Who Gets to Define the Terms of Hacking?

A U.S. attempt to stem Chinese cybersecurity breaches was thwarted by the revelation that the two countries were actually doing similar things.


On March 11, 2013, Thomas Donilon, President Obama’s national-security adviser, gave a speech at the Asia Society on Manhattan’s Upper East Side. Much of it was boilerplate: a recitation of the administration’s policy of “rebalancing its global posture” away from the battles of the Middle East and toward the “dynamic” region of Asia-Pacific as a force for growth and prosperity.

But about two-thirds of the way through the speech, Donilon broke new diplomatic ground. After listing a couple of “challenges” facing U.S.-China relations, he said, “Another such issue is cybersecurity,” adding that Chinese aggression in this realm had “moved to the forefront of our agenda.”

American corporations, he went on, were increasingly concerned “about sophisticated, targeted theft of confidential business information and proprietary technologies through cyber-intrusions emanating from China on an unprecedented scale.”

Then Donilon raised the stakes higher. “From the president on down,” he said, “this has become a key point of concern and discussion with China at all levels of our governments. And it will continue to be. The United States will do all it must to protect our national networks, critical infrastructure, and our valuable public and private-sector property.”

The Obama administration, he said, wanted Beijing to do two things: first, to recognize “the urgency and scope of this problem and the risk it poses—to international trade, to the reputation of Chinese industry, and to our overall relations”; second, to “take serious steps to investigate and put a stop to these activities.”

The first demand was a borderline threat: Change your ways or risk a rupture of our relations. The second was an attempt to give Chinese leaders a face-saving way out, an opportunity for them to blame the hacking on hooligans and “take serious steps” to halt it.

In fact, Donilon and every other official with a high-level security clearance knew that the culprit in these intrusions was no gang of freelance hackers, but rather the Chinese government itself—specifically, the Second Bureau of the Third Department of the People’s Liberation Army’s General Staff, also known as PLA Unit 61398, which was headquartered in a white, 12-story office building on the outskirts of Shanghai.

Since the start of his presidency, Obama had raised the issue repeatedly but quietly—in part to protect intelligence sources and methods, in part because he wanted to improve relations with China and figured a confrontation over cyber theft would impede those efforts. His diplomats brought it up, as a side issue, at every one of their annual Asian-American “strategic and economic dialogue” sessions. On none of those occasions did the Chinese delegates bite. To the extent they replied at all, they agreed that the international community must put a stop to this banditry; if an American diplomat brought up China’s own involvement in hacking, they waved off the accusation.

On February 18, a few weeks before Donilon’s speech, Mandiant, a leading computer-security firm with headquarters in Alexandria, Virginia, published a 60-page report identifying PLA Unit 61398 as one of the world’s most prodigious cyber hackers. Over the previous seven years, the report stated, the Shanghai hackers had been responsible for at least 141 successful cyber intrusions in 20 major industrial sectors, including defense contractors, waterworks, oil and gas pipelines, and other critical infrastructures. On average, these hackers lingered inside a targeted network for a full year—in one case, for four years and 10 months—before they were detected. During one particularly unimpeded operation, they filched 6.5 terabytes of data from a single company in a 10-month period. The company also shared an advance copy of the report with The New York Times, which ran a long front-page story summarizing its contents.

China’s foreign affairs ministry denounced the allegation as “irresponsible,” “unprofessional,” and “not helpful for the resolution of the relevant problem,” adding, in the brisk denial that its officials had always recited in meetings with American diplomats, “China resolutely opposes hacking actions.”

In fact, however, the Chinese had been hacking, with growing profligacy, for more than a decade. A senior U.S. intelligence official had once muttered at an NSC meeting that at least the Russians tried to keep their cyber activity secret; the Chinese just did it everywhere, out in the open, as if they didn’t care whether anyone noticed.

As early as 2001, in an operation that American intelligence agencies dubbed Titan Rain, China’s cyber-warriors hacked into the networks of several Western military commands, government agencies, defense corporations, and research labs, using techniques reminiscent of the Russians’ Moonlight Maze operation.

Around the same time, the Third Department of the PLA’s General Staff, which later created Unit 61398, adopted a new doctrine that it called “information confrontation.” Departments of “information-security research” were set up in more than 50 Chinese universities. By the end of the decade, the Chinese army had begun extensively training its soldiers in hacking techniques; one training scenario had the PLA hacking into U.S. Navy and Air Force command-control networks in an attempt to impede their response to an occupation of Taiwan. The United States military had been conducting similar exercises for years, under the rubric “Information Warfare.” The Chinese were now following suit.

By 2006, various cyber bureaus of the Chinese military were hacking into a vast range of enterprises worldwide. The campaign began with a series of raids on defense contractors, notably a massive hack of Lockheed Martin, where China stole tens of millions of documents on the company’s F-35 Joint Strike Fighter aircraft. None of the files were classified, but they contained data and blueprints on cockpit design, maintenance procedures, stealth technology, and other matters that could help the Chinese counter the plane in battle or build their own F-35 knockoff (which they eventually did).

Colonel Gregory Rattray, a group commander in the Air Force Information Warfare Center (which had recently changed its name to the Air Force Information Operations Center), was particularly disturbed—not only by the scale of China’s cyber-raids, but also by the passivity of American corporations. Rattray was an old hand in the field: He had written his doctoral dissertation on information warfare at the Fletcher School of Law and Diplomacy, worked on Richard Clarke’s staff in the early years of George W. Bush’s presidency, then, after Clarke resigned, stayed on as the White House director of cybersecurity.

