The release of the Mandiant report on “Advanced Persistent Threat 1” (APT1) marked a watershed in US-China relations on cybersecurity. We are glad the security company released the report: it is good that we are now discussing specific allegations backed with specific items of evidence instead of vague accusations about “Chinese hackers” and pro forma denials by the Chinese government.
The evidence convinces me that the cyber-espionage documented by the Mandiant report came from the physical location of Pudong, Shanghai, and that the IP address blocks allocated to China Unicom and China Telecom are indeed the source of many of the break-ins documented. It is also pretty clear that there is an organized unit operating there, and it is unlikely it could operate without at least the tacit approval of the Chinese government. I am not yet convinced of the specific attribution to PLA unit 61398. I reserve judgment because China, like the US, has a military-industrial complex and people move across its boundaries in ways that are not so simple.
Indeed, Mandiant’s principals ought to know all about that. Kevin Mandia, the founder and CEO, served as a computer security officer in the 7th Communications Group at the Pentagon, and later as a Special Agent in the Air Force Office of Special Investigations (AFOSI). Richard Bejtlich, the Chief Security Officer of Mandiant, began his career as a military intelligence officer at Air Force CERT, then went on to work at the Air Force Information Warfare Center and Air Intelligence Agency before going private. Travis Reese, the Chief Operating Officer of Mandiant, worked at ManTech International Corporation where he “built one of the fastest growing and highly-regarded business units in the classified government contractor sector.” Mandiant’s offices are in the Washington, DC area. So Mandiant is as close to the US military as UglyGorilla and his colleagues probably are to the Chinese military. While nominally private sector actors, we do not know for sure the extent to which they are agents of some US government actors (“agents” in the sense of principal-agent theory or contractors, not in the sense of James Bond-style “secret agent”).
The issue now is what to make of this information. While the report is a valuable contribution to the discussion, there are several ways in which Mandiant overstates their case. These overstatements, unless exposed and understood, might lend themselves to inappropriate responses or bad policies.
Let’s begin with the accusation that the organizations targeted by the espionage correspond to the 7 strategic emerging industries identified in China’s 12th Five Year Plan. Mandiant would have us believe that the objectives of the 5-Year plan are so perfectly communicated and so well-executed that a small PLA unit’s break-in priorities are guided by it, and that the results of these gigantic data dumps are communicated perfectly to the right person at the right time to affect negotiations over the price of nuts and bolts.
With this accusation, Mandiant steps out of its role as computer security/forensics expert and becomes an intelligence interpreter. The interpretation plays into fears that China is a monolithic, well-oiled machine that will suck the life out of our economy unless we stop them. This in turn contributes to related narratives about how free, open societies are helpless in the face of authoritarian juggernauts and must abandon key aspects of their freedom and openness and start emulating hierarchically organized regimes if they are to survive. We heard the same story about the Soviet Union decades ago – and of course behind the scenes the Soviet economy was a decaying mess, its bureaucracy stifling, inefficient and corrupt. Disturbingly, cold warriors in the free world sometimes believe more strongly in the efficacy of authoritarianism and planning than the communists themselves.
But there is one obvious flaw in Mandiant’s framing of the evidence. Only 4 of the 7 strategic sectors mentioned in the Five Year Plan were targeted – i.e., just over half. Not only are 3 of the 7 sectors missing, but a lot of other sectors that are not in the Plan are included. Now, wait a minute: if the PLA unit were using the Five Year Plan as its guide, it would be a simple and direct matter for it to target organizations in all 7 of those sectors. Why would it leave any out? If they had a list derived from The Plan, nothing would stop them from following it. So the idea of a linkage is absurd; it is obviously a case of what social scientists call a spurious correlation. So why is Mandiant bringing it into the discussion at all?
What really seems to have happened is the Chinese hackers scanned any and every organization that seemed interesting, broke in wherever they could and took whatever they could take.
Mandiant also overstates its case when it characterizes the scale of the operation. When sticking to the facts, it documents the use of about 850-950 IP addresses and 937 servers – many of which are hijacked and used as a “hop infrastructure” to disguise the origins of break-in attempts. It goes on to repeatedly refer to this as a “vast” or an “immense” infrastructure. Vast? Immense? If our point of comparison is a script kiddie operating out of his parents’ basement, perhaps. If we compare it to US Cyber Command facilities, or a typical botnet, or an enterprise network, its size and scope is modest. In terms of the address resources involved, we are talking about blocks adding up to something between a /23 (512 addresses) and a /22 (1,024 addresses), which are the second- and third-smallest IP number blocks that the regional address registries will allocate. By way of comparison, Syracuse University uses two /16 blocks, which together contain 131,072 IP addresses. Botnets that we call “large” comprise tens of thousands or even millions of captive computers, not hundreds. The infrastructure and operations documented by Mandiant could be established and run by 20-30 people. It would not require hundreds or thousands as the report suggests.
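To make the address arithmetic above concrete, here is a small added example (mine, not code from the post or from the Mandiant report) that sizes a set of observed IPv4 addresses in CIDR terms: the longest prefix whose block holds a given count of addresses, the smallest single block that would cover a list of addresses, and the minimal set of CIDR blocks the list actually collapses into. The sample addresses are constructed for illustration and drawn from the RFC 5737 documentation ranges; they are not addresses from the report.

```python
"""Sizing an observed set of IPv4 addresses in CIDR terms (added example)."""
import ipaddress
from typing import Iterable, List

# Constructed sample input, NOT taken from the Mandiant report: scattered
# "hop" hosts in the RFC 5737 documentation ranges (192.0.2.0/24,
# 198.51.100.0/24, 203.0.113.0/24).
SAMPLE_IPS = [
    "192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.250",
    "198.51.100.7", "198.51.100.8",
    "203.0.113.1",
]


def block_size(prefix_len: int) -> int:
    """Number of IPv4 addresses in a block with the given prefix length."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("IPv4 prefix length must be 0..32")
    return 1 << (32 - prefix_len)


def smallest_prefix_for(count: int) -> int:
    """Longest prefix (smallest block) that still holds `count` addresses.

    937 addresses -> /22, since a /23 holds only 512.
    """
    if count < 1:
        raise ValueError("count must be positive")
    prefix = 32
    while block_size(prefix) < count:
        prefix -= 1
    return prefix


def covering_block(addrs: Iterable[str]) -> ipaddress.IPv4Network:
    """Smallest single CIDR block that contains every address in `addrs`.

    The lowest and highest addresses differ in some number of low-order
    bits; that many host bits are needed, so the prefix is 32 minus that.
    Scattered addresses produce a huge block, which is exactly why a
    covering block overstates the footprint of hijacked hop hosts.
    """
    ints = [int(ipaddress.IPv4Address(a)) for a in addrs]
    lo, hi = min(ints), max(ints)
    host_bits = (lo ^ hi).bit_length()
    return ipaddress.IPv4Network((lo, 32 - host_bits), strict=False)


def collapse(addrs: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Minimal list of CIDR blocks exactly equal to the given addresses.

    Adjacent, properly aligned hosts merge (e.g. .10 and .11 become a /31);
    everything else stays a /32. This is the honest measure of how much
    address space an operation really occupies.
    """
    hosts = (ipaddress.IPv4Network(a) for a in addrs)
    return list(ipaddress.collapse_addresses(hosts))


if __name__ == "__main__":
    print("937 addresses need a /%d" % smallest_prefix_for(937))
    print("two /16 blocks hold %d addresses" % (2 * block_size(16)))
    print("covering block for sample:", covering_block(SAMPLE_IPS))
    print("sample collapses to:", [str(n) for n in collapse(SAMPLE_IPS)])
```

Run as a script it reports that 937 addresses fit in a /22, that two /16 blocks hold 131,072 addresses, and that the seven constructed sample hosts collapse to six tiny blocks even though the single block covering them all would be a /4. The point of the last two numbers is that counting hijacked hop hosts scattered across the Internet says very little about the operators’ own address holdings.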
Again, this is not to deny that something nasty is going on, but the interpretation Mandiant imposes on the facts seems designed to hype the problem and to polarize and militarize responses. What we see here is not a world terrorized by an “immense” infrastructure run by the Chinese military as part of a well-coordinated plan to target strategic technology sectors. It would be more accurate to say that we see an organized, well-supported but modestly-sized cyberespionage operation run with the assent or direct orders of some part of the Chinese government.
To further keep things in perspective, keep in mind also that we are less likely to hear about what the US is doing to China. As Jeffrey Carr, a security expert, put it, “Mandiant refuses to consider what everyone that I know in the Intelligence Community acknowledges — that there are multiple states engaging in this activity; not just China.”
I say “some part” of the Chinese government because I am still puzzled as to why the PLA would be so broadly focused on economic espionage of this sort. Why is this unit alleged to be in the PLA? Why would it not be in a special unit of the State Council or the Information Security commission or some other part of the PRC government more directly linked to economic and technological security, espionage and development? If it really is a PLA unit (as opposed to a team of contractors in proximity to PLA facilities, perhaps making use of facilities and skills aggregation in the area) why wouldn’t it be more focused on military targets? I am not an expert on the inner workings of China’s military and intelligence capabilities, and do not mean to suggest that it is inherently wrong to conclude that a PLA unit could be focused on economic espionage, but we need to ask those questions. Mandiant could be right about the attribution or it could be wrong. Most of the links to PLA unit 61398 are indirect and inferential. Clearly, attribution to a military agency gives the whole conflict a military flavor, when in fact it all seems to be about economic espionage.
There are reasons to be concerned about equating economic rivalry, even in its dirtiest form, with war or military conflict. Spying and thefts of information are not “uses of force” as the laws of war or U.S. policy define them. As Mandiant’s own report acknowledges, the China-based information thieves were careful not to destroy or break the systems they broke into. Overuse of the word “attack” again seems to conflate military activity and thievery.
It is noteworthy that on p. 52 of the report, when Mandiant displays its fascinating information about UglyGorilla’s encounter with a Chinese expert on “network warfare,” it quotes the Chinese hacker as saying “It is said that the U.S. military has set up a dedicated network force referred to as a ‘cyber army.’ Does China have a similar force? Does China have cyber troops?” We need to be aware of the possibility of blowback. One reaps what one sows.