Donald Trump made some questionable remarks this week that have rightly caused an almighty backlash. But one thing he did that may have more support is sign an executive memorandum which will most likely lead to a lengthy investigation into alleged widespread Chinese theft of US IP. This is a big deal in Silicon Valley and something that has irked US business in general for years.
The question is, will this latest strategy actually result in any concrete changes on the Chinese side? As you can see from this new IDG Connect piece, I’m not convinced.
Years of theft
There are few things Democrats and Republicans agree on, but one is that China has had things its own way for far too long when it comes to trade. The US trade deficit between the countries grew to $310 billion last year, helped by the growing dominance of Chinese businesses. Many of these have been able to accelerate their growth and maturation thanks to IP either stolen by hackers from US counterparts or taken via forced joint ventures and tech transfers. Many of them are selling back into the US or their huge domestic market, undercutting American rivals.
Chinese firms don’t have the same restrictions around forced JVs and tech transfers to enter the US market. In fact, the likes of Baidu even have Silicon Valley R&D centres where they’re able to recruit some of the brightest locals, while government-backed VC firms have been funding start-ups to continue the seemingly relentless one-way IP transfer.
There are, of course, more nuances to the dynamic, but you get the point.
So, will this investigation get us anywhere? After all, it will empower the President to take unilateral action including sanctions and trade embargoes. Well, on the one hand, little gain can be made from stopping Chinese IP hackers, as they have stopped outright theft ever since a landmark Obama-Xi deal in 2015, according to FireEye Chief Intelligence Strategist, Christopher Porter.
“If anything, discontinuing straightforward theft of intellectual property for strictly commercial purposes has freed up Chinese actors to focus more on these other targets than ever before, so the risk to companies before and after the Xi Agreement depends heavily on what industry that company is in and what sort of customer data they collect,” he told me via email.
That’s not to say the Chinese aren’t still active in cyberspace, but it’s less around IP theft, which is the focus of this investigation, Porter added.
“We have seen an increase in cyber threat activity that could be Chinese groups collecting competitive business intelligence on US firms selling their products and services globally—several companies that were targets of proposed M&A activity from would-be Chinese parent companies were also victims of Chinese cyber threat activity within the previous year, suggesting that they may have been targeted as part of the M&A process to give the Chinese company a leg-up in negotiations,” he explained.
Which leaves us with JVs and tech transfers, which have provided Chinese companies with vital “know-how” and “know-why” over the years. To my mind, if there’s any area where the US can and should focus its diplomatic and negotiating efforts, it’s here. However, as reports in the past have highlighted, it took China years to construct a gargantuan, highly sophisticated tech transfer apparatus, and it won’t be looking to bin that anytime soon, especially with the Party’s ambitious Made in China 2025 strategy now in full swing.
Neither side will want to become embroiled in a trade war. The US has too many companies which count China as a major market – it’s Apple’s largest outside the US, for example – and Chinese firms are doing very well selling into the US, as that huge trade deficit highlights.
In the end, my suspicion is that this is just another bit of Trump tough talk which will actually produce very little.
“This long-awaited intervention should also probably be viewed in the larger picture of the way the Trump administration operates: in terms of ‘carrot and stick diplomacy’,” Trend Micro European Cyber Security Strategist, Simon Edwards, told me.
“It is also well documented that the US administration is trying to use trade deals to get action on the situation in North Korea; and perhaps this is more of a stick to be used with the accompanying ‘carrot’ of greater trade deals?”
Time will tell, but it’s unlikely that US tech companies operating in China, and their global customers, will be any better off after this latest test.
The South China Sea is an increasingly dangerous place to be in cyberspace. And as China is involved in territorial disputes over the area that bears its name with virtually all of its neighbours, there are no shortages of targets for its army of state-sponsored operatives.
F-Secure is the latest security vendor to confirm what most of us know already – that Chinese hackers, most likely working for the state, have been systematically stealing data from organisations with interests in the region for years now. Its new report, NanHaiShu: RATing the South China Sea, details a new piece of information-stealing malware used in campaigns targeting government and private sector firms. Why? They were all involved, directly or indirectly, in a recent UN tribunal over ownership of a group of rocks in the South China Sea. Victims included the Department of Justice of the Philippines, the organisers of the Asia-Pacific Economic Cooperation (APEC) Summit and a major international law firm involved in the tribunal.
