Return to Winter: Russia, China, and the New Cold War Against America (16 page)

“We are going to have a cyber event that is catastrophic,” warned retired Vice Admiral Mike McConnell in early 2013, describing an attack that would cripple U.S. banks and financial institutions.
¹⁶
And Tom Donilon called out China directly for cyber theft on “an unprecedented scale,” ending the Obama administration’s long-running public reluctance to identify perpetrators.
¹⁷

It was about time: The attacks have been going on for years.

Item: In March 2012, the Department of Homeland Security warned that a major cyber attack against U.S. gas companies was under way and had in fact been going on for four months. The department called it a “gas pipeline sector cyber intrusion campaign” and warned that it was directed against multiple companies.
¹⁸

Item: In January 2013, servers at the Energy Department’s Washington headquarters were attacked, though department officials said that that no classified information was compromised.
¹⁹
The attackers stole personal employee information of the kind that could be used for criminal purposes, though investigators suspected that the attackers had broader goals, including gaining access to classified information.
²⁰
Americans should be profoundly alarmed that departments of the federal government are being hacked.

Hackers’ most disturbing potential targets are the military and the industrial sectors and national infrastructure that make normal life possible. If adversaries can interrupt industrial functioning, they could make their moves and create chaos before the U.S. could respond. Imagine, for example, hackers bringing down the FAA’s flight computers or sabotaging the U.S. power grid. An attack on water infrastructure could render whole regions uninhabitable, while sabotaging power lines could take out telecommunications, emergency services, and utilities. The American economy and infrastructure are so embedded in technology—more and more of it stored in the so-called cloud—that such actions would be destructive and deadly. That’s why Panetta’s doomsday scenarios focused on infrastructure disruptions. And China has already conducted the necessary network mapping and computer reconnaissance of government and private networks to “cripple infrastructure and military command and control,” say military sources.
²¹

U.S. vulnerability also extends to its $14 trillion economy, and especially the nation’s banking system, through which $13 trillion moves
daily—backed not by gold or physical money but by the system of banking reconciliation.
²²
A targeted, one-day attack on American credit card companies could cost $35 billion, while a full-fledged, sustained cyber assault could cost the United States some $700 billion.
²³
(The 2013 Target hack, meanwhile, has already cost financial institutions more than $200 million, and that is not a final tally.
²⁴
) Mike McConnell, the retired vice admiral quoted above and in the epigraph to this chapter, says that he is “personally acquainted” with people who have the capability of hacking into the banking system and compromising data. Some nation-states have this capability but not the intent, he says, while terrorist groups have the intent, but not the capability—yet.

“How long,” he asks, “before those two come together?”

The danger extends throughout the private sector, beyond the obvious financial-industry targets. Law-enforcement officials weren’t sure who launched the attacks against retailers (Neiman Marcus was another victim) in the 2013 holiday season, but they believe that they originated in Eastern Europe, “which is where most big cybercrime cases have been hatched over the past decade.”
²⁵
Stolen secrets or corporate intellectual capital impose huge costs on the most prominent firms—including Apple, Facebook, Twitter, and Microsoft, all of which reported that their employee computers or systems were hacked in 2012 or 2013. The U.S. has uncovered evidence of cyber attacks against 140 other American companies. Most of these attacks, as we’ll detail later, have been linked to the Chinese military.

Surveying 56 companies and governmental organizations in a 2012 study, the Ponemon Institute, a Michigan cyber-security think tank, found that the average annualized cost of cybercrime to each was $8.9 million and that companies suffered 102 successful attacks per week. These attacks range from hacking into e-commerce platforms to stealing company financial records or customer data to “spear phishing,” in which hackers target specific employees in order to obtain sensitive
company information.
²⁶
A report from 14 U.S. intelligence agencies described a sophisticated espionage campaign by Chinese spy agencies against major industries in the U.S.: biotechnology, telecommunications, nanotechnology, and clean energy. One U.S. metallurgical company lost technology to China’s hackers that had cost $1 billion and 20 years to develop.
²⁷
The Office of the National Counterintelligence Executive estimates that “losses of sensitive economic information and technologies to foreign entities” already represent between 0.1 percent and 0.5 percent of GDP.
²⁸

Clearly, then, the problem is real and serious, and most worryingly, we do not seem ready to combat it. What we do know, however, is the identity of the world’s leading perpetrator: China.