In April 2007, Rattray summoned several executives from the largest U.S. defense contractors and informed them that they were living in a new world. The intelligence estimates that pinned the cyber attacks on China were highly classified, so for one of his briefing slides, Rattray coined a term to describe the hackers’ actions: “APT,” for advanced persistent threat. (The term caught on; six years later, Kevin Mandia, the CEO of Mandiant, titled his report APT1.)

The typical Chinese hack started off with a spear-phishing email to the target company’s employees. If just one employee clicked the email’s attachment, the computer would download a webpage crammed with malware, including a “Remote Access Trojan,” known in the trade as a RAT. The RAT opened a door, allowing the intruder to roam the network, acquire the privileges of a systems administrator, and extract all the data he wanted.

They did this with economic enterprises of all kinds: banks, oil and gas pipelines, waterworks, health-care data managers—sometimes to steal secrets, sometimes to steal money, sometimes for motives that couldn’t be ascertained.

McAfee, the anti-virus firm that discovered and tracked the Chinese hacking operation, called it Operation Shady RAT. Over a five-year period ending in 2011, when McAfee briefed the White House and Congress on its findings, Shady RAT stole data from more than 70 entities—government agencies and private firms—in 14 countries. The affected nations included the United States, Canada, several nations in Europe, and more in Asia, including many targets in Taiwan—but, tellingly, none in the People’s Republic of China.

President Obama didn’t need McAfee to tell him about China’s cyber spree; his intelligence agencies were filing similar reports. But the fact that a commercial anti-virus firm had tracked so much of the hacking, and released such a detailed report, made it hard to keep the issue locked up in the closet of diplomatic summits. The companies that were hacked would also have preferred to stay mum—no point upsetting customers and stockholders—but the word soon spread, and they reacted by pressuring the White House to do something, largely because, after all these decades of analyses and warnings, many of them still didn’t know what to do themselves.

This was the setting that forced Obama’s hand. After another Asia security summit, where his diplomats once again raised the issue and the Chinese once again denied involvement, he told Donilon to deliver a speech that brought the issue out in the open. The Mandiant report—which had been published three weeks earlier—upped the pressure and accelerated the timetable, but the dynamics were already in motion.

One passage in Donilon’s speech worried some mid-level officials, especially in the Pentagon. Characterizing cyber offensive raids as a violation of universal principles, even as something close to a cause for war, Donilon declared, “The international community cannot afford to tolerate any such activity from any country.”

The Pentagon officials scratched their heads: “any such activity from any country?” The United States engaged in this activity, too, and everyone knew it.

The targets were different, though: American intelligence agencies weren’t stealing foreign companies’ trade secrets or blueprints, much less their cash. In NSC meetings on the topic, White House aides argued that this distinction was important: Espionage for national security was an ancient, acceptable practice, but if the Chinese wanted to join the international economy, they had to respect the rights of property, including intellectual property.

But other officials at these meetings wondered if there really was a difference. The NSA was hacking into Chinese networks to help defeat them in a war; China was hacking into American networks mainly to help enrich its economy. What made one form of hacking permissible and the other form intolerable?

Even if the White House aides had a point (and the Pentagon officials granted that they did), wasn’t the administration flirting with danger by going public with this criticism? Wouldn’t it be too easy for the Chinese to release their own records, revealing that the U.S. was hacking them, too, and thus accuse the Americans of hypocrisy? Part of what the U.S. was doing was defensive: penetrating Chinese networks in order to follow the Chinese hacking into U.S. systems. On a few occasions, the manufacturing secrets that the Chinese stole weren’t real secrets at all; they were phony blueprints that the NSA had planted on certain sites.

But, to some extent, these cyber operations were offensive in nature: The United States was penetrating Chinese networks to prepare for battle, to exploit weaknesses and exert leverage, just as the Chinese were doing—just as every major power had always done in various realms of warfare.

In May, Donilon flew to Beijing to make arrangements for a summit between President Obama and his Chinese counterpart, Xi Jinping. Donilon made it clear that cyber would be on the agenda and that, if necessary, Obama would let Xi in on just how much U.S. intelligence knew about Chinese practices. The summit was scheduled to take place in Rancho Mirage, California, at the estate of the late media tycoon Walter Annenberg, on Friday and Saturday, June 7 and 8, 2013.

On June 6, The Washington Post and The Guardian reported, in huge front-page stories, that in a highly classified program known as PRISM, the NSA and Britain’s GCHQ had long been mining data from nine Internet companies, usually under secret court orders—and that, through this and other programs, the NSA was collecting telephone records of millions of American citizens. These were the first of many stories, published over the next several months by the Guardian, the Post, Der Spiegel, and eventually others, based on a massive trove of beyond-top-secret documents that the NSA systems administrator Edward Snowden had swiped off his computer.

The timing of the leak, coming on the eve of the Obama-Xi summit, was almost certainly happenstance—Snowden had been in touch with the reporters for months—but the effect was devastating. Obama brought up Chinese cyber theft; Xi took out a copy of the Guardian. From that point on, the Chinese retort to all American accusations on the subject shifted from “We don’t do hacking” to “You do it a lot more than we do.”

This article has been adapted from Fred Kaplan’s book, Dark Territory: The Secret History of Cyber War.