If the Chinese military is regularly hacking into the computers of U.S. organizations, as an American security firm says, it raises all sorts of questions about how the U.S. should respond.
Is this a job for the military or the intelligence agencies? What role should diplomats and trade officials be playing?
The report issued this week by the IT security consultancy Mandiant says it has traced the hacking activity to the People's Liberation Army's Unit 61398, which has "systematically stolen hundreds of terabytes of data from at least 141 organizations."
As NPR's Frank Langfitt reported, Unit 61398 is headquartered in a nondescript neighborhood in Shanghai's sprawling Pudong district.
The Chinese government has strongly denied the report, but in the U.S., there's been a widespread belief for years that the Chinese have been deeply involved in computer hacking.
Speaking to The Associated Press, Shawn Henry, who now heads security firm CrowdStrike, used a military analogy to describe the current situation.
"If the Chinese government flew planes into our airspace, our planes would escort them away," he said. "If it happened two, three or four times, the president would be on the phone and there would be threats of retaliation."
Mounting Evidence
Martin Libicki, a researcher at the RAND Corp., says while there's still no smoking gun, Beijing's denials have reached the level of "implausible deniability." Even so, he says the hacking can be viewed as essentially an illegal technology transfer.
"How damaging that is to the United States depends on how much the problem is costing us," he says. "It's a policy decision on where you draw the line and why you want to draw the line," Libicki says.
It's difficult to estimate the cost to the U.S. Broad figures have been tossed around, ranging from as much as a trillion dollars, which would be "huge," Libicki says, to maybe a billion dollars, which would put it "very low on the list of issues between the United States and China."
The allegation that the Chinese military may be playing a key role is a vestige of China's evolving economic system in which the government still has a central role promoting industry, he says.
"It may also be that a lot of the same techniques that it takes to steal secrets from Coca-Cola are the same techniques it takes to steal secrets from Lockheed," says Libicki. "And Lockheed, of course, builds military equipment, the nature of which is probably of keen interest to the Chinese."
A Well-Organized Operation
Richard Bejtlich, chief security officer at Mandiant, says the evidence in its report leaves little question about who is behind the spying.
"It's clear that this is not just a few people working in some basement, some patriotic hackers," he says. "This is a military operation with defined goals, with schedules, with tasking. This is a whole new level of activity."
Bejtlich says the U.S. government is "well aware" of the activity, but partly because of concerns about exposing intelligence resources and other secrecy concerns, has been reluctant to talk about it.
Christopher Johnson, who holds the Freeman chair in China studies at the Center for Strategic and International Studies, says that while the Mandiant report may spur the Obama administration to action, the White House has been heading in that direction for some time.
"It's becoming so pervasive that there's a sense that it's time to do something about it," he says. "One way or another, this [Mandiant report] puts tremendous salience on the issue and pressure on the U.S. government to do something about it."
President And Pentagon Address Concerns
Mandiant's Bejtlich says at least some of the information China has garnered through its cybersleuthing program has military utility, and the report comes less than a month after the Pentagon announced it would dramatically expand its Cyber Command to defend against attacks and, if necessary, wage offensive operations.
And last week, the president issued an executive order to improve cybersecurity for critical infrastructure. He also even mentioned cybersecurity concerns in his State of the Union address last week.
Media reports in this country have linked the U.S. government to at least one high-profile cyberattack, the 2010 Stuxnet computer virus that hit networks associated with Iran's nuclear facilities.
So far, there's no evidence that China has done more than snoop, Bejtlich says. But he says it appears to be in a position to do much more.
"By virtue of having access they could just as easily delete information," he says. "So this is an espionage problem now, but if they so decided to hold our assets at risk, they could choose to start destroying data, as we saw in Saudi Aramco last year."
Some analysts say there is a key difference between the Cold War cloak-and-dagger between Washington and Moscow, and the current situation with Chinese spying.
"In the Cold War, the United States had a distinct advantage in the Soviet Union doing worse, and they had a distinct advantage in the United States doing worse," Libicki says. "This is not true with the U.S. and China — we both have an interest in each other's economy doing better."
Although the U.S. has offensive cyberwarfare capabilities, Libicki doesn't see the Pentagon and the U.S. intelligence community engaging in economic espionage on behalf of U.S. companies.
"If, for instance, we were able to take in information on Chery automobiles, a Chinese car company, who do we give it to? It turns out that to give it to GM and not Ford would not only look bad, but would probably set us up for lawsuits," he says.
And, as Johnson of the Center for Strategic and International Studies points out, there is an implied red line between economic espionage against U.S. companies and a cyberattack aimed at larger economic interests.
"In areas like key infrastructure, such as pipelines and power grids, I think even probing is out of bounds," he says. "That's a message that we have been sending and presumably will continue to be sending to the Chinese and other governments."
Copyright 2021 NPR. To see more, visit https://www.npr.org.