Nine months after President Barack Obama and President Xi Jinping of China agreed to a broad crackdown on cyberespionage aimed at curbing the theft of intellectual property, the first detailed study of Chinese hacking has found a sharp drop-off in almost daily raids on Silicon Valley firms, military contractors and other commercial targets.
But the study, conducted by the iSight intelligence unit of FireEye, a company that manages large network breaches, also concluded that the drop-off began a year before Obama and Xi announced their accord in the White House Rose Garden. In a conclusion that is largely echoed by U.S. intelligence officials, the study said the change is part of Xi’s broad effort to bring the Chinese military, which is considered one of the main sponsors of the attacks, further under his control.
As a result, the same political forces that may be alleviating the theft of data from U.S. companies are also responsible for Xi’s stunningly swift crackdown on the Chinese media, bloggers and others who could challenge the Communist Party.
“It’s a mixed bag,” said Kevin Mandia, founder of Mandiant, now part of FireEye, which first detailed the activities of a People’s Liberation Army cyberarm, called Unit 61398, that had been responsible for some of the most highly publicized thefts of U.S. technology. “We still see semiconductor companies and aerospace firms attacked.”
But the daily barrage of attacks has diminished, which Mandia attributed to “public pressure” from, among others, the Justice Department’s decision to indict five members of the PLA unit about a year after its activities were exposed.
Today, Unit 61398 appears to be largely out of business, its hackers dispersed to other military, private and intelligence units. Many China scholars and legal experts remain skeptical that the Chinese are deterred by U.S. indictments, since the PLA officers are unlikely to see the inside of an American courtroom. But John P. Carlin, the assistant attorney general for national security, said the report validated his strategy.
“The lesson is that when you figure out who has done this kind of theft, don’t fear making it public,” he said. “This is a slow process, but we are beginning to make people realize that even in cyberspace, laws and norms are applicable.”
Obama and Xi drew up their agreement narrowly. It covers intellectual property theft — Chinese cybercriminals have stolen everything from designs for the F-35 fighter jet to the design of gas distribution networks — but not ordinary espionage against government targets.
So, for example, the administration has not publicly talked about penalizing China for the theft of personal data on roughly 22 million Americans, whose security-clearance information was taken from the Office of Personnel Management. In fact, the administration has never publicly blamed China for that theft, although the director of national intelligence, James R. Clapper Jr., did talk about China’s role once, before he was told by the administration not to refer to any specific country.
As recently as last week, senior administration officials were in Beijing trying to flesh out the agreement between the two presidents. Participants say that among the points of discussion was how to set up a hotline through which the two countries can alert each other to malicious software they have detected in global networks, with the expectation that Chinese and U.S. investigators would work to find its source.
Establishing such norms of behavior is far more likely to be effective than attempting to negotiate a treaty, according to outside experts who have been trying to devise the cyberequivalent of arms-control agreements.
“Treaties are not verifiable in the cyberarena,” said Joseph Nye, a Harvard professor known for his studies of how nations use “soft power,” who in recent years has turned to the problem of regulating activity in cyberspace. “The same code can be benign or a weapon depending on the user’s intent,” he said. For example, a six-digit code that unlocks a cellphone is a protection for the user — and a potential weapon for a hacker.
“So instead of focusing on the weapons, you have to focus on targets,” Nye said. “You start by saying that you don’t target something that has a clearly civilian use, like a power grid.”
Nye and Michael Chertoff, the secretary of Homeland Security during the Bush administration, who now runs a private firm that is deeply involved in cybersecurity, were among the lead authors of a report to be published Tuesday by the Global Commission on Internet Governance that will describe those norms to the United Nations and other groups.
Just how fundamentally the Chinese are changing is a matter of debate. There is some evidence, U.S. intelligence officials say, that while the People’s Liberation Army is not stealing as much on behalf of Chinese state-owned firms, much of the hacking activity has been shifted to the intelligence agencies, which can make the case that they are stealing national security secrets, not commercial information. Often, the difference is blurry, especially when the target is, say, the design of a satellite or a ship.
Even after Obama and Xi announced their agreement last fall, U.S. officials have said they have discovered malware in power grids, cellphone networks and other purely civilian targets. But it is unclear whether that malicious software is intended to collect information about users, shut the system down or both.
The FireEye study concluded that as early as 2014, around the time of the indictment of the PLA’s officers and hackers, the Chinese government had been modifying its approach to cyberoperations.
The study of 72 Chinese hacking groups showed a sharp drop-off in the volume of attacks. But as recently as March, FireEye saw efforts to obtain information on U.S. military projects by stealing access credentials to a contractor, and there has been continual theft of personal information from health care providers. The Chinese hacking groups have also focused on non-American targets, including Russia, South Korea and Vietnam, and have sometimes aimed at targets related to the disputes over Chinese claims in the South China Sea.
The report concludes that Chinese attacks have decreased in volume, but increased in sophistication. The result is that Chinese hackers are now acting more like Russian hackers: They pick their targets more carefully, and cover their tracks.
“We see a threat that is less voluminous but more focused, calculated, and still successful in compromising corporate networks,” the report said.