Three documents that came out this week lay out the “who,” “how,” “why,” and “why it matters” of Chinese cyber espionage. Unfortunately, we still lack the “what to do.”
The “who” and “how” was contained in a new report, Putter Panda, by the cybersecurity company CrowdStrike [Full disclosure: CrowdStrike helps fund a speaker series at CFR]. The report, like the Department of Justice (DoJ) indictment of five hackers alleged to be part of the People’s Liberation Army (PLA) and Mandiant’s 2013 APT1 report, uses IP addresses, email accounts, and other forensic details to describe attacks on European and U.S. businesses and government agencies, with a particular focus on the satellite, aerospace, and communications sectors. CrowdStrike identified a hacker using the handle “cppy”, and through images posted on a picture sharing website and other clues linked the individual to PLA 3rd Department 12th Bureau Unit 61486 in Shanghai.
The “why” was laid out in a speech Chinese President Xi Jinping made on science and technology to the Chinese Academy of Sciences and Chinese Academy of Engineering on Monday, June 9. As the New York Times notes, Xi hit many of the nationalistic notes that have motivated technology policy over the last twenty years: China was in the past a great science and technology power; China is now too dependent on the West for critical technologies and must spur its own indigenous innovation; and science and technology are key to economic and national security. China is pursuing this goal through massive investments in science, technology, and education; the continued reform of research institutes, state-owned enterprises, and government agencies; and efforts to create incentives for entrepreneurship and innovation. Research and development (R&D) investments have increased by double digits annually for each of the past twenty years, and in 2011 China passed Japan as the world’s second largest spender on R&D. There is, however, a darker side to these efforts. The illicit transfer of intellectual property (IP) through the failure to protect IP in the domestic market, industrial espionage, or cyber theft, also plays a role in efforts to move the economy up the value chain and to bolster the competitiveness of Chinese companies.
The “why it matters” was answered when the Center for Strategic and International Studies (CSIS) and McAfee published their attempt to determine the costs of cyber crime and espionage. They estimated the annual cost to the global economy to be more than $400 billion; this includes crimes like bank fraud and identity theft targeted at individuals and cyber espionage directed at governments and companies. The report argues that the situation will get worse as more businesses move online creating more targets and as countries get more adept at using the IP they have stolen to manufacture competing goods.
Over a three-day period we answered the “who,” “how,” “why,” and “why it matters,” but we’re still struggling with the “what to do about it.” The CSIS-McAfee report suggests that countries will tolerate cyber crime as long as it stays at acceptable levels—less than 2% of GDP. Though the report estimates that the cost of cyber crime to the United States is 0.64% of GDP, the DoJ indictment is certainly escalated the issue in the U.S.-China relationship. George Kurtz, CEO and President of CrowdStrike, hopes to build on the campaign of “naming and shaming” and that Panda Putter “further cast the spotlight on China, and helps encourage the dialogue on dealing with this issue.” The CSIS-McAfee reports argues that there are two possible responses to the rising tide of cyber crime: improved technology and better defenses, and international agreements on law enforcement and state behavior.
Beijing’s response does not give much hope for bilateral agreements. It continues to deny that it engages in cyberattacks and to denounce the United States as a hypocrite, citing the Snowden revelations as evidence that Washington is the “real hacking empire.” Though some argued that more details and evidence might force a change in behavior, the Chinese Foreign Ministry denounced the CrowdStrike report as “accusing others of theft while he himself is the thief.” In a speech last week, Vice Foreign Minister Li Baodong rejected U.S. efforts to distinguish between political or military cyber espionage as expected and defensible, and cyber theft designed to steal intellectual property as bad and against international norms. “An individual country,” said Li, “has exercised double standards on the cyber issue, drawn lines out of its selfish interests and concocted ‘regulations’ only applicable to other countries.”
With little hope for change in Chinese behavior in the short term, the most important “what to do” will remain self help—technological innovation and better defenses.