CHINA’S MULTIFACETED CYBER WAR

“We can physically locate anyone who spreads a rumor on the Internet,” bragged a salesman at a Beijing trade show, pushing his company’s Web-monitoring services, which included highly advanced capabilities for tracking online postings and identifying who made them. Another official at the same trade show boasted that his company could hack into anyone’s computer, “download the contents of the hard drive, record the keystrokes, and monitor cellphone communications, too.”
²⁹

In America, such boasts would constitute a scandal; in China, they are a staple of public conversation at business conferences and in general media, part of a broader culture that accepts and endorses hacking. Chinese universities sponsor hacking competitions with businesses; talent scouts from the army attend, looking for fresh recruits. Chinese companies openly hire hackers to spy on their competitors and steal trade secrets. This is what the United States is up against when it comes to China’s cyber-war practices: an adversary that is not
only skilled at the tactic, but that also supports its use in government, spycraft, commerce, and crime.

China’s status as the No. 1 cyber threat to the U.S. was confirmed in the 2013 National Intelligence Estimate, which warned that the U.S. faced an ongoing challenge from a massive, coordinated campaign of cyber espionage. Although the NIE identified three other countries—France, Israel, and Russia—as practitioners of economic hacking, the report concluded that these countries’ efforts paled beside those of China. Few critics dispute this assessment. China is clearly at the cyber-war forefront, both in terms of the sophistication of its capabilities and the breadth of its targets.

Those targets can be grouped into three fundamental areas of American life: defense, business, and communications.

Hacking the Pentagon

Bob Gates has seen it all as a defense secretary and CIA chief, but Obama’s Pentagon boss probably never thought he’d see the day that a visit to China would coincide with Beijing’s first test flight of a stealth fighter—the Chengdu J-20. That’s what happened when Gates went to Beijing in January 2011 to meet with former President Hu Jintao.
³⁰
The visit was intended to help mend contentious U.S.–Chinese relations, but any attempt at diplomacy was immediately overshadowed by news of the test flight, stories and photos of which papered the normally highly censored Chinese media. Thus it could be reasonably construed that the Chinese (or at least the military) wanted Gates to know all about it. Amazingly, Hu seemed unaware of the test flight, or at least he affected to be. More disturbingly, the J-20 bore a striking resemblance to American designs.

Imagine if, during the Cold War, the Pentagon announced that the Soviet Union had stolen secrets to dozens of military programs,
weapons systems, and battle plans. In an era of fallout shelters and nuclear-readiness drills, that news would probably have caused a national panic. Thankfully, nothing on that scale occurred.

But now it has.

Chinese hackers have gained access to design information for more than two dozen U.S. weapons systems, from missile-defense systems for Europe and Asia to combat aircraft and ships. These include many of the Pentagon’s flagship weapons and technology programs: the Patriot missile system, the Navy’s Aegis ballistic-missile-defense system, the F/A-18 fighter jet, the V-22 Osprey, Black Hawk helicopters, and the F-35 Joint Strike Fighter. It’s not clear how much information on each the Chinese obtained. But American officials believe that the Chinese have at least two ways of exploiting what they obtained: first, to knock out communications and corrupt data in the event of a conflict; and second, to modernize their own weapons systems, a clear goal of the Chinese leadership, as shown by Beijing’s massive increases in military spending.
³¹

Most disturbingly, in a series of infiltrations that apparently went on for years, the Chinese stole enormous quantities of data concerning Lockheed Martin’s F-35 Lightening II—the costliest, most complex jet fighter ever produced.
³²
They may have already put the information to good use, as the world discovered in January 2011 when China tested the Chengdu J-20. To be sure, the J-20 is not yet at operational capacity—it cannot participate in real-world missions—but it emerged well ahead of schedule, and its appearance kicked up a storm of questions.
³³
Secretary Gates had believed that the Chinese would not develop such a fighter until 2020; Chinese analysts put the date around 2017 or 2018. So the J-20 test flight surprised everyone.
³⁴

