China's Industrial Espionage Knows No Bounds

china espioinageEvery major company in the United States has already been penetrated by China. So says cyber security expert and former White House counter-terrorism advisor Richard Clarke. In a new Smithsonian Magazine interview, Clarke amplifies what has already been revealed, China is ripping off U.S. and other corporations left and right.

“My greatest fear,” Clarke says, “is that, rather than having a cyber-Pearl Harbor event, we will instead have this death of a thousand cuts. Where we lose our competitiveness by having all of our research and development stolen by the Chinese. And we never really see the single event that makes us do something about it. That it’s always just below our pain threshold. That company after company in the United States spends millions, hundreds of millions, in some cases billions of dollars on R&D and that information goes free to China....After a while you can’t compete.”

Clarke isn't an alarmist or exaggerating. Earlier we've seen report after report proving the same thing. Bloomberg Law gives a solid overview of recent events in the below video clip:

 

 

The U.S.-China Economic & Security Review Commission held a hearing, Developments in China’s Cyber and Nuclear Capabilities. Anyone who has ever run a server knows major attacks happen daily from China. It appears there is a new kid on the block, malware campaigns designed to extract specific information by targeting individuals and certain groups.

Nart Villeneuve, a computer security expert, testified:

There has been dramatic increase in targeted malware attacks. Unlike the largely indiscriminate attacks that focus on stealing credit card and banking information associated with cybercrime, these targeted attacks are noticeably different and are better characterized as malware-based espionage. These highly targeted attacks are computer intrusions staged by threat actors that aggressively pursue and compromise specific targets, often leveraging social engineering or the “art of manipulation”, in order to maintain a persistent presence within the victim’s network so that they can move laterally and extract sensitive information.

While government and military networks have long been targets, these highly targeted attacks have spread to the defense industrial base and high tech companies, the energy and finance sectors, telecommunications companies as well as media outlets, civil society organizations and academic institutions.

These types of attacks, geared to obtain sensitive information are called APT or Advanced Persistent Threat.

The USCC also issued a new report, Occupying the Information High Ground (pdf), which analyzes China's Capabilities for Computer Network Operations and Cyber Espionage. This report, by Northrup Grumman paints a not so pretty picture, simply by describing a few cyber security incidents as examples.

The report describes penetration into defense contractor Lockheed Martin as well as the security and encryption software company RSA. Beyond running phishing emails the report concludes:

Recent developments in Chinese CNO applications and R&D point to a nation fully engaged in leveraging all available resources to create a diverse, technically advanced ability to operate in cyberspace as another means of meeting military and civilian goals for national development.

Richard Bejtlich, the Chief Security Officer for Mandiant, did identify the origin of APT attacks as China. Even more amazing, companies are not aware, do not discover they have been compromised or ripped off until it's way too late or a 3rd party lets them know. Here is Bejtlich's breakdown of compromised 2011 targets:

Most of the APT groups we track target the US defense industrial base (DIB). Some of these groups also target US government agencies, think tanks and political organizations, and other commercial or private targets. Our most recent M-Trends research report described our consulting caseload for 2011 in these terms:

  • Communications companies: 23%
  • Aerospace and defense: 18%
  • Computer hardware and software: 14%
  • Energy or Oil and Gas: 10%
  • Electronics: 10%
  • Other, of which the financial sector was the largest component: 25%

The in depth article Inside the Chinese Boom in Corporate Espionage reads like a 1960's cold war movie. Unfortunately it's all real. The article describes what happened to AMSC, a wind turbine manufacturer. The company expanded in China, received orders from China and was then ripped off by China and undercut to the point their profits and stock price tumbled like a Lehman Brother's horror movie. China's ripoff machine is real and any engineer worth their salt is aware of it and how it is done. Unfortunately executives rarely listen to their engineers.

14 U.S. intelligence agencies issued a report describing a far-reaching industrial espionage campaign by Chinese spy agencies. This campaign has been in the works for years and targets a swath of industries: biotechnology, telecommunications, and nanotechnology, as well as clean energy. One U.S. metallurgical company lost technology to China’s hackers that cost $1 billion and 20 years to develop, U.S. officials said last year.

Just today the FBI called combating hackers unsustainable, a war the U.S. has already lost and there isn't one secure unclassified corporate network in the United States.

