Everyone knew what China was doing -- now what?

China's cyber spying is no secret, but the magnitude of the data theft may be a wakeup call to secure sensitive corporate info

The report released this week by security firm Mandiant laid out damning evidence linking China to a sophisticated cyber espionage ring and set off an avalanche of alarms and hand-wringing that brings to mind the scene in "Casablanca" where Captain Renault exclaims, "I'm shocked, shocked to find that gambling is going on in here!"

That China engages in cyber spying has been an open secret. InfoWorld's own Roger Grimes has been issuing warnings for more than two years about the dangers of APTs (advanced persistent threats) and detailed the methods used by cyber spies to steadily mine corporations' sensitive data.

What is new -- as delineated in the Mandiant report -- is irrefutable evidence of the magnitude of that espionage. As Ted Samson wrote in his in-depth back story on the Mandiant report, "Mandiant estimated that APT1 steals as much as 6.5 terabytes of compressed data from a single organization over a 10-month time period and estimates the group has likely stolen hundreds of terabytes from its victims."

Mandiant caught the popular press's attention by tracing the espionage to China's People's Liberation Army. But what often becomes obscured in heated talk of "cyber wars" is the fact that this is economic -- the hacking group identified as APT1 has been engaged in stealing business plans, partnership agreements, contact lists, and most importantly intellectual property worth potentially billions of dollars -- not ground warfare. As Gary McGraw, CTO at Cigital, told CSO, "It is a gross exaggeration to call these attacks acts of war. This is not cyberwar. That involves blowing things up, or taking things down for an extended period. This is espionage. There is a big difference, and we should not be conflating the two."

"Cyber war" is a term easily dismissed as a problem for governments and diplomats. But what's really involved is a large-scale cyber espionage operation that corporate America has for the most part ignored. Or as Grimes writes, "Chinese APT likely has unfettered access to every major company you can think of. In fact, I know of only one company that appears to remain uncompromised out of the dozens that have invited me to conduct an investigation."

Obviously, U.S. companies won't drop business with China, nor will they isolate themselves from the Internet. They could take steps to secure sensitive data -- but odds are they won't. Grimes decries the shortfall in security basics: "No company I know of patches correctly or prevents users from running things they shouldn't. Almost every company has no clue about what is really running on each user's system -- and each user's system can contact nearly every other computer in the enterprise, even when there's no reason for it."

Grimes goes on to say:

To stop cyber crime, we need to rebuild the Internet. Nothing short of that will work. No one who has taken the time to really examine the systematic problems would disagree. With existing protocols, we could add the needed protections to the Internet today, and it would be backward compatible. I've even written a fairly detailed plan (PDF) describing how this could be accomplished.

In the meantime, Grimes lays out the five signs you've been hit with an advanced persistent threat, which should be required reading for IT security pros and CSOs at every large enterprise. And business executives who travel to China would do well to check out Bob Violino's tips for securing their laptops. In fact, "you should simply assume your computer will be breached if you go to high-risk countries such as China to conduct business," says Israel Martinez, a private-sector board member at the U.S. National Cyber Security Council, a defense industry group.

Alternatively, we can continue to sit back and view all this cyber espionage and IP theft as a sort of experiment in intellectual freedom. As Bill Snyder wrote in "Save Silicon Valley -- abolish patents now":

Companies like Apple and Samsung waste tens of millions of dollars on ultimately fruitless litigation: Does anyone really think that a rounded corner is an idea that should be covered by a patent? And giants like Google and Microsoft waste billions acquiring a defensive portfolio of patents. With the possible exception of the pharmaceutical industry, no sector of the economy is more embroiled in the patent mess than information technology.

Perhaps APT1 is getting the jump on a world where ideas are more, er, freely shared, whether corporations like it or not.

This article, "Everyone knew what China was doing -- now what?," was originally published at InfoWorld.com.
