China and Cybersecurity: Espionage, Strategy, and Politics in the Digital Domain

Jon R. Lindsay, Tai Ming Cheung, and Derek S. Reveron

Print publication date: 2015

Print ISBN-13: 9780190201265

Published to Oxford Scholarship Online: April 2015

DOI: 10.1093/acprof:oso/9780190201265.001.0001


PRINTED FROM OXFORD SCHOLARSHIP ONLINE (oxford.universitypressscholarship.com). (c) Copyright Oxford University Press, 2020. All Rights Reserved. An individual user may print out a PDF of a single chapter of a monograph in OSO for personal use.  Subscriber: null; date: 27 October 2020

From Exploitation to Innovation

Acquisition, Absorption, and Application

Chapter: (p.51) Chapter 3 From Exploitation to Innovation
Source: China and Cybersecurity
Author(s): Jon R. Lindsay, Tai Ming Cheung
Publisher: Oxford University Press
DOI: 10.1093/acprof:oso/9780190201265.003.0003

Abstract and Keywords

The rising tide of Chinese cyber espionage has prompted deepening concern in the United States and around the world. Espionage does not translate simply into innovation, however, but rather must be processed by a complex network of government and industrial organizations and translated into successful performance against competitors. Inefficiencies throughout the entire intelligence-to-innovation process can erode the value of stolen data. This chapter provides a framework for understanding illicit acquisition, institutional absorption, and competitive application and then evaluates China’s efforts to overcome the obstacles in each step. But there are reasons to be skeptical that China’s impressive cyber exploitation campaign delivers a meaningful strategic advantage. Overreliance on economic espionage, moreover, may become an impediment in China’s quest to become a leading industrial superpower.

Keywords: industrial espionage, economic espionage, advanced persistent threat, cyber exploitation, innovation, Chinese industry, China, cybersecurity

The rising tide of Chinese cyber espionage has prompted deepening concern in the United States and around the world that, as a former head of US counterintelligence has pointed out, such espionage “is contributing significantly to the tidal flow of capital, intellectual and otherwise, from West to East.”1 The chairman of the US House Intelligence Committee similarly alleges, “There is a concerted effort by the government of China to get into the business of stealing economic secrets to put into use in China to compete against the U.S. economy.”2 Richard Clarke, special advisor on cybersecurity in the George W. Bush administration, claims that cyber espionage now poses a more pressing danger than cyberwarfare. His “Greatest fear is that rather than having a cyber–Pearl Harbor event, we will instead have this death of a thousand cuts” as “company after company in the United States spends millions, hundreds of millions, in some cases billions of dollars on R&D and that information goes free to China. . . . After a while you can’t compete.”3 General Keith Alexander, former director of the National Security Agency and commander of US Cyber Command, describes cyber espionage dramatically as “the greatest transfer of wealth in history.”4

These claims are hard to evaluate because espionage is by nature a self-hiding activity. It involves secret initiatives to steal classified information, and both the perpetrators and the victims want to protect their reputations. Espionage does not translate simply into innovation, however. Collected data must be processed by a complex network of government (p.52) and industrial organizations and translated into successful performance against competitors. Inefficiencies throughout the entire intelligence-to-innovation process can erode the value of stolen data. This chapter provides a framework for understanding illicit acquisition, institutional absorption, and competitive application and then evaluates China’s efforts to overcome obstacles in each step. While espionage inefficiency cannot be decisively demonstrated, there are real reasons to be skeptical that China’s impressive cyber exploitation campaigns can deliver lasting strategic advantage. On the contrary, overreliance on economic espionage may become an impediment in China’s quest to become a leading industrial superpower.

Unreliable Damage Assessments

General Alexander claims, “Symantec placed the cost of IP theft to US companies at $250 billion per year, global cybercrime at $114 billion annually—$388 billion when you factor in downtime—and McAfee estimates that $1 trillion was spent globally on remediation . . . that’s our future disappearing in front of us.”5 Unfortunately, numbers like these are the result of extrapolations from rare outliers, unrepresentative samples, and surveys with high nonresponse rates.6 Most damage estimates originate from firms in the business of selling cybersecurity products, so there is reason to be wary of threat inflation. Ross Anderson and his colleagues have conducted the most rigorous academic attempt to date to measure financial cybercrime, but they stopped short of totaling UK and US losses across twenty-seven different categories because “it is entirely misleading to provide totals lest they be quoted out of context, without all the caveats and cautions that we have provided.”7 They did not even attempt to include industrial espionage in their analysis because of all the complex and intangible factors involved. The ultimate value of economic secrets, unlike directly monetizable assets like bank accounts, depends not only on the cost of producing them but also on a firm’s ability to capitalize on the information in a competitive marketplace.8 The net value of lost market share, lost jobs, and the overhead of technical and legal defense is a very complicated equation. As a recent US counterintelligence report concedes: “estimates from academic literature on the losses from economic espionage range so widely as to be meaningless—from $2 billion to $400 billion or more a year—reflecting the scarcity of data and the variety of methods used to calculate losses.”9

Some evidence, moreover, points in ambiguous directions. Only twenty-seven of the one hundred largest American companies reported (p.53) having suffered any cyberattacks in 2012 in required disclosures to the US Securities and Exchange Commission, and these attacks caused no significant financial losses.10 James Lewis and Stewart Baker summarize loss estimates for all forms of cybercrime in the United States as ranging from $24 billion to $120 billion, equivalent to 0.4‒1.4% of US GDP, which is comparable to losses from car crashes or traditional pilferage at, respectively, 0.7‒1.2% and 0.5‒2% of US GDP.11 The amount lost to cyber espionage alone would, presumably, only be a fraction of this, although it is hard to put a dollar figure on illicitly acquired political and military advantages. Lewis elsewhere calls US losses to espionage “a rounding error in our $15 trillion economy.”12

The history of industrial espionage suggests further reasons for skepticism about its impact on competition. Cyber exploitation is only the most recent manifestation of a centuries-long tradition of economic theft practiced by major countries. Historian J. R. Harris observes that “the main method of taking technology from one European country to another in the eighteenth century seems unquestionably to have been industrial espionage.”13 Yet coal-fuel smelting and the refining of iron presented “the most obdurate technical problem” and “the new skills were not embodied in drawings and manuals.” As late as 1824, “it was still not possible to make good machines abroad from drawings and models alone.”14 Even when France obtained entire pieces of machinery and foreign laborers to operate them, it still faced serious trouble assembling parts into a fully functional factory. Despite prodigious and deliberate French espionage, England maintained its industrial advantage.

Acquisitive countries have always faced challenges absorbing relevant foreign expertise and applying it. It would be surprising if computers changed any of this. On the contrary, the flood of digital data and the complexity of contemporary networked technology might make the intelligence-to-innovation problem even more complicated. Direct measurement of losses to espionage is probably futile, so we pursue an alternative approach here. We will examine the logical requirements for translating intelligence collection into competitive advantage in the marketplace. This enables us to identify assumptions about espionage effectiveness as well as potential obstacles states face in benefiting from it.

A Model of Espionage Effectiveness

It is often assumed that the covert collection of valuable foreign data translates simply into industrial innovation, which in turn provides dramatic advantages in international competition. “The greatest transfer of wealth (p.54) in history” thus leads to “death by a thousand cuts.” This assumption gives rise to three widely held and interconnected beliefs about Chinese cyber espionage: (1) China is running an aggressive industrial espionage campaign to steal Western corporate secrets; (2) cyber espionage is a cheap and effective shortcut for improving industrial innovation; and (3) China is gaining an unfair competitive advantage through cyber espionage at Western expense.

Because Western organizations are directly exposed to Chinese intrusions and can collect data to support attribution, there is ample evidence to support proposition 1. There is less empirical evidence available about China’s ability to absorb stolen data and apply it to improving innovation (propositions 2 and 3). Each of the links between these propositions in reality is embedded within a complex institutional context with potential to generate significant transaction costs, which in turn undermine the efficiency of intelligence collection and industrial digestion.

Figure 3.1 presents a more nuanced articulation of the intelligence-to-innovation process. It depicts institutional gaps across and within a country’s boundaries that pose nontrivial obstacles to effective collection of, and profit from, intelligence. The actors in this model are ideal types in an acquisitive state rather than specific organizations in China. We further divide these actors into inputs and outputs in order to call attention to internal information processing (and pathologies) within bureaucratic entities. Connections from one actor’s output to another actor’s input depict the potential for data to get lost or misinterpreted in transactions (p.55) between organizations as data is acquired from foreign targets, absorbed into the Chinese industrial system, and applied in international competition. The effectiveness of Chinese espionage is thus contingent, in part, on the absorptive capacity of the Chinese science and technology (S&T) system.15


Figure 3.1 A Model of Espionage Effectiveness

In the acquisition phase, intelligence collectors must first gain physical access to the foreign target’s valuable data and then recover it back to home base for analysis. As governments and corporations put more of their valuable data into digital form, there are more espionage targets available and more channels to access them at lower risk, as compared to human spies. At the same time, target networks are full of a lot of junk data that is meaningless to people outside the organization (and often inside it). Cyber spies confront a severe needle-in-the-haystack problem, and it is unclear whether the number and quality of valuable “needles” are increasing at the same rate as the size and messiness of digital “haystacks” as data storage capacity explodes. Moreover, a considerable amount of an organization’s vital information is not in electronic format at all, but rather encoded in tacit knowledge, social relationships, physical layouts, and workplace routines.16 Spies can steal digital text, but it is much harder to recover social context.

Intelligence collection also requires administrative infrastructure to identify lucrative targets, craft a covert intrusion, separate data wheat from chaff, analyze the valuable nuggets, and package the results into a format that is meaningful to the industrial or political consumer.

In our simple model of absorption, collection inputs come from interface with foreign targets in the international environment, while analysis outputs interface with domestic consumers of the stolen data. Yet incorporation of foreign data into industrial innovation involves further complications. The “hard” factor inputs to national innovation capacity are perhaps most easily measured, to include raw materials, research universities and human capital, factory capacity, research and development (R&D) laboratories and test facilities, and foreign expertise (obtained by whatever means). “Soft” factors are harder to measure but are just as critical for industrial performance, to include guidance and support from national leadership, industrial regulation policies, contract law and enforcement capacity, industrial organization and governance, technical standards and protocols, and other cultural properties. Hard and soft factors interact to shape the identification of needs and requirements, R&D, test and evaluation, factory production, material acquisition, development of marketing plans or doctrines for use, and finally, employment of a capability ready for the market (or battlefield).17 In our stylized model, hard and soft factors converge in research inputs, while functional products and processes emerge as production output. Because the (p.56) absorption phase is complex and involves a lot of actors, national intelligence guidance and coordination overhead is necessary as well.

Only when the output of industrial innovation interacts and succeeds in a strategic arena can it be truly said to provide a competitive advantage relative to other actors in the market or in a political contest. Some promising products are never fielded or fail to work in practice. Others run afoul of legal and political obstacles. The ultimate fate of market interactions is usually unknowable in advance to the actors involved, not only because of scientific uncertainty but also because of the vagaries of interaction among strategic actors. At best, actors can make better or worse assessments of risk, and even then their most innovative outputs may fail in the crucible of application in the international environment.

This simple model does not definitively measure the efficiency or inefficiency of China’s espionage contributions to innovation, but it does provide a qualitative feel for the significant challenges involved. In evaluating each phase, we can make some educated guesses based on what we do know from open sources about cyber exploitation attributed to China as well as China’s ability to absorb foreign information from any source whatsoever. The remainder of this chapter will focus on the first two of the three gaps, acquisition and absorption. The broader problem of market application is beyond the scope of this chapter, but we will offer some comments.

Illicit Acquisition of Foreign Data

China uses espionage to support its interests in national security, maintenance of the Communist Party’s hold on power, and economic development. Its cyber targets fall into all of these categories. The PLA is modernizing rapidly to meet its goal of “winning local wars under conditions of informatization.” Chinese weapon designers and defense conglomerates strive to build an autonomous innovation system, and they are eager to exploit foreign technologies and expertise to do so.18 Chinese authorities consider the notion of national security to broadly include social order and preventing challenges from political dissidents, human rights activists, and restive ethnic minorities. Cyber surveillance thus complements Internet censorship as a mode of political control.

The motivations for economic espionage, on which we focus here, are captured to some extent in China’s “National Medium- and Long-Term Plan for Science and Technology Development (2006‒2020) (MLP).” The MLP is a self-described “grand blueprint of science and technology development” for the “great renaissance of the Chinese nation.” It promotes a (p.57) policy of “indigenous innovation” (zizhu chuangxin) that involves “enhancing original innovation through co-innovation and re-innovation based on the assimilation of imported technologies.” According to one business analyst, “the plan is considered by many international technology companies to be a blueprint for technology theft on a scale the world has never seen before.”19 It is striking that the chronicle of Chinese cyber espionage depicted in tables 3.1 and 3.2 begins to take off as the MLP is beginning to be implemented, and many targets of Chinese intrusions are in industries explicitly identified in the MLP.

Of particular importance in China’s S&T modernization strategy is the National High Technology Research and Development Plan. Better known as the 863 Program (because it was launched in March 1986), it aims to close the gap between China and the global state of the art in a number of key areas, including information technology and telecommunications, in order to enhance military power and international competitiveness.20 While 863 openly funds a number of military and civilian R&D initiatives, the US Counterintelligence Executive also assesses that it “provides funding and guidance for efforts to clandestinely acquire U.S. technology and sensitive economic information for PLA modernization.”21 Indeed, three of the nine foreign espionage cases prosecuted in the United States (from 1996 to 2011) have had some connection to 863.22

Of the nine foreign espionage cases prosecuted under the US Economic Espionage Act (EEA) of 1996, eight had some connection to China. In all but one of these, the defendant allegedly acted to benefit an entity associated with the Chinese government. Since 2008, moreover, 44% of all EEA cases (i.e., foreign espionage charges as well as the more widely prosecuted trade secrets provision of the law) had some sort of China connection.23 The remarkably high level of EEA cases with a China connection is consistent with Verizon’s finding that 96% of the espionage-related data breaches in 2012 originated from China, although this number is likely exaggerated.24 The most serious EEA case to date resulted in the conviction of Dongfan Chung, an engineer at Boeing from 1979 until his arrest in 2006. Chung transferred hundreds of thousands of pages to the Chinese Ministry of Aviation and the Aviation Industry Corporation of China about the space shuttle program, Delta IV rocket, B-52 and B-1 bombers, F-15 fighter, and Chinook helicopters.25 The physical volume of information Chung passed to his Chinese handlers could have filled four four-drawer filing cabinets, but the same amount of data could now be quickly exfiltrated by cyber means with less hassle and risk. Chinese human espionage persists in the cyber era, as Nigel Inkster points out in his chapter. Indeed, human and cyber intelligence collection operations have become complementary elements of a broad Chinese economic espionage campaign. (p.58) (p.59) (p.60)

(p.61) Advanced Persistent Threat

The term “advanced persistent threat” (APT) emerged within the US Air Force in 2006 as an unclassified reference to intrusion sets traced back to China.26 It has since become a more general term of art for any computer network exploitation—including by the United States—targeting particular organizations on a chronic basis.27 APTs require preparatory intelligence to penetrate target-specific defenses to discover and recover useful data. This focused effort sets APTs apart from retail cybercriminals who prey indiscriminately on millions of users in a one-shot interaction.28 Most APTs achieve an initial compromise of the target’s network through “social engineering” or confidence tricks that play upon the gullibility of human users. Once an initial foothold is gained, the attacker then escalates privileges in the system, reconnoiters the network, and exfiltrates data to command-and-control servers on the Internet.29

Table 3.1 summarizes thirty-seven cases of Chinese computer network exploitation (CNE, as distinguished from disruptive attack, or CNA) from 2005 through 2013. These intrusions have colorful names like “Shady RAT” or “Ghost Net” coined by the Western government agencies or cybersecurity experts that discovered or publicized them. The first significant public disclosure of sustained Chinese cyber espionage was the press reporting of “Titan Rain,” a US intelligence code word for an intrusion into Department of Defense laboratories, NASA networks, and aerospace companies between 2003 and August 2005.30 A great deal more has been learned since then through detailed technical reports such as Mandiant’s exposé of “APT-1” (also known as “Comment Crew”), a reference to PLA Unit 61398, described by Mark Stokes in this volume (chapter 7). This data should be understood as English-language reporting on Chinese APTs, emphatically not of APTs themselves (which are in many respects not measurable insofar as they depend on deception). There is considerable ambiguity in these data. Some items refer to particular, identifiable groups who run many campaigns (e.g., APT-1), while others refer simply to related intrusion phenomenology or even just a particularly high-profile target (e.g., the F-35 Joint Strike Fighter). Multiple intrusion names may in reality be the work of the same group in China, but detected by different Western investigators. Since cybersecurity firms use expert technical analysis as a form of public marketing (security itself is hard to measure and advertise) and because reporters chase popular topics, this dataset tracks the appetite for APT reporting as much as APT activity itself. One should thus be very cautious about drawing any inferences. Nevertheless, this reporting does provide an open-source portrait, even if a sketchy one, of the targets and techniques exploited by (p.62) (p.63) Chinese APTs as well as some evidentiary basis for claims by public officials and private firms about extensive Chinese espionage.31

Table 3.1 Publicly Reported Intrusions Attributed to China

(Active = first reported evidence of activity; Report = date of public reporting; both given as YYYY.MM. Bracketed numbers are the chapter's note references.)

| Intrusion | Active | Report | Targets | Significance |
|---|---|---|---|---|
| Titan Rain [82] | 2003.09 | 2005.08 | US defense orgs and national labs | First public indication of methodical state-sponsored APT traced to PRC |
| State Dept [83] | 2006.06 | 2006.07 | US State Dept., US Embassy Beijing | Targeted Bureau of East Asian and Pacific Affairs; embassy lost connectivity for 2 weeks |
| US BIS [84] | 2006.07 | 2006.10 | US Commerce Dept. | Bureau of Industry and Security regulates US export licenses; attributed to PRC |
| US NWC [85] | 2006.11 | 2006.11 | US Naval War College | PRC APT prompts NWC to shut down network |
| US Sec Def [86] | 2007.06 | 2007.09 | Computers in the office of US Sec. of Defense Gates | Cabinet-level CNE with confident attribution to PLA |
| Enfal [87] | 2006 | 2007.12 | US NGOs, defense, govt. | Linked to Byzantine Haydes |
| US Rep Frank Wolf [88] | 2006.08 | 2008.06 | Office of US congressman Frank Wolf | CNE targeted data on human rights activists and political dissidents; attributed to PRC |
| POTUS Campaign [89] | 2008.07 | 2008.11 | Obama and McCain campaigns | Targeted candidates’ policy positions; intrusion linked to PRC |
| Ghost Net [90] | 2007.05 | 2009.03 | Govts., firms in 103 countries; Dalai Lama | First detailed public report on APT methods; interaction with cybercrime ecosystem |
| F-35 JSF [91] | 2007.10 | 2009.04 | BAE, Lockheed-Martin, Northrop-Grumman | APT compromised nonclassified data on F-35, monitored meetings and technical discussions |
| Aurora [92] | 2009.07 | 2010.01 | Google and 34 other firms; dissident Gmail accounts | Prompted Google’s exit from PRC and Sec. State Clinton’s Internet freedom speech |
| Shadows in the Cloud [93] | 2009.01 | 2010.04 | US, UK, India, SE Asian govts. and firms; UN | Exploits of cloud-hosted social media; classified information exfiltrated |
| Byzantine Haydes [94] | 2002 | 2010.12 | US Defense, State, Energy; IMF, World Bank; international firms, NGOs | US code name for PLA intrusions; subsets Byzantine Candor/Foothold/Anchor cover particular PLA APT actors |
| Night Dragon [95] | 2009.11 | 2011.02 | Multinational firms in the oil/energy sector | Oil exploration, bidding, and control system data lost to technically unsophisticated attack |
| RSA [96] | 2010 | 2011.03 | RSA, Lockheed | Compromise of industry-standard RSA SecurID tokens enabled Lockheed intrusion |
| Shady RAT [97] | 2006.07 | 2011.08 | 71 govt., corporate, NGO orgs. in 14 countries (mainly US); ASEAN | Targets of interest to PRC including Intl. Olympic Committee and WADA prior to 2008 Beijing Olympics; probably APT1 |
| Lurid [98] | 2011.06 | 2011.09 | Russia, CIS, Tibetan targets | Related to previous Enfal Trojan campaigns |
| Nitro [99] | 2011.04 | 2011.10 | 48 chemical and defense firms | Technically unsophisticated attack traced back to single hacker in Hebei province |
| Taidoor [100] | 2008.03 | 2012.03 | Think tanks involved in US-Taiwan policy | Activity peaks during 2011 US discussions of upgrading Taiwanese air force |
| Luckycat [101] | 2011.06 | 2012.03 | Defense and commercial firms, Tibetan activists | Linked to hacker working with students at Sichuan Univ. Information Security Institute |
| Ixeshe [102] | 2009.07 | 2012.05 | East Asian govts., IT firms, German telecoms | Highly targeted, leveraging internal C2 servers; attribution unclear but suggests PRC |
| VOHO [103] | 2012.06 | 2012.07 | Boston, Washington, DC, activists, defense, educational institutions | “Watering hole” and fake software patch attacks, conducted by Hidden Lynx APT |
| Elderwood (Sneaky Panda) [104] | 2009.07 | 2012.09 | Defense, manufacturing, human rights NGOs | Sophisticated Beijing-based APT group; used at least 8 zero-day exploits; multiple attack vectors; includes Aurora/Google hack |
| Cyber-Sitter [105] | 2009.06 | 2012.11 | CA-based Solid Oak Software | CyberSitter software copied for PRC’s Green Dam censorship software, then aggressive attacks against plaintiff in copyright suit |
| US News Media [106] | 2012.10 | 2013.01 | NY Times, Washington Post, Wall Street Journal | Targeted journalists covering PRC leaders, politics, and business (e.g., Huawei and ZTE) |
| HeartBeat [107] | 2009.11 | 2013.01 | S. Korea govt., party, media, research, military | English and Chinese artifacts make attribution ambiguous; DPRK is possible |
| APT-1 (Comment Crew) [108] | 2006 | 2013.02 | 141 English-speaking firms in 15 countries | Most detailed public attribution evidence to PRC to date; exposes Shanghai-based PLA GSD 3rd Dept., 2nd Bureau (Unit 61398) |
| Beebus, Mutter [109] | 2011.04 | 2013.02 | Aerospace, defense, telecom in US, India | Focus on drone technology and South Asia politics; linked to APT-1 |
| Bit9 [110] | 2012.07 | 2013.02 | MA-based cybersecurity firm | Stole digital certificate to sign malware used to attack follow-on targets in VOHO campaign |
| Telvent [111] | 2007 | 2013.05 | Telvent/Schneider Electric | Prime evidence for Obama’s 2013 State of the Union claim of hackers in the power grid; likely PRC industrial espionage rather than attack planning |
| QinetiQ [112] | 2007 | 2013.05 | CIA venture firm QinetiQ | Numerous advanced technology projects lost over 3 yrs.; inadequate network security |
| ASIO [113] | 2013 | 2013.05 | Australian Security Intelligence Organization | Obtained blueprints for new ASIO headquarters building |
| Safe [114] | 2012.10 | 2013.05 | Govt., NGOs, media, firms, academia | Author identified: professional engineer in PRC with access to ISP code repository |
| SCADA Honeypot [115] | 2012.12 | 2013.08 | Decoy water control systems in 8 countries | APT1 lured into exploiting mock-up plant controls; demonstrates interest in US SCADA |
| G-20 [116] | 2013.05 | 2013.08 | G-20 govt. and financial institutions | Traced to APT-12 (aka Calc Team), responsible for US news media intrusions |
| Hidden Lynx [117] | 2009 | 2013.09 | 100s of firms, focusing on financial services and defense industry | Highly skilled APT; concurrent campaigns, regular zero-day usage, sizable infrastructure; linked to Aurora, potentially “hackers for hire” |
| Icefog [118] | 2011.08 | 2013.09 | S. Korea, Japan govt., industry, media | Espionage toolkit with Windows and Mac variants; infected Japanese Parliament in 2011 |

APT targets include defense technology, foreign government policy regarding Chinese interests, positions of US presidential candidates, Chinese dissident activity, and a wide range of industries. Table 3.2 summarizes the number of APTs reported each year, divided into whether the APT emphasized mainly commercial or government targets or a mixture. The duration columns describe the average months elapsed between public reporting and the first reported evidence of infection (i.e., from the “report” to “active” dates in table 3.1), although this does not discriminate between cases where the intrusion remained hidden and those where it was detected but not publicly reported. For instance, APT-1 remained undetected in one organization’s networks for almost five years,32 but by contrast, the report date of “Byzantine Haydes” corresponds to the date of disclosure by WikiLeaks of US intelligence monitoring of Chinese APTs for eight years prior.33 Bearing in mind all the caveats about data quality, it is striking to observe that the earliest public reporting on APTs involves government targets. There is a shift around 2010 or so toward greater reporting on economic espionage (exemplified by the Night Dragon and Shady RAT intrusions), as well as APTs indiscriminately attacking government and commercial targets. It is possible that there was a shift in Chinese targeting priorities to increase collection on the industries detailed in China’s MLP. Some support for this possibility can be found in the pattern of APT-1 penetrations against 141 firms reported by Mandiant. APT-1 starts out tentatively in 2006 but becomes highly active across twenty industrial sectors in 2011.34

Table 3.2 APT Targets

(Intrusions = number of intrusions publicly reported in that year; Average months = mean months elapsed between the “active” and “report” dates in table 3.1. Empty cells indicate no intrusions of that type reported in that year.)

| Report year | Commercial targets: intrusions | Commercial targets: average months | Government targets: intrusions | Government targets: average months | Mixed targets: intrusions | Mixed targets: average months | Total intrusions | Total average months |
|---|---|---|---|---|---|---|---|---|
| 2005 | | | 1 | 23 | | | 1 | 23 |
| 2006 | | | 3 | 2 | | | 3 | 2 |
| 2007 | | | 1 | 3 | 1 | 23 | 2 | 13 |
| 2008 | | | 2 | 13 | | | 2 | 13 |
| 2009 | 1 | 18 | | | 1 | 22 | 2 | 20 |
| 2010 | 1 | 6 | | | 2 | 61 | 3 | 43 |
| 2011 | 3 | 12 | | | 2 | 32 | 5 | 20 |
| 2012 | 1 | 41 | | | 5 | 26 | 6 | 29 |
| 2013 | 8 | 42 | 2 | 4 | 3 | 23 | 13 | 32 |
| Total | 14 | 31 | 9 | 7 | 14 | 31 | 37 | 25 |

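The duration arithmetic behind the “Total” columns of table 3.2, re-derived from the Active and Report dates in table 3.1. This is an added example, not the chapter's own code; it assumes that a bare year such as “2006” stands for January of that year (the reading that reproduces the printed figures), and with that assumption it matches the printed totals for every report year except 2006, where this arithmetic gives 1.3 months against the printed 2.

```python
"""Dwell-time arithmetic behind the Total columns of Table 3.2.

Added example, not from the chapter. Rows are copied from Table 3.1.
Assumption (mine): a bare year such as "2006" means January of that year.
"""
from collections import defaultdict
from statistics import mean, median

# (intrusion, first reported activity, public report) as printed in Table 3.1
TABLE_3_1 = [
    ("Titan Rain", "2003.09", "2005.08"),
    ("State Dept", "2006.06", "2006.07"),
    ("US BIS", "2006.07", "2006.10"),
    ("US NWC", "2006.11", "2006.11"),
    ("US Sec Def", "2007.06", "2007.09"),
    ("Enfal", "2006", "2007.12"),
    ("US Rep Frank Wolf", "2006.08", "2008.06"),
    ("POTUS Campaign", "2008.07", "2008.11"),
    ("Ghost Net", "2007.05", "2009.03"),
    ("F-35 JSF", "2007.10", "2009.04"),
    ("Aurora", "2009.07", "2010.01"),
    ("Shadows in the Cloud", "2009.01", "2010.04"),
    ("Byzantine Haydes", "2002", "2010.12"),
    ("Night Dragon", "2009.11", "2011.02"),
    ("RSA", "2010", "2011.03"),
    ("Shady RAT", "2006.07", "2011.08"),
    ("Lurid", "2011.06", "2011.09"),
    ("Nitro", "2011.04", "2011.10"),
    ("Taidoor", "2008.03", "2012.03"),
    ("Luckycat", "2011.06", "2012.03"),
    ("Ixeshe", "2009.07", "2012.05"),
    ("VOHO", "2012.06", "2012.07"),
    ("Elderwood", "2009.07", "2012.09"),
    ("Cyber-Sitter", "2009.06", "2012.11"),
    ("US News Media", "2012.10", "2013.01"),
    ("HeartBeat", "2009.11", "2013.01"),
    ("APT-1", "2006", "2013.02"),
    ("Beebus, Mutter", "2011.04", "2013.02"),
    ("Bit9", "2012.07", "2013.02"),
    ("Telvent", "2007", "2013.05"),
    ("QinetiQ", "2007", "2013.05"),
    ("ASIO", "2013", "2013.05"),
    ("Safe", "2012.10", "2013.05"),
    ("SCADA Honeypot", "2012.12", "2013.08"),
    ("G-20", "2013.05", "2013.08"),
    ("Hidden Lynx", "2009", "2013.09"),
    ("Icefog", "2011.08", "2013.09"),
]


def month_index(date: str) -> int:
    """Turn 'YYYY.MM' (or a bare 'YYYY', read as January) into a running month count."""
    parts = date.split(".")
    year = int(parts[0])
    month = int(parts[1]) if len(parts) > 1 else 1  # assumption: bare year = January
    if not 1 <= month <= 12:
        raise ValueError(f"bad month in {date!r}")
    return year * 12 + (month - 1)


def dwell_months(active: str, report: str) -> int:
    """Months between first reported activity and public report (the table's 'duration')."""
    delta = month_index(report) - month_index(active)
    if delta < 0:
        raise ValueError(f"report {report} precedes activity {active}")
    return delta


def table_3_2_totals(rows=TABLE_3_1) -> dict:
    """Per report year: (intrusions reported that year, mean months hidden before report)."""
    by_year = defaultdict(list)
    for _name, active, report in rows:
        by_year[report[:4]].append(dwell_months(active, report))
    return {year: (len(d), round(mean(d), 2)) for year, d in sorted(by_year.items())}


def overall(rows=TABLE_3_1) -> dict:
    """Whole-dataset summary plus the three intrusions that stayed unreported longest."""
    durations = {name: dwell_months(a, r) for name, a, r in rows}
    longest = sorted(durations.items(), key=lambda kv: kv[1], reverse=True)[:3]
    return {
        "intrusions": len(durations),
        "mean_months": round(mean(durations.values()), 2),
        "median_months": median(durations.values()),
        "longest": longest,
    }


if __name__ == "__main__":
    for year, (n, avg) in table_3_2_totals().items():
        print(f"{year}: {n} intrusions, {avg:.0f} months average")
    print(overall())
```

The median (15 months) sits well below the mean (25 months) because a few very long-hidden intrusions such as Byzantine Haydes and APT-1 pull the average up, which is worth keeping in mind when the chapter reads yearly averages as a detection trend.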
Another possibility—not inconsistent with heightened Chinese activity—is that there has been an improvement in Western firms’ awareness of and ability to respond to network intrusions. Better detection rates by victims or third-party investigators would result in heightened reporting rates. Conversely, heightened media reporting would also improve firms’ awareness of the problem and, presumably, their detection posture. Google’s announcement in 2010 that it had been hacked by mainland Chinese entities was followed by a major speech by secretary of state Hillary Clinton on Internet freedom. These events marked the turning point in public awareness of Chinese cyber espionage as a serious problem.35 Before then, the APT threat was best known to intelligence experts, and thus government targets were more likely to be detected, whatever China was targeting. Throughout 2011 and 2012, there was an increase in public reporting about Chinese intrusions, which may or may not have corresponded with an uptick in Chinese APT campaigns. Additional, albeit tentative, evidence for improved corporate defenses is found in the increasing rate of detection (p.64) of commercial APTs hidden for a long time as seen in the jump in average duration between activity and report date in 2012 and 2013. This increasing detection rate of long duration intrusions can be interpreted to suggest that cyber defenders are getting better at rooting out the toughest APTs.

Attribution to China

Attribution is often considered to be the hard problem of cybersecurity, and mistaken allegations by Western officials would be politically irresponsible. As Chinese authors often point out, “An IP address simply is not a valid proof for the source of a hacker.”36 Therefore, it is striking that US analysts and policymakers have been so willing to confidently attribute responsibility to the Chinese government recently. While each bit of evidence about Chinese involvement may be circumstantial by itself, a diverse mass of clues presents a more convincing picture of Chinese culpability. China has ample political and economic motives for industrial espionage, a documented history of spying in American court records, and the organizational capacity and technical expertise needed to run APTs. Moreover, Chinese APT operators themselves have left a number of clues through sloppy tradecraft. All this data in context enables forensic investigators to follow the attribution thread back to the Chinese government.

APT actors rely on standardized operating procedures, reusable technical infrastructure, a division of labor, and intelligence tradecraft to penetrate and operate undetected in target networks for extended periods of time. It is possible that private-sector corporate intelligence or cybersecurity firms might fit this profile.37 The Ministry of State Security and Ministry of Public Security also fit the profile. Yet the PLA is an especially strong fit for the APT profile. It has doctrine for cyberwarfare as well as functionally and regionally specialized bureaus in the General Staff Department (GSD) Third Department and Military Region Technical Reconnaissance Bureaus (TRBs). The PLA can draw from a large talent pool of university-educated information security talent and a vibrant civilian hacker culture, and it can put them to work in a routinized, regimented, mission-focused institutional structure.38

Technical features of APTs provide much more specific evidence pointing to China and, in some cases, to the PLA. As the researcher who discovered the GhostNet and ShadowNet APTs explains, “The attackers can and do make mistakes. Careful monitoring of their command-and-control infrastructure can reveal the inner workings of their operations. The data obtained from the attacker’s infrastructure often reveals the length of the operation, the number of individual attacks, the identity of the victims, (p.65) additional tools used by the attackers and sometimes even the data that has been ex-filtrated.”39 The February 2013 Mandiant report describes a wide variety of data, including Internet addresses from the Shanghai neighborhood of PLA Unit 61398, simplified Chinese keyboard settings, domain names and phone numbers registered in the Shanghai locale, reliance on Chinese malware like Ghost RAT, characteristic Chinese grammar errors in English phishing emails, and routinely high levels of APT activity during weekday working hours in China Standard Time, complete with mealtime breaks.40
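The working-hours evidence mentioned above is easy to reproduce on one's own logs. The script below is an added illustration written for this page; it is not Mandiant's tooling and not code from the chapter. It takes UTC timestamps of beacons from a suspected command-and-control channel (constructed sample values here), shifts them into several candidate local time zones, and scores how much of the activity falls within a nominal Monday to Friday, 09:00 to 18:00 workday. The candidate offsets and the workday window are assumptions; fixed UTC offsets are used to keep the example dependency-free, which is exact for China Standard Time (no daylight saving) but only approximate for zones that observe DST.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample: UTC timestamps of outbound beacons from one host to a
# suspected command-and-control server, as a defender might pull them from
# proxy logs. These are invented illustration values, not data from the chapter.
SAMPLE_BEACONS_UTC = [
    "2013-02-04T01:05:00Z",  # Mon 09:05 at UTC+8
    "2013-02-04T03:40:00Z",  # Mon 11:40
    "2013-02-04T04:10:00Z",  # Mon 12:10
    "2013-02-04T06:30:00Z",  # Mon 14:30
    "2013-02-04T09:15:00Z",  # Mon 17:15
    "2013-02-05T02:20:00Z",  # Tue 10:20
    "2013-02-05T07:00:00Z",  # Tue 15:00
    "2013-02-06T00:55:00Z",  # Wed 08:55, just before the nominal workday
    "2013-02-09T05:00:00Z",  # Sat 13:00, weekend
    "2013-02-05T18:00:00Z",  # Wed 02:00, middle of the night
]

# Candidate local zones as fixed UTC offsets (assumption: no DST handling;
# exact for China Standard Time, approximate for the others).
CANDIDATE_OFFSETS = {
    "UTC+8 (China Standard Time)": 8,
    "UTC+0": 0,
    "UTC-5 (US Eastern, winter)": -5,
}


def parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def to_local(ts: str, utc_offset_hours: int) -> datetime:
    """Shift a UTC timestamp into the candidate zone's local wall-clock time."""
    return parse_utc(ts).astimezone(timezone(timedelta(hours=utc_offset_hours)))


def hour_histogram(timestamps, utc_offset_hours):
    """Count events per local hour of day (0-23); a workday pattern shows as a daytime hump."""
    counts = Counter(to_local(ts, utc_offset_hours).hour for ts in timestamps)
    return dict(sorted(counts.items()))


def business_hours_fraction(timestamps, utc_offset_hours, start_hour=9, end_hour=18):
    """Fraction of events that fall Mon-Fri with start_hour <= local hour < end_hour."""
    if not timestamps:
        return 0.0
    in_hours = 0
    for ts in timestamps:
        local = to_local(ts, utc_offset_hours)
        if local.weekday() < 5 and start_hour <= local.hour < end_hour:
            in_hours += 1
    return in_hours / len(timestamps)


def rank_offsets(timestamps, candidates=CANDIDATE_OFFSETS):
    """Rank candidate zones by how much activity lands in their working hours, best first."""
    scored = [(name, business_hours_fraction(timestamps, off)) for name, off in candidates.items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    for name, frac in rank_offsets(SAMPLE_BEACONS_UTC):
        print(f"{name:30s} {frac:.0%} of beacons in Mon-Fri 09:00-18:00")
    print("hour histogram at UTC+8:", hour_histogram(SAMPLE_BEACONS_UTC, 8))
```

On the sample, 70% of beacons land in the UTC+8 workday against 10% for the other candidates. As the chapter stresses, this is one circumstantial clue among many: operators can work shifts, route through proxies in other regions, or schedule beacons automatically, so a time-of-day fit corroborates other evidence rather than establishing attribution on its own.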

Furthermore, many human APT operators “have made poor operational security choices.”41 Some even check their personal Facebook and Twitter accounts, taking advantage of PLA attack infrastructure situated outside “Great Firewall” censorship restrictions for their personal use. Lax Chinese tradecraft could be the result of naïve operators or brazen indifference given the low risk of punishment for being caught. It is also possible that these easy clues may become harder to come by in the future after the announcement in early 2014 of a reorganization of Chinese cybersecurity policy with Xi Jinping assuming more direct control. One consequence of Xi’s institutional shakeup could include greater enforcement of discipline and discretion in PLA cyber tradecraft.42

Gaping holes remain in our knowledge of who exactly in China is responsible and how APT operations are organized. However, attribution to China by corporate investigators has been corroborated by government analysts as well as academic and non-profit research outfits, notably by the University of Toronto’s Citizen Lab. There is simply no credible alternative explanation for the individually circumstantial but collectively significant evidence for Chinese (and PLA) responsibility. It is commonly held that cyber attribution is very difficult, but in this case, Occam’s razor points to a major institutionalized campaign of cyber espionage.

Needles in a Haystack

It is clear that Chinese APTs exfiltrate many terabytes from foreign networks. It is less clear how often their take includes valuable data. There is a vast and growing amount of information in cyberspace. According to one academic study, “In 2008, the world’s servers processed 9.57 zettabytes [Zb] of information . . . or ten million million gigabytes.” This translates into a per-company average of “63 terabytes of information annually.”43 A 2012 Symantec study of 4,506 organizations in 38 countries reported a total of 2.2 Zb of data on their networks, valued at $1.1 trillion. Of this vast (p.66) amount, 42% was duplicate data, and 46% resided outside of protected data centers. Respondents reported that 69% had inadvertently exposed confidential information, and 30% said “information sprawl” was a factor in these mishaps.44 Data fragmentation and spillage are thus a normal fact of life even in the absence of APTs. Moreover, the “live” portion of data on an organization’s network—current, valid, meaningful, revisited, operational data—is usually small compared to the amount of data stored. Old versions of documents, working drafts, discarded plans, and normal data errors abound on corporate servers. This mess essentially functions as disinformation for the naïve spy who collects it. Understanding which bits are meaningful requires participation in meetings, ongoing conversations, laboratory interactions, and other embodied moments in the life of an organization.

As not everything valuable is digital and not everything digital is valuable, what is the probability that Chinese cyber intruders actually retrieve something of value from their targets? Do bureaucratic APT collectors even care about the answer, or are they simply rewarded for the number of targets infiltrated and the number of terabytes recovered? This latter possibility could produce a large collection effort with little effect on innovation.

Substantial Infrastructure for the Absorption of Foreign Data

Determining how Chinese cyber-exploitation activities contribute to the country’s advancement in S&T requires an understanding of how information obtained by illicit as well as legitimate means is disseminated, assimilated, and transformed into actual output. China’s S&T development strategy of “indigenous innovation,” described in the MLP, can be more precisely characterized as a four-part process known as “introduce, digest, assimilate, and re-innovate” (yinjin, xiaohua, xishou, zai chuangxin) or IDAR, which refers to the steps required to turn foreign technology into a remade domestic variant. The IDAR strategy is most clearly articulated in a supplementary document to the MLP that calls for encouraging the introduction of advanced foreign technology that can be digested and absorbed for re-innovation.45

A central Chinese goal is the building of a sophisticated apparatus that brings in foreign technology and allows for the effective absorption and re-innovation of products that China can effectively claim to be homegrown. The MLP highlights a number of industrial sectors that would benefit from this approach, including information and communications (p.67) technology, biotechnology, civilian aviation and aerospace, advanced materials, and machinery manufacturing.46 Key initiatives in the document include actively seeking bilateral and multilateral technical cooperation, expanding open-source international information services that can be disseminated to local actors, encouraging firms to go abroad to gain access to foreign R&D knowledge, and attracting more multinational firms to set up R&D institutes and facilities in China. Espionage, which is not mentioned, unsurprisingly, is thus only one small part of a much larger Chinese effort to acquire and absorb foreign expertise. This has two important implications for our topic: 1) China has many alibis for the legitimate acquisition of foreign technology to deflect charges of espionage; and 2) the contribution of espionage is only one small part of an ambitious foreign technology transfer effort, so spying cannot be given exclusive credit for Chinese advances.

Defense Research, Development, and Acquisition

A full study of Chinese absorptive capacity would consider defense and non-defense state-owned and private corporations. In the interest of brevity, we will look primarily at China’s defense research, development, and acquisition (RDA) system. Many APTs focus on defense firms, and thus RDA is a useful starting point for understanding the more general challenges. The history of the Chinese defense economy has been a dueling tale of foreign imitation and autonomous innovation. Reliance on external sources has been a defining characteristic of the sprawling conventional weapons establishment from its origins in the early 1950s right up to the present day. By contrast, the smaller and more specialized strategic (nuclear, space, and ballistic missiles) arms complex forged a more independent development path because it was shut off from outside assistance. These two sectors were eventually consolidated in the 1980s, and the defense economy has sought to pursue a twin-tracked imitation-innovation approach ever since.47

An important turning point in China’s industrial espionage efforts took place in the early 1990s with the collapse of the Soviet Union. This allowed China to take advantage of the economic chaos in Russia and former Soviet republics and gain access to their defense industrial facilities and scientific and engineering personnel. Hundreds of Russian defense scientists and engineers were recruited and brought over to China to provide expert advice.48 The largest case of Chinese clandestine defense technological activity against Russia was the surreptitious (p.68) non-authorized reverse engineering of the Sukhoi Su-27 combat jet to create the J-11B.49 This led to a major rupture in the two countries’ defense S&T cooperation, as Russia demanded that China halt intellectual property rights infringements and guarantee not to further engage in these practices.50 Beijing and Moscow eventually settled their differences in the early 2010s, which allowed for the resumption of negotiations for major weapons packages. This access to former Soviet defense technology may have helped select portions of the Chinese defense industry to advance by at least one or more generations. The most significant contributions have been in fighter aircraft programs, air-to-air missiles, radars, fire-control systems, aircraft carrier and other naval systems, and manned space.

Nonetheless, foreign imitation remains the primary focus of Chinese RDA, notwithstanding a growing effort to promote original innovation, especially incremental and architectural innovation. Leadership and management are hierarchical and top-down in nature, and the insular system has restricted interactions with the outside world. The state plays a dominant role in setting priorities, providing strategic direction, and overseeing management of the system. These factors shape China’s absorptive capacity in a number of important ways. First, there is heavy reliance on imitative techniques and processes such as copying and reverse engineering. Second, the Chinese defense innovation system is dependent on foreign technology and knowledge to make major advances in technological development. As much of this technology and know-how is off-limits to China, especially defense and dual-use capabilities from the West, the use of covert means to gain access to this information is a critical source for ensuring the country’s continuing technological progress.

Table 3.3 provides a list of major Chinese weapons systems that have benefited from foreign technology. These data show foreign dependency across all of China’s defense industrial sectors. To the extent that these systems improve China’s relative advantage against its military rivals, this advantage is due in part to foreign assistance. While most acquisitions have been licitly obtained, it is striking that illicit gains are concentrated in sophisticated technology sectors, particularly fighter aircraft, where Chinese reliance on foreign content is considerable. These data can be interpreted to suggest that espionage is only a small part of China’s overall foreign technology transfer strategy, but it is important for areas where China needs to catch up. We now turn to the actual process of foreign technology absorption in China.

Table 3.3 Chinese Weapons System Dependence on Foreign Technology

Platform | Sector | Country of origin | Foreign content | Illicitly obtained material
J-20 | Aviation | Russia, United States? | 5-High? | Unknown
Liaoning Aircraft Carrier | Maritime | Russia, Ukraine, United States | 5-High | Unknown
J-11B | Aviation | Russia | 5-High | Yes: reverse-engineered Su-27SK
J-16 | Aviation | Russia | 5-High | Yes: reverse-engineered Su-30MK2
J-15 | Aviation | Russia, Ukraine | 5-High | Yes: reverse-engineered Su-33
Donghai-10 LACM | Space | Russia, Ukraine, United States | 5-High | Yes: reverse-engineered missiles
Y-20 | Aviation | Ukraine, Russia | 4-Medium-High | No
Zhi-10 | Aviation | United States, Canada | 4-Medium-High | No
KJ-2000 AEW | Electronics | Russia, Israel | 4-Medium-High | No
Type 039A/B SS | Maritime | Russia, Germany | 3-Medium | No
Type 039G | Maritime | Russia, Germany | 3-Medium | No
Type 052B Luyang I destroyer | Maritime | Russia, Ukraine, France | 3-Medium | No
Type 054A Jiangkai II frigate | Maritime | Russia, France | 3-Medium | No
Type 053H3 Jiangwei II frigate | Maritime | Russia, Germany, France, Italy, United Kingdom | 3-Medium | No
Nuclear reactors | Nuclear | United States, Japan, France, Russia, Finland, Germany | 3-Medium | No
Hongqi 9 (HQ-9) SAM | Ordnance | United States, Russia, Israel? | 3-Medium | No
Shenzhou-10 | Space | Russia, United States | 3-Medium | No
Chang’e 2 | Space | Germany, United States | 3-Medium | No
DF-31 | Space | United States, Russia? | 2-Low-Medium | No
CBERS | Space | Brazil, United States | 2-Low-Medium | No
Type 052C Luyang II destroyer | Maritime | Russia, Ukraine, Germany, France, United States | 2-Low-Medium | Yes: German engine design
J-10 Fighter | Aviation | Russia, Israel | 1-Low, Critical | No
FC-1 | Aviation | Pakistan, Russia, Italy, United States | 1-Low, Critical | No
JH-7 | Aviation | United Kingdom | 1-Low, Critical | No
H-6 | Aviation | Russia | 1-Low | No
J-8II | Aviation | Russia, Israel | 1-Low | No
KJ-200 AEW | Electronics | Sweden, United States, Ukraine | 1-Low | No
Type 94 SSBN | Maritime | Russia, Ukraine | 1-Low | No
Type 93 SSN | Maritime | Russia, Ukraine | 1-Low | No
Type 051C Luzhou destroyer | Maritime | Russia, United States | 1-Low | No
Type 99 MBT | Ordnance | Russia, Germany, United States | 1-Low | No
Type 96 MBT | Ordnance | Pakistan, Russia | 1-Low | No
WZ752 AFV (Type 89) | Ordnance | Germany | 1-Low | No
PTL02 Self-Propelled Arty | Ordnance | Germany, United Kingdom | 1-Low | No
Julang-2 | Space | United States, Russia? | 1-Low | No
DF-15 | Space | United States (potential) | 1-Low | No
Beidou | Space | Switzerland | 1-Low | No
Ziyuan | Space | Brazil | 1-Low | No
Changzheng (LM-5) | Space | United States, Russia | 1-Low | Yes: US engine designs

Source: Data compiled in Tai Ming Cheung, “‘Standing on the Shoulders of Past Pioneers’: The Role of Foreign Technology Transfers in China’s Defense Research, Development, and Acquisition Process,” presented at IGCC 2013 Annual Conference on the Chinese Defense Industry: Understanding the Structure, Process, and Performance of the Chinese Defense Research, Development, and Acquisition System, La Jolla, California.

(p.69) (p.70)

(p.71) Introduce

The initial role for defense S&T organizations in the IDAR process would be to provide technical targeting requirements to guide the work of intelligence collection units. Little is known about how this targeting process works, but the notoriously hierarchical and compartmentalized nature of the Chinese defense establishment would support an assumption that targeting requests by S&T organizations go up through their respective chains of command. Entities affiliated with the defense industry report to the State Administration for Science, Technology, and Industry for National Defense (SASTIND), while PLA units would go through their own departments and service arms. Requirements by military units belonging to the armaments system, for example, would go up through the hierarchy of the PLA General Armament Department (GAD).

Military targeting requests would eventually make their way to the PLA General Staff Department’s Third Department in charge of signals intelligence. APT collectors and analysts would have to work together to discover potentially meaningful intelligence out of all the terabytes recovered. Then they would have to package it in a way that customers would be able to use. The effective management of these coordination and transmission channels is crucial to the performance of the acquisition process. Entities that are likely to play influential roles in providing targeting requirements include the Science and Technology Committees that belong to the GAD, SASTIND, each of the ten major defense industrial corporations, and S&T research organizations.51

Digest

A key mechanism that China has cultivated since its formative years has been an S&T information analysis and dissemination (IAD) apparatus. While the IAD system has close affiliations with the intelligence collection system, the two apparatuses are organized and operated separately. The historical rationale for the development of the IAD system was to provide information on global S&T developments to civilian and military S&T and academic organizations that were largely isolated from the outside world between the 1950s and 1970s. The output of this system consisted of the acquisition, collation, and translation of foreign S&T literature but also of specific technical information that was of direct utility to R&D organizations, especially for nuclear, space, and computational outfits.52

(p.72) A number of major IAD entities were established within the S&T system, such as the Institute of Scientific and Technical Information of China, which belongs to the Ministry of Science and Technology, and the Electronics Science and Technology Intelligence Research Institute, affiliated with the Ministry of Industry and Information Technology (MIIT). The IAD system presently consists of around four hundred analysis and diffusion centers with around 50,000 personnel, according to a 2006 assessment.53 However, only around thirty-five belong to central government agencies, and the rest are affiliated with provincial or lower-level institutions.54 Each of the country’s six defense industrial sectors also has its own IAD organization; these act as clearinghouses for specialized S&T information. These organizations, which range in size from two hundred to five hundred researchers, are attached to one of the principal conglomerates responsible for their sectors.55

The vast majority of the external information that IAD organizations analyze comes from open sources such as media, online, and academic outlets.56 The classified intelligence collected by PLA intelligence agencies is likely to be available only for the military component of the IAD system, which is centralized under the China Defense Science and Technology Information Center (CDSTIC) affiliated with the GAD. CDSTIC has grown rapidly over the past few decades, especially since the end of the 1990s, to cope with intensive demand for its S&T information and analysis services from the defense innovation system, military organizations, and the country’s leadership.57 Concerted efforts have been made to improve the ability of the IAD system to assimilate and disseminate information in a timely and organized fashion. This includes the development of Internet-based and closed intranet S&T databases and information retrieval networks. CDSTIC, for example, operates an engineering technology information network, an all-army equipment S&T information network, a GAD-specific S&T intelligence network, and an online digital library.58

Assimilate

Chinese authorities are investing heavily in building up an extensive technology and engineering ecosystem to support efforts to combine digested foreign and local technologies. This includes the establishment of an extensive array of entities such as national engineering research centers, enterprise-based technology centers, state key laboratories, national technology transfer centers, high-technology service centers, and the recruitment of foreign technical experts through organizations such as the State (p.73) Administration of Foreign Expert Affairs. National engineering research centers are one of the most important types of institutions designated by the Chinese government for transforming the acquired and digested external technology into actual output.59 There were nearly three hundred of these research centers in operation in 2013.

China’s “combine and integrate” strategy figures prominently in the MLP and is being actively pursued by defense and high-technology-intensive industries that have major gaps in their technological capabilities that can best be addressed through external technology transfers. This strategy is carried out through collaborative joint ventures as well as through illicit transfers and unauthorized reverse engineering. The commercial and military aviation and high-speed rail sectors are at the forefront. For China’s first narrow-body jet airliner, the C919, the external technology absorption process is occurring throughout the entire RDA cycle, from initial design through to manufacturing.

Chinese expenditures on the acquisition of foreign technology and on the in-house assimilation of technology have grown strongly over the past decades, as shown in table 3.4. Official Chinese statistics for spending on foreign technology acquisition (which almost certainly exclude defense-related acquisitions) show a nearly fivefold increase between 1991 and 2011, from RMB 9.02 billion ($1.47 billion) to RMB 44.9 billion ($7.3 billion), although around half this total comes from acquisitions by foreign-owned firms based in China.60 Strikingly, in the same period of time, expenditures for assimilation have grown faster relative to (p.74) expenditures for acquisition, from 5% to 45%. This suggests that assimilation is neither automatic nor easy and, in fact, is getting harder as China targets more sophisticated foreign technology. Whatever success China enjoys from licit and illicit transfer depends on a very expensive and extensive IDAR effort.

Table 3.4 Chinese Expenditures for Acquisition and Assimilation of Foreign Technology

Year | Expenditures for acquisition of foreign technology (RMB billion) | Expenditures for assimilation of technology (RMB billion) | Assimilation versus acquisition (%)
1991 | 9.02 | 0.41 | 5
2000 | 24.54 | 1.82 | 7
2007 | 45.25 | 10.66 | 24
2008 | 46.69 | 12.27 | 26
2009 | 42.2 | 18.2 | 43
2010 | 38.61 | 16.52 | 43
2011 | 44.9 | 20.22 | 45

Source: Data from State Statistics Bureau and Ministry of Science and Technology, China Yearbooks on Science and Technology Statistics, 1991–2011 (Beijing: China Statistics Press).

Re-innovate

One of the major challenges for the Chinese defense economy is how to turn all these efforts into actual output. While there is a growing list of advanced weapons projects from fifth-generation combat aircraft to turbofan jet engines at various stages of the RDA process, a major bottleneck is the underdeveloped state of advanced manufacturing capabilities that are critical for the precision production of high-technology products. In its five-year program in 2012 providing a detailed outline of the development of the country’s high-end equipment manufacturing industry, MIIT noted that China’s advanced manufacturing industry lagged well behind the global frontier, that its innovation ability was “weak,” and “core technologies and core key components are in the hands of others.”61 Revenue from high-end equipment manufacturing accounted for only 8% of total revenues of the country’s equipment manufacturing industry in 2012. While Chinese S&T development plans stress the importance of nurturing homegrown S&T capabilities, the reality is that China can only make major progress through gaining access to foreign technologies and know-how.

Industrial and cyber espionage activities and other illicit and gray acquisition strategies thus figure prominently in China’s efforts to achieve its development goals in priority areas as well as sensitive defense and dual-use technologies. This approach has worked especially well in the building of its high-speed rail sector, which is one of the priorities in its high-end equipment manufacturing development plan. European and Japanese firms provided significant amounts of high-speed rail technology transfers to China during the 2000s that allowed the Chinese rail industry to replicate and improve upon these capabilities within five years and produce what they insisted were brand-new generations of “re-innovated” trains. Many of the foreign firms involved in these technology deals have been reluctant to publicly criticize the Chinese for reverse engineering their products, although Japanese firms have been more vocal in their protests.62 The PRC’s Twelfth Five-Year Development Program for the Rail Transportation Equipment Industry published in 2012 acknowledged that its high-speed (p.75) rail sector was based on “secondary innovation of absorbed technology introduced from abroad.”63

Foreign rail firms were surprised at how quickly their Chinese counterparts were able to absorb and reverse-engineer these advanced technologies. While the Chinese rail industry benefited greatly from the extensive level of technology transfers, it also invested heavily in building a robust absorptive capacity infrastructure that included the establishment of a state-of-the-art national rail transportation research laboratory, a state engineering technology research center, a state engineering research center, and more than a dozen national-level enterprise technology centers.64 These research, development, and engineering bases are also being laid down in many other industrial sectors, and they are an essential component of China’s growing absorptive capacity.

In sum, China has taken deliberate steps for decades to improve its capacity to absorb foreign technology and expertise. Intelligence collection, much less cyber espionage, is only one of many channels through which China accesses foreign technology, many of which are perfectly legitimate.65 The secrecy of cyber espionage, moreover, surely complicates the bureaucratic problem of connecting APT collectors and intelligence analysts to the proper industrial customer in a way that open acquisition does not. When assessing the marginal effects of espionage on technological absorption, one must also consider these other important pathways that can contribute far more complete and detailed information and mentorship. There is no doubt that all of this ambitious activity—including espionage in some cases—has enabled China to catch up in many areas. However, it has also built a severe foreign dependency problem into the Chinese S&T system. By relentlessly seeking shortcuts to becoming a world-class innovator, China has actually become over-reliant on foreign imitation. We return to this theme in the chapter’s conclusion.

The Uncertainty of Application in International Competition

Even if China does manage to acquire secrets and absorb them efficiently, advantage cannot be guaranteed in a market where future interactions are uncertain. Western firms may be able to innovate new data faster than China can digest old data. Some scholars find evidence that the US advantage in S&T will endure despite China’s rise.66 Similarly, China may not be able to absorb very efficiently at the most lucrative end of the value chain. Studies of innovative regions like Silicon Valley or Cambridge, Massachusetts, (p.76) suggest that social factors like personal relationships among entrepreneurs, open legal institutions, supportive research universities, the availability of local venture capital, expert knowledge in the labor force, and even recreational opportunities are key for promoting innovation.67 Cyber spies might steal technical data, but without the social context to nurture it, the data could be useless for cutting-edge innovation. If data is easy to copy and products are easy to imitate, then the market is likely to price such products lower than goods that are better designed, marketed, and have greater appeal. Not all cyber theft has the same implications for all sectors.68

Figure 3.2 describes how different levels of acquisitive performance or absorptive capacity can affect a state’s ability to apply espionage for market advantage. Acquisition is simple when an APT can easily access and exfiltrate data that can be readily understood out of context. Standardized databases, finished engineering blueprints, or negotiating positions on well-defined deals are examples of corporate secrets that could potentially be useful. If an acquirer has inefficient absorption institutions, then stolen secrets could potentially aid improvement if the utility of the secrets is straightforward. If the acquirer has advanced absorptive capacity, then there is a much better chance that simple secrets can be put to work to realize a competitive advantage. We assess that most of China’s IDAR successes that leverage espionage are in this category.


Figure 3.2 Competitive Potential of Espionage

However, acquisition will be more difficult if the critical target data is hard for an APT to identify or extract from its local social context. Gregory Treverton distinguishes between intelligence “puzzles” and “mysteries.”69 Puzzles are problems that can be solved by finding the missing pieces that are (p.77) simply hidden from view because the target wants to keep them confidential. Mysteries, by contrast, turn on intangibles of context and intention that may even be poorly understood by the target itself. The acquisition of advanced technology trades in mysteries. An acquirer with weak absorptive institutions will most likely not be able to obtain and interpret complex target data. An acquirer with robust absorptive capacity has a better chance at understanding and adapting complex target data to productive ends, but it will still take a lot more work and the outcome will be uncertain. We assess that China will face continuing difficulties in this category no matter how much it spends on IDAR because the innovation targets are that much more sophisticated.

Further downstream factors could also affect the outcome of a strategic interaction, even if performance in acquisition and absorption does promote advantages. For instance, the victim state may take counteractions to blunt the utility of espionage. American officials have long insisted that the United States, unlike France or China, “does not, should not, and will not engage in industrial espionage.”70 Yet at the same time, “Economic intelligence has been a topic of concern to the CIA from the very beginning of its existence.”71 One former CIA director, Stansfield Turner, even argued that US agencies should directly assist US firms against foreign competitors: “Some argue that when it comes to specific data such as competitive bids, the government should not become a partner of business and distort the free enterprise system. The United States, however, would have no compunction about stealing military secrets to help it manufacture better weapons.”72 US intelligence has also provided special technical assistance to firms as, for example, when the National Security Agency reportedly aided Google in the wake of Chinese hacking.73 Americans often attempt to take the moral high ground against China for economic espionage, but US intelligence support to industry is a more nuanced question of degree rather than an all-or-nothing relationship.74 The important implication for espionage application is that robust two-sided intelligence competition—with US intelligence aiding US defense firms and monitoring Chinese S&T progress—should be expected to blunt whatever advantage for relative competitiveness that Chinese espionage might provide. This is to say nothing of fully above-board countermoves by firms and Western governments to compete with Chinese initiatives in the international marketplace.

Conclusion: Soviet Lessons for China?

In early 2013 the US intelligence community reportedly produced a classified National Intelligence Estimate concluding that China, as part of its economic development strategy, is running a major espionage campaign to acquire American technology and gain competitive advantages.75 A classified Defense Science Board report to the Pentagon allegedly concluded that “designs for many of the nation’s most sensitive advanced weapons systems have been compromised by Chinese hackers.”76 Yet what do these compromises mean for China’s quest to become a world-class science, technology, and military power?

As we have seen, there is very good evidence that China is indeed running an aggressive industrial espionage campaign to acquire corporate secrets from abroad. However, some secrets, and some of the most important ones, may be hard to extract from their localized context. There is also reason for cautious optimism that Western defenses are improving against Chinese intrusions, even as sloppy APT tradecraft is sure to improve in response. The belief that cyber espionage is a cheap and effective shortcut to improving industrial innovation is harder to substantiate. China has probably been able to use espionage to improve its S&T performance level, but this has happened in the context of an ambitious and expensive effort to absorb foreign expertise through any means possible. Absorption has not been cheap for China, and it has resulted in more imitation than true innovation. There are further reasons to be skeptical of the claim that espionage has given China a decisive competitive advantage at Western expense.

One of the most systematic and sustained campaigns of economic espionage in recent history was conducted by the Soviet Union against the United States throughout most of the twentieth century. Stalin relied heavily on illicit technology transfers prior to World War II. According to one historian, “the United States, as well as its wartime allies, became an important target for Soviet espionage of military industrial technology before the Cold War. This effort materially supported the industrial and technological development of the Soviet Union, particularly in the area of aircraft and weapons technology, and vitally assisted the war effort.”77 Soviet efforts continued and intensified during the Cold War. A 1985 assessment from the CIA, based on classified Soviet documents describing their technology transfer program, detailed “a massive, well-organized campaign by the Soviet Union to acquire Western technology illegally and legally for its weapons and military equipment projects. . . . Virtually every Soviet military research project—well over 4,000 each year in the late 1970s and over 5,000 in the early 1980s—benefits from these technical documents and hardware.”78 The implications of American losses for Soviet power were summarized with dramatic flair: “The assimilation of Western technology is so broad that the United States and other Western nations are subsidizing the Soviet military buildup.”79

The Soviet effort was comparable in its scale and intensity to China’s present cyber espionage campaign. The Soviets had thoroughly institutionalized industrial espionage by implementing a system of collection requirements, technical analysis, customer dissemination, and performance analysis. Given the central role that state, Party, and military institutions play in coordinating China’s S&T development, it is reasonable that China has set up a similar program for systematic absorption of data from cyber operations as part of its IDAR system. The CIA judged that stolen Western technology had reduced Soviet weapons RDA by up to two years for research projects in an advanced stage of development. For projects in an earlier stage of research, the cycle could be lessened by as much as five years. The report concluded that espionage “considerably shrinks overall research time, reduces the amount of resources devoted to weapon systems research, and allows diversion of those resources to other Soviet military research projects.”80 China, likewise, appears to have been able to accelerate its RDA through cyber espionage, and certainly through broader foreign technology transfer.

However, the Soviet case also contains a cautionary tale for Chinese officials and Western analysts alike. Ironically, the Soviet Union’s very success became a liability. It optimized its RDA system for imitation rather than innovation. Because the Soviets designed foreign dependence into the heart of their S&T apparatus, truly disruptive innovation was priced out of reach. The Soviets became trapped in a frantic game of catch-up with the West. The CIA thus concluded:

in spite of the several decades of massive investment in indigenous R&D, the prospects are small that the Soviets can reduce their dependence on a large variety of Western products and technology in this decade and the next without allowing the technological gap to widen. The main reasons for this continuing need are endemic to the Soviet system: the lack of adequate incentives, inflexible bureaucratic structures, excessive secrecy, and insularity from the West.81

The Soviet system required its Western competitors to be more technologically advanced than it was. It institutionalized second place. China is not the Soviet Union, and the Sino-American relationship is not the militarized hostility of the Cold War. The economies of both states are highly interdependent, and they have many reasons to seek mutual gains around the world. At the same time, however, the comparison between China and the Soviet Union with respect to systematic industrial espionage is suggestive. Espionage helped the Soviet Union to catch up, but it also contributed to its undoing. Chinese S&T leaders would do well to learn from this example. If China is to become the first-rate S&T power it aspires to be, it will have to perform on a level playing field without recourse to illicit technology. Whether China can actually give up its addiction to industrial espionage remains to be seen, but it certainly will not happen anytime soon.


Notes:

(1.) Economist Intelligence Unit, “Cyber Theft of Corporate Intellectual Property: The Nature of the Threat,” 2012, 14.

(2.) Jennifer Schlesinger, “Chinese Espionage on the Rise in US, Experts Warn,” CNBC Investigations, Inc., July 9, 2012.

(3.) Ron Rosenbaum, “Richard Clarke on Who Was behind the Stuxnet Attack,” Smithsonian Magazine, April 2012.

(4.) General Keith Alexander, keynote address at the American Enterprise Institute, Washington, DC, July 9, 2012, http://www.aei.org/events/2012/07/09/cybersecurity-and-american-power/.

(5.) Ibid.

(6.) Dinei Florêncio and Cormac Herley, “Sex, Lies, and Cyber-Crime Surveys,” Workshop on the Economics of Information Security, 2010; Peter Maass and Megha Rajagopalan, “Does Cybercrime Really Cost $1 Trillion?” ProPublica, August 1, 2012.

(7.) Ross Anderson, Chris Barton, Rainer Böhme, Richard Clayton, Michel J. G. Van Eeten, Michael Levi, Tyler Moore, and Stefan Savage, “Measuring the Cost of Cybercrime,” Workshop on the Economics of Information Security, June 2012.

(8.) Even monetizing stolen digital assets, like compromised bank accounts and credit cards, turns out to be a difficult problem for cybercriminals because their crimes, if detected, are so easily reversible. See D. Florêncio and C. Herley, “Is Everything We Know about Password Stealing Wrong?” IEEE Security & Privacy 10, no. 6 (November 2012): 63–69.

(9.) Office of the National Counterintelligence Executive, Foreign Spies Stealing US Economic Secrets in Cyberspace, Report to Congress on Foreign Economic Collection and Industrial Espionage 2009–2011, October 2011, 4.

(10.) Chris Strohm, Eric Engleman, and Dave Michaels, “Cyberattacks Abound Yet Companies Tell SEC Losses are Few,” Bloomberg, April 3, 2013.

(11.) James Lewis and Stewart Baker, “The Economic Impact of Cybercrime and Cyber Espionage,” McAfee and the Center for Strategic and International Studies, July 2013.

(12.) James Lewis, “Five Myths about Chinese Hackers,” Washington Post, March 22, 2013.

(13.) J. R. Harris, Industrial Espionage and Technology Transfer: Britain and France in the Eighteenth Century (London: Ashgate, 1998), 564.

(14.) Ibid., 559.

(15.) Absorptive capacity in the fields of business management and organizational economics refers to the ability of an organization to recognize, assimilate, and utilize new knowledge. The primary focus for economists and management experts has been on the role of firms in developed markets, but many of the same forces at play are also relevant for examining the Chinese defense S&T system. Wesley Cohen and Daniel Levinthal, “Absorptive Capacity: A New Perspective on Learning and Innovation,” Administrative Science Quarterly 35, no. 1 (March 1990): 128–52. The framework presented here is similar to that developed by Shaker Zahra and Gerard George, “Absorptive Capacity: A Review, Reconceptualization, and Extension,” Academy of Management Review 27 (April 2002): 185–202, which distinguishes potential absorptive capacity (acquisition and assimilation) from realized absorptive capacity (transformation and exploitation). Our framework for espionage breaks out “acquisition” separately to focus on the intelligence problems, while we use “absorption” as a covering term for all the complex processes Zahra and George discuss as assimilation and realized absorptive capacity.

(16.) John Seely Brown and Paul Duguid, The Social Life of Information (Cambridge, MA: Harvard Business School Press, 2000); Claudio Ciborra, The Labyrinths of Information: Challenging the Wisdom of Systems (New York: Oxford University Press, 2002).

(17.) Tai Ming Cheung, “The Chinese Defense Economy’s Long March from Imitation to Innovation,” Journal of Strategic Studies 34, no. 3 (2011): 325–54.

(18.) Ibid.

(19.) James McGregor, “China’s Drive for ‘Indigenous Innovation’: A Web of Industrial Policies,” U.S. Chamber of Commerce, Global Intellectual Property Center, 2010.

(20.) Evan A. Feigenbaum, China’s Techno-Warriors: National Security and Strategic Competition from the Nuclear to the Information Age (Stanford, CA: Stanford University Press, 2003), 162–64.

(21.) Office of the National Counterintelligence Executive, Foreign Spies Stealing US Economic Secrets in Cyberspace, 7.

(22.) Rich Bell, J. Ethan Bennett, Jillian R. Boles, David M. Goodoien, Jeff W. Irving, Phillip B. Kuhlman, and Amanda K. White, “Estimating the Economic Costs of Espionage,” paper prepared for CENTRA Technology by the George Bush School of Government and Public Service, Texas A&M University, May 3, 2010; BBC News, “Chinese Scientist Huang Kexue Jailed for Trade Theft,” December 21, 2011, http://www.bbc.co.uk/news/business-16297237.

(23.) Peter Toren, “A Report on Prosecutions under the Economic Espionage Act,” Trade Secret Law Summit, AIPLA Annual Meeting, Washington, DC, October 23, 2012, 6–7.

(24.) Verizon, 2013 Data Breach Investigations Report, 21, www.verizonenterprise.com/DBIR/2013. It must be stressed that this high number may reflect a higher propensity for Chinese intrusions to get caught or reported, not an absence of other countries involved in cyber espionage. Indeed, Verizon (2014 Data Breach Investigations Report, 39, www.verizonenterprise.com/DBIR/2014) reports an increase in Eastern European cyber espionage, up to 21%, while East Asia (China and DPRK) account for 49%, and 25% was unattributed. Chinese tradecraft may be improving even as other actors are getting in on the game.

(25.) United States v. Dongfan “Greg” Chung, No. SACR 08-00024-CJC (2008).

(26.) Richard Bejtlich, testimony before the U.S.-China Economic and Security Review Commission Hearing “Developments in China’s Cyber and Nuclear Capabilities,” March 26, 2012. US Intelligence has tracked Chinese APTs in the classified domain at least since 2002 according to James Glanz and John Markoff, “Vast Hacking by a China Fearful of the Web,” New York Times, December 4, 2010.

(27.) The Flame and Gauss intrusions discovered on computers in the Middle East, and assessed to be part of the US/Israeli Olympic Games family of malware that includes Stuxnet, can also be considered APTs. Ellen Nakashima, Greg Miller, and Julie Tate, “U.S., Israel Developed Flame Computer Virus to Slow Iranian Nuclear Efforts, Officials Say,” Washington Post, June 19, 2012; Kaspersky Lab, “Gauss: Abnormal Distribution,” Kaspersky Lab White Paper, August 2012.

(28.) Industrial-scale cybercriminals seek to be profitable at scale against thousands or millions of potential victims (or customers), and they are usually successful against only a tiny fraction of them; by contrast, APTs invest effort against each particular target to increase their odds of success. Low-grade, automated, scalable attacks—the majority of online crime—encounter a reasonably effective sum-of-effort defense, but high-end, customized, nonscalable APTs face a weakest-link defense that is much harder to defend against. Cormac Herley, “When Does Targeting Make Sense for an Attacker?” IEEE Security & Privacy 11, no. 2 (2013): 89–92.

(29.) Mandiant, APT1: Exposing One of China’s Cyber Espionage Units, White Paper, January 2013, 27–38, provides an accessible description of one APT’s “lifecycle.”

(30.) Nathan Thornburgh, “The Invasion of the Chinese Cyberspies (and the Man Who Tried to Stop Them): An Exclusive Look at How the Hackers Called TITAN RAIN Are Stealing U.S. Secrets,” Time, September 5, 2005.

(31.) This dataset has been cross-checked against other compiled lists of Chinese cyber activity such as Laura Saporito and James A. Lewis, “Cyber Incidents Attributed to China,” Center for Strategic and International Studies, March 14, 2013. But there will inevitably be some Chinese intrusions reported in English and (more likely) non-English media that are not included here. This dataset does not include reports about Chinese cyber espionage aggregated across intrusion sets such as the 2011 report, Office of the National Counterintelligence Executive, Foreign Spies Stealing US Economic Secrets in Cyberspace; 2009 or 2012 Northrop Grumman reports for the U.S.-China Economic and Security Review Commission; or the many general alarms about widespread Chinese espionage that do not reveal new specific intrusions.

(32.) Mandiant, APT1, 3.

(33.) Glanz and Markoff, “Vast Hacking by a China Fearful of the Web.”

(34.) For a timeline of APT1 intrusions by industry see Mandiant, APT1, 23.

(35.) Ariana Eunjung Cha and Ellen Nakashima, “Google China Cyberattack Part of Vast Espionage Campaign, Experts Say,” Washington Post, January 14, 2010.

(36.) Zhang Yixuan, “US Finds an Excuse for Expanding Its ‘Cyber Troop,’” Renmin Ribao Online (overseas edition), February 4, 2013.

(37.) A State Department cable commented on Chinese use of commercial firms: “TOPSEC Network Security Technology Company . . . China’s largest provider of information security products and services . . . provides services and training for the PLA and has recruited hackers in the past. . . . While links between top Chinese companies and the PRC are not uncommon, it illustrates the PRC’s use of its ‘private sector’ in support of governmental information warfare objectives, especially in its ability to gather, process, and exploit information.” Secretary of State, “Diplomatic Security Daily,” June 27–29, 2009, WikiLeaks cable posted in New York Times, http://www.nytimes.com/interactive/2010/11/28/world/20101128-cables-viewer.html#report/china-09STATE67105.

(38.) Pollpeter, chapter 6 in this volume; Stokes, chapter 7 in this volume; Sheldon and McReynolds, chapter 8 in this volume.

(39.) Nart Villeneuve, testimony before the U.S.-China Economic and Security Review Commission Hearing “Developments in China’s Cyber and Nuclear Capabilities,” March 26, 2012.

(40.) Cyber exploitation has become such a matter of bureaucratic routine that one young Chinese hacker wrote on his blog, “If we’re lucky enough we might be able to complete this year’s target and earn a year-end bonus for everyone.” He also despaired over long hours of hacking drudgery: “How can passionate young people like us handle a prison-like environment like this?” Barbara Demick, “China Hacker’s Angst Opens a Window onto Cyber-Espionage,” Los Angeles Times, March 12, 2013.

(41.) Mandiant, APT1, 51.

(42.) According to Mandiant (M-Trends: Beyond the Breach, 2014 Threat Report, April 2014), major APTs paused and altered their tradecraft after their compromise in early 2013.

(43.) James E. Short, Roger E. Bohn, and Chaitanya Baru, How Much Information? 2010 Report on Enterprise Server Information, Global Information Industry Center, School of International Relations and Pacific Studies, UC San Diego.

(45.) “Opinions to Encourage Technology Transfer and Innovation and Promote the Transformation of the Growth Mode in Foreign Trade” was issued by a group of eight powerful government economic, financial, and planning agencies that included the National Development and Reform Commission, Ministry of Finance, and Ministry of Commerce.

(46.) For an example of how one industry implemented this strategy, see “Railway Ministry: Our Country’s Railway Is about How to Introduce, Absorb, and Re-innovate,” Xinhua, April 29, 2007.

(47.) For detailed analysis of China’s defense economy, see Tai Ming Cheung, Fortifying China: The Struggle to Build a Modern Defense Economy (Ithaca, NY: Cornell University Press, 2009).

(48.) Interview with senior Russian Defense Ministry official, Moscow, April 1993, reported in Tai Ming Cheung, “China’s Buying Spree,” Far Eastern Economic Review, July 8, 1993, 24‒26. See also Tai Ming Cheung, “Ties of Convenience: Sino-Russian Military Relations in the 1990s,” in China’s Military: The PLA in 1992/1993, ed. Richard H. Yang (Boulder, CO: Westview Press, 1993), 61‒77.

(49.) “China’s Imitation of Su-27SK and Its Impact,” Kanwa Asian Defense Review, May 2008.

(50.) “China ‘Cloning’ Russian Weapons Despite Intellectual Property Agreement,” Nezavisimoye Voyennoye Obozreniye, December 3, 2010.

(51.) On the role of the GAD S&T Committee, see Eric Hagt, “The Science and Technology Committee: PLA-Industry Relations and Implications for Defense Innovation,” in Forging China’s Military Might: A New Framework for Assessing Innovation, ed. Tai Ming Cheung (Baltimore, MD: Johns Hopkins University Press, 2013), chap. 3, 66‒86.

(52.) See William C. Hannas, James Mulvenon, and Anna B. Puglisi, Chinese Industrial Espionage: Technology Acquisition and Military Modernization (London: Routledge, 2013), chap. 2.

(53.) Xu Guanghua, “The Development of the S&T Information Industry in the Building of an Innovation Country,” speech at the Fiftieth Anniversary of the Institute of Scientific and Technical Information of China, October 16, 2006.

(54.) Hannas, Mulvenon, and Puglisi, Chinese Industrial Espionage, 22.

(55.) See http://www.dstpc.org for introductions to most of these entities.

(56.) One study suggests that 80% or more of S&T technical information requirements can be obtained from open-source publications, while the remainder needs to be collected from “special means.” Huo Zhongwen and Wang Zongxiao, Sources and Techniques of Obtaining National Defense Science and Technology Intelligence (Beijing: Science and Technology Literature Press, 1991), 84–85.

(57.) “Science and Technology Vanguard, Think Tank for Decision-Making,” Zhongguo Jungong Bao, November 17, 2012.

(58.) Ibid.

(59.) National Development and Reform Commission, “Administrative Measures on National Engineering Research Centers,” National Development and Reform Commission website, March 2007.

(60.) “China Has over $10b Tech Trade Deficit,” China Daily, December 6, 2012, and “China Signs More Technology Import Contracts in 2005,” People’s Daily, January 9, 2006.

(61.) MIIT, “12th Five-Year Program for Development of High-End Equipment Manufacturing Industry,” July 9, 2012.

(62.) “Train Makers Rail Against China’s High-Speed Designs,” Wall Street Journal, November 17, 2010.

(63.) “12th Five-Year Development Program for the Rail Transportation Equipment Industry,” which is contained in MIIT, “12th Five Year Program for Development of High-End Equipment Manufacturing Industry.”

(64.) Ibid.

(65.) Only two of the ten chapters in Hannas, Mulvenon, and Puglisi, Chinese Industrial Espionage, are actually about espionage. The other chapters describe legitimate forms of technology transfer such as open-source analysis, students abroad, and joint ventures.

(66.) Michael Beckley, “China’s Century? Why America’s Edge Will Endure,” International Security 36, no. 3 (2011): 41–78.

(67.) AnnaLee Saxenian, Regional Advantage: Culture and Competition in Silicon Valley and Route 128 (Cambridge, MA: Harvard University Press, 1996); AnnaLee Saxenian, The New Argonauts: Regional Advantage in a Global Economy (Cambridge, MA: Harvard University Press, 2006).

(68.) Allan A. Friedman, Austen Mack-Crane, and Ross A. Hammond, “Cyber-Enabled Competitive Data Theft: A Framework for Modeling Long-Run Cybersecurity Consequences,” Center for Technology Innovation Working Paper, Brookings Institution, December 2013.

(69.) Gregory F. Treverton, Reshaping National Intelligence in an Age of Information (New York: Cambridge University Press, 2001), 11.

(70.) George Lardner, “U.S. Demands for Economic Intelligence Up Sharply, Gates Says,” Washington Post, April 14, 1992, A5.

(71.) Glenn Hastedt, “Seeking Economic Security through Intelligence,” International Journal of Intelligence and Counterintelligence 11, no. 4 (1998): –387. For example, “the creation of economic profiles for such newly-independent states as Kazakhstan and Uzbekistan; predictions of the direction which Chinese macroeconomic policy would take; studies on the effectiveness of economic sanctions against Iraq; surveys of the scope of the Third World debt problem; predictions regarding the Mexican peso crisis of 1994; monitoring the operations of international financial institutions such as the Bank of Credit and Commerce International (BCCI); and recognizing and uncovering unfair business practices on the part of other nations and foreign companies” (388).

(72.) Stansfield Turner, “Intelligence for a New World Order,” Foreign Affairs 70, no. 4 (Fall 1991): 152.

(74.) Joseph C. Evans, “U.S. Business Competitiveness and the Intelligence Community,” International Journal of Intelligence and Counterintelligence 7, no. 3 (1994): 353–62; Kristen Michal, “Business Counterintelligence and the Role of the U.S. Intelligence Community,” International Journal of Intelligence and Counterintelligence 7, no. 4 (1994): 413–27.

(77.) Katherine A. S. Sibley, “Soviet Industrial Espionage against American Military Technology and the U.S. Response, 1930–1945,” Intelligence and National Security 14, no. 2 (1999): 94–123.

(78.) Central Intelligence Agency, Soviet Acquisition of Militarily Significant Western Technology: An Update, September, 1985, abstract.

(79.) Ibid.

(80.) Ibid., 8.

(81.) Ibid., 1.

(82.) Nathan Thornburgh, “The Invasion of the Chinese Cyberspies (and the Man Who Tried to Stop Them): An Exclusive Look at How the Hackers Called TITAN RAIN Are Stealing U.S. Secrets,” Time, September 5, 2005.

(83.) Associated Press, “Computer Hackers Attack State Dept.,” New York Times, July 12, 2006; Ted Bridis, “Agency Hacking Said to Originate in Asia,” Washington Post, July 12, 2006.

(84.) Alan Sipress, “Computer System under Attack,” Washington Post, October 6, 2006.

(85.) “Chinese Hackers Prompt Navy College Site Closure,” Washington Times, November 30, 2006.

(86.) Demetri Sevastopulo, “Chinese Hacked into Pentagon,” Financial Times, September 3, 2007.

(87.) Maarten Van Horenbeeck, “Crouching Powerpoint, Hidden Trojan,” Twenty-Fourth Chaos Communication Congress, Berlin, December 27, 2007; Maarten Van Horenbeeck, “Is Troy Burning? An Overview of Targeted Trojan Attacks,” SANSFire 2008, Washington, DC.

(88.) “Wolf Reveals House Computers Compromised by Outside Source,” Congressman Frank Wolf, press release, June 11, 2008.

(89.) Demetri Sevastopulo, “Cyber-Attacks on McCain and Obama Teams ‘Came from China,’” Financial Times, November 7, 2008.

(90.) Information Warfare Monitor, Tracking Ghostnet: Investigating a Cyber Espionage Network, Secdev Group and University of Toronto Citizen Lab, March 29, 2009.

(91.) Siobhan Gorman, August Cole, and Yochi Dreazen, “Computer Spies Breach Fighter-Jet Project,” Wall Street Journal, April 21, 2009.

(92.) Ariana Eunjung Cha and Ellen Nakashima, “Google China Cyberattack Part of Vast Espionage Campaign, Experts Say,” Washington Post, January 14, 2010; McAfee Labs, “Protecting Your Critical Assets: Lessons Learned from ‘Operation Aurora,’” 2010.

(93.) Information Warfare Monitor, Shadows in the Cloud: An Investigation into Cyber Espionage 2.0, Joint Report of the Information Warfare Monitor and Shadowserver Foundation, April 6, 2010.

(94.) James Glanz and John Markoff, “Vast Hacking by a China Fearful of the Web,” New York Times, December 4, 2010; Brian Grow and Mark Hosenball, “Special Report: In Cyberspy versus Cyberspy, China Has the Edge,” Reuters, April 14, 2011; Michael Riley and Dune Lawrence, “China Hackers Hit EU Point Man and D.C. with Byzantine Candor,” Bloomberg, July 26, 2012.

(95.) McAfee Labs, “Global Energy Cyberattacks: Night Dragon,” February 2011.

(96.) Christopher Drew, “Stolen Data Is Tracked to Hacking at Lockheed,” New York Times, June 3, 2011; Uri Rivner, “Anatomy of an Attack,” RSA Blog, April 1, 2011.

(97.) Dmitri Alperovitch, “Revealed: Operation Shady RAT,” McAfee Labs, 2011.

(98.) Nart Villeneuve and David Sancho, “The ‘Lurid’ Downloader,” Trend Micro Inc. Research Paper, September 2011.

(99.) Eric Chien and Gavin O’Gorman, “The Nitro Attacks: Stealing Secrets from the Chemical Industry,” Symantec, 2012.

(100.) Stephen Doherty and Piotr Krysiuk, “Trojan.Taidoor: Targeting Think Tanks,” Symantec, March 2012.

(101.) “Inside an APT Campaign with Multiple Targets in India and Japan,” Trend Micro Research Paper, 2012; “The Luckycat Hackers,” Symantec, March 2012.

(102.) David Sancho, Jessa dela Torre, Matsukawa Bakuei, Nart Villeneuve, and Robert McArdle, “IXESHE: An APT Campaign,” Trend Micro Inc. Research Paper, May 2012.

(103.) Alex Cox, Chris Elisan, Will Gragido, Chris Harrington, and Jon McNeill, “The VOHO Campaign: An in Depth Analysis,” RSA FirstWatch White Paper, RSA, July 2012.

(104.) Mark Clayton, “Stealing US Business Secrets: Experts ID Two Huge Cyber ‘Gangs’ in China,” Christian Science Monitor, September 14, 2012; Gavin O’Gorman and Geoff McDonald, “The Elderwood Project,” Symantec, 2012.

(105.) Michael Riley, “China Mafia-Style Hack Attack Drives California Firm to Brink,” Bloomberg, November 27, 2012.

(106.) Nicole Perlroth, “Hackers in China Attacked the Times for Last 4 Months,” New York Times, January 31, 2013; Nicole Perlroth, “Washington Post Joins List of News Media Hacked by the Chinese,” New York Times, February 1, 2013; Nicole Perlroth, “Wall Street Journal Announces That It, Too, Was Hacked By the Chinese,” New York Times, January 31, 2013.

(107.) Roland Dela Paz, “The HeartBeat APT Campaign,” Trend Micro Inc. Research Paper, January 2013.

(108.) Mandiant, APT1.

(109.) “Chinese Ties Suspected in APT Targeting Aerospace and Defense Industries,” Infosecurity Magazine, February 4, 2013; “Fresh Operation Beebus Attack Targets Military Drone Technology,” Infosecurity Magazine, April 22, 2013.

(110.) Harry Sverdlove, “Bit9 Security Incident Update,” Bit9 Blog, February 25, 2013.

(111.) Nicole Perlroth, David E. Sanger and Michael S. Schmidt, “As Hacking against U.S. Rises, Experts Try to Pin Down Motive,” New York Times, March 4, 2013.

(112.) Michael Riley and Ben Elgin, “China’s Cyberspies Outwit Model for Bond’s Q,” Bloomberg, May 2, 2013.

(113.) John Kerin and Christopher Joye, “Chinese Hackers Steal ASIO Building Plans: Report,” Australian Financial Review, May 28, 2013.

(114.) Nart Villeneuve and Kyle Wilhoit, “Safe: A Targeted Threat,” Trend Micro Inc. Research Paper, May 2013.

(115.) Tom Simonite, “Chinese Hacking Team Caught Taking Over Decoy Water Plant,” MIT Technology Review, August 2, 2013; Kyle Wilhoit, “The SCADA That Didn’t Cry Wolf: Who’s Really Attacking Your ICS Devices Part Deux!” presentation at Black Hat 2013, Las Vegas, Nevada, August 1, 2013.

(116.) Claudio Guarnieri, “Upcoming G20 Summit Fuels Espionage Operations,” Rapid7 Security Street Blog, August 26, 2013.

(117.) Stephen Doherty, Jozsef Gegeny, Branko Spasojevic, and Jonell Baltazar, “Hidden Lynx: Professional Hackers for Hire. Security Response,” Symantec, September 17, 2013.

(118.) Kaspersky Lab Global Research and Analysis Team, “The ‘Icefog’ APT: A Tale of Cloak and Three Daggers,” Kaspersky Lab, September 2013.