A year of stunning revelations has made many Americans aware that Chinese hackers, some of them believed to be associated with the country's military, have infiltrated just about every powerful institution in the District, from federal agencies to think tanks to, yes, media organizations. But less well-known are the freelance and industrial hackers operating within China, where they're estimated to have caused $873 million in damage to Chinese economy in 2011 alone.
That estimate is according to a recent study by academics at China's prestigious Tsinghua University, mentioned in a new report by the Financial Times' Kathrin Hille on China's hackers. There are criminal hackers, sure, but also corporate agents taking China's often-cutthroat internal economic competition online. Hille documents what she calls a "booming underground cyber economy in China" that goes way beyond the centralized, military-run hackers who are so much more famous.
“Some assessments seek to create the impression that China conducts cyber espionage in a highly organised way with a tight command structure, but that is just not true,” says an official at a U.S. industry association.
He says the military unit portrayed by Mandiant as a spider at the centre of a giant web is just one actor in a thriving but chaotic Chinese hacking ecosystem with many different private and state actors. “One key driver is a set of national policies that call for innovation and the development and acquisition of new technologies. This means there is an incentive for every company and every government institution to get their hands on [intellectual property], whatever it takes.”
There are probably a number of factors behind China's problem with criminal and corporate hacking; Hille cites bureaucratic infighting and underdeveloped cybersecurity firms. But you have to wonder if the country's notorious state-run hacking might play a role as well. The Chinese military's cyber-espionage would seem to set an internal norm that hacking can be okay.
As the U.S. industry official says above, Chinese corporate espionage is partially a product of national Chinese policy, which emphasizes hyper-competitiveness and acquiring intellectual property. Maybe it's a deliberate product and maybe not, but if Chinese officials even tacitly encourage Chinese firms to steal from foreign competitors, then it's reasonable to wonder whether a culture of cyber-espionage and intellectual theft might lead those companies to turn those same cyber-tricks against one another.
Could official, state-run hacking lead, directly or indirectly, to less-official hacking of the sort that's hurting China's economy? The New Yorker's John Seabrook interviewed a cybersecurity expert named Adam Meyers who walked him though a hypothetical cyberattack of the sort that might blur the lines between state and non-state hacker:
[Meyers] began by noting that many patterns of corporate espionage bear a suspicious resemblance to China's five-year plans for modernizing the country's infrastructure. The scenario he conjured up involved China's South Sea Fleet. ... The Chinese navy is known to be interested in expanding its capabilities from green-water – near to shore – and building up a blue-water, or deep-sea, presence. To do that, it needs to advance its satellite communications, boat building, robotics and other technologies.
"So the P.L.A. naval officer says to his intelligence forces, 'Here's the five-year-plan,'" Meyers said. "He's not using the military's elite hacking crews, because he doesn't want this traced back to the military. But there are plenty of crews for hire that are only loosely affiliated with the government, so he uses one of those. He says, 'Get me everything you can on these technologies.' So they go out and start their operation.
That operation, of course, would likely include some intellectual property theft from foreign firms. But the point here is not that non-state hackers are just secretly being hired by military officers, which seems unlikely. The point is that official government hacking creates a culture of cyber-espionage; it's how things are done. It also supports the freelance hacking economy, those crews who might do a job for our hypothetical PLA officer and then might hire themselves out to a Chinese firm looking to edge out its domestic competition. One branch of the Chinese government might want to clean out the hackers, sure, but as long as other branches rely on them, some hackers (as long as they don't cross certain red lines) are probably going to persist.
That culture of hacking even pervades, as I've previously written, the ranks of the Communist Party itself. Senior officials regularly spy on one another, hiring out hackers and other freelancers to help them survive the party's kill-or-be-killed culture. If you're the party secretary of a particular province and need for-hire hackers to keep that local upstart from getting you jailed or worse on corruption charges, how hard are you really going to work to arrest every known hacking crew?
None of this is to say that China's military-run hackers necessarily mean that the country will be unable to solve its problem with internal, unofficial hackers. The United States, after all, employs a massive cybersecurity force at the National Security Agency but still vigorously prosecutes cybercriminals. But the broader hacking culture, which appears to permeate much of the party in one form or another, is going to make it tougher for China to police its own Web.