Tiger Trap


by David Wise


  Born in Taiwan, Kuo, short and charismatic, came to the United States in 1972 to attend college in Louisiana on a tennis scholarship. He became a naturalized US citizen eight years later and held both American and Taiwanese passports. Kuo went into business importing Chinese furniture. He lived in New Orleans but traveled regularly to China and had an office in Beijing. His wife, Jane, was the daughter of a high-ranking Kuomintang general, Hsueh Yueh, who fought the Japanese during World War II and fled to Taiwan after the Communists took over the mainland in 1949.

  After the FBI arrested Kuo, he sought out Plato Cacheris, a prominent criminal attorney in Washington, renowned for representing defendants in espionage cases, among them Aldrich Ames and Robert Hanssen. According to Cacheris's younger partner, John Hundley, Kuo was first approached by Chinese intelligence in the 1990s.

  "He was trying to sell cotton and other products to China and working with an associate on the West Coast," Hundley recounted. "They made several exploratory trips to China to promote their business, and his associate introduced him to Lin Hong as someone Kuo needed to know to do business in China. Lin was described to him as an executive with the Guangzhou Friendship Association, a government organization that helped North American businessmen conduct business in China. It didn't take him long to realize that Lin was in the Chinese government." In fact, Lin Hong was an intelligence officer of the People's Liberation Army.

  In the 1990s Kuo had embarked on a new business venture to develop a defense communication system between the United States and Taiwan. Lin Hong pressed him for information about the work, holding out the prospect of a "big project" in China if he delivered what Lin wanted. Over the next several years, Kuo passed defense information to Lin.

  And it was in the early 1990s that Kuo developed another reason to travel to Beijing. He met Yu Xin Kang, a slim nineteen-year-old Chinese girl, and their relationship blossomed into an affair. Kuo supported Kang, using her as a go-between with Lin Hong. She met with Lin in Beijing and passed messages between the Chinese spymaster and Kuo, who used her apartment in Beijing for meetings with Lin.

  Yu Xin Kang moved to New Orleans in 2007 to work as a secretary for Kuo. In the United States, Kang, now thirty-two, answered to the name Katie and obtained a green card as a legal permanent resident alien. With money from Lin Hong, Kuo continued to support her.

  The spy business was proving more lucrative than Kuo's other uncertain enterprises. According to court documents, Lin Hong paid Kuo $50,000, and Kuo in turn entertained Bergersen in the casinos and expensive shows of Las Vegas, and paid him small amounts of cash. Bergersen, in turn, provided Kuo with Pentagon documents and information, some classified. Kuo told Bergersen that the data he provided was going to Taiwan. Bergersen did not know that Kuo passed the information to Beijing.

  In April 2007, on a trip to Las Vegas, Kuo handed Bergersen $3,000 in cash to play poker, and Bergersen exchanged the money for casino chips. The next day, Kuo reported to Lin Hong that Bergersen had agreed to provide the Pentagon's projected five-year arms sales to Taiwan. In a phone call to Bergersen in July, Kuo reminded Bergersen it was the Defense Department's document he wanted: "I want your ... paper. I don't want CIA, I got CIA's paper."

  Kuo flew to Washington in July, and the FBI managed to plant both audio and video surveillance in the car he rented. As they drove to Dulles International Airport later that day, Kuo put a thick stack of bills into Bergersen's shirt pocket. Bergersen brought along the Taiwan arms sales projection and had cut the "SECRET" markings off the document. He told Kuo he was reluctant to let him have it, "because it's all classified," but Kuo could "take all the notes you want."

  If anyone found out, Bergersen warned, "Fuck, I'd go to jail, I don't wanna go to jail."

  "I'd probably go to jail, too," Kuo replied, chuckling.

  Back in Louisiana the next day, Kuo e-mailed his Chinese handler, Lin Hong, that he was not able to keep a copy of the Taiwan arms sales projection—it was "very, very sensitive"—but he was allowed to take notes about it. He said that Bergersen had also let him look at the plans to improve Taiwan's command-and-control and intelligence capabilities.

