US trade report lays bare Chinese government cyber-espionage
Report charges that Chinese attacks serve strategic objectives aligned with national industrial policies. Plausible deniability is maintained.
China’s government is engaged in a systematic program of cyber attacks on American and foreign companies, according to a US government trade report made public last week.
The cyber intrusions into corporate networks are one of four areas identified by the office of the US Trade Representative as unfair trading practices. These have prompted the administration of US President Donald Trump to impose tariffs on Chinese products in the coming weeks.
The other areas outlined in the USTR report include restrictions on businesses operating in China designed to induce technology transfers, and systematic acquisitions of technology companies to obtain advanced commercial know-how.
The report is the result of a special USTR investigation initiated last August.
American officials say that in response to China’s unfair practices the Trump administration will seek to narrow the trade deficit between the countries by imposing tariffs on up to US$60 billion worth of still-to-be-identified Chinese goods.
“It’s a very conservative estimate of harm, because it does not include one of the other four points of the USTR compass, which is the cyber theft,” said Peter Navarro, White House director for trade and industrial policy and a key architect of the new tariffs.
He added: “Estimates of the losses of cyber theft alone are in the hundreds of billions of dollars.”
On cyber attacks, the 215-page report states that for over a decade “the Chinese government has conducted and supported cyber intrusions into US commercial networks targeting confidential business information held by US firms.”
It adds that: “Through these cyber intrusions, China’s government has gained unauthorized access to a wide range of commercially-valuable business information, including trade secrets, technical data, negotiating positions, and sensitive and proprietary internal communications.”
The report concludes that the cyber intrusions and information exfiltration pose “a grave threat” to the economy and competitiveness of the US.
This is the first time the US government has called out the Chinese government for its cyber activities, despite intrusions that have grown in scale and sophistication since at least 2008.
The report charges that Chinese cyber attacks serve strategic objectives that are aligned with national industrial policies. As part of its overall strategy, the Chinese government denies any role in the attacks.
“As the global economy has increased its dependence on information systems in recent years, cyber theft became one of China’s preferred methods of collecting commercial information because of its logistical advantages and plausible deniability,” the report says.
The Chinese cyber thefts have continued despite an agreement reached in 2015 between Chinese President Xi Jinping and US President Barack Obama to curtail government-sponsored cyber espionage.
The report concludes that in contravention of the agreement “the evidence indicates that China continues its policy and practice, spanning more than a decade, of using cyber intrusions to target US firms to access their sensitive commercial information and trade secrets.”
Chinese cyber targeting has included harvesting sensitive corporate secrets from oil and gas companies.
China’s military, the People’s Liberation Army, is aggressively engaged in the cyber economic espionage effort. For example, the PLA’s General Staff Third Department, known as 3PLA, operates Unit 61398, which was first revealed in 2013 as a major cyber information collector.
The secret unit, located in an office building in Shanghai, is staffed by hundreds or perhaps thousands of cyber technicians.
The report notes that several private security companies have linked China to most of the thousands of cyber intrusions detected annually. 3PLA, for example, is linked to data stolen from at least 141 organizations around the world in 20 different business sectors, including aerospace, information technology, and satellites and telecommunications.
The report for the first time identifies five Chinese hackers indicted by a US federal grand jury in May 2014 as having been part of 3PLA’s Second Bureau, which directs Unit 61398.
One of their targets was the computer networks of Westinghouse Electric Company, which were hit by major cyber attacks that netted 3PLA 1.4 gigabytes of data – around 700,000 pages of email messages and attachments. The data included trade secrets, technical and design specifications and sensitive emails from senior company officials.
The report notes that during the period of the thefts – December 2010 to January 2011 – Westinghouse was building four of its AP1000 power plants in China and was negotiating terms for construction, including making technology transfers to China’s State Nuclear Power Technology Corporation (SNPTC).
“At the same time, a 3PLA actor stole confidential and proprietary technical and design specifications for pipes, pipe supports, and pipe routing within the AP1000 plant buildings,” the report says.
“The stolen trade secrets and technical information would permit a competitor to build a power plant without having to invest in associated research and development costs that had been borne by Westinghouse in the past.”
Moreover, at the same time in 2010 and 2011 that Westinghouse was conducting other business ventures with SNPTC, a 3PLA cyber attacker stole sensitive e-mails from senior officials at Westinghouse who were engaged in talks with the Chinese nuclear power entity. The decision-makers were responsible for the company’s business relationship with SNPTC.
In January 2011, as 3PLA was infiltrating Westinghouse’s servers and exfiltrating its information, Westinghouse announced the signing of two agreements with SNPTC, the report notes.
The use of 3PLA for economic cyber espionage is part of what the report says is a policy of “military-civil fusion” programs that involve China sharing resources between science and technology entities and the PLA.
“Indeed, the US government has evidence that the Chinese government provides competitive intelligence through cyber intrusions to Chinese state-owned enterprises through a process that includes a formal request and feedback loop, as well as a mechanism for information exchange via a classified communication system,” the report says.
An example is the China National Offshore Oil Corporation (CNOOC), a state-owned enterprise that tasked Chinese intelligence services with collecting intelligence on several US oil and gas companies and on US shale gas technology.
This tasking was detected in January 2012 during commercial negotiations between a US company, CNOOC and China’s Ministry of Agriculture, regarding oil leaks that had occurred at a facility jointly owned and operated by the company and CNOOC in June 2011.
According to the report, Chinese intelligence provided CNOOC with information ahead of and during the talks with the US company, including internal company information on the company’s negotiating position.
The PLA-CNOOC intelligence sharing was approved by Maj. Gen. Liu Xiaobei, 3PLA’s political commissar, the report says.
In a second case, 3PLA operatives provided CNOOC with information on five American oil and gas companies, including data on company operations, development of shale gas technology and lab procedures, fracking technology and fracking formulae.
A recent case of Chinese cyber espionage involved a front company posing as a cyber security firm called the Guangzhou Bo Yu Information Technology Co. Ltd., or Boyusec. Three Chinese nationals from Boyusec were indicted for cyber thefts against American companies, including Moody’s Analytics, Siemens AG, and Trimble Inc.
Boyusec has been linked by US intelligence agencies to the Ministry of State Security, China’s civilian intelligence service.
The trade report rejects the claims of critics who say American cyber practices are similar to those of 3PLA and the MSS.
“China’s cyber intrusions are unique from those of Western market economies because the intrusions occur within the framework of China’s extensive state-driven economic development model, which has no parallel in Western market economies,” the report says.
The report concludes that “Beijing’s cyberespionage against US companies persists and continues to evolve.”
“The US Intelligence Community judges that Chinese state-sponsored cyber operators continue to support Beijing’s strategic development goals, including its S&T advancement, military modernization, and economic development,” the report says.