The 2015 agreement between Xi and Obama produced only a lull in Beijing’s economic espionage.
The Chinese theft of U.S. intellectual property remains a “critical” threat, with perpetrators who have adapted to evade the structures of a 3-year-old ban on such hacking, according to a top-secret report intelligence officials sent to Congress this week.
It wasn’t supposed to be this way. In 2015, the U.S. and China signed an agreement to curb Chinese economic espionage over the Internet. That produced a “lull” in Chinese cyber theft, but did not stop it, William Evanina, the director of the National Counterintelligence and Security Center, told reporters Thursday. As the digital ecosystem continues to expand so does the threat posed by Chinese industrial cyber theft to America’s long-term economic power.
Evanina’s office made a shorter, unclassified version of the report available to journalists and to the public. It lists a variety of known cases of recent Chinese economic espionage, as well as other perpetrators of cyber economic espionage. But officials both during their briefing and in their report highlighted China.
“Most Chinese cyber operations against U.S. private industry that have been detected are focused on cleared defense contractors or IT and communications firms whose products and services support government and private sector networks worldwide,” it reads.
One such product, the report says, is CCleaner, a popular consumer application that removes unwanted files from computers. Chinese cyber actors penetrated its production process and pasted malicious code into the application before it shipped, potentially compromising the computers of its 2.3 million customers.
“We are not prepared as a nation to deal with the supply chain threat, holistically,” said Evanina.
“We believe that China will continue to be a threat to U.S.proprietary technology and intellectual property through cyber-enabled means or other methods. If this threat is not addressed, it could erode America’s long-term competitive economic advantage,” says the nonclassified version of the report.
Among the industries in which China and other foreign nations have the most interest are: energy and alternative energy; biotechnology; defense technology; environmental protection; a high-end manufacturing, and information and communications technology.
Evanina said the good news is that detection and reporting of cyber espionage has gotten much faster than it was a few years ago.
“Last year represented a watershed in the reporting of software supply chain operations. In 2017, seven significant events were reported in the public domain compared to only four between 2014 and 2016. As the number of events grows, so too are the potential impacts,” notes the report.
Michael Moss, the deputy director of the Cyber Threat Intelligence Integration Center, noted that reporting still isn’t keeping up with rapidly adapting hackers. “They’ll surprise me with how quickly they’ll move… how fast it continues to accelerate.”
The other piece of good news in the officials’ estimates: only a tiny slice of the exploits and vulnerabilities that hackers are using to conduct economic espionage are fancy zero-days that no one has ever seen, the sorts of bugs that you need a gymnasium full of cracker-jack military hackers to find. In fact, most are bugs and vulnerabilities that the public, and network managers, should already know about because they’re on the National Vulnerabilities Database, a massive public list of software bugs maintained by the National Institute of Standards and Technology. Software manufacturers will usually issue patches once a vulnerability in their software shows up on the list. But it’s up to individual IT managers at different companies and enterprises to then make sure that every machine is up to do date on all those patches.
“The trend is actually towards use of the less sophisticated, less expensive [publically known exploits.] That presents some second- and third-order complications, as well,” said Moss. ”One of the reasons that a nation state might be inspired to do that, since everybody’s using that tool, it’s harder to prove it was me that did it, right? Whereas if I have written custom code and I’ve used a certain tradecraft, I’ll do it a certain way, right? I’ll start to develop a…signature, right? I can be identified. Folks can say, ‘Hey, that looks like that. That’s usually used by country X, or country Y.’ But if I’m using that exploit tool that I downloaded, well, heck, the high school hackers are using that, too. So how do you know it was me? So the trend actually is towards the more widely-available…tools.”
A case in point, though not related to industrial espionage, theWannaCry attacks that crippled hospitals in 2017. Microsoft issued a patch in March, but slow adoption allowed the worst attacks to occur in June.
It’s one big reason Evanina is reaching out to Congress, and to industry, which owns the treasured and the buggy machines that make it vulnerable.
Patching continues to be “problematic,” he said, urging industry leaders to move toward “an enterprise-level solution.”