  Five days later, Kuo flew to Beijing, where he was met at the airport by Yu Xin Kang. Kuo personally delivered to Lin Hong the handwritten notes he had taken from the documents that Bergersen had let him see.

  In August, there was a domestic scene right out of Fawlty Towers. In a telephone conversation with Kuo, Bergersen lamented that when he returned from a trip, his wife went through his wallet and found an unexpected amount of money. Not wanting to explain its source, he told her that he won it gambling. In that case, his wife said, she was entitled to half the money—and she took it as her share. Kuo offered to make up the difference, but Bergersen declined, saying he could not put it in the bank anyway, because, "I don't want any record."

  In March 2008, a month after he was arrested, Bergersen pleaded guilty under the espionage statutes to a single count of conspiracy to disclose national defense information. He was sentenced to just short of five years in federal prison.

  Tai Shen Kuo pleaded guilty to conspiracy to deliver national defense secrets to China. He was sentenced to almost sixteen years, later reduced to five for cooperating with prosecutors, and fined $40,000.

  Yu Xin Kang received a much lighter sentence of eighteen months in prison for aiding and abetting an unregistered agent of the Chinese government. Prosecutors recognized that she had been used and controlled for years by Kuo, her lover and sole financial support.

  Lin Hong was safely out of reach, in China. But an FBI affidavit in the Bergersen/Kuo case made clear that the spymaster also ran the Chi Mak operation on the West Coast. Rebecca Chiu had admitted that Lin Hong and others had provided them with the tasking lists of information Chi Mak was to gather. Lin Hong's name and phone numbers appeared in two of Chi Mak's address books and also on a document in Mandarin Chinese seized from Kuo.

  Lin Hong's web of spies on both coasts included a second Pentagon official, James W. Fondren Jr., whom he gave the code name Fang. On the day that Kuo and Bergersen were arrested, Kuo was staying at Fondren's home in Annandale, Virginia. Like Bergersen, Fondren was one of several current and former government employees and contractors cultivated by Tai Shen Kuo.

  A lieutenant colonel in the Air Force, Fondren retired in 1996 and two years later set up a consulting business from his home. But his only client was Tai Shen Kuo. With a search warrant issued when Kuo was arrested, the FBI took Fondren's computer and discovered it contained many "opinion papers" containing classified information that he had written and e-mailed to Kuo for payment.

  In March 1999 Fondren and Kuo had traveled together to China. Kuo introduced him to Lin Hong, whom he described as a "political researcher" and consultant to the Chinese government.

  After the trip, Fondren began exchanging e-mails directly with Lin Hong, who responded cryptically in April: "Everything OK with you? The weather outside is not so kindly, please take care while working."

  In May, Fondren assured Lin Hong that he was trying his best to obtain a Theater Missile Defense report before it was released. That same month Kuo gave him a check for $1,150. Fondren would have had to be exceptionally dim not to realize that his new friend Lin Hong was acting for, or an official of, the Chinese government. In fact, Fondren boasted to a friend that "the PRC government ... has already adopted some of my suggestions."

  Then in 2001, Kuo and Lin got good news. Fondren was hired by the Pentagon as deputy director of the Washington liaison office of the US Pacific Command (PACOM), the unified armed forces command for the Asia-Pacific region. Now Fondren held a TOP SECRET and Sensitive Compartmented Information (SCI) clearance.

  With Fondren on the inside, Lin Hong suggested that Kuo mislead him into thinking the information he was providing was going to the Taiwan military. Fondren kept batting out the classified "opinion papers" for Kuo, who said he would now have to pay him in cash.

  In late October 2006, Kuo telephoned Fondren asking for a copy of a Pentagon antiterrorism publication. Although marked "For Official Use Only," Fondren agreed to get it. A week later, Lin Hong e-mailed Kuo asking where the publication was. The next day, the FBI intercepted a package sent by Fondren to Kuo with the document.

  Then in February 2007, Lin complained to Kuo by telephone that his superior was not pleased with two of the papers Fondren had written and believed they did not reflect what Fang knew. In the future, Lin said, Fang should simply send the documents and not write papers, which took too much time.

