison.
Fleming said in his own work, he has encountered students who they found had been recruited to spy for China. He said, “We’ve seen where students came in who were Chinese nationals or were compromised U.S. citizens, extorted to be in the company.”
The core problem, according to Fleming, is that most Americans aren’t aware of the threats of espionage or the unwanted interest their work gathers abroad.
“Corporate America has been acting like we’re still in Mayberry,” he said. “We’ve been the technology innovators, we’ve been the innovative leaders, and we’ve never had a security practice and a security policy in place to protect our innovation and trade secrets, and therefore our competitive advantage.”
Under the current situation, he said, “If you want to steal trade secrets from U.S. companies, unfortunately, we’re wide open for business.”
Fleming states we live in a digitally advanced world, and that businesses can no longer be only reactive in dealing with economic espionage. He said, “Companies today have evolved through a reactive-only posture, and for companies to properly combat this evolving threat, they must adopt a proactive strategy or at the very least, a hybrid strategy.”