The Dragon of the East Goes Spear-Phishing

THE INDICTMENT

Are you sitting down?  Good, because I have some troubling news.  The Chinese are spying on us!  Yes, the sarcastic tone detracts from the gravity of the situation, but the media has been awhirl with the merely symbolic indictment of PLA Unit 61398.  The recent incident involving several Pittsburgh-based companies demonstrates that national security hits home.  The question that remains is: So what?  We spy on allies and companies of interest, and our allies certainly steal our trade secrets.  There is a reason people call espionage the second oldest profession.  But what concerns policymakers and intelligence analysts in the long-term is the shear alacrity and overtness of Chinese cyber espionage targeting American industry.

First, it is important to define terms as scholars, governments, and companies have various definitions.  While there are permutations of each definition, industrial espionage is simply one private company stealing from another; on the other hand, economic espionage involves foreign government-backed activity.  For instance, IBM stealing from Google would be industrial espionage, but China stealing U.S. trade secrets is economic espionage; this article focuses on the latter.   The issue becomes increasingly muddled with state-owned enterprises and private defense contractors, but the concepts remain the same.

Another key distinction is between cyber war and cyber exploitation or spying.  Although there is little differentiation in academia, cyber war is more about offensive penetration capabilities.  Stuxnet, the U.S./Israeli virus that attacked Iranian nuclear centrifuges is an example of cyber war.  Cyber espionage or exploitation is also penetrative, but involves the covert collection of data rather than attack or destruction of systems.  This is the type of operation PLA Unit 61398 is accused of committing.  The difference is subtle, but the policy and strategic implications, subsequently addressed, are significant.

THE COSTS

In 2001, the FBI released a report claiming that 22% of the industrial “suspicious activity” was government-sponsored.  However, a deeper look at the pilfering of American technology illustrates a graver threat to national security; the cost is potentially staggering.  The Center for Strategic and International Studies produced this table in 2013 to illustrate the potential damages:

tableCSIS estimates that global and U.S. cyber-crime at most costs 1.4% and .8% of GDP or $1 trillion and $120 billion, respectively.   Conversely, the FBI testified during a House subcommittee on Counterterrorism and Intelligence that the loss to U.S. companies is approximately $13 billion.  Nevertheless, the disparate estimates illustrate a key point:  there are significant barriers to quantifying the costs of economic espionage.  In the end, loss of intellectual property is difficult to calculate.   Simply assessing the opportunity cost of research and development does not tell the whole story.

This problem is pertinent to national security as well.  Chinese military officers stealing Alcoa’s aluminum trade secrets has the potential to damage the economy and U.S. companies.  But what if China stole secrets that can enhance nuclear weapons?  Well it did, albeit over fifteen years ago.  Defense contractors and military technology is on the top of the list for foreign governments.  A recent commission by defense contractor Northrop Grumman to assess China’s capacity to conduct cyber warfare and espionage labeled it as the “…single greatest threat to U.S. technology…”  Countless examples of Chinese cyber espionage operations and subsequent investigations, cat and mouse games, and code-names such as Ghost Net, Aurora, and Shady Rat epitomize Sino-U.S. cyber relations.  There are myriad sources detailing Chinese industrial and economic espionage in books, reports, and house review, yet this is nothing new.

Some researchers argue that the Chinese ethos embodies intelligence collection. Military and strategic intelligence is ingrained in Chinese culture, originating with Sun Tzu’s Art of War (sunzi bingfa).  This is not an ethnocentric accusation, but merely an observation held by scholars and intelligence analysts.  Intelligence and the Art of War is applicable in various facets of Chinese culture.  Four years ago I studied Chinese business culture at Fudan University in Shanghai.  We were required to memorize lines from Sun Tzu and apply it to contemporary business models.  Yet the claim that Chinese steal more aggressively due to cultural propensities is unfounded.  In the past, some of the greatest perpetrators of economic espionage against the United States were the French and Israelis.  The shift is simply because China is a rising power, no different from the expansion of Soviet espionage during the Cold War.  In this case, however, the high-tech advancements in information and communication technologies (ICTs) create attribution problems and permit government agents to operate thousands of miles away. In sum, as long as there is a technological gap or economic advantage, countries will spy and steal, and China is no different.

THE IMPLICATIONS

This does that change the fact that China is presently the consummate pilferer of U.S. technology and something must be done.  First, we need to know how much economic espionage is truly hurting the U.S. economy.  There is no doubt that stealing military secrets from a defense contractor will weaken the U.S. relative to other nations, but the jury is still out on the impact of cyber spying on U.S. companies.  The House Committee on Counterterrorism and Intelligence claims that foreign government-backed corporate espionage is costing U.S. jobs and billions of dollars.  There are many examples of companies going under after Chinese, French, and Israeli stole secrets, but, as previously mentioned, the estimates range greatly.  The U.S. needs to enhance its ability to articulate, quantify, and communicate losses due to economic espionage.

American security policy also includes the enhancement of cyber capabilities, but the investment in resources is misplaced.  The establishment of U.S. CYBERCOM is one way the U.S. beefs up its attack and defense capabilities.  But the enlistment of cyber-warriors, as necessary as it is, is the incorrect response to cyber espionage.  Cyber-warriors are for cyber-war, not necessarily cyber exploitation or espionage. The Chinese are not looking to engage the U.S. in a cyber-war, or a war on any battlefield in the near future.  American military prowess and technological capabilities are unequalled. So the Chinese (and other nations) will continue to steal in an attempt to level the playing field.  The U.S. needs cyber spies, not warriors, and the FBI is falling behind.  In fact, the agency has begun to recognize this after the recent indictment of the PLA Unit.  Several days after the announcement, the FBI is considering changing its drug policy to encourage young hackers and computer programmers to apply. Explicit cyber-war is a long way away, but cyber spying has been here for quite some time and there is no indication it is going anywhere. China has become increasingly aggressive and more overt it its tactics, but, in the end, art of war has not changed.