F-Secure cyber security adviser, Erka Koivunen, told me he suspects a nation state was behind the attacks, although definitive attribution is always hard.
“Admittedly the malware itself may not be the most sophisticated piece of code there is. That doesn’t however mean that the operation wasn’t sophisticated,” he said via email. “The lack of zero-days and bleeding edge alien technology may admittedly seem a bit boring, but in fact is a sign of cold calculation and professionalism on the level of execution.”
This report is the latest in a long line of similar intelligence highlighting extensive cyber espionage in the region related to Beijing’s interests in the South China Sea and the rocks, reefs and islands that dot the landscape. Late last year a ThreatConnect report revealed an alleged PLA cyber espionage campaign dating back five years and targeting the Philippines, Singapore, Thailand, Vietnam and many others in the region. US interests have also been attacked.
William Glass, threat intelligence analyst at FireEye, believes this is just the beginning, as China begins to flex its muscles in the region.
“More recently, we have seen the list of targets expand to energy companies, legal firms, and even GitHub, targeted by China’s Great Cannon in March 2015,” he told me. “Beyond simply stealing information, Beijing has found there are benefits to using cyberspace to propagandise and attempt to influence behaviour.”
He claimed that the army’s new Strategic Support Force may see disputes in the area as the perfect opportunity to test its significant capabilities, which could range from “typical cyber espionage to learn of plans and intentions of commercial companies to efforts designed to influence companies’ decisions to invest or operate in the South China Sea.”
“Recently, the Chinese media has singled out Australia and Japan for particularly harsh criticism following the tribunal ruling,” Glass explained.
“It’s possible that China-based groups—with or without official government backing—will target Australian and Japanese commercial interests in retaliation for perceived interference or in an attempt to force Canberra and Tokyo to more carefully consider any follow-on action.”
For starters, firms working in the energy, logistics and shipping, and political and legal advocacy sectors in the region would do well to redouble their cyber security efforts. But the truth is that any organisation that deals with China or works in an industry where Chinese companies have interests – which is virtually every organisation – should consider the threat of state-sponsored attacks from the East. Yes, it’s more likely they’ll encounter ransomware than an info-stealing RAT guided by the PLA. But the threat is there, and as UK organisations increasingly look to the Middle Kingdom in this post-Brexit world, it’s one they should all take seriously.
I’ve just been putting together a piece for IDG Connect on tech predictions for China and Hong Kong in 2015. It’s always difficult to fit in all the comment I manage to get on these pieces, so here’s a bit more on the cyber security side of things, from FireEye threat intelligence manager Jen Weedon.
The long and the short of it is “expect more of the same” from China. The US strategy of naming and shaming PLA operatives ain’t really doing much at all.
“In the next six to twelve months, targeted data theft by China-based actors is likely to remain consistent with patterns we have observed in the past,” Weedon told me by email.
“We expect Chinese threat groups to conduct espionage campaigns that are in line with the Chinese central government’s political and development goals.”
So what exactly will these goals be in 2015? Well, according to Weedon we can expect data theft to focus on climate change and the tech sector.
“China’s ongoing pollution challenges provide strong incentive for threat actors to steal data related to technologies that can help China stem the environmental impact of its heavy reliance on coal,” she said. “We also expect cyber espionage activity against governments and policy influencers in the run-up to the 2015 UN Climate Summit as China seeks intelligence to enhance its negotiating position on global climate policy issues.”
As for the tech sector, China is stepping up its efforts to develop homegrown computing and semiconductor policies – ostensibly for reasons of national security, ie to close down the risk of NSA backdoors in US kit.
“As the country pursues these goals, we anticipate Chinese actors will leverage data theft to supplement knowledge acquired through legitimate channels such as joint ventures with experienced foreign partners,” Weedon told me.
“We regularly observe China-based threat actors target firms engaged in joint ventures with Chinese enterprises.”
Territorial disputes in the South and East China Seas will also continue to drive cyber espionage activity, she said.
As for beyond that, we’ll just have to wait until after the National Development and Reform Commission (NDRC) outlines development priorities for the 13th Five Year Plan.
“As the central government solidifies its goals for the 2016 to 2020 timeframe, we expect further clues to emerge about which topics are likely to enter threat groups’ cross hairs in 2015 and beyond,” said Weedon.
It’s very much a question, therefore, not of whether China will continue its blatant state-backed cyber espionage campaigns, but where it will focus its considerable resources.
