A private security company on Tuesday accused China's military of launching cyberattacks on 115 U.S. companies, including defense contractors, highlighting the need for a more robust response to China's suspected role and security procedures.
Mandiant Corp. of Alexandria traced the attacks to a secret unit of the People's Liberation Army (PLA) General Staff's 3rd Department — which is known as Beijing's equivalent of the National Security Agency in the U.S. Tuesday's release of the report prompted calls for criminal cases against Chinese officials and an official U.S. government response.
"Prosecutions are critical because what we're doing now [to stop Chinese state-sponsored hacking] isn't working," said Stewart Baker, who held senior positions at the National Security Agency and the Department of Homeland Security. "We're trying to defend our way out of this problem when the reality is that only by deterring, by imposing a cost on, the attackers, will we be able to begin making ourselves secure."
The Chinese Defense Ministry repeated Beijing's standard denials of any involvement in hacking, saying Chinese law forbids any activities harming Internet security.
"Statements to the effect that the Chinese military takes part in Internet attacks are unprofessional and are not in accordance with the facts," it said.
But analysts around the world consider China a major player in economic cyberspying, and the White House is reportedly ready to fight back.
Officials familiar with the Obama administration's plans told The Associated Press that a White House report to be released Wednesday would recommend steps that the U.S. could take against China or other countries, including fines and trade sanctions.
White House spokeswoman Caitlin Hayden said the Obama administration has "substantial and growing concerns about the threats to U.S. economic and national security posed by cyberintrusions, including the theft of commercial information."
She noted that President Obama raised the issue in his State of the Union address and signed an executive order requiring government agencies to share more information about cyberthreats with the private sector.
The 76-page report by the Mandiant Corp. outlines exactly the kinds of crimes that a new Justice Department task force should prosecute, some former officials and legal analysts say.
Daniel McWhorter, Mandiant's director of threat intelligence, said his firm traced the source of the cyberattacks to the Chinese army.
"We followed the bread crumbs," Mr. McWhorter said, adding that his firm's security specialists got permission from the victimized companies to monitor their networks. Almost all of the Internet addresses from which the hackers logged on came from a small area in the Shanghai suburbs that houses the PLA's 3rd Department, he said.
The Mandiant report was sufficiently thorough as to draw humanizing portraits of some of the biggest hackers — who have such names as Ugly Gorilla and SuperHard. One hacker, named Dota, revealed himself to be a big fan of the Harry Potter novels, because his security questions were references to the J.K. Rowling children's books and/or the movies made from them.
The tightness with which China controls Internet access makes it inconceivable that such a large operation could be going on in Shanghai without official connivance, national security scholars say.
Late last year, the Justice Department quietly began training a nationwide network of national security prosecutors to focus on state-sponsored hacking.
The nearly 100-member National Security Cyber Specialists network will explore "investigations and prosecutions as viable options for deterrence and disruption as part of the government-wide response to these threats," the Justice Department said in a statement.
The online intrusions identified by their sophistication, persistence and scale as state-sponsored generally target commercially vital or security-sensitive information — stealing military or trade secrets.
It is significant that the new cyber lawyers are in the National Security Division — the secretive part of the Justice Department that deals with espionage and terrorism cases, a former senior U.S. prosecutor told The Washington Times.
"Generally, [hacking] would be investigated as a national security case if we believed it was state-sponsored," said Michael DuBose, former head of the department's computer crime section that prosecutes criminal hackers.
The department has worked with foreign law enforcement to indict and prosecute Eastern European cybercrime gangs for fraud and other financial crimes. Even Chinese authorities have cooperated — in a recent joint investigation into a child-torture pornography ring based in China and New York.
But no indictments have been brought for state-sponsored hacking, a fact that Mr. DuBose said is not surprising. "The level of evidence required is quite high," he said.
The cooperation of Chinese investigators and courts would be needed "to get the kind of evidence you need to prove who was actually at the keyboard" carrying out the attack, said Mr. DuBose, now an executive at the global security company Kroll Advisory Services. "The likelihood of a successful prosecution is small without the cooperation [in gathering evidence] of the Chinese government."
However, Mr. Baker, now a partner at the Steptoe & Johnson law firm, said that evidence could be acquired in other ways.
"That's a job for the intelligence community," he told The Times, using the term of art for the government's 16 spy agencies. "It's well within their competence and jurisdiction. It's simply a matter of priorities and their willingness to take a degree of risk."
In the 1990s, federal prosecutors from the Southern District of New York worked with the CIA and other intelligence agencies to get evidence for cases against al Qaeda terrorists that eventually were made public.
"You've got to find ways to protect [intelligence] sources and methods, but that is simply a matter of applying sufficient energy and ingenuity to the problem," Mr. Baker said.
He said U.S. agencies should be embarrassed that a private company had been able to do such an excellent job of tracking the hackers.
'It's a black box'
Mandiant's Mr. McWhorter said security specialists were able to track the stolen data as the hackers copied it from the compromised computers and digitally shipped it to Shanghai. The Mandiant team even watched some of the hackers use their cyberattack infrastructure to log on to personal email or Facebook accounts — revealing their names and phone numbers.
"We're pretty sure we know who some of these people are," Mr. McWhorter said.
He added, however, that it is hard to know what happened to the stolen information once it arrived in Shanghai. "Once the information has gotten back to the PLA, it is very difficult to track it," he said. "It is a black box."
Although no indictments for state-sponsored hacking have been made public, Mr. DuBose said, such documents generally are kept under seal until the alleged perpetrator can be arrested or otherwise apprehended.
"It's possible that there are indictments out there already" but being kept under wraps in case the indicted suspects travel to America or a third country with an extradition treaty with the U.S., he said.
Mr. Baker suggested that another tack might be more profitable than waiting for senior Chinese military officials to take a vacation in the wrong country.
He advocated building cases against the companies that profited from the thefts — the state-owned or state-supported Chinese enterprises that were able to leapfrog their U.S. competitors by stealing their research and development.
"The companies [that benefit] are the softest targets and the easiest ones to reach," Mr. Baker said, noting that any company that had received stolen data would be chargeable as a co-conspirator or accessory. Unlike senior PLA officers, "they must do business in jurisdictions other than China, in jurisdictions where they are reachable," he said of such companies.
Besides the mention in Mr. Obama's State of the Union address, the issue of cyberespionage also has elbowed its way into diplomatic and military relations between China and the U.S., according to the administration.
"We have repeatedly raised our concerns at the highest levels about cybertheft with senior Chinese officials, including in the military, and we will continue to do so," said Ms. Hayden, the White House spokeswoman.
Federal prosecutors have charged companies that benefited from economic espionage by China -- but so far, only of the offline variety.
In one case opened last year, prosecutors brought criminal conspiracy charges of economic espionage against five Chinese companies alleged to have obtained proprietary information about chemical processes from DuPont by bribing employees to steal it.
"To charge it as economic espionage," said one federal official, prosecutors "have to show a government is behind it."
This article is based in part on wire service reports.
© Copyright 2015 The Washington Times, LLC. Click here for reprint permission.