A deal announced two months ago between China and the U.S. was pitched as bringing an end to economic espionage.
But if any business leader thinks that means their organizations are no longer a target, they haven’t been paying attention.
That is the unanimous conclusion of a number of experts who have been tracking cyber attacks from China in the two months since Chinese President Xi Jinping and U.S. President Barack Obama announced that, “neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property (IP), including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.”
A number of experts pointed to major holes in the language of the agreement as soon as it was announced, most notably that it refers only to the governments of both countries – not their private sectors.
Also, saying the government will not “knowingly support” something is obviously not a promise that it will take steps to stop it.
And it hasn’t stopped. Michelle Van Cleave, former National Counterintelligence Executive (NCIX) and a board member of AFIO (Association of Former Intelligence Officers), put it bluntly. “Agreement or no agreement, China hasn’t changed its behavior. By all accounts it is still as heavily engaged in cyber espionage against American business and industry as ever before.”
She added that since the Chinese public and private sectors are so intertwined, there is no reason to believe that the government is, “impotent or uninvolved when it comes to these lucrative cyber operations.”
Security vendor CrowdStrike issued a report in mid-October saying it had detected seven attempted intrusions since the agreement, “where the primary benefit of the intrusions seems clearly aligned to facilitate theft of intellectual property (IP) and trade secrets, rather than to conduct traditional national-security related intelligence collection,” which is conducted by all nations and is not covered in the agreement.
CrowdStrike cofounder and CTO Dmitri Alperovitch said the company had not yet released any new findings since that report.
But the conclusions were similar at RiskAnalytics, according to Wayne Crowder, director of threat intelligence. “Our intelligence shows (economic) attacks have stayed consistent since September of this year,” he said.
The same is true at Fidelis Cybersecurity, where CSO Justin Harvey said, “we are still working large-scale breaches where we suspect that China state-sponsored cyberespionage is being conducted.”
And William Munroe, vice president of marketing at Interset, said the firm’s customers report that attacks from China, “remain the same.”
This may not mean the agreement is worthless, according to Alperovitch, who said at the time of his company’s October report that it would likely take time for the agreement to have an effect. “The fact that there is some time delay between agreement and execution is not entirely unexpected,” he said, adding that, “I continue to have hope that meaningful progress can be made to turn the corner and establish norms of behavior for nation-states in cyberspace.”
He noted this past week in an interview that, “the fact sheet that was made public by the White House didn’t specify the timeframe for execution.”
Harvey agreed, noting that just because a breach is discovered after the agreement does not mean that is when it happened.
“The Chinese could have stopped, and firms like ours and CrowdStrike are still responding to the historical breaches pre-agreement,” he said.
Munroe said a delay should be expected, for two reasons: First, China is an enormous bureaucracy, and any major change takes time. Second, “there are significant political differences between the Chinese ruling party and the Chinese military leadership.
“Taking that into account, it is likely to be a four- to six-month process, if it actually occurs,” he said.
But Neal Dennis, cyber threat analyst at Arbor Networks, pointed out that China has never admitted to conducting economic espionage, and therefore, “the concept of a timeline between agreement and execution is moot. There is no timeline from China's perspective, because establishing one would be tantamount to admitting that the government did in fact support corporate espionage efforts.
“Until recently, China never even openly acknowledged they had a cyberwarfare,” he said.
Harvey said he thought China should be able to demonstrate progress in curbing economic espionage within 60 days, “especially since President Xi was the former No. 2 commander of the military.”
He said another six weeks beyond that should be more than enough. “If I were working in the U.S. government, I would demand and expect full cooperation and adherence to the agreement by Jan 1,” he said.
But the U.S. may not have many options beyond “demanding and expecting” if the Chinese don’t abide by the agreement. The U.S. has threatened economic sanctions for years, but has never imposed them.
And Harvey does not expect any in the future. “They will not be imposed and they won’t work,” he said, pointing to a blog post he wrote prior to Xi’s visit to the U.S. in September, noting that the U.S. economy is heavily dependent on China – the U.S. imported $466 billion worth of goods from China in 2014.
Munroe agreed. “Outside the European Union, China and the U.S. are the world’s largest trading partners,” he said, adding that it is in China’s strategic interests to steal R&D data from U.S. businesses, “to increase their competitiveness and lower their costs.”
In short, sanctions would not damage only China. “If the U.S. imposes sanctions, China has the ability to affect the growth of our economy through the manipulation of their currency or manufacturing,” Crowder said. “It is a very difficult task given the relationships of our two countries.”
It is not just a matter of economic codependency either. “Sanctions are unlikely,” Dennis said. “China has far more to gain monetarily from corporate espionage than losses due to sanctions, given the ease by which attribution can be skