Crossroads Blog | CYBER SECURITY LAW AND POLICY

Cyber Exploitation

More on Mandiant, PLA Unit 61398, USG response to cyberexploitation

I’m sure you’ve already heard the news, but just in case you haven’t, the NYT reported that Mandiant (a cybersecurity/incident response firm) tracked certain cyber intrusions back to a PLA Unit in Shanghai.  You can find the Mandiant report here, it is absolutely worth reading.

News that PLA-related Chinese hacker units have broken into US systems is rather unremarkable; if you’re interested in cyber, you’ve known this for a while.  However, it is remarkable that Mandiant’s report has generated such a flurry of activity from the USG.  Apparently the White House will release a “Strategy to Mitigate the Theft of U.S. Trade Secrets” today.  That strategy, according to an AP report, will make use of penalties/fines/sanctions to slap China’s hand on cyberexploitaiton.  From the White House:

The Administration is focused on protecting the innovation that drives the American economy and supports jobs in the United States. I am pleased to announce that tomorrow we will be releasing the Administration’s Strategy to Mitigate the Theft of U.S. Trade Secrets. I will be joined by senior officials in the Administration to discuss this important issue, as noted in the agenda below. You can watch live on WhiteHouse.gov/live beginning at 3:15pm [today].

Now, just because the White House intends to issue a cyberexploitation response Strategy does not mean that the USG will actually respond to Chinese cyberexploitation (and it certainly doesn’t mean that fines/penalties/sanctions will work to deter the Chinese).  Nevertheless, it’s an encouraging step.

I wonder why it took the White House so long to issue such a strategy.  Did the Mandiant report put pressure on the White House?  I mean, it’s odd timing that this Strategy would come out little over a day after the Mandiant report, especially considering that the underlying cyberexploitation has been covered in the news media for the past two years.  Did the Mandiant report force the White House to find its spine?  I think so.

***

A few follow-ups to the Mandiant news . . .

The Washington Post’s Max Fisher reported that Unit 61398 hackers may have outed themselves by going on Facebook and Twitter (this was originally explained in the Mandiant report).

Brad Stone & Michael Riley wrote a nice article for the San Francisco Chronicle on the rise of Mandiant.  Sounds like a fun company to work for, especially with the Air Force connection.  I initially thought the New York Times hacking was Mandiant’s coming out party, but I think its safe to say that this got them a lot more attention.

I think it will be interesting to watch the rise of both Mandiant and Crowdstrike.

Arthur Bright reports for The Christian Science Monitor on the Chinese response.  I was actually pleasantly surprised we didn’t get the same form “China is a victim of hacking too, etc. etc” response.  The Chinese Ministry of Defense, via the CSM article:

The report, in only relying on linking IP address to reach a conclusion the hacking attacks originated from China, lacks technical proof . . . Everyone knows that the use of usurped IP addresses to carry out hacking attacks happens on an almost daily basis.  Second, there is still no internationally clear, unified definition of what consists of a ‘hacking attack’. There is no legal evidence behind the report subjectively inducing that the everyday gathering of online [information] is online spying.

Maybe I’m reading too much into this, but the Ministry’s second point sounds like an admission that they do engage in cyberexploitation.  I read that statement as saying ‘even if we do engage in this activity, it’s not illegal.’  I take issue with their simple characterization of pervasive cyberexploitation as “everyday gathering of online [information],” and I don’t believe pervasive cyberexploitation is legal under international law, but that second point is a far cry from the usual outright denials we get from these schlubs.

Finally, Jason Healey penned an interesting article on how the U.S. should respond to Chinese cyberespionage for US News.  He suggests Presidential confrontation, public released of previously classified intel community reports, sanctions against companies associated with the PLA, formal demarches, visa restrictions, and “an unclassified conference of like-minded nations to discuss policy carrots and sticks to stop this espionage.”  Definitely a good start, though it may not be enough.

Leave a Reply