  That same month, Kuo asked Fondren to snag an advance copy of the Defense Department's annual report on the Chinese military. Early in March, Kuo called Fondren at home and asked if he had obtained the draft. Fondren replied, "I can't talk about uh—that stuff over the phone." So Kuo flew to Washington, stayed at Fondren's home, and Fondren gave him the report, saying: "Let people find out I did that, it will cost me my job."

  ***

  In August, the FBI conducted a pretext interview of Fondren, saying they were talking to government employees familiar with Asia. Fondren told them he knew and had worked with Kuo, but he smelled a rat. He sent an e-mail to Kuo reporting that the agents "wrote down only that information and didn't take notes when I talked about Vietnam and other Southeast Asia countries."

  Despite the suspicious FBI visit, Fondren continued to send classified data to Kuo. Then on May 13, 2009, the prosecutors acted. Fondren was charged with conspiring to disclose classified defense information to an agent of China. He surrendered to federal authorities and was released with electronic monitoring.

  Fondren's trial in federal district court in Alexandria opened in September 2009. The chief witness against him, appearing in a green prison jumpsuit, was Tai Shen Kuo. At the end of the five-day trial, the jury, on September 25, convicted Fondren on one count of unlawfully communicating classified data to an agent of a foreign government and two counts of making false statements to the FBI. In January 2010 Fondren was sentenced to three years in federal prison.

  By the fall of 2009 Red Flower, Fang, and the other players in the bicoastal spy drama were history. Chi Mak and four other members of his family, as well as Dongfan Chung, Tai Shen Kuo, Gregg Bergersen, Katie Kang, and James Fondren—ten people in all—had been caught and convicted. Lin Hong's spy network had been broken.

  Chapter 21

  THE CYBERSPIES

  IN THE TWENTY-FIRST CENTURY, spies have finally achieved what practitioners of their ancient craft could only dream of in the past: thanks to the Internet, they have become truly invisible.

  From the Pentagon to the State Department, from the Sandia nuclear weapons laboratory to the Department of Homeland Security, intruders have managed to hack into US government computers with increasing frequency. Many of the attacks appear to have originated in China.

  In 2009 a group of Canadian researchers at the University of Toronto called "Chinese cyber-espionage" a "major global concern." Their report strongly implied that the Chinese government, not just individual hackers, was behind widespread computer attacks aimed at the United States and 102 other countries.

  The Chinese hackers, the researchers said, broke into computers in the United States, Taiwan, India, and other nations, directing them to download a Trojan horse—a destructive program masquerading as useful software—called Ghost Rat. As in typical hacker assaults, the program then allowed the attacker to gain real-time control over the computers, turning them into zombies or proxies, unknown to their owners.

  Once the computers were controlled, the intruders could search and download files, and even covertly operate "microphones and web cameras," the Canadian report noted. According to Nart Villeneuve, one of the authors of the report, that Orwellian capacity means that if a computer has a webcam, it can peer into a bedroom or office and allow the attacker secretly to watch what is happening, with sound. If a computer only has a microphone, that can be activated to eavesdrop on the room where the PC is located.

  Beginning in 2003, a series of attacks on the Pentagon and other government agencies from websites in China was given the code name TITAN RAIN by US investigators. The government classified the attacks and has said very little about them. The veil was partially lifted on TITAN RAIN, however, by an extraordinary episode at the Sandia National Laboratories site in Albuquerque, New Mexico.

  In 2004 Shawn Carpenter, a thirty-six-year-old computer security analyst at the nuclear weapons lab, studied a series of break-ins at Sandia and tracked them to servers that appeared to be located in Guangdong Province in southern China. On his own time he continued to trace back the technologically sophisticated, rapid intrusions to their source, sharing his information first with Army counterintelligence and later the FBI.

  Instead of appreciating what Carpenter had done to protect the lab, Sandia yanked his Q clearance and fired him for going outside established channels. Carpenter sued, and in 2007 won a whopping $4.7 million jury award in a New Mexico court. The jury found that his firing by Sandia was "malicious, willful, reckless, wanton, fraudulent or in bad faith."

