Dark Territory (29 page)

Since the start of his presidency, Obama had raised the issue repeatedly but quietly—in part to protect intelligence sources and methods, in part because he wanted to improve relations with China and figured a confrontation over cyber theft would impede those efforts. His diplomats brought it up, as a side issue, at every one of their annual Asian-American “strategic and economic dialogue” sessions, beginning with Obama's first, in 2009. On none of those occasions did the Chinese delegates bite: to the extent they replied at all, they agreed that the international community must put a stop to this banditry; if an American diplomat brought up China's own involvement in cyber hacking, they waved off the accusation.

Then, on February 18, Mandiant, a leading computer-security firm, with headquarters in Alexandria, Virginia, published a sixty-page
report identifying PLA Unit 61398 as one of the world's most prodigious cyber hackers. Over the previous seven years, the report stated, the Shanghai hackers had been responsible for at least 141 successful cyber intrusions in twenty major industrial sectors, including defense contractors, waterworks, oil and gas pipelines, and other critical infrastructures. On average, these hackers lingered inside a targeted network for a full year—in one case, for four years and ten months—before they were detected. During one particularly unimpeded operation, they filched 6.5 terabytes of data from a single company in a ten-month period.

Kevin Mandia, the founder and chief executive of Mandiant, had been one of the Air Force cyber crime investigators who, fifteen years earlier, had nailed Moscow as the culprit of Moonlight Maze, the first serious foreign hacking of Defense Department computers. Mandiant's chief security officer, Richard Bejtlich, had been, around the same time, a computer network defense specialist at the Air Force Information Warfare Center, which installed the first network security monitors to detect and track penetrations of military computers. The monitoring system that Mandia and Bejtlich built at Mandiant was based on the system that the Air Force used in San Antonio.

While putting together his report on Unit 61398, Mandia was contracted by
The New York Times
to investigate the hacking of its news division. As that probe progressed (it turned out that the hacker was a different Chinese government organization), he and the paper's publishers discussed a possible long-term business arrangement, so he gave them an advance copy of the report on the Shanghai unit.
The
Times
ran a long front-page story summarizing its contents.

China's foreign affairs ministry denounced the allegation as “irresponsible,” “unprofessional,” and “not helpful for the resolution of the relevant problem,” adding, in the brisk denial that its officials had always recited in meetings with American diplomats, “China resolutely opposes hacking actions.”

In fact, however, the Chinese had been hacking, with growing profligacy, for more than a decade. A senior U.S. intelligence official had once muttered at an NSC meeting that at least the Russians tried to keep their cyber activity secret; the Chinese just did it everywhere, out in the open, as if they didn't care whether anyone noticed.

As early as 2001, in an operation that American intelligence agencies dubbed Titan Rain, China's cyber warriors hacked into the networks of several Western military commands, government agencies, defense corporations, and research labs, using techniques reminiscent of the Russians' Moonlight Maze operation.

Around the same time, the Third Department of the PLA's General Staff, which later created Unit 61398, adopted a new doctrine that it called
“information confrontation.” Departments of “information-security research” were set up in more than fifty Chinese universities.
By the end of the decade, the Chinese army started to incorporate cyber tools and techniques in exercises with names like “Iron Fist” and “Mission Attack”; one scenario had the PLA hacking into U.S. Navy and Air Force command-control networks in an attempt to impede their response to an occupation of Taiwan.

In short, the Chinese were emulating the American doctrine of “information warfare”—illustrating, once more, the lesson learned by many who found the cyber arts at first alluring, then alarming: what we could do to an adversary, an adversary could do to us.

There was one big difference in the Chinese cyber attacks: they were engaging not just in espionage and battlefield preparation, but also in the theft of trade secrets, intellectual property, and cash.

