Chinese Hackers Indicted: Experts Weigh In

Earlier today, Deputy Attorney General Rod Rosenstein announced that the Department of Justice indicted two computer hackers associated with the Chinese government.  Our experts weighed in about the implications of these charges 

December 20, 2018

Megan Brown – NSI Associate Director of Cybersecurity and Senior Fellow; Partner, Wiley Rein

Kudos to DOJ for its collaboration with other countries and its work to call out cybercrime and advance norms. While some may think these indictments are theatre without real consequences, they are a key part of US leadership that can shape expectations for international behavior.

The tactics of these and other cyber criminals hurt companies and citizens in the US and around the world.  Actions like today’s serve as a reminder that companies suffering breaches are themselves victims of criminal activity. Sophisticated companies with robust defenses are being attacked and compromised by persistent and savvy criminals who are well resourced and protected.  Like minded governments must work with the private sector to respond to these threats and build resilience across the global economy. 

Dr. Nicholas Dujmovic – NSI Visiting Fellow; Former Staff Historian, Central Intelligence Agency

With all the recent news about Russian intelligence activities, this Justice Department announcement is welcome as it brings forward the even greater Chinese threat.  But even here, we’re looking at just the tip of the iceberg.  Chinese intelligence activities against the United States and the West run the gamut from collection (technical and human) to ruthless counterintelligence to covert influence operations that are breathtaking in scope.

As Michael Hayden noted in his memoir, ‘I stand in awe (as a professional) at the depth, breadth, and persistence of [Chinese intelligence] efforts against the United States.’  These efforts involve technical access programs through IT, relentless hacking linked to the People’s Liberation Army, stealing US Navy contractor data on weapons systems, trying to recruit American and French government officials and industry leaders involved in national security through LinkedIn, subtle and not so subtle attempts to mold Western thinking about China through mechanisms like the Confucius Institutes on college campuses.  The list is seemingly endless.  Make no mistake, China is using its considerable human and technical resources to achieve intelligence dominance over the West.

Jamil N. Jaffer – NSI Founder; former Chief Counsel and Senior Advisor for the Senate Foreign Relations Committee and former Associate Counsel to President George W. Bush

“Today’s indictment of two Chinese nationals that worked with the Chinese Ministry of State Security is another strong step by the Justice Department to pursue those who would target our economic and national security through cyber theft of core American technology.  That being said, significantly more needs to be done to staunch the bleeding and to prevent American intellectual property being repurposed abroad.  It is simply not enough just to indict individuals, we must also track them down and bring them to justice.

More importantly, we must also punish such activity directly when it happens in order to deter further activity going forward.  We can best do so by taking strong military, intelligence, and foreign policy actions, where appropriate.  Such actions will work better to deter foreign cyber activities than indictments standing alone.

Moreover, the government must take action now to work directly with the private sector to empower it with the type of information it needs to defend itself against such threats going forward.  Sharing threat information after an indictment is announced is helpful, but needs to happen sooner when a threat is detected, not after hundreds of millions of dollars in research and development dollars have already walked out the backdoor.

Indeed, if there ever was a case where something more than an indictment was necessary, this is it.  Here, 45 technology companies and government agencies in over a dozen states had hundreds of gigabytes of data stolen including technologies related to computers, satellites, oil drilling, and other highly sensitive and national security matters.  The victims included the Navy, where sensitive data on over 100,000 Navy personnel was stolen, the Department of Energy’s Lawrence Berkeley National Laboratory, the NASA Goddard Space Center, and the Jet Propulsion Laboratory.

Given all this, it is critical that the U.S. government not only continue to take the kind of strong actions it has today, but that it should also do more now to address the very real threat posed to our economic and national security by aggressive Chinese cyber activity.  First, it should share information about such threats in real time, as they are detected, rather than weeks and months later when an indictment is announced.  Second, it should open the door wider to take significantly stronger action against foreign nation-states, including keeping all military, intelligence, and foreign policy options on the table.  Finally, if we are ever to truly deter such activities going forward, the government must, when appropriate, actually take such actions in response to such foreign cyber threat activities and not simply rely on an indictment in federal court.”


Dr. Andrea Little Limbago –NSI Associate Director of Emerging Technologies and Senior Fellow; Chief Social Scientist, Virtru

“Since 2014 the Department of Justice has issued a series of indictments that link Chinese government-backed personnel to economic espionage. However, this year has seen an uptick in indictments and public naming of China as a core violator of the rule of law.  In the past few months alone, China has been linked to the Marriott mega-breach, ten Chinese intelligence agents were indicted for compromising aviation technology, two other officers were indicted for conspiring to steal rice production technology, and a Chinese spy was extradited from Belgium for commercial theft. 

