How to Catch Chinese Hackers: Look at Who Wants Your Corporate Secrets

Keeping tabs on rivals may help companies foil attacks.

Jeffrey Johnson has the stamp of a military man, perhaps as a result of his early career in the U.S. Navy. The part in his hair might as well have been drawn with a ruler; his shirt is tucked as tight as a hospital corner. He looks slightly incongruous striding around his downstairs den in suburban Virginia in his socks and eating Chick-fil-A takeout, as he explains why SquirrelWerkz isn’t just another cybersecurity startup.

His contention is that hacking isn’t a technical issue: It’s a business and competitive issue, and that’s how companies need to approach it. “All this time we’ve been focused on the technology layer, but it’s just a means to an end,” he says. “What we forgot to do was to focus on the business transactions.” Johnson began doing just that as a cyber-risk specialist at EY (formerly Ernst & Young). In 2012 he was called in to examine a breach at a U.S. chemical company. An earlier investigation by the FBI concluded that Chinese hackers had penetrated the company’s network using a phishing e-mail and gained control of servers in Germany and Canada for two months.

As Johnson began digging into the company’s business plans and operational data, it became clear the damage was more extensive and insidious. He uncovered evidence that the hackers were intercepting inbound orders, as well as outbound e-mails with price quotes and other terms. They also tampered with the ordering system for raw materials, causing production delays, and made off with valuable research related to a line of environmental products.

The likely beneficiary of all the malicious activity emerged, Johnson says, when a Chinese firm made a lowball offer for the U.S. company after its performance began faltering. He says the business “has no way of recovering. You’re literally stealing the future.”

Johnson left EY in July and runs SquirrelWerkz out of his house. (On LinkedIn, he lists his current position as Chief Squirrel.) He’s assisted by five analysts scattered across the country. They closely track the activities of Chinese “national champions,” strategically important companies that the Chinese government supports through overt and covert means. Johnson’s analysis has uncovered a correlation between cybercampaigns targeting international heavy equipment makers and spikes in patent filings by a pair of those companies’ Chinese rivals beginning about 10 years ago. Neither had much research and development spending to support the sudden innovation, or capital expenditure to support their rapid growth, according to Johnson. SquirrelWerkz’s model flags that kind of anomaly, including overlapping intellectual property, and can offer recommendations on responses, such as challenging the IP claims.
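A toy version of the kind of anomaly check the paragraph describes, added here as an illustration; it is not SquirrelWerkz's model or code. The rival company, its yearly patent and R&D figures, the campaign years and the thresholds are all constructed for the example. It flags years in which patent filings jump while R&D spending stays flat, then asks whether each flagged year follows an observed cyber campaign against the sector.

```python
"""Illustrative 'cyber-economic' anomaly check (constructed example, not SquirrelWerkz code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class YearRecord:
    year: int
    patents: int        # patent filings in that year
    rd_spend: float     # R&D spend, same currency unit every year


# Constructed figures for a hypothetical rival "RivalCo"; not real data.
RIVALCO = [
    YearRecord(2004, 12, 3.1),
    YearRecord(2005, 14, 3.3),
    YearRecord(2006, 15, 3.4),
    YearRecord(2007, 61, 3.6),   # filings roughly quadruple while R&D is flat
    YearRecord(2008, 70, 3.7),
    YearRecord(2009, 66, 3.9),
]

# Years in which a campaign against the target sector was observed (constructed).
CAMPAIGN_YEARS = {2006}


def growth(prev, cur):
    """Year-over-year growth as a fraction; an undefined base counts as infinite growth."""
    return (cur - prev) / prev if prev else float("inf")


def flag_innovation_anomalies(records, patent_jump=1.0, rd_jump=0.25):
    """Return years where patent filings grow by more than `patent_jump`
    (a fraction, so 1.0 means doubling) while R&D spend grows by less than `rd_jump`.
    Records must be sorted by year."""
    flagged = []
    for prev, cur in zip(records, records[1:]):
        patent_growth = growth(prev.patents, cur.patents)
        rd_growth = growth(prev.rd_spend, cur.rd_spend)
        if patent_growth > patent_jump and rd_growth < rd_jump:
            flagged.append(cur.year)
    return flagged


def correlate_with_campaigns(flagged_years, campaign_years, lag=2):
    """Pair each flagged year with campaign years that fall in the preceding `lag` years.
    An empty list means the spike has no observed campaign behind it."""
    return {
        year: sorted(c for c in campaign_years if 0 < year - c <= lag)
        for year in flagged_years
    }


if __name__ == "__main__":
    anomalies = flag_innovation_anomalies(RIVALCO)
    print("Patent spikes without matching R&D:", anomalies)
    print("Preceded by campaigns:", correlate_with_campaigns(anomalies, CAMPAIGN_YEARS))
```

The thresholds and the two-year lag are arbitrary and would need tuning against a real filing database; the point is only that the signal is a business metric, not a packet capture, which is the article's thesis.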

Johnson says his approach simplifies things. Instead of defending against everyone, companies identify the two or three competitors most likely to target them. Individuals, whether an executive at a partner company or an engineer at an acquisition target, are assigned a risk score based on career history and links to institutions in China that may support hacking and IP theft. “Jeff’s work provides a unique integration of cyber, criminal, competitive, and economic threat intelligence and analytics that hasn’t been done before,” says Bob Rose, an independent cybersecurity expert who advises several government agencies and corporations. “It gives senior decision-makers a tailored view of the risks, findings, and recommendations.”

Johnson has spent the past nine months presenting his model and findings to government agencies, including the FBI. The U.S. government has new tools it can use against hacking, including a sanctions program created by executive order last year. He hopes his cyber-economic model can help build evidence for such cases, and ultimately increase the cost of hacking to China.

The bottom line: SquirrelWerkz says companies investigating hacks put too much emphasis on technology and too little on business analysis.
