by Bill Gertz
The companies hit in the cyberattacks included Westinghouse Electric; SolarWorld AG; United States Steel; Allegheny Technologies; the United Steel, Paper and Forestry, Rubber, Manufacturing, Energy, Allied Industrial, and Service Workers International Union; and Alcoa.
The indictment “will scare the PLA hackers, at least for a few months, while they try to find out how they were detected,” said Michael Pillsbury, the Pentagon consultant and specialist on China. “Much stronger medicine will be needed next time,” added Pillsbury, a senior fellow at the Hudson Institute.
The Justice Department prosecutor in the case explained later that the indictment came out of Chinese government demands for proof of U.S. government charges of widespread Chinese cyberattacks. John Carlin, assistant attorney general for national security, told a security conference in Colorado that after years of ignoring or playing down the Chinese cyber threat, the government was seeking to deal with Beijing’s nefarious data theft and network penetrations the way it dealt with terrorism after the September 11 terrorist attacks. “We heard directly from the Chinese, who said, ‘If you have evidence, hard evidence that we’re committing this type of activity that you can prove in court, show us.’ So we did,” Carlin said, adding that the indictment was a first step in what he called a multipronged strategic approach that set up a “red line” for the Chinese that was designed to dissuade future attacks. Carlin threatened further action, despite the White House’s general lack of interest in effective countermeasures. “We will continue to increase the cost of committing this type of activity on American soil where it is occurring, where they are taking the information, until it stops, and we need to maintain that commitment,” he said.
The commitment was not maintained. And one of the most damaging Chinese cyberattacks against the United States would follow shortly: the theft of federal employee records in the Office of Personnel Management (OPM). That took place after an earlier private sector cyber strike against millions of medical records held by the major health-care provider Anthem.
On June 4, 2015, the OPM posted a message to the 2.7 million federal employees on its website revealing that in April 2015 the agency detected a cyber intrusion on its networks affecting some 4 million current and former federal workers. Within weeks of that disclosure OPM released further news that the cyberattack was far more damaging than originally assessed. Instead of the initial 4 million people involved in the data theft, the total had increased to 21.5 million. Worse, the agency delicately announced that among those millions of stolen records was “an incident” affecting background investigation records, among some of the most sensitive information in the government’s possession used in determining eligibility for access to classified information. “OPM has determined that the types of information in these records include identification details such as Social Security Numbers; residency and educational history; employment history; information about immediate family and other personal and business acquaintances; health, criminal and financial history; and other details,” the agency said. “Some records also include findings from interviews conducted by background investigators and fingerprints. Usernames and passwords that background investigation applicants used to fill out their background investigation forms were also stolen.”
It was a security disaster for the millions who held security clearances and were now vulnerable to Chinese intelligence targeting, recruitment, and neutralization. A senior U.S. intelligence official briefed on the classified details of the OPM breach told me that the early technical intelligence analysis of the data theft revealed that it was part of a PLA military hacking operation. “It is fair to say this is a Chinese PLA cyberattack,” said the official, adding that the conclusion was based on an analysis of the software operating methods used to gain access to the government network.
Intelligence officials believe the source behind the attack is the PLA’s Unit 61398 and that it was carried out in retaliation for the May 1 indictment of the five hackers. Months before the OPM hacking was discovered, Chinese hackers also carried out one of the largest data thefts of a health-care provider in history, targeting Anthem and stealing an estimated 80 million records. The breach, made public in February 2015, included names, birthdates, Social Security numbers, medical identification data, street and email addresses, and employee data, including income, the company announced.
A staff report by the House Committee on Oversight and Government Reform concluded the data breach could have been prevented had government officials heeded numerous warnings about the danger of cyberattacks.
Cyberattacks against the State Department, White House, and Nuclear Regulatory Commission and other compromises pale in comparison to the damage done by the OPM attack.
“As a result, tens of millions of federal employees and their families paid the price,” the report said. “Indeed, the damage done to the Intelligence Community will never be truly known. Due to the data breach at OPM, adversaries are in possession of some of the most intimate and embarrassing details of the lives of individuals who our country trusts to protect national security and its secrets.”
The Department of Homeland Security (DHS) and its National Cybersecurity and Communications Integration Center revealed in an internal bulletin that the OPM and Anthem hackings were just the tip of the iceberg in a major Chinese data collection operation that stretched from July 2014 to June 2015. Sticking to the White House policy of not naming China as the culprit, to avoid upsetting Beijing, the DHS bulletin outlined the major theft of what is called personally identifiable information (PII). It stated that the U.S. Computer Emergency Readiness Team had outlined the details of the attacks. “US-CERT is aware of approximately nine major security incidents in which PII was stolen from private sector companies, U.S. government agencies, and a cleared defense contractor,” the bulletin stated. “The cyber threat actors involved in each of these incidents demonstrated a well-planned campaign and high level of sophistication.”