Here we are, with malware from the manual human to the beyond belief sophisticated Stuxnet, what hit Iran's nuclear facilities. Yet America's corporations continue to expand in China and it's business as usual even when it means losing billions and even their marketplace dominance.

Meta: 

Comments

Probably right

Clarke is likely right about this, just as he was right about nearly everything. (I have to admit shamefully that I doubted him until raw facts proved him right....)

China doesn't do Pearl Harbors. Never did. China always overwhelms by sheer numbers, and they were already overwhelming our industries and research facilities 25 years ago. This is very old news.

what's new about old

are the techniques, literally they are targeting individuals, more like classic fraud coming out of Nigeria, but with low technology, i.e. phishing emails that look like, sound like something one would see every day associated with their work.

I think Clarke is probably right about this and the real story is this has been going on, as you point out, for 25 years yet administration after administration does nothing. While Iran, N. Korea make the news as the current global threats, cyber threats clearly are doing the most damage to the U.S.

Very old news, very old philosophy

Sun Tzu is often paraphrased as advising that the best victory is without firing a single shot (or dropping a single bomb). E.g., Paul Chappell (West Point graduate) cites to Sun Tsu, as follows:

The most powerful thing, truly, is to win a war without firing a single shot. Sun Tzu once said, “winning a hundred victories in a hundred battles is not the pinnacle of excellence; defeating your enemy without bloodshed is the pinnacle of excellence.”

www.stanford.edu/group/captology/cgi-bin/peaceinnovation/?p=93

Another translation puts it this way: "For to win one hundred victories in one hundred battles is not the acme of skill. To subdue the enemy without fighting is the acme of skill." ----------------- Sun Tzu: Art of War, Chapter 3, translation from
en.wikiquote.org/wiki/Sun_Tzu

This Sun Tzu insight was famously illustrated in the non-fight on the boat out to the island in the Bruce Lee classic, 'Enter the Dragon', when Lee makes a fool out of a minor character who bullies a member of the boat's crew.

Other gems of wisdom from Sun Tzu that could serve the Pentagon and the American public well to study --

"It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle." (Sun Tzu, ibid.)

"What is essential in war is victory, not prolonged operations." (Ibid., Chapter 2)

"In the practical art of war, the best thing of all is to take the enemy's country whole and intact; to shatter and destroy it is not so good."  (Ibid., Chapter 3)

Some portions of the U.S. military have deeply considered the truths of the Sun Tzu philosophy. For the most part, however, we are stuck in the doctrine of air power, with its corollary doctrine of MAD. Inanely, much of our political leadership still believes that our primary 'potential adversary' is the Soviet Union ... and that China poses no strategic-military threat whatsoever, since the Communist Party has gone capitalist.

 

Wait, there's more

And if the espionage isn't enough, the Chinese have infiltrated our infrastructure with malware: power plants, water works, dams, etc. They won't have to declare war on us. They're already winning, and they could cripple us by pushing a button.

Not to mention China-Afghanistan-Iran connection

Here's a clue for you: "This country borders both Iran and China." Doo, doo, doo, doo. "Ooooo, oooo, Alex, I've got it ... uhh ... What is Afghanistan?"

Back when the Afganistan thing first started up (2001-2002), we heard about some supposed North-South pipeline through Afghanistan. That was code for the real deal, which was an East-West pipeline (and power grid) connecting Iran directly with China via Afghanistan. This deal already is seen as "dispensing with Big Oil." (See, below quote from Asia Times.) When China finally gets into Afghanistan, that will be the capstone in an already existing huge integrated gas (as well as an integrated electrical power grid) connecting all of Central Asia, including Iran, with China.

Excerpted for review purposes from Asia Times Online (8 January 2010)

'Russia, China, Iran redraw energy map' (by M K Bhadrakumar)

The inauguration of the Dauletabad-Sarakhs-Khangiran pipeline on Wednesday connecting Iran's northern Caspian region with Turkmenistan's vast gas field may go unnoticed amid the Western media cacophony that it is "apocalypse now" for the Islamic regime in Tehran.

The event sends strong messages for regional security. Within the space of three weeks, Turkmenistan has committed its entire gas exports to China, Russia and Iran. It has no urgent need of the pipelines that the United States and the European Union have been advancing.  ....

