No letup seen in Chinese cyber spying

A ‘historic’ agreement in September between the U.S. and China to curb economic espionage hasn’t made much difference yet. Some experts hope that, over time, it will decline, but if it doesn’t, there isn’t much the U.S. can do

A deal announced two months ago between China and the U.S. was pitched as bringing an end to economic espionage.

But if any business leader thinks that means their organizations are no longer a target, they haven’t been paying attention.

That is the unanimous conclusion of a number of experts who have been tracking cyber attacks from China in the two months since Chinese President Xi Jinping and U.S. President Barack Obama announced that, “neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property (IP), including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.”

A number of experts pointed to major holes in the language of the agreement as soon as it was announced, most notably that it refers only to the governments of both countries – not their private sectors.


Also, saying the government will not “knowingly support” something is obviously not a promise that it will take steps to stop it.

And it hasn’t stopped. Michelle Van Cleave, former National Counterintelligence Executive (NCIX) and a board member of AFIO (Association of Former Intelligence Officers), put it bluntly. “Agreement or no agreement, China hasn’t changed its behavior. By all accounts it is still as heavily engaged in cyber espionage against American business and industry as ever before.”

She added that since the Chinese public and private sectors are so intertwined, there is no reason to believe that the government is, “impotent or uninvolved when it comes to these lucrative cyber operations.”

Security vendor CrowdStrike issued a report in mid-October saying it had detected seven attempted intrusions since the agreement, “where the primary benefit of the intrusions seems clearly aligned to facilitate theft of intellectual property (IP) and trade secrets, rather than to conduct traditional national-security related intelligence collection,” which is conducted by all nations and is not covered in the agreement.

CrowdStrike cofounder and CTO Dmitri Alperovitch said the company had not yet released any new findings since that report.

But the conclusions were similar at RiskAnalytics, according to Wayne Crowder, director of threat intelligence. “Our intelligence shows (economic) attacks have stayed consistent since September of this year,” he said.


The same is true at Fidelis Cybersecurity, where CSO Justin Harvey said, “we are still working large-scale breaches where we suspect that China state-sponsored cyberespionage is being conducted.”

And William Munroe, vice president of marketing at Interset, said the firm’s customers report that attacks from China, “remain the same.”

This may not mean the agreement is worthless, according to Alperovitch, who said at the time of his company’s October report that it would likely take time for the agreement to have an effect. “The fact that there is some time delay between agreement and execution is not entirely unexpected,” he said, adding that, “I continue to have hope that meaningful progress can be made to turn the corner and establish norms of behavior for nation-states in cyberspace.”

He noted this past week in an interview that, “the fact sheet that was made public by the White House didn’t specify the timeframe for execution.”

Harvey agreed, noting that just because a breach is discovered after the agreement does not mean that is when it happened.

“The Chinese could have stopped, and firms like ours and CrowdStrike are still responding to the historical breaches pre-agreement,” he said.

Munroe said a delay should be expected, for two reasons: First, China is an enormous bureaucracy, and any major change takes time. Second, “there are significant political differences between the Chinese ruling party and the Chinese military leadership.

“Taking that into account, it is likely to be a four- to six-month process, if it actually occurs,” he said.

But Neal Dennis, cyber threat analyst at Arbor Networks, pointed out that China has never admitted to conducting economic espionage, and therefore, “the concept of a timeline between agreement and execution is moot. There is no timeline from China's perspective, because establishing one would be tantamount to admitting that the government did in fact support corporate espionage efforts.

“Until recently, China never even openly acknowledged they had a cyberwarfare,” he said.

Harvey said he thought China should be able to demonstrate progress in curbing economic espionage within 60 days, “especially since President Xi was the former No. 2 commander of the military.”

He said another six weeks beyond that should be more than enough. “If I were working in the U.S. government, I would demand and expect full cooperation and adherence to the agreement by Jan 1,” he said.


But the U.S. may not have many options beyond “demanding and expecting” if the Chinese don’t abide by the agreement. The U.S. has threatened economic sanctions for years, but has never imposed them.

And Harvey does not expect any in the future. “They will not be imposed and they won’t work,” he said, pointing to a blog post he wrote prior to Xi’s visit to the U.S. in September, noting that the U.S. economy is heavily dependent on China – the U.S. imported $466 billion worth of goods from China in 2014.

Munroe agreed. “Outside the European Union, China and the U.S. are the world’s largest trading partners,” he said, adding that it is in China’s strategic interests to steal R&D data from U.S. businesses, “to increase their competitiveness and lower their costs.”

In short, sanctions would not damage only China. “If the U.S. imposes sanctions, China has the ability to affect the growth of our economy through the manipulation of their currency or manufacturing,” Crowder said. “It is a very difficult task given the relationships of our two countries.”

It is not just a matter of economic codependency either. “Sanctions are unlikely,” Dennis said. “China has far more to gain monetarily from corporate espionage than losses due to sanctions, given the ease by which attribution can be skirted, and the fact that government sector espionage, not addressed by the agreement, is so intertwined with commercial interests.”

Also, Harvey noted that the catastrophic breach of the U.S. Office of Personnel Management (OPM), in which the personal information of about 21 million current and former federal employees was compromised, was attributed to China, which would give it some leverage if the U.S. threatens sanctions.

Munroe added that the Chinese military oversees the notorious Deep Panda cyber warfare team, “while telling the ruling party they are not. The Chinese have trained a large number of hackers who have since moved on to the dark web, giving the military a valid cover that these hackers and not the military are actually carrying out the attacks.”

The bottom line, experts say, is that organizations can’t rely on an agreement between the two governments to protect their IP – it is up to them.

Dennis said any company that does business with China or is viewed as a competitor should expect to be attacked. He said a primary attack technique is spear phishing, “so educating end users is critical, as has been said over and over again.”

Alperovitch added that security executives, “should focus on gaining full visibility into their environment and adapting their capabilities to detect all attacks, including even those that don't involve any malware.”

Harvey said if the U.S. reduced its economic reliance on China through investments in other countries like Mexico, Brazil, Philippines, Vietnam, India and others, “then we could impose sanctions without destroying our own economy.”

He also recommended focusing on human intelligence, “to conduct real-world espionage operations against the People’s Liberation Army units responsible for these attacks.”

But Munroe said until U.S. companies invest more in security, it will be, “cheap and easy for China to steal our data. U.S. investment in security products and training is between 10% and 15% of IT spend for an average company,” he said.

“When we start making it really difficult and costly for the Chinese to steal data, the problem will start to subside. It will never go away, but it can be managed to reasonable levels.”

Stories by Taylor Armerding