Within a day of each other over in America, the Washington Post published a shocking list of US defence programs which have reportedly been stolen by Chinese cyber-attacks, and ABC News said the plans for Australia's spy headquarters were also stolen by Chinese hackers. It makes China sound like a secret-sucking cyber-espionage machine, but is that really the case?
What was taken
The Washington Post gets its information from a confidential report prepared for the Pentagon by the Defence Science Board. A public version of the report is also available. The Post says that the report does not single out China, but that interpretation comes from "senior military and industry officials with knowledge of the breaches [who] said the vast majority were part of a widening Chinese campaign of espionage against US defence contractors and government agencies."
Among the compromised programs listed are the PAC-3 Patriot missile system, the Terminal High Altitude Area Defence used by the Army for intercepting missiles, the Navy's AEGIS missile defence system, the F/A-18 jet fighter, the tilt-rotor V-22 Osprey, and the Black Hawk helicopter. Two very new programs were also among those reportedly affected: the Navy's Littoral Combat Ship and the F-35 Joint Strike Fighter.
However, the picture is not as complete as it seems. The Post wrote that the list of intrusions "did not describe the extent or timing of the penetrations. Nor did it say whether the theft occurred through the computer networks of the US government, defence contractors or subcontractors."
The Post goes on to note that there have reportedly been frustrations with contractors and sub-contractors for having classified information stolen on their watch.
China: The evil cyber-espionage empire?
The knee-jerk interpretation of this disclosure (and others) is that China is a powerhouse of cyber-espionage, capable of stealing whatever secrets it wants, and that the US or other countries are powerless to stop it. This seems very unlikely.
Last week, the New York Times ran a piece which delved into China's hacker culture, revealing a disparate band of private contractors and not a team of highly trained hackers operating in lock-step with the government.
"Another former hacker said the monolithic notion of insidious, state-sponsored hacking now discussed in the West was absurd," wrote Edward Wong for the Times. "The presence of the state throughout the economy means hackers often end up doing work for the government at some point, even if it is through something as small-scale as a contract with a local government office."
Some of these pilfered secrets have made their way back to the central Chinese government, but it's just as likely that they were taken by individuals or companies and then sold to someone else. As is the case with other forms of cybercrime, the hackers are generally trying to make money off the information, not use it themselves. This also suggests a piecemeal approach to these attacks, with hackers working different angles and grabbing what they can – not a concerted effort targeting specific programs to build up a larger picture of American weapons programs.
Furthermore, determining who is behind a cyber-attack is famously difficult. In the case of the Australian attack, the report says "the attack came from a server in China." Maybe it was from someone in China, or maybe that was just the last point investigators were able to trace.
There's been a glut of media attention on China's cyber-espionage activity, and a lot of research to back it up, but that might not reflect reality. In its 2012 Data Breach Report, US network Verizon found a massive increase in cyber-espionage attacks from China but presented that information with a major caveat. At the time, Verizon's principal on the risk management team noted that looking for year-over-year trends in the data was problematic because so many new sources were added in 2012. "It throws off the data a bit," he explained. "It's an inherent statistical bias from changing data sets from year to year."
The increased information on Chinese espionage activity is just as easily attributed to an increased interest in information on Chinese espionage. It's a topic that has gotten a lot of press, and the Pentagon is clearly interested, perhaps spurring researchers to look closer at this specific activity. That doesn’t mean that China is the monster hacker of our imaginations.
It is, after all, an open secret that allies spy on each other all the time (witness the recent ejection of a US operative by Russia). The Times report pointed out that "many Chinese hacking attacks that have been discovered do not appear very sophisticated. American cyber-security experts say attacks from Chinese groups often occur only from 9 to 5 Beijing time." Quoting FireEye's Darien Kindlund, the Times continued: "And unlike, say, the Russians, Chinese hackers do not tend to cloak their movements."
Should you be afraid?
In short, you personally should not be afraid; it's very unlikely that Chinese hackers are after you.
These headlines are scary, and they are certainly indicative of how nations will interact in the digital age: countries will hack one another, and secrets will be stolen (and likely sold). Retired US Lieutenant General Harry Raduege said as much at the RSA conference this year, when he described a kind of cyber "warm war" with a few major hacks hitting the front page of newspapers from time to time.
But it's also important to take this news with some large grains of salt. Over in the States, the Department of Defence is facing the possibility of huge cuts while the nation wrings its hands about the deficit. In an age of sequestration, it's a good idea to have a reason to spend billions and trillions on new and better defence programs. And with the war in Iraq over and operations in Afghanistan coming to a close, the search is on not just for future threats but also for the justification for future spending.
Cyber-security is a huge issue, one with ramifications we don't even understand right now. The big takeaway from these reports is likely that China had the incentive to invest and engage in cyber-espionage activities, and that the US has not. Hopefully the folks in Washington will respond by making prudent investments where it matters – like training low-level employees in basic security practices – and not chasing after the phantoms of worst-case scenarios.