There's a lot of noise coming from the senior ranks of the Obama Administration and the U.S. military about cyber espionage by China. Barely a week goes by without a withering assessment of the damage done by Chinese cyber intrusions on U.S. industry, government agencies and contractors.
The latest flare-up came this week with the release of the Department of Defense's annual military assessment of the People's Republic of China (PRC). That report directly accused the Chinese government and military of engaging in cyber espionage against the U.S. government, U.S. military and U.S. companies. That followed on the heels of reports last week of a serious breach at the U.S. Department of Labor that showed evidence of the involvement of a group known as "Deep Panda" that is believed to operate out of China, according to an analysis by the firm CrowdStrike.
That report and the DoD assessment also echoed some of the same points made by the security firm Mandiant in a February report that profiled the activities of a hacking unit of the People's Liberation Army (PLA), "Unit 61398," that is linked to around 150 intrusions the company has analyzed.
It's good that Uncle Sam has put offensive computer intrusions and spying atop his list of grievances with The People's Republic of China. But it's equally true that the U.S. government shares some of the blame for the damage wrought by the attacks for close to 20 years.
Let's be frank: China's intent to steal U.S. secrets is no secret. There has been public knowledge of widespread, China-based hacking against the government, military and its key contractors for more than a decade. "Moonlight Maze" was the name given to a large-scale hack of the U.S. Department of Energy, The Pentagon and NASA in the late 1990s and was the subject of a 1999 Newsweek article.
Then, in 2005, there was "Titan Rain," a widespread assault on the U.S. Defense Department that breached "hundreds of unclassified networks," according to a report in The Washington Post. That breach was discovered by someone working outside the government, a Sandia National Labs investigator named Shawn Carpenter, who was investigating cyber breaches at Sandia and other defense contractors. Concerned, Carpenter reported it to federal officials and then leaked the story to the media after he was told to mind his knitting.
A similarly timed intrusion on government networks in 2006 was named "Byzantine Hades," according to leaked State Department documents fingering the PLA as the source of the hack. Then there was Operation Aurora, a massive attack on prominent U.S. technology, financial services and defense industrial base companies in 2009 and 2010. That attack came to light after Google decided to go public about it. And those are just the attacks that got named.
The truth is, it's hard to know where one stops and the other begins. Better to just assume that the government, military and private sector have been under more or less constant attack since sometime in the late 1990s.
For most of that time, the U.S. government and military's official response has been "no comment." Those who, like Carpenter, stated explicitly that the attacks were linked to the Chinese government and military were hushed. When attacks did make headlines, officials who spoke (always off record) about their devastating impact were countered by others (also off record) who pooh-poohed such statements.
This back and forth from Bradley Graham's 2005 article on Titan Rain was pretty typical of the he-said/she-said denial game that went on for much of the early part of this century:
"It's not just the Defense Department but a wide variety of networks that have been hit," including the departments of State, Energy and Homeland Security as well as defense contractors, the official said. "This is an ongoing, organized attempt to siphon off information from our unclassified systems."
Another official, however, cautioned against exaggerating the severity of the intrusions. He said the attacks, while constituting "a large volume," were "not the biggest thing going on out there."
Let the record show that "Another Official" – whoever he or she is – won the battle, but lost the war. Unit 61398 and others like it turned their beachheads on unclassified and classified networks into landing zones and, then, full-fledged ports.
In the meantime, DC lawmakers (and their lobbyists) obsessed about movie and video game piracy in The Middle Kingdom, while Pentagon brass and the defense industrial base adopted the euphemistic term "APT" – or "advanced persistent threat" – to muddy the water and deflect attention from the obvious source of the malicious activity.
The disconnect between what the U.S. government knows and how it acts on what it knows continues to this day, despite the heated rhetoric from The White House and Pentagon.
Take the recent reports from Bloomberg on the years-long compromise of the UK-based defense technology contractor QinetiQ. Those reports quoted Christopher Day, a former vice president of Verizon's Terremark security division, which was hired to investigate the intrusions. Day said that QinetiQ's corporate network had been wholly owned by Chinese spies for a period of years.
"We found traces of the intruders in many of their divisions and across most of their product lines," said Day. "There was virtually no place we looked where we didn't find them."
There was also evidence of wholesale theft of QinetiQ technology – including a Chinese bomb disposal robot that looks suspiciously similar to Dragon Runner, a QinetiQ-developed product, Bloomberg reported.
And yet, QinetiQ continues to win government contracts, including, perversely, a 2010 Pentagon grant on methods for countering cyber espionage (one thing the company is clearly not good at) and a $4.7m contract, issued in May 2012, to provide cyber security services to the U.S. Transportation Department, Bloomberg noted.
You'll be happy to know that things are moving in the right direction, though. Stinging from the Bloomberg report, the Pentagon responded. A spokesman told reporters on Tuesday that investigators were "working very closely with QinetiQ to determine exactly the scope and breadth of this incident."
The Pentagon retracted the statement later in the day, saying that the DoD isn't "in a position to investigate the security practices of a private company -- including cleared defense contractors." Progress indeed.