How much do you think Chinese state-sponsored cyber spies steal from the US each year? No, you’re way off. It’s in the region of $5 trillion – 30% of GDP – according to one expert interviewed in a new exposé of Beijing-backed cyber attacks by the Epoch Times.
I covered this one for Infosecurity and IDG Connect because although most of the info for the article came from publicly available sources, it had some interesting insight from various industry experts and tied together the whole shadowy web of guanxi-tinged goings-on in the Middle Kingdom very well.
Particularly illuminating were claims that there are hundreds of state-backed “tech transfer centres” whose mission is to earmark IP they want, send scientists abroad to study in relevant industries and then reverse engineer products from stolen IP. It’s China investing in state-sanctioned theft because it’s quicker, easier and way cheaper than doing R&D the legal way. It’s happening on an industrial scale, to feed the country’s military aspirations and economic growth – many of the products are produced cheaply and sold back to the West at a fraction of the cost of the originals.
It’s thoroughly depressing but fascinating stuff and will make for frustrating reading if you’re a US tech CEO. If you haven’t been breached yet, you will be – or maybe you just haven’t found out about it yet.
China can do this, of course, because there’s a very fine line between government, academia, military, state-owned enterprise and even private business. All organisations must have a CCP committee which some believe sits even higher than the board. And all are expected to pull together for the betterment of Team China. But while the report calls out state-owned enterprises, there is in fact little in the way of evidence that private businesses have capitalised on stolen IP to accelerate R&D and produce cheap kit with which to flood Western markets.
Report author Josh Philipp told me that evidence was hard to find – even the US indictment of five PLA hackers last year referenced only SoEs. IP theft does happen, however, especially by contract manufacturers making products for US firms, although this is slightly different from the cyber espionage/tech transfer cycle mentioned in the report.
“Any private company involved would likely be running a small-scale counterfeit operation, which would be hard to pin down,” Philipp told me.
What is clear is that despite recent exhortations from the top to create an “innovation driven” country – an admission in itself that hitherto China’s economic growth and military might has been built on theft – the Chinese communist regime is unlikely to change things around anytime soon.
Western firms must get better at deflecting these attacks – and in so doing force up the size of investment needed by Beijing into cyber espionage activity, so that attack campaigns are just not worth the return in many cases. If they don’t, we can expect the same old breach headlines to continue ad infinitum.
Schneier, if you haven’t come across him, is BT’s chief security technology officer, author, cryptographer extraordinaire and philosopher-cum-infosecurity out-of-the-box-thinker.
Basically, what he says in info-security circles is usually listened to, although his propensity to tackle the subject more from a socio- or even biological perspective than a mere discussion of bits and bytes can make quotable extracts from a conversation with him pretty thin on the ground.
That said, Schneier was on form last night, focusing on the topic of trust and the notion that all systems, be they sociological, biological and so on, need co-operation to work. These systems also feature, inevitably, ‘defectors’, who don’t obey the rules and require security to keep their activities to manageable levels.
All fine and dandy, but what about the future? Does Schneier think we’re all doomed?
Well he certainly believes that the gap between the bad guys profiting from new technologies and the good guys catching up is greater than at any point in the past thanks to the sheer volume of new tech and the huge social change it is spurring, which is somewhat worrying.
However, there is hope that all is not lost. For one, he declared the bad stuff that happens online still a “tiny percentage” of the whole.
“I’m a short term pessimist but a long-term optimist,” he added.
As the older generation dies out things will gradually change too, he explained, as new norms around things like privacy come into play, and even the music industry is eventually be forced to change.
“The internet is the greatest generational gap since rock n roll,” he declared.
“People stealing music now are doing what will be normal in ten years’ time, they just figured it out first. The business model of scarcity doesn’t work.”
In less reassuring news, he argued that the balkanisation of the internet is likely to continue as national governments seek to establish their own controls – particularly appropriate given we were sitting in the Conrad Hong Kong, just a few miles from mainland China and the Great Firewall.
“It turns out the internet does have boundaries,” Schneier concluded. “Governments are enforcing their rules more and more and it makes for a less stable internet but it is the geopolitical future.”