I seem to have chosen the wrong time to come back from Hong Kong. Just a fortnight after landing back in Blighty, the US raised the stakes between the two superpowers, and mortally offended China’s honour, by indicting five PLA soldiers on charges of hacking US firms for economic gain.
I’ve written enough about it here and here already, so I won’t go into the pros and cons of this high risk strategy again. Safe to say that Beijing already appears to be retaliating in the most effective way possible: by making things decidedly difficult for US tech firms in the Middle Kingdom. Already reports have emerged that Cisco and IBM could be in trouble.
Is a new Cold War about to begin?
Well, if it does, one company it might be worth keeping an eye on is threat intelligence firm Cyber Squared. The firm’s ThreatConnect Intelligence Research Team has an interesting and very thorough analysis of new APT-style cyber attack campaigns in the disputed South China Sea (SCS) region, as I wrote about here.
“What’s that got to do with us?” you might ask. Well, potentially quite a lot, according to Cyber Squared chief intelligence officer, Rich Barger.
“There is a risk of increased data loss for Western firms that routinely work with Vietnamese, Filipino, and other SCS region companies,” he told me. “Unit 61398/APT1 operates on the whim of the PRC, and cyber espionage has been adopted as the preeminent ‘low risk – high payoff’ medium for strategic intelligence collection.
“We typically see companies that are infrastructure related being targeted. Industries such as energy, oil & gas, mining, and transportation may find themselves directly or indirectly impacted.”
The message is loud and clear: if you have any military, economic or geopolitical stake in the SCS region, be aware that Chinese cyber operatives are increasing their activity.
“China has had a long standing national and regional interest within the South China Seas region,” explained Barger.
“It offers them a strategic economic advantage in terms of regional and global energy development and trade. From a military perspective, a strong Chinese presence within the SCS also counters the US pivot to South East Asia where China’s military modernisation, especially its navy, and regional assertiveness have come to an intersection.”
Barger argued that the various disparate groups at risk in the SCS need to start sharing information on attacks and “observing both the technical picture and the geo-political context”.
“It is important for those within these targeted industries to actively invest in threat intelligence processes as a standard business practice that supports internal information security operations,” he concluded.
“It is equally important that technical leaders effectively interpret and articulate regional threats and the context surrounding them to corporate business leaders.”
Verizon’s annual Data Breach Investigations Report is out and several headlines have pointed to it highlighting China once again as the biggest source of global cyber espionage threats. However, we need to be careful drawing such conclusions.
The report revealed that when it comes to cyber espionage, the majority (87%) is state affiliated rather than committed by organised crime (11%) and is targeted at victim organisations outside of the country of origin.
When it comes to “victim countries”, the US (54%) accounts for by far the majority, followed by South Korea (6%) and Japan (3%), although this is more of a reflection of the intelligence sources that inform the report than anything else.
More interestingly, it pegged “external actors” operating from Eastern Asia – mainly China and North Korea – as the most prolific worldwide, accounting for 49%.
Eastern Europe was next (21%), followed by Western Asia (4%), while North America and Europe were way down with just 1% each.
So what does this tell us? Well, those looking to prove that China is once again the arch bogeyman when it comes to global state-sponsored attacks should think twice, according to Verizon.
Report co-author and senior analyst, Kevin Thompson, told me that the results reflect the fact that large numbers of North American companies participate in the study and relatively few hail from East Asia – with none from China and Japan.
“We have been trying to recruit a partner organisation from China, Japan, or South Korea to increase our visibility into that part of the world,” he added. “Since many of our partners that investigate cyber espionage are based in North America they tend to only see attacks that are aimed at North American companies.”
Also, out of 511 total cyber espionage incidents recorded, more than half (281) were removed because no country could be attributed as the source of an attack.
“East Asia is the most commonly seen espionage actor when our partners are able to identify the country at all, which is not even half of the time,” Thompson explained.
“There tends to be more research around East Asian espionage than other countries, especially among North American partner organisations. Since there is more research in that area, it is easier for a partner to identify espionage from those regions while espionage from North America or Europe might be labelled ‘Unknown’ and would not be included in figure 59 of the report.”
If the NSA revelations have taught us anything, it’s that the 1% figure for North America-based attacks is likely to be way smaller than the reality.
Verizon also claimed in the report that “the percentage of incidents attributed to East Asia is much less predominant in this year’s dataset”.