The Chinese stole the records in what the commander of the U.S. Cyber Command, Admiral Mike Rogers, described as big data mining for use in future cyberattacks, and for counterintelligence purposes—the identification of American intelligence officers operating undercover overseas. Once identified, the American spies can be co-opted and neutralized, or worse, fooled into reporting back deliberately provided false information—all in support of the Beijing information warfare campaigns. William Evanina, a senior counterintelligence official within the Office of the Director of National Intelligence, warned that big data mining could disclose “who is an intelligence officer, who travels where, when, who’s got financial difficulties, who’s got medical issues, [to] put together a common picture.” Asked by the Los Angeles Times if foreign adversaries have used data to glean information on U.S. intelligence operatives, Evanina bluntly replied, “Absolutely.”
The threat was not theoretical. In the months after the OPM breach, several former intelligence officials began receiving threatening telephone calls that authorities believe stemmed from the compromised information obtained from OPM background investigation data hacked by the Chinese.
The response by the Obama administration to the Chinese hacking was to ignore it, despite appeals from both national security officials and private security experts that immense damage was being done to American interests and that something needed to be done to stop the attacks.
The White House, however, under Obama had adopted a see-no-evil approach to Chinese hacking that would endure throughout his administration and border on criminal neglect. On several occasions, Obama and his key White House aides were presented with proposals for proactive measures against the Chinese designed to send an unmistakable signal to Beijing that the cyberattacks would not be tolerated. Intelligence officials revealed to me that beginning in August 2011, a series of policy options were drawn up over three months. They included options for conducting counter-cyberattacks against Chinese targets and economic sanctions against key Chinese officials and agencies involved in the cyberattacks. The president rejected all the options as too disruptive of U.S.-China economic relations. Obama never explained why he refused to take action against China, but he clearly rejected anything that might make the United States appear as a world leader and power.
The White House seemed more concerned that U.S. offensive cyberattacks might upset relations with a major trading partner that was holding $1.2 trillion in U.S. Treasury debt. The secret plans were proposed by civilian and military officials who were part of the White House Interagency Policy Committee. The committee is made up of representatives from the Pentagon, intelligence community, law enforcement, homeland security, and foreign affairs agencies.
By the summer of 2015, the group of sixteen U.S. intelligence agencies—including the CIA, DIA, and NSA—that make up what is called the intelligence community weighed in on the growing threat of strategic cyberattacks against the United States. In their top-secret National Intelligence Estimate, the consensus was that as long as the continued policy of not responding remained in place, the United States would continue to be victimized by increasingly damaging cyberattacks on both government and private sector networks. A strong reaction was essential.
The intelligence assessment was produced as the president and his advisers debated what to do to China in response to the OPM and other hacks. The assessment was reflected in comments made by Obama and other officials weeks before the assessment was disclosed. The president said at a summit meeting of world leaders on June 8, 2015, that he expected additional cyberattacks like the OPM hacking to continue. “We have known for a long time that there are significant vulnerabilities and that these vulnerabilities are going to accelerate as time goes by, both in systems within government and within the private sector,” the president said while refusing to publicly blame China for the attacks. A week earlier, Admiral Rogers warned that the increase in state-sponsored cyberattacks was due in part to the perception by the attackers that “there’s not a significant price to pay” for conducting large-scale cyber intrusions and stealing large quantities of private information.
Retired army lieutenant general and former DIA director Michael Flynn has criticized the failure to understand Information Age threats and respond to them forcefully. “Until we redefine warfare in the age of information, we will continue to be viciously and dangerously attacked with no consequences for those attackers,” he told me. “The extraordinary intellectual theft ongoing across the U.S.’s cyber-critical infrastructure has the potential to shut down massive components of our nation’s capabilities, such as health care, energy, and communications systems. This alone should scare the heck out of everyone.” James Lewis, a cybersecurity expert at the Center for Strategic and International Studies, agreed. “Unless we punch back, we will continue to get hit,” Lewis said, suggesting that among the responses would be leaking details of a Chinese Communist Party leader’s bank account. “We’re all coming to the same place—that a defensive orientation doesn’t work,” he said.
Chinese cyberattacks have been massive and have inflicted extreme damage to U.S. national security. A sample of the internal U.S. government assessment of the toll became public in some of the 1.7 million highly classified documents stolen from the NSA by Edward Snowden. An NSA graphic on Chinese theft of government and private sector secrets, labeled “secret,” bore the headline “Chinese Exfiltrate Sensitive Military Technology.” The cyber-spying operation was code-named “BYZANTINE HADES” and the NSA concluded that it resulted in “serious damage to [Defense Department] interests.” The statistics were nothing short of alarming. Under “resources” used in the operation, the agency found at least 30,000 incidents, of which more than 500 were “significant intrusions of DoD systems.” At least 1,600 network computers were penetrated; at least 60,000 user accounts were compromised; and the attacks cost more than $100 million to assess damage and rebuild compromised networks.