So much so, in fact, that China was accused of copying the designs for the plane. Military officials in China have dismissed these claims as a “smear campaign.” A test pilot, Xu Yongling, boasted that the “J-20
is a masterpiece of China’s technological innovation.”
³⁵
Innovative it may well be, but is the innovation native to China? Some analysts called the J-20 a “kludge,” or a machine assembled from mismatched parts.
³⁶
Others suggested that the Chinese borrowed the design from the Russians, while still others wondered whether they might have copied it from an American stealth fighter downed in Serbia during the 1999 U.S. military operations there.

The most troubling possibility—although one that is not proven—is that a series of cyber attacks on the Pentagon gave the Chinese the necessary know-how to construct the plane. These cyber attacks targeted the Pentagon’s $300 billion Joint Strike Fighter program, a multinational project headed by the United States, between 2007 and 2009. The JSF program researched and designed the F-35 Lightening II. Although it has proved difficult to trace the origins of the attacks with certainty, former U.S. officials believe that the cyber attacks originated in China.
³⁷

The hackers were able to capture several terabytes of information about the electronic systems and design of the F-35, though precisely what they stole is not known. The most important computer-weapons systems were not touched; they are stored on hard drives not accessible from the publicly accessible Internet.
³⁸
Only relatively unimportant parts of the F-35’s coding were ever on the Internet, the Pentagon insists. “They’ll have very little information other than how you maintain the aircraft,” Jim McAleese, a former consultant for Lockheed Martin, said. “They’d know, for example, at what number of hours do the engines get checked, or the procedures for maintaining the stealth coding . . . they wouldn’t have information about key parts.”
³⁹

Is McAleese’s relative calm about the situation well founded, or does he seriously misjudge what occurred? It’s hard to know. Even if he’s right, the program’s multinational nature offered attackers multiple avenues for penetration: Turkey, for instance, suffered heavy data losses.
Moreover, some parts of the enormous project were contracted out to private companies. These, too, were targeted.
⁴⁰

In sum, we don’t have a definitive reading on what hackers stole from the Defense Department in their attacks from 2007 to 2009; nor do we know what effect these attacks had on the development of the Chinese J-20. But consider that in March 2012, BAE systems, Britain’s largest defense contractor, acknowledged that Chinese cyber attacks had successfully penetrated its network and that data on the F-35 project had been stolen.
⁴¹
And remember that, even by the estimates of Chinese analysts, the J-20, even in its not-quite-ready form, appeared years in advance of anyone’s expectations.

“American U.A.V. technology is very sophisticated,” Xu Guangyu, a retired military general and director of the China Arms Control and Disarmament Association, said in late 2013. “We can only envy their technology. Right now, we’re learning from them.”
⁴²
His statement came as Comment Crew, a Chinese hacking group that has been linked to the People’s Liberation Army, spearheaded a hacking operation dedicated to stealing our drone technology. The Chinese government is striving to put China at the forefront of drone manufacturing—something they seemingly can’t accomplish without lifting our drone designs. More like “stealing from” the United States than “learning from” us.

The Chinese military has not released statistics on the size of their drone fleet, but analysts say they have thousands, making their drone force second only to the United States’ 7,000.
⁴³
And China’s domestic-security apparatus—with a budget of $124 billion this year—has become keenly interested in drones, suggesting that they could become an integral part of China’s surveillance system. All of this spells bad news not only for the U.S. but also for China’s neighboring nations. Indeed, in early September 2013, China’s navy sent a surveillance drone into the disputed Diaoyu Islands (called the Senkaku Islands by Japan), the first time China had ever deployed a drone into the
East China Sea. But it surely won’t stop there. The Chinese will use drones to secure maritime sovereignty but, according to a report from the security think tank Project 2049, Chinese strategists have also discussed using drones in attack situations in the event of war with the U.S. breaking out in the Pacific.
⁴⁴
The Chinese will take what they want. And they want our drone technology.