Why China Wants Us to Know it is Spying
Introduction

Tuesday’s revelation that China’s People’s Liberation Army (PLA) has been systematically spying on American business came as a shock. Although many suspected it, few believed the spying was as widespread and systematic as the privately-authored report revealed. Three aspects of the revelation were particularly surprising.

First, the spying’s primary targets were neither government nor military installations. Instead, they were predominantly businesses: privately owned industrial, commercial and banking firms. The targets were an A-list of notable American companies.

Second, the spies were most definitely not private actors. They were operating out of a building owned and occupied by the PLA. Not only that: open “clues”—incongruously left by one of the world’s most secretive governments—made it relatively easy [search for “unclassified”] to trace the cyber attacks’ origin with a high degree of confidence. It was almost as if the PLA and the Chinese government wanted to be caught in the act.

Third, although the cyber attacks were systematic and pervasive, they were not particularly sophisticated. In the main, they used techniques long ago developed by hackers to steal consumers’ money and identities and to steal credit-card numbers and other financial access tools from banks. In short, what the PLA did and is doing is not rocket science. It’s a systematic application of well-known hacking tools for Chinese governmental purposes.

Before we can even begin to defend against such attacks, we must understand their purposes and why they were so easy to uncover. This essay examines those questions. In so doing, it attempts to explain these three surprising facts. The next essay in this series will examine what we can and (if we are smart) should do about it.

Why China spies on us

The first surprising thing about the revelations Tuesday was the targets.
We know that China and many others are trying to crack the cyber security of our military and intelligence agencies. But the massive spying revealed Tuesday was focused on our private sector. Why? Four reasons are apparent.

First and most obvious, the reporting source, a firm called Mandiant, is itself a private enterprise. Its goal was to produce a transparent, declassified report. Therefore, we can assume that it had no access to sensitive military and intelligence data or, if it did, was not permitted to include classified matter in its published report. In other words, the reporter, for its own purposes, focused on private business to the exclusion of military and intelligence targets, if any, of China’s spying. Therefore the report tells us little or nothing about whether such spying or penetration actually occurs. Undoubtedly attempts do, but nothing in Tuesday’s report tells us anything more about whether they are successful than we already knew.

Second, military and intelligence targets are much more hardened than private, civilian ones. The Second World War, the Cold War, 9/11, and even our wars in Afghanistan and Iraq all taught us the importance of secrecy in military and intelligence matters. It’s quite easy, in principle, to protect secrets in those fields from cyberspying. All you have to do is disconnect the machines that store them and the networks that communicate them from the Internet, and keep them disconnected. By and large, that’s what our military and intelligence services have done with their most important secrets. The disconnection can occasion some duplication and inefficiency. But absent inside penetration, it’s foolproof. You can’t “spy” remotely through a connection that doesn’t exist.

Third, our military and intelligence services, unlike our private sector, are subject to central command and control. Sure, they are sometimes fragmented and sometimes disorganized and unwieldy, and sometimes they work at cross-purposes.
But no lawyer can gum up their security works by going to court with a thousand reasons why greater security infringes private rights or private property. Even patent and copyright infringement cases cannot stop forward progress; the law gives intellectual property owners only a right to sue for damages, after the fact, not the power to stop our government’s unauthorized use of proprietary technology beforehand. IP owners have both rights and that power to assert against the private sector.

Finally—and most important for this essay—China’s own probable goals suggest a focus on our largely unprotected private businesses. This is where our analysis of China’s motives comes in. In my view, China has no desire to conquer other nations, let alone the United States. So its most probable interest in how we protect our homeland and people abroad is imitation. China wants to steal any secrets it can use to protect itself and its people, especially from terrorists. But the “hardening” of our military and intelligence sites against spying, especially after 9/11, makes that imitation a costly and difficult project.

But China does have an interest in deterrence, well beyond the nuclear variety. As China grows more powerful and hungrier for resources, especially energy, it will inevitably try to expand its sphere of influence. That’s what’s happening right now with respect to the Diaoyu/Senkaku Islands and their energy and mineral resources. China doesn’t want or expect war, in my view, but it wants to throw its considerable weight around to get a good bargain. Part of that weight lies in China’s size, population, economic power and growing military resources. Our own technology and military power are counterweights. (We can never best China in population, and perhaps soon not in economic power.) So China wants a credible way of suggesting to us that, if we assert our countervailing power too far or too nakedly, China has relatively costless ways of causing us pain.
You might call this the “Straits of Hormuz” strategy. Iran is doing exactly the same thing, but much less subtly. Israel wants us to attack Iran’s nuclear facilities to keep Iran from developing nuclear weapons. Israel wants us to act because we have better weapons and because our action would cause Israel less political pushback than Israel’s own. But Iran ups the ante by saying, in effect,
“If you attack us, we’ll close the Straits of Hormuz, which carries 20% of the world’s crude oil. We may not be able to close it entirely, but we’ll do enough damage to precipitate a global economic crisis.”

