June 7 (Bloomberg) -- When Barack Obama meets with President Xi Jinping at a California estate known as Sunnylands today, China’s hacking will be high on the agenda, pushed there by a drumbeat of bad news linking that country’s military to attacks on U.S. companies and defense contractors.
The seeds of the dispute, though, are at least three years old. That’s when a set of key intelligence breakthroughs and devastating attacks, including a breach of Google Inc.’s computers, reshaped the White House view of China’s cyber spying.
Although public information about the breach at Google and almost three dozen other companies was sketchy, that wasn’t the case for the U.S. government, according to a person familiar with the investigation.
Within 24 hours of Google’s January 12, 2010, announcement, U.S. investigators knew the attack had been state sponsored. Within three weeks, they had pinned it on a specific unit of the People’s Liberation Army, the person said. The attacks on Google and the other companies were especially worrisome because they targeted technology that makes up the underpinnings of the Internet.
The attack on Google, dubbed Operation Aurora by McAfee Inc. researchers, came about the same time that U.S. investigators were making a separate breakthrough. After years of trying, they identified several key individuals in the attacks against U.S. companies, placing them at the heart of China’s intelligence apparatus.
The Justice Department’s national security division is now considering criminal indictments against some of those individuals, according to a second person familiar with the matter who asked not to be identified because it wasn’t public.
Prosecutors have virtually no chance of getting China’s spies into a U.S. courtroom. Instead, a criminal indictment would lay out the detailed evidence of China’s involvement in trade secrets theft -- a far more significant step than any the U.S. has taken so far.
“The decision to hold China publicly accountable reflects a high degree of confidence in the intelligence community as to who is responsible for the attacks,” said Paul Tiao, a partner at Hunton & Williams LLP and until recently, senior counselor for cyber security to FBI Director Robert Mueller. “Certainty about attribution enables operational professionals and policy makers to explore different ways to deal with this threat.”
The conflict over China’s hacking puts the White House in a delicate position. The U.S. is trying to draw a bright line around economic espionage while still retaining the right to hack into foreign computer systems as part of more traditional spying efforts, which are focused on military secrets.
American officials also must manage the anger of U.S. companies and voters, on one hand, and China, on the other, as they lay out the case that one of the country’s largest trading partners and a rising power has been caught red-handed rifling the jewels of the U.S. economy.
Over the last three months, that case has mostly consisted of a series of public remarks and visits to Asia by high-level officials, including the secretaries of Defense, Chuck Hagel, and Treasury, Jacob Lew. In a speech in Singapore on June 1, Hagel said growing cyber-attacks on U.S. companies “appear to be tied to the Chinese government and military.”
In the days leading to this week’s summit, China and the U.S. agreed to hold regular meetings, beginning in July, to establish norms when it comes to hacking and economic espionage.
Less visible actions could be more significant in the long run. In February, the Department of Homeland Security released a set of indicators that companies could use to detect China espionage teams in their computers, among them computer IP addresses used by hackers to extract data.
The move was controversial within intelligence circles because it could tip off China to how the much the U.S. knows about the hacking, according to one former intelligence official. The White House intervened and pushed for the release, signaling the administration wanted to make a dent in China’s activities, the former official said.
An indictment of some of China’s cyber spies would go several steps beyond a recent Pentagon report that accused China of stealing weapons technology from U.S. defense contractors.
A detailed criminal indictment typically provides a chain of evidence and an account of why the person is accused of a crime. In this case, prosecutors would probably establish the theft of commercial or military technology and show what information the government has on the hackers’ relationships to China’s military intelligence organizations.
“Anything that we can read ourselves, instead of having to take some official’s word for it, is really powerful,” Stewart Baker, former general counsel for the National Security Agency, said in a phone interview. “The more detail that comes out, the greater the pressure.”
While U.S. spy catchers were zeroing in on Chinese hackers a few years ago, Operation Aurora demonstrated how the line was becoming blurred between traditional espionage and the theft of trade secrets.
Google’s willingness to announce publicly that it had been hacked was unusual. Still, the company kept secret that the hackers had accessed a server containing court orders, which could reveal the identity of U.S. government surveillance targets, including China’ agents in the U.S. and elsewhere. That access was reported five weeks ago by a researcher at Microsoft Corp. and confirmed to Bloomberg News by a senior official involved in the investigation.
The wider list of victims was just as worrying. According to three people involved in the government and private investigations, the list included major defense contractors -- Raytheon Co. and Northrop Grumman Corp. -- as well as a handful of technology companies including Intel Corp., Adobe Systems Inc., Yahoo! Inc., Juniper Networks Inc., Symantec Corp. and Microsoft.
Morgan Stanley, the New York-based investment bank, was attacked, as was eBay Inc., the online auction site.
The investigation involved agents from the FBI, Defense Department and Department of Homeland Security, a response so broad that the agencies had to develop new rules to sort out their roles.
Once U.S. officials linked the attack to the PLA, the information was provided to senior executives of several companies, including Google co-founder Sergey Brin, who was granted a temporary classified clearance to sit in on the briefing, according to a person familiar with the investigation.
In several cases -- including those of Google, Adobe and Intel -- investigators discovered that the attackers had accessed source code repositories.
It’s unlikely the hackers were trying to replicate Adobe or Google products, investigators believe. The real danger is that the hackers were mining for unknown flaws in the software’s programming -- known as zero-day exploits. Those exploits can be used to take over computers, essentially giving China’s cyber spies the keys to millions of computers worldwide as the software was shipped by major manufacturers. In the case of Intel, it would be hard-wired into the chip sets as firmware.
“I don’t think you can come to any other conclusion,” said Stuart McClure, former chief technology officer for McAfee, which aided the government’s investigation.
The seriousness of the attacks steeled the administration’s resolve, while the intelligence breakthroughs provided the necessary proof.
Over the next several months, the administration took several steps to help defend critical networks, including finalizing the Defense Industrial Base pilot project, which provided sensitive intelligence on China’s hackers to defense contractors.
By then, however, administration officials had decided that a purely defensive approach wouldn’t work. The only solution was pushing China to change its behavior. This weekend’s meeting between the leaders of the two countries will be the best indicator so far of whether the plan is working.
“The idea of being victimized over and over again without taking action is not one you can stomach for very long,” said Tiao, the former FBI agent. “After a while you reach this boiling point, and we’re finally seeing the response.”
To contact the reporter on this story: Michael Riley in Washington at email@example.com
To contact the editor responsible for this story: Michael Hytha at firstname.lastname@example.org