article

08.04.11

China’s Secret Cyberwar

Another huge Internet attack targets 72 organizations, including the U.N., and once again it apparently originated in China. Richard Clarke, former head of U.S. cybersecurity, says it’s time to fight back.

On Wednesday, the security firm McAfee revealed that a widespread cyberattack had targeted 72 organizations including the United Nations, governments, defense contractors, and other corporations in what a McAfee executive called “the biggest transfer of wealth in terms of intellectual property in history.” That attack comes on the heels of previous breaches at Google, the Pentagon, Citigroup, RSA, and defense contractors Lockheed-Martin and L-3 Communications.

McAfee won’t say who was behind the newly revealed attack, but as before, this one has Chinese fingerprints all over it. For example, the targets included the International Olympic Committee and several national Olympic committees, which were breached in the months before the 2008 Beijing Olympics.

“What’s going on is very large-scale Chinese industrial espionage,” says Richard Clarke, a former top U.S. government official who held roles in counterterrorism and cybersecurity and now is chairman of Good Harbor Consulting, a security and risk-management company in Arlington, Va. "They're stealing our intellectual property. They're getting our research and development for pennies on the dollar."

Clarke says U.S. officials haven’t even dared to raise the subject with their counterparts in China, which sends the message to China that it's free to keep stealing from us. “We’re doing nothing to penalize them. So from their perspective, why not do it?” Clarke says.

Clarke says it’s time for the U.S. to start fighting back. He says President Obama should “authorize action to go after the computers involved in the attack.” Clarke says we could zap malware across the Internet, “the same way they do it. You can destroy the computers involved in the attack. They can pay a price.”

Clarke admits that doing this would risk escalating tension and might invite retaliation from the Chinese. “But it’s better than lying there prostrate having all your research and development and intellectual property stolen and doing nothing about it,” he says.

Worse yet, these attacks are probably only the beginning, says Joel Brenner, former director of national counterintelligence for the U.S. whose book America the Vulnerable: Inside the New Threat Matrix of Digital Espionage, Crime and Warfare will be published this fall.

“It would be foolish to assume that there are not going to be more attacks—real bad attacks,” Brenner says.

Huge parts of our infrastructure are susceptible, including our power grid, which now is connected to the Internet. Putting the grid online has made it easier to manage but “is profoundly unwise,” Brenner says. “Rational people buy down risk. We have increased it, and we are continuing to do so in the name of short-term efficiency.”

"We are getting attacked. We are getting our pockets picked."

Brenner says he’s not predicting that terrorists will launch a cyberattack on the U.S. power grid. However, he says, “if there is an attack on the grid, no one should be surprised.”

Brenner says we’re not at war, but we have entered a new era in which “attacks are going to be part of the norm now, and they are going on in what is legally called 'peace.' We are being attacked. It isn’t war. War would be worse. But it’s really a serious problem. It’s operationally threatening, and we are getting our pockets picked.”

The U.S. is a big target simply because most of the world’s cutting-edge tech innovation still takes place here. “There’s just more stuff here to steal,” Brenner says.

Phyllis Schneck, chief technology officer at McAfee, says that in 2009 the company discovered a “command and control” server that was being used to launch the attacks. McAfee collected logs of all the attacks that the server was carrying out, and warned organizations that were targeted. McAfee calls the attack campaign “Operation Shady RAT.” (RAT is an industry acronym for Remote Access Tool, meaning the software that gets installed in a corporate network and is used to extract information.)

Schneck says McAfee announced the attacks publicly because it wants people to realize that this kind of “quiet attack” has become so widespread that virtually every company of any size has been targeted already. “We like to say there are two kinds of companies—the ones who know they’ve been owned, and the ones who don’t know it yet,” Schneck says.

And for now, it seems, there’s not much we can do about it.