Forget The New York Times and The Wall Street Journal. Chinese hackers are on a digital espionage campaign targeting pretty much any major American organization "with intellectual property to protect," and now that there's a rare human side to combating the malware attacks, we know there's not enough being done to stop the hackers yet.
In a new cover story, Bloomberg Businessweek's Dune Lawrence and Michael Riley follow one of the American malware experts attempting to fight the war on hackers, and he reveals a long — even impossible — battle ahead. Since he began tracking Chinese hackers in 2004 at Dell SecureWorks, Joe Stewart has had two big successes in spy hunting, as he unveiled the identities of the hackers "Zhang" and "Cyb3rsleuth."* And he doesn't exactly deny Lawrence and Riley's assertion that the ongoing Chinese malware spying goes straight to the top:
Investigators at dozens of commercial security companies suspect many if not most of those hackers either are military or take their orders from some of China’s many intelligence or surveillance organizations.
Indeed, the Businessweek story builds on growing fears that Chinese hackers might be targeting a whole lot more than just a couple of newspapers in the United States. A secret intelligence estimate described by The Washington Post this week "describes a wide range of sectors that have been the focus of hacking over the past five years, including energy, finance, information technology, aerospace and automotives." That's a lot of trade secrets, and it appears to be the impetus behind an executive order issued on Tuesday by President Obama for government and the private sector to collaborate on cybersecurity threats. Congress is also taking up the Cyber Intelligence Sharing and Protection Act in an effort to shore up what security hawks see as holes in Obama's order. At the State of the Union on Tuesday, the president devoted a surprisingly large part of his address to hacking:
Now, we know hackers steal people’s identities and infiltrate private e-mails. We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.
Unfortunately, it may also take years before the full extent of the threat from China can be addressed head-on. As the U.S. government and major private organizations such as financial institutions start to connect on security issues, our private malware defenders can't even add up their success stories to anything that will actually stop the hacks from growing — or that will actually get China to admit what's going on. From Businessweek:
Outing one person involved in the hacking teams won’t stop computer intrusions from China. Zhang’s a cog in a much larger machine and, given how large China’s operations have become, finding more Zhangs may get easier. Show enough of this evidence, Stewart figures, and eventually the Chinese government can’t deny its role. “It might take several more years of piling on reports like that to make that weight of evidence so strong that it’s laughable, and they say, ‘Oh, it was us,’ ” says Stewart. “I don’t know that they’ll stop, but I would like to make it a lot harder for them to get away with it.”
That's right, it will take years longer for China to even pay attention to the American counter-offensive. As the Bloomberg piece explains, these hacks are a "continuous invasion," and America is totally outnumbered. In the last 10 months, Chinese hackers have doubled their forces, with 10 teams deploying 300 malware groups. "There is a tremendous amount of manpower being thrown at this from their side," Stewart, the face of our anti-malware campaign, told Businessweek. Meanwhile, most American businesses and agencies are "outmatched by an enemy with vast resources and a long head-start," Lawrence and Riley write.
There is one slightly encouraging tidbit in the Bloomberg piece, however. At least some of our important national security organizations have enough resources to combat the hackers. Lawrence and Riley list the Pentagon and a "handful of three letter organizations" as "possibly" having enough manpower to combat the vast Chinese effort. So, there's that, and that's why Obama is doubling down.
*This post originally stated Cyb3rsleuth was confirmed as a member of the PLA.