The damage included some of the most strategically important information, such as air refueling schedules for the U.S. Pacific Command. Knowing the schedules is critical information that allows an enemy to learn the range of military aircraft. The information would assist the Chinese military in targeting enemy warplanes and transports with increasingly sophisticated air defenses. The compromise involved the details of how the command moves jet fighters, such as the frontline F-22 fighter, over long distances by following the jets with aerial refueling tankers. The missions are known as Coronet missions. A Coronet refueling operation is a delicate and complex aerial ballet requiring the traveling jets to meet tanker aircraft at precise coordinates and altitudes at exact times. The jet fighters also are required to conduct air-to-air refueling several times during the long flights. Knowing Coronet details would allow China’s growing fleet of sophisticated aircraft to conduct similar maneuvers.
Additional data theft involved the compromise of 33,000 general and field-grade officer records from the U.S. Air Force; more than 300,000 user identifications and passwords for the U.S. Navy; and navy missile navigation and tracking systems information and navy nuclear submarine and antiaircraft missile designs. Export-controlled sensitive technology information taken by the Chinese included data limited under the U.S. International Traffic and Arms Restriction regulations and defense contractor research and development. Activity included defense industrial espionage against some of the military’s most advanced systems, including the B-2 bomber, F-22 and F-35 fighter aircraft, the space-based laser, and others. The NSA estimates that the amount of data stolen by Chinese cyber spies amounts to an extraordinary fifty terabytes of data—the equivalent of five times all the information contained in the nearly 161 million books and other printed materials held by the Library of Congress.
On the positive side, the Snowden documents disclosed that despite the damaging attacks, NSA in the past has succeeded in disrupting Chinese cyberattacks. The method was outlined in a PowerPoint slide revealing how NSA cyber spying “discovers adversary tools” used for cyberattacks as they are being developed. The malware tools are then studied and a “tailored countermeasure [is] developed and deployed” so that when the Chinese begin the cyberattack, NSA’s “SIGINT [signals intelligence] discovers adversary intentions” and blocks the attacks. Unfortunately, the Snowden betrayal revealed to the Chinese just how proficient NSA was in gaining access to Chinese computer networks, a capability that was effective only so long as it remained secret.
Stefan Halper, editor of the Pentagon study on China’s Three Warfares, says the Chinese are using cyber along with information operations in the South China Sea and elsewhere. Information warfare is “a natural inheritor to party deliberations which took place as early as 1923 when they started talking first about information warfare and is built into Chinese strategic thinking.”
• • •
Chinese media have been conducting media warfare for the past decade but have been ignored completely in that respect by the U.S. government. On October 30, 2013, an official publication of the Communist Party of China published a chilling reminder of the true nature of the People’s Republic. The Global Times newspaper disclosed in minute detail how China’s People’s Liberation Army developed plans for nuclear missile attacks on the western United States. The newspaper is no ordinary publication, like the scores of officially sanctioned news outlets produced in China. Global Times is a tightly controlled organ of the Chinese Communist Party and a subsidiary of its flagship People’s Daily newspaper. Nothing published in Global Times is produced by chance or accident. Any editors and writers who slip up in even the slightest way by publishing unsanctioned content find themselves behind bars.
The headline in bold Chinese characters did not signal what was coming in the article. “China Has Undersea Strategic Nuclear Deterrent Against United States for the First Time” was not news to those who have watched the PLA develop its conventional and strategic nuclear forces over the past two decades. But at the top of the seven-thousand-word article the authors disclosed that China’s long-range Ju Lang–2, or Giant Wave–2, missiles would rain death and destruction on the United States. Superimposed over a map of the western United States, a red shaded area from Seattle south to San Francisco Bay revealed the destruction of a nuclear strike, with additional shaded areas stretching from Montana south to Las Vegas and Los Angeles and narrowing eastward to a point at Chicago. The caption read “Speculated Overall Destructive Effect Assessment of China’s Intercontinental Nuclear Missiles Hitting Seattle” in phases of three days, a week, and a month after the blast.
“In general, after a nuclear missile strikes a city, the radioactive dust produced by 20 warheads will be spread by the wind, forming a contaminated area for thousands of kilometers,” the publication said. “Based on the actual level of China’s one million tons TNT equivalent small nuclear warhead technology, the 12 JL-2 nuclear missiles carried by one Type 094 nuclear submarine could cause the destruction of 5 million to 12 million people, forming a very clear deterrent effect.” The report added that to increase the casualties in the sparsely populated U.S. Midwest, the proposed strikes would be designed to spread radiation using west to east winds, and stated: “So to increase the destructive effect, the main soft targets for nuclear destruction in the United States will be the main cities on the west coast, such as Seattle, Los Angeles, San Francisco, and San Diego.” As if to indicate the Chinese military believes the death of millions of Americans in a nuclear missile attack is more than theoretical, a second graphic of the Los Angeles area included five black circles representing blast zones over the heart of the city. “The picture shows the overall destructive effect assessment of an intercontinental missile strike against Los Angeles,” the caption noted dryly.
The article is classic Chinese information warfare—the use of nonkinetic, information-based programs and activities as surrogates for military conflict to achieve strategic objectives, an approach generally outlined centuries ago by famed strategist Sun Tzu. It was Sun Tzu who declared that the acme of skill is defeating your enemy without firing a shot. His is the guiding thought behind China’s aggressive information warfare today.