China’s leaders are much too smart and too subtle to say this sort of thing out loud. If you pay careful attention to China, you will discover that its leaders never make threats. Stability is their paramount goal, and threats don’t produce stability. They can cause miscalculation and tragedy, which China has seen many times in its five-millennial history. So China’s leaders don’t make threats. Yet they do act, and sometimes they make their acts known in subtle ways. Just so, China appears to be tacitly saying,
“If you get in a fight with us over the Diaoyu/Senkaku Islands, or even Taiwan, we can disrupt your privately run civilian infrastructure. We can throw a monkey wrench into your banking, industry, power grid and transportation systems. Not only will that make it harder for you to fight us, but your economy will have to bear costs that perhaps you would rather not bear. Don’t make us do it. At least think twice about it first.”

Why so openly?

Now we can begin to understand another puzzling aspect of the private spying revelation. Why was it so easy for Mandiant, the previously unknown private reporter, to discover the extent and authorship of China’s massive spying program? You might think the PLA would have better security and privacy than that. After all, it’s the military and intelligence arm of one of the world’s most closed and secretive societies.

I submit that China wanted the program to be discovered. It did so for two reasons.

First, a deterrent weapon is no good unless your opponent knows you have it. The last thing China wants is war, for war disrupts stability. But China’s leaders are hard bargainers, willing to use every advantage, real and perceived, to strike a bargain that’s good for them. Before we even start to throw our weight around in regional disputes in China’s area, China wants us to know, or to think, that it might cause us a lot of pain just by giving a bunch of hackers in a windowless room somewhere carte blanche in cyberdisruption.

The second reason why China wants us to know is legal. The reported spying involved private companies and private trade secrets. When secrets are stolen, we Yanks have laws to provide redress. Our Uniform Trade Secrets Act, a version of which exists in every state, allows aggrieved trade-secret owners to sue trade-secret thieves for damages and injunctive relief. We also have a criminal statute at the federal level, called the Economic Espionage Act of 1996.
It authorizes criminal prosecution for theft of trade secrets and other acts of economic espionage, with huge fines and imprisonment as penalties. It also authorizes injunctive relief, but only on petition by our Attorney General.

But there’s a problem with the PLA. It’s China’s army, an arm of China’s government. An internationally accepted legal doctrine called “sovereign immunity” prevents any private party from suing a foreign government or any branch or agency of it. So owners of trade secrets stolen by the PLA can’t just sue the PLA for damages or injunctive relief, even if they could get jurisdiction in the United States. Likely this is one reason why China put its commercial cyberspying program there; the PLA, like our own army and the army of every foreign country, is immune from suit, even here in the United States.

What if, as appears likely, the PLA hands off stolen secrets to a state-owned enterprise or to a privately-owned Chinese company, to enhance its commercial advantage? Then there would be two potential problems. First, the injured trade-secret owner would have to investigate the chain of possession, inside China, in the process dealing with the formidable security apparatus that protects China’s military. Second, if the recipient is a state-owned enterprise, the doctrine of sovereign immunity might cover it, too. Only if the stolen secret’s user is a fully private party and if the plaintiff can trace the stolen secret’s chain of possession inside China can the plaintiff have a chance for redress in an American court. Good luck.

Similar analysis applies to criminal prosecution or injunctive relief under the Economic Espionage Act. While the Act lets us prosecute agents of foreign powers involved in trade-secret theft, we can’t prosecute them here if they stay in China. And the very same doctrine of sovereign immunity protects the PLA, as such, from both criminal prosecution and injunctive relief under the Act.

Conclusion

As I have reasoned at some length, I do not think China is a warlike power. With every historical reason, its leaders see stability as their paramount goal. War does not promote stability. But China is as serious and uncompromising about trade as most other countries are about war. It wants to participate, and it wants to win. And it’s quite practical and relentless—even ruthless—in reaching that goal, as long as doing so doesn’t threaten to upset the apple cart of stability.

So China has turned Von Clausewitz’ famous pronouncement in a new direction. For China, war is not politics by other means. Trade is both politics and war by other means. China’s leaders understand that trade is a primary source of economic power, especially for a still-developing country, and that economic power is both the source of military power and the source of influence in the world—as well as a guarantee of fulfilling lives for a nation’s people.

For about a decade now, China has also understood that innovation is an important facet of trade, plus an independent source of economic power. It knows it starts from behind in science and technology and has a long way to go to catch up. But it’s trying hard to do so, with all the élan and capability of an authoritarian government run by smart and well-educated technocrats. China is building huge universities to train its students, and huge technological institutes for research and study.

For some time, it also has been trying to pry trade secrets out of foreign private businesses through ordinary business negotiations, using China’s huge market as a lever. China’s firms, with the support and connivance of China’s government, often require disclosure of our technology and trade secrets as a condition of doing profitable business in China. Sometimes that condition is explicit, sometimes implicit. But it is nearly always there. And our private businesses, salivating over the prize of that huge market, often give in too easily.