In 2006, if not sooner, various cyber bureaus of the Chinese military started hacking into a vast range of enterprises worldwide. The campaign began with a series of raids on defense contractors, notably a massive hack of Lockheed Martin, where China stole tens of millions of documents on the company's F-35 Joint Strike Fighter
aircraft. None of the files were classified, but they contained data and blueprints on cockpit design, maintenance procedures, stealth technology, and other matters that could help the Chinese counter the plane in battle or, meanwhile, build their own F-35 knockoff (which they eventually did).

Colonel Gregory Rattray, a group commander in the Air Force Information Warfare Center (which had recently changed its name to the Air Force Information Operations Center), was particularly disturbed: not only by the scale of China's cyber raids but also by the passivity of American corporations. Rattray was an old hand in the field:
he had written his doctoral dissertation on information warfare at the Fletcher School of Law and Diplomacy, worked on Richard Clarke's staff in the early years of George W. Bush's presidency, then, after Clarke resigned, stayed on as the White House director of cyber security.

In April 2007, Rattray summoned several executives from the largest U.S. defense contractors and informed them that they were living in a new world. The intelligence estimates that pinned the cyber attacks on China were highly classified; so, for one of his briefing slides, Rattray coined a term to describe the hacker's actions: “APT”—for advanced persistent threat. Its meaning was literal: the hacker was using sophisticated techniques; he was looking for specific information; and he was staying inside the system as long as necessary—weeks, even months—to find it. (The term caught on; six years later, Kevin Mandia titled his report
APT1
.)

The typical Chinese hack started off with a spear-phishing email to the target-company's employees. If just one employee clicked the email's attachment (and all it took was one), the computer would download a webpage crammed with malware, including a “Remote Access Trojan,” known in the trade as a RAT. The RAT opened a door, allowing the intruder to roam the network, acquire the privileges of a systems administrator, and extract all the data he wanted.
They did this with economic enterprises of all kinds: banks, oil and gas pipelines, waterworks, health-care data managers—sometimes to steal secrets, sometimes to steal money, sometimes for motives that couldn't be ascertained.

McAfee, the anti-virus firm that discovered and tracked the Chinese hacking operation, called it Operation Shady RAT. Over a five-year period ending in 2011, when McAfee briefed the White House and Congress on its findings, Shady RAT stole data from more than seventy entities—government agencies and private firms—in fourteen countries, including the United States, Canada, several nations in Europe, and more in Asia, including many targets in Taiwan but, tellingly, none in the People's Republic of China.

President Obama didn't need McAfee to tell him about China's cyber spree; his intelligence agencies were filing similar reports. But the fact that a commercial anti-virus firm had tracked so much of the hacking, and released such a detailed report, made it hard to keep the issue locked up in the closet of diplomatic summits. The companies that were hacked would also have preferred to stay mum—no point upsetting customers and stockholders—but the word soon spread, and they reacted by pressuring the White House to do something, largely because, after all these decades of analyses and warnings, many of them still didn't know what to do themselves.

This was the setting that forced Obama's hand. After another Asia security summit, where his diplomats once again raised the issue and the Chinese once again denied involvement, he told Tom Donilon to deliver a speech that brought the issue out in the open. The Mandiant report—which had been published three weeks earlier—upped the pressure and accelerated the timetable, but the dynamics were already in motion.

One passage in Donilon's speech worried some midlevel officials, especially in the Pentagon. Characterizing cyber offensive raids as a violation of universal principles, even as something close to a cause
for war, Donilon declared, “The international community cannot afford to tolerate any such activity from any country.”

The Pentagon officials scratched their heads: “
any
such activity from
any
country”? The fact was, and everyone knew it, the United States engaged in this activity, too. Its targets were different: American intelligence agencies weren't stealing foreign companies' trade secrets or blueprints, much less their cash, mainly because they didn't need to be; such secrets or blueprints wouldn't have given American companies an advantage—they already
had
the advantage.

In NSC meetings on the topic, White House aides argued that this distinction was important: espionage for national security was an ancient, acceptable practice; but if the Chinese wanted to join the international economy, they had to respect the rights of property, including intellectual property. But other officials at these meetings wondered if there really was a difference. The NSA was hacking into Chinese networks to help defeat them in a war; China was hacking into American networks mainly to help enrich its economy. What made one form of hacking permissible and the other form intolerable?