However, today’s indictment is unique for several reasons. First, the degree of international coordination, including reinforcing statements from allied governments, supports a global norm against cyber-enabled commercial theft.  Second, the Department of Justice publicly rebuked China for violating the 2015 agreement against cyber-enabled commercial theft. The rebuttal joins this year’s report from United States Trade Representative on China’s corporate espionage, and reaffirms China’s non-compliance to an agreement that was similarly made with other countries, including Australia and Canada.  Finally, while much of the focus is on the vast range of commercial espionage, it is important to also remember China’s role in the major theft of the personal data of US citizens, including the OPM and Anthem breaches. Today’s indictment notes the theft of 100,000 Navy personnel, including salary information and personal phone numbers. The indictment is yet another reminder that China’s theft is not only detrimental to U.S. commercial innovation, but it also infringes upon the privacy of U.S. citizens through a broad range of personal data theft, including health, travel, and financial data, and personally identifiable information such as social security numbers and birth dates.”

Bob Stasio – NSI Visiting Fellow; Former Cyber Operations Lead, National Security Agency

“Today’s announcement regarding the U.S. Department of Justice (DOJ) indictment of two Chinese hackers appears to be a continuation fo the ‘name and shame’ strategy which began under President Obama. I am of two minds when it comes to this approach.  I applaud the DOJ for taking an aggressive stance against the Chinese strategy to exploit the U.S private sector with state-backed resources – most commercial entities are struggling to deal with advanced persistent threats, and this indictment gives a real signal that these type of actions will not be tolerated.

Alternatively, charging Chinese espionage actors that will likely never be extradited does nothing to practically stop hacking against the U.S. The ‘name and shame’ strategy against state actors may actually endanger current and former U.S. intelligence officials traveling overseas, as belligerent nations may seek retribution.  In my view, a more effective alternative would be using our offensive cyber capabilities under the Department of Defense to send a message versus the continual reliance on law enforcement. “

Dan Wagner – NSI Visiting Fellow; Legislative Liaison, U.S. Special Operations Command

China is the greatest threat to US National Security, period.  The next likely catastrophic event on the US will come from the Chinese in the cyber realm.  The DOJ charging two Chinese hackers for attacking multiple companies is one of many tools the US should be employing on a regular basis to stress to the Chinese this is not acceptable and there are now consequences.

For too long the Chinese and Russians have gone unchallenged, experiencing few repercussions for their constant cyber hacks and attacking.  Perhaps it was out of fear of starting WWIII.  Primarily because many senior US officials did not understand cyber or were focused exclusively on the counterterrorist fight as the greatest threat.

Countries like China and Russia continue to hack US companies and information, with the latest target being Marriott, and have openly pledged to not only not stop, but to increase.  China and Russia are starting with a leg up on the US, no thanks to Snowden.  The amount of data that countries like China, Russia, and Iran are compiling on US policy makers, as well as corporate and government leadership and technology, is scary.  What they can or intend to do with that data may be even more scary.  The US must respond by bolstering their Cybersecurity capability and prosecuting those countries and people who conduct operations against the US and our allies.

The Administration has recently released new cyber guidance in the form of a Presidential Directive granting more power to conduct cyber operations.  Recently though, the top commander in the Middle East and Central Asia authored a paper stating that the new authority is not enough.

The head of U.S. Central Command, Gen. Joseph Votel, wrote in his paper that the Pentagon must ‘normalize’ electronic warfare and cyberattacks and incorporate them into daily operations.  He went on to state, ‘We need to proactively execute cyberspace and information operations early in ‘Phase 0 / steady state’ of the planning process — well before operation execution. Only then can we shape the [information environment], hold our adversaries’ capabilities at risk and execute at the speed of war.’  I have to agree.

Russia China Iran and North Korea have all conducted offense of cyber operations around the world and it has not resulted in World War III yet.  It is not a secret that the United States has offensive cyber capabilities and such capabilities will likely also not result in World War III if executed with precision and diligence when provoked.

Taking the restraints off of US offensive cyber capabilities through the administration’s new cyber policy may be the next right step in proving our cyber superiority in the newest domain.  This is not a capability to be taken lightly.   Restraint and target vetting, as well as high level approval should be maintained.  As the article points out, there is great Intel value in cyber ISR versus cyber attack.  However, just as we flex our muscles through ‘shows of force’ to Russia, China, Iran and North Korea by conducting flyovers and moving aircraft carriers into areas in the ocean, the US must also conduct the equivalent of a ‘show of force’ in the cyber domain. The trick is we must now figure out what that looks like.

Disclaimer: The views and opinions expressed in this analysis are those of the authors and do not necessarily reflect the official policy or position of the National Security Institute or any agency of the U.S. government. Assumptions made within the analysis are not reflective of the position of the National Security Institute or any U.S. government entity.