The real growth in activity is actually coming from Eastern European attackers, it said, adding the following:
At a high level, there doesn’t seem to be much difference in the industries targeted by East Asian and Eastern European groups. Chinese actors appeared to target a greater breadth of industries, but that’s because there were more campaigns attributed to them.
Malicious email attachments (78%) and web drive-bys (20%) are still the most popular methods of gaining access to a victim’s environment.
As for advice on how to lower the risk of a compromise, Verizon reiterated the basics.
These include: patch all systems and software so they’re fully up-to-date; use and keep an updated anti-malware solution; maintain user training and awareness programs; segment your network; log system, network, and application activity; monitor outbound traffic for data exfiltration; and use 2FA to stop lateral movement inside the network.
Earlier this week David Cameron signed a deal designed to elevate the Indo-British relationship to an “unprecedented level of co-operation” on cyber security issues. It came as part of the PM’s three day trade mission to India and is certainly to be welcomed, but the agreement also implies some rather worrying things about the cyber readiness of the country’s big outsourcing firms.
The deal will essentially mean two things. Firstly, UK technical know-how and expertise in the cyber security sphere will be shared with Indian outsourcers, essentially to help protect the vast amounts of data from UK consumers and businesses which are now held on servers in the country.
Secondly, the agreement will see the two countries share relevant threat intelligence in order to thwart attacks on their systems, whether they’re coming from the UK, India or elsewhere.
Now, as mentioned, any kind of international co-operation on cyber threat protection is a step in the right direction, and Cameron certainly can’t be faulted for his assertion that “other countries securing their data is effectively helping us secure our data”.
My surprise is that big name outsourcers like Wipro, HCL, Mahindra and Infosys – firms which have built their business presumably on the quality (and security) of their BPO offerings – need an extra hand.
Any CIO worth his salt would surely relegate to the scrap heap a potential outsourcing provider who could not satisfy his or her list of pre-determined security requirements.
Sure, the smaller outsourcers will benefit most from this deal, but the big boys too?
Well, yes, according to Forrester’s New Delhi-based analyst Katyayan Gupta.
“Even larger Indian firms like Infosys, TCS, etc. will also benefit because now they will have an additional layer of security against cyber criminals,” he told me.
“This is not to say that these firms do not have good security right now. But the question really is – is it enough to keep all attackers out? Probably not.”
Now I know in this age of APTs and highly targeted attacks no firm can claim to be impervious, but it’s slightly worrying when those with huge resources – in an industry where reputational damage following a data breach could hit hard – are apparently getting expertise flown in from the UK that they haven’t obtained anyway.
Also, as Gupta argued, the deal will still do nothing to stop perhaps the biggest threat to UK data residing on these firms’ servers: corrupt insiders.
It may be time to revisit those SLAs.
In a startlingly refreshing display of honesty, RIM CEO Thorsten Heins has come out and said the firm is steering clear of China when it comes to manufacturing to reduce the risk of IP theft which could cripple its business.
It’s a bold statement, given that in my experience most tech firms – and even analysts – are very reluctant to discuss China in anything approaching critical terms, especially when cyber security is mentioned.
It’s certainly a valid point. I’ve reported in the past for The Register how many multinationals are suffering IP loss from their Chinese business units.
As RIM is teetering on the brink financially and seems only to be able to differentiate competitively from its rivals by virtue of the superior security capabilities of its handsets and infrastructure, any breach would be a huge blow.
That’s not to say it is necessarily safer anywhere else, but eliminating China from the supply chain could be a wise move.
Kenny Lee, a forensics expert with Verizon Business, sat down with me on Thursday to explain what hacking activity he’s seeing inside Hong Kong and Chinese firms.
Interestingly, while he did admit there was a fair amount of “low level” IP theft from firms in the region, mainly due to employees looking to set up their own businesses, there is a more insidious data leakage problem – technology transfers.
These agreements are usually foisted on foreign multinationals wanting to expand into China. The deal is that they have to partner up with a local Chinese firm by law to sell into the country’s huge market, and in doing so will usually need to share IP with them.
After a certain point, Lee explained, the Chinese partner usually has enough knowledge to pull out of the venture, having sucked all the IP it needs from its foreign partner.
There’s the rub for foreign firms such as BT, who can’t gain direct access to the market but equally reject the idea of handing over their hard-earned IP.
There’s no chance of things changing from the top anytime soon, so foreign firms will continue to have to weigh the risks and make that judgement.