The 182-kilometer Turkmen-Iranian pipeline starts modestly with the pumping of 8 billion cubic meters (bcm) of Turkmen gas. But its annual capacity is 20bcm, and that would meet the energy requirements of Iran's Caspian region and enable Tehran to free its own gas production in the southern fields for export. The mutual interest is perfect: Ashgabat gets an assured market next door; northern Iran can consume without fear of winter shortages; Tehran can generate more surplus for exports; Turkmenistan can seek transportation routes to the world market via Iran; and Iran can aspire to take advantage of its excellent geographical location as a hub for the Turkmen exports.

We are witnessing a new pattern of energy cooperation at the regional level that dispenses with Big Oil. Russia traditionally takes the lead. China and Iran follow the example. Russia, Iran and Turkmenistan hold respectively the world's largest, second-largest and fourth-largest gas reserves. And China will be consumer par excellence in this century. The matter is of profound consequence to the US global strategy.

(Emphasis added)

 

www.atimes.com/atimes/Central_Asia/LA08Ag01.html

China oil

We overviewed China buying up oil futures, oil supply earlier but haven't seen how much of a factor they are in this run up. My impression is this run is speculators (at least 15%, but I suspect much higher).

This overview is from 2009, China's quest for oil.

I thought there was a huge oil pipeline scheduled to run through Afghanistan.

Thanks for link to 2009 article!

Back in 2003, there was considerable talk in the blogosphere about the 'real' reason for the Afghan adventure was that someone (Big Oil?) would stand to make a killing from a North-South pipeline through Afghanistan, connecting central Asia energy resources to some seaport in Pakistan (and also into India).

IMO, the supposed North-South pipeline was a beard for the actual concern (for USA national/global interests/security), which was or is the prospect of China constructing an East-West pipeline and otherwise bringing Iran within their central Asia infrastructure. (I assume Iran-centered PNAC Doctrine analysis of Iraq/Afghanistan War.) Of course, preventing the China venture and constructing the North-South pipeline could be seen as two sides of a single coin. Russia clearly fits into the picture, but it's unclear exactly how or on which side.

What did "American" multinationals think was going to happen?

Come on, this was so predictable as to be laughable that anyone in the world is shocked. Of course US companies and the government are "shocked, shocked I tell you."
Hmmm, let me see, let them move all their R & D and manufacturing facilities overseas in countries that had no particular allegiance to the US ever (and in some cases fought us - e.g., Vietnam, PRC in Korea, etc.). And for the operations that remain in the US, let them bring in millions of H-1B visa applicants from India, the PRC, and other countries that, again, owe us no allegiance ever. Meanwhile, let them claim that they simply cannot find any qualified Americans who actually owe their allegiance to America who can fill these roles (even thought there are literally millions of Americans who have PhDs, BSs, are veterans, engineers that literally built rockets, missile defense systems, supercomputers, etc., etc.). And then, let them spread their lies in the media so that the unemployed Americans can be deemed "idiots," "lazy," etc. Finally, when the secrets are stolen and the US has just wasted raw talents and billions of dollars and years of research weakening our nation while multinationals and our enemies got richer and stronger, they can blame everyone else but ridiculous short-sighted MNC policies and the policies of their puppets in state capitals and DC. Is that what we're talking about here? Yeah, no one could have seen that coming - except for those people with an IQ over 80 (but that would exclude corporate boardrooms and politicians). This country was sold out - it's that simple. The average, intelligent, hardworking American owes these folks and their minions nothing ever again.

agree with this

It's pretty clear the Chinese are nationalistic, yet Academia welcomes foreign nationals into sensitive research labs with almost no security and background checks pop up fraud of credentials in a huge percentage of foreign nationals.

While MNCs refuse to recognize loyalty to a nation, other countries sure as hell are.

That said, this overview is on cybersecurity, they don't need to hire anyone, they are breaking into networks, putting in malware into chips, components (something we've railed about for years, beyond stupid to offshore outsource HW/firmware manufacturing overseas on sensitive COTS)....

Point is they are just simply breaking into networks and I must say, on this site, just fighting good old fashioned spam and attacks sometimes comes down to chasing down one IP address is one log, from thousands of entries and putting an absolute top level block. In other words, tools available to systems to block out and identify hacking attempts to me are still very crude.

