How the US Should Respond to Chinese Cyberespionage

Unit 61398 building

A U.S. cybersecurity company has released details proving beyond any reasonable doubt that the Chinese military, through its Unit 61398, has intruded into at least 141 organizations over seven years, stealing terabytes of data from each. Now that attribution is clear (and, more importantly, public) the U.S. government has its best opportunity in years to take direct action against Chinese cyberespionage and help to create new norms of behavior between nations. 

The report from Mandiant offers details on the group they have tracked as a “APT1” and why it is actually Unit 61398 (also known as the 2d Bureau of the People’s Liberation Army General Staff Department’s 3d Department).  Here is a summary:

  • Nearly 90 percent of APT1’s operations targeted English-speaking countries, primarily the United States.
  • APT1 targets organizations in IT, aerospace, government, satellites and telecommunications, scientific research and consulting, energy, transportation, and other sectors. 
  • They steal a wide range of information but especially product development and use, manufacturing procedures, and business plans.
  • The size and structure of APT1’s operations accordingly implies not a stereotypical hacker group, but a large bureaucracy with dozens, if not hundreds of operators and support staff: fluent English linguists, developers of many variants of malicious software, and more.
  • Mandiant observed APT1 connect to their espionage network nearly 2,000 times and over 97 percent of those connections traced directly back to Shanghai and used systems using simplified Chinese.
  • Unit 61398 is a known cyberespionage unit, operating in Shanghai against English-speaking targets. 
  • Accordingly, Mandiant concludes APT1 is Unit 61398, though concedes the other possibility: somehow “[a] secret organization full of mainland Chinese speakers … is engaged in a multi-year, enterprise scale computer espionage campaign right outside of Unit 61398’s gates, performing tasks similar to Unit 61398’s known mission.”

This Chinese state-executed espionage differs in a critical way from otherwise similar espionage by the United States as China has an industrial policy and uses its national security resources to bolster favored, state-owned companies. U.S. espionage may be omnipresent, as some hope and others fear, but the CIA and National Security Agency pass their secrets only to the U.S. government, not U.S. companies; if they did, then information sharing of threat and other data would not be such a perennial problem.

The U.S. government has a window to take long-delayed action. Of course, the U.S. government should continue to press China behind closed doors, such as at the China-U.S. Strategic Security Dialogue. But as norms are not developed in backrooms, now that the information is public, the government should also respond publicly.

Analysts inside and outside government have known for years of Chinese government complicity and have the D.C. think tank community has already generated a wealth of options. The National Security Council staff should coordinate the following actions:

  • The National Security Council should draft comments for the president to speak against Chinese espionage, as a follow up to his State of the Union speech and recently issued executive order.
  • The intelligence community should follow Mandiant’s lead and release its own public reports on Chinese espionage. This should start with an unclassified version of the latest cyber National Intelligence Report followed by details on specific threat actors, especially declassified corroboration on Unit 61398.
  • The United State Trade Representative should coordinate unilateral sanctions against companies associated with the People’s Liberation Army, especially those most associated with the General Staff Department. The U.S. Trade Representative should also start building a case with the World Trade Organization, since information of commercial value has been stolen, an approach long favored by Dmitri Alperovitch, senior fellow of the Atlantic Council.
  • The Department of State should:
    • Formally demarche the Chinese government for more information on Unit 61398 and demand it cease all activity against the United States or face escalating sanctions.
    • Place visa restrictions on anyone associated with Unit 61398, based on information from the intelligence community. 
    • Coordinate action with other targets of Unit 61398, especially the United Kingdom and Canada, who should implement their own visa and trade sanctions.
    • Convene an unclassified conference of like-minded nations to discuss policy carrots and sticks to stop this espionage. The conference should include the traditional “five-eyes” allies of the United Kingdom, Canada, Australia, and New Zealand, as well as others targeted by Chinese espionage like Japan, France, and Germany.

If China does not respond favorably to these actions, there are options to ratchet up the sanctions. For example, Stewart Baker recommends visa restrictions on students and researchers from Chinese universities tied to other state-sponsored espionage incidents.

Chinese espionage has been a major problem for a decade, largely because the Chinese never faced any penalty for their actions. Now that, again, the private sector has taken the lead, the U.S. government must shake off its reluctance and jump into gear.

Jason Healey is director of the Cyber Statecraft Initiative at the Atlantic Council. You can follow his comments on cyber cooperation, conflict, and competition on Twitter @Jason_Healey. This piece first appeared in U.S. News & World Report. 

Photo credit: Google Earth

Related Experts: Jason Healey

Image: Unit-61398.jpg