  The attacks on the Defense Department and other government computers are ongoing. Air Force general Kevin P. Chilton, head of the US Strategic Command, said in 2008 that defense networks were taking a million suspicious "hits" a day. Without pinpointing China, he said he believed the break-ins could be attributed to "espionage work."

  It is not only defense-related targets that are vulnerable to computer attacks. The Wall Street Journal reported in 2009 that cyberspies from China, Russia, and elsewhere had penetrated the power grid in the United States, and inserted malware, or malicious software, programs that could be used to disrupt the system. It quoted unnamed officials as saying that water, sewage, and other infrastructure systems were also at risk.

  Later that year, former CIA director James Woolsey drew a stark portrait of what could happen. "Taking down the grid for months comes as close to a nuclear attack with many weapons on the United States as anything could. You'd have mass starvation and death from thirst and all the rest."

  A year earlier, Tom Donahue, the CIA's chief cybersecurity official, told a meeting in New Orleans of security officials from utility and energy companies that hackers had in fact breached the computers of power companies in another country and caused a power outage in several cities, a report later questioned.

  In 2008 the Tennessee Valley Authority, which provides power to nine million people in seven southern states, was criticized by the Government Accountability Office for lax security. The chairman of the House panel on cybersecurity said that the TVA, the nation's largest generator of electric power, "risks a disruption of its operations as the result of a cyber incident."

  And the nation's electrical grid is vulnerable. Researchers at DOE's Idaho National Laboratory demonstrated in 2007, in an experiment called the Aurora Generator Test, that a cyberattack could in fact knock out a power system. In a startling video released by the Department of Homeland Security, a power turbine like many in use across the United States was forced to overheat and shut down after receiving computer commands in a simulated hacker attack. In the video, the huge turbine shakes and shudders and belches black-and-white smoke as pieces fly off.

  President Obama confirmed in 2009 that "cyber intruders have probed our electrical grid" and "in other countries cyber attacks have plunged entire cities into darkness." Although he did not elaborate, CBS News reported that an attack in Brazil in 2005 affected three cities and another in 2007 in that country caused blackouts affecting more than three million people, but the CBS report was disputed by Brazilian officials, who blamed the blackouts on sooty insulators.

  China has vehemently denied responsibility for any computer attacks directed against the United States or other countries. In answer to reports that Beijing had broken into the Pentagon's computers, for example, Jiang Yu, the spokesman for the Chinese Foreign Ministry, declared: "The Chinese government has always opposed any Internet-wrecking crime, including hacking, and cracked down on it according to the law."

  The denials are frequent but not entirely persuasive. The Chinese government tries to tightly control all aspects of the Internet in that country, sharply restricting the web content that its citizens may view. In recent years, Internet activists outside China have provided software that has enabled a relatively small percentage of Chinese computer users to circumvent the government's firewall. Even so, it is not credible that large numbers of private Chinese hackers, supposedly acting on their own, could engage in repeated attacks on US defense and intelligence agencies—unless the government of China either organized, directed, or encouraged those intrusions, or at the very least condoned them.

  In a book published more than a decade ago, two Chinese Internet specialists acknowledged that "using hackers to obtain military information from computer networks is a very effective method." A more recent book published in China in 2003, Deciphering Information Security, discusses a university specializing in computer security, a sort of "Hacker U," with courses on "Computer Virus Program Design and Application," and "A Study of Hacker Attack Methods."

  Efforts to prove that the Chinese government might be behind the TITAN RAIN-type attacks on the United States run up against what computer security experts call the problem of "attribution." Because it is relatively easy for hackers to disguise their country of origin and precise location, today's cyberspies can hide behind a virtual cloak, and their dagger is electronic. A hacker in eastern Europe can make it appear that his e-mail has been sent via a server in Shanghai.

  For that reason, when Google early in 2010 revealed attacks on its e-mail service and on thirty-four American companies, many of them engaged in defense work, it did not pinpoint the precise source but made clear that it believed the intrusions had originated in China. Later, some investigators thought the attacks could be traced to two schools in China, one with close ties to the military.

 