That said, this report to explain it better, is saying Chinese hackers are targeting say the CTO of security at Fortune 500 corporation x. They fire off emails that look like they came from internal, or are directly related to business. The link or embedded info in the email loads up malware, bots, to search through the internal documents, servers and extracts out sensitive information, designs, code, firmware. Or puts a keystroke logger or a remote desktop image capture and so on to capture designs that have taken years and years to create.

Which also shows not only do these corporations not realize the value of their U.S. engineers, designers, they also do not seem to realize, beyond patent war games, the value of their own intellectual property. They should know, better than anyone, if someone dominates the market with a "stolen" design, the damage is done and profits lost vastly outweigh whatever compensation a court would order later.

Why Block IP By Individual Addresses

Bob, the high level nodes in the 4 part IP address show the geographic area.
Why don't you and others just get a simple clue where the attacks are coming from
and just block the bastards? Next, we deal with PNTR trade the same way.

MNCs think?

My impression is that MNCs have been making a killing since the 1960s or earlier through aggressive international labor arbitrage. If they ever did any thinking about this stuff, there was no thinking involved ... more like just 'Keep on doing that highly profitable thing, it'll never stop'. It's the same as when a fishery is fished out, when the water table runs dry, when Peak Oil arrives, when the clear-cut has left nothing more to cut  ...

And even now, following EP, what do we see all the time? MNCs hoping for yet greater profits through labor arbitrage.

Humans are just like any other resource in today's world of finance capitalism -- expendable. And the way to increase corporate profits and get a big bonus is .... exploit that resource!

USA competitive disadvantage due to endemic insanity?

According to Ian Bremmer, China has a great advantage over USA because, unlike the American people, the Chinese people are not crazy. By way of illustrating his point, Bremmer notes that on visits to China, he has never spoken to anyone who doesn't believe in evolution or global warming, whereas he has found climate skepticism and lip-service to anti-evolution views common among the American people and even in the USA ruling elite.

Bremmer appeared on the NPR show, 'Intelligence Squared', which currently features a debate on this question: 'Does China Do Capitalism Better Than America?'

Two guys on each side, with little or no attempt at an agreement on whether either country is "doing capitalism" or on what "capitalism" is or should be ... but whatever capitalism really is, two guys said China does it better, and two said no they don't.

On the pro-China side, there appeared to be an attempt to include both a 'liberal' and a 'conservative'. There was Orville Schell representing (IMO) the view of the Council on Foreign Relations, of which Schell is a member.  Then there was Peter Schiff, who was Ron Paul's economic adviser in 2008. Maybe Schiff would be better described as anti-USA than as pro-China, although he would claim that he is pro-USA in such views as that minimum wage laws are a pernicious feature of USA economy, the root cause of unemployment. (China has been undertaking minimum wage reforms for a few years now, so how Schiff's view of that issue relates to the debate question was unclear.)

On the con side of the question, there wasn't really any conservative or liberal -- rather, we had two interesting and rational views presented. It's not surprising that, based on audience response, the con side won by a landslide.

There was Minxin Pei, born in China and a professor at Claremont McKenna College. Pei is author of the book, China's Trapped Transition: The Limits of Developmental Autocracy.

Then there was Ian Bremmer, who has a doctoral degree in political science from Stanford and teaches at Columbia. Bremmer is founder and president of Eurasia Group, a global political risk research and consulting firm. He has written several books, including the bestseller The End of the Free Market and The J Curve. Bremmer's next book, Every Nation for Itself, is to be available soon.

I am giving NPR good marks for this show. They managed to maintain the NPR approach to the problems of bias by including a 'liberal' and a 'conservative' but put them where they belong -- on the same side. Then they actually went on to present two interesting and rational views, not clearly identifiable as 'liberal' or 'conservative'.

Bremmer more than once made his point that the American people and their elected representatives are ... like ... certifiable (my choice of words). As a risk analyst trying to evaluate issues presented by Numerian in recent blog, 'Ben Bernanke Runs Out of Options', Bremmer finds wide-spread irrationality to be troubling.

Webpage to the show (with link to podcast)

 

another "massive" credit card # "breach"

This is somewhat related but it just shows the crisis point going on with identity theft and credit card fraud/breaking in problems.

Cyber theives broke into the credit card data processing center, the motherlode of numbers.