Even if the White House aides had a point (and the Pentagon officials granted that they did), wasn't the administration skirting danger by going public with this criticism? Wouldn't it be too easy for the Chinese to release their own records, revealing that we were hacking them, too, and thus accuse us of hypocrisy? Part of what we were doing was defensive: penetrating their networks in order to follow them penetrating our networks; and we were penetrating these networks so deeply that, whenever the Chinese tried to hack into Defense Department systems (or, lately, those of several weapons contractors, too), the NSA was monitoring every step they took—it was monitoring what the Chinese were seeing on their own monitors. On a few occasions, the manufacturing secrets that the Chinese
stole weren't real secrets at all; they were phony blueprints that the NSA had planted on certain sites as honey pots. But, to some extent, these cyber operations were
offensive
in nature: the United States was penetrating Chinese networks to prepare for battle, to exploit weaknesses and exert leverage, just as the Chinese were doing—just as every major power had always done in various realms of warfare.

The whole business of calling out China for hacking was particularly awkward, given the recent revelations about Stuxnet, to say nothing of Obama's recent (though still highly classified) signing of PPD-20, the presidential directive on cyber operations. Some of Obama's White House aides acknowledged a certain irony in the situation; it was one reason the administration refused to acknowledge having played a role in Stuxnet, long after the operation had been blown.

In May, Donilon flew to Beijing to make arrangements for a summit between President Obama and his Chinese counterpart, Xi Jinping. Donilon made it clear that cyber would be on the agenda and that, if necessary, Obama would let Xi in on just how much U.S. intelligence knew about Chinese practices. The summit was scheduled to take place in Rancho Mirage, California, at the estate of the late media tycoon Walter Annenberg, on Friday and Saturday, June 7 and 8, 2013.

On June 6,
The Washington Post
and
The Guardian
of London reported, in huge front-page stories, that, in a highly classified program known as PRISM, the NSA and Britain's GCHQ had long been mining data from nine Internet companies, usually under secret court orders and that, through this and other programs, the NSA was collecting telephone records of millions of American citizens.
These were the first of many stories, published over the next several months by
The Guardian
, the
Post
,
Der Spiegel
, and eventually others, based on a massive trove of beyond-top-secret documents that NSA systems administrator Edward Snowden had swiped off his
computer at the agency's facility in Oahu, Hawaii, and leaked to three journalists before fleeing to Hong Kong, where he met with two of them, Laura Poitras and Glenn Greenwald. (The other reporter, Barton Gellman, couldn't make the trip.)

The timing of the leak, coming on the eve of the Obama-Xi summit, was almost certainly happenstance—Snowden had been in touch with the reporters for months—but the effect was devastating. Obama brought up Chinese cyber theft; Xi took out a copy of
The Guardian
.
From that point on, the Chinese retort to all American accusations on the subject shifted from “We don't do hacking” to “You do it a lot more than we do.”

One week after the failed summit, as if to bolster Xi's position, Snowden—who, by this time, had revealed himself as the source in a dramatic video taped by Poitras in his hotel room—said, in an interview with Hong Kong's top newspaper, the
South China Morning Post
, that the NSA had launched more than 61,000 cyber operations, including attacks on hundreds of computers in Hong Kong and mainland China.

The
Morning Post
interview set off suspicions about Snowden's motives: he was no longer just blowing the whistle on NSA domestic surveillance; he was also blowing foreign intelligence operations.
Soon came newspaper stories about NSA hacking into email traffic and mobile phone calls of Taliban insurgents on the eastern border of Afghanistan; an operation to gauge the loyalties of CIA recruits in Pakistan; email intercepts to assist intelligence assessments of events in Iran; and a surveillance program of cell phone calls “worldwide,” intended to find and track associates of known terrorists.