The recent spying revelation now suggests that China is not above simply stealing Western trade secrets. Undoubtedly a significant part of the spying was an attempt to discover hidden vulnerabilities of our mostly-private civilian infrastructure. As this post discussed above, those vulnerabilities can give China much-needed leverage in diplomacy and international power politics.

Some of us, I am sure, will call China’s spying “acts of war.” (I can almost hear John McCain and Lindsey Graham on the Senate floor now.) But war is not China’s goal, and war is not the answer. The Chinese are far smarter and more subtle than that. We have to match their finesse.

We cannot neglect the possibility that another significant purpose of the spying was to steal Western secrets where economic leverage cannot buy them, thereby jump-starting China’s push for technological and industrial supremacy.

As this post shows, legal means of curtailing China’s cybertheft of trade secrets are weak. The best we might do with legal action, as a nation, is to bring a national case against China before the WTO, for violating trade-secret norms to which China itself has subscribed. But winning such a case would take years. And the prize, even if won, would just be the legal right to retaliate against China with trade sanctions. In other words, after several years of litigation we might win the right to start a trade war legally. I don’t think we want a trade war any more than a real war. A trade war between the world’s first and second largest economies would cause everyone on the planet real pain.

We don’t need saber rattling. We don’t need war. We don’t even need a trade war. What we need is real, practical means to protect our privately-held trade secrets going forward. That goal is and should be much broader than China. Protecting our valuable trade secrets is just common sense. China is unlikely to be the only rival nation seeking to get them by means fair and foul.
But if we protect our secrets well, doing so may have the pleasant consequences of reducing China’s ability to intimidate us and increasing its willingness to pay honestly for secrets of value.

Reaching that goal will not be easy. Our most valuable secrets reside in a private sector that has been lazy, negligent, improvident, short-sighted and sometimes even recalcitrant in protecting them. My future essay in this series will be about that.

Note on “spying” versus “hacking.”

Throughout this essay, I use the term “spying” for what Mandiant’s private report revealed. That term tracks Mandiant’s own usage, which reports “cyber espionage” and the systematic theft of “hundreds of terabytes of data.” In contrast, many inexpert news organizations use the less precise term “hacking,” which has two meanings. Its most common meaning is just gaining unauthorized access to a computer system by cyber wizardry, as distinguished from a physical break-in. This is what a nerd means when he says, “I hacked into my former employer’s computer.” This first form of hacking, of course, is a prerequisite to stealing any data. You can’t steal data unless you can hack into the system.

But hacking also has a much darker meaning: the intentional modification or deletion of data or programs, including intentional insertion of viruses and other malware. Hacking of this sort can render computer systems inoperative. In more diabolical cases, it can turn them into destroyers of physical property or even killers of people, like the rogue computer “HAL” in the movie 2001. (Imagine, for example, a rogue computer in a petroleum cracking plant that dumps toxic substances on workers inspecting or repairing vats, or a virus that opens a dam’s spillway fully while people are swimming or boating in the placid river below. Don’t even think about a virus intentionally causing a meltdown at a nuclear power plant.) “Hacking” of this second sort is the ultimate in cyber warfare.
But it’s not nearly as easy to accomplish as stealing data. In order to accomplish hacking of this more dangerous sort, you have to gain access not just to data, but to a computer system’s programs and operating systems. You also have to overcome software-security and physical barriers, which good engineers design into systems to prevent these sorts of disasters from happening.

Most computer systems store data in places separate from programs and operating systems. Some even use entirely separate storage systems. Normal user privileges, even of high executives, rarely include access to programs and operating systems. Only computer personnel normally have access to those things, and even their access is layered and structured on a need-for-access and priority basis.

Web-based “apps” using Java and similar online programming languages are an exception to this rule. Their whole purpose is to let a remote party—even an unknown one—control your computer, at least in part, to let you do things you couldn’t do otherwise. But it’s possible to protect against destructive Java-based malware in at least three ways: (1) isolating the Java programming environment from the rest of the programs and operating system, i.e., limiting what Java can do, (2) disabling Java for critical user accounts (and perhaps giving critical users two accounts, one—for critical functions—with Java disabled and the other with it enabled), and (3) disconnecting critical functions from Web access entirely.

The security barriers between and among users are among the most difficult to break. So control of even a high executive’s personal account does not necessarily compromise programs or operating systems. Only control of a system administrator’s administrative account (not just his or her e-mail password) could do that. As long as key systems administrators are competent, only something like bribery or extortion could extract their administrative account passwords.
And bribery and extortion are hard (but not impossible) to accomplish remotely, over the Internet.

Mandiant’s report revealed no instance of destructive hacking of the type that might cause property damage, personal injury or death. Therefore “spying,” not “hacking,” is the better term. As cyber warfare develops, this second form of hacking may become a threat. But nothing in Mandiant’s report suggests we are there yet, or that China has developed that capability. The issue raised by Mandiant’s report is the systematic theft of trade secrets from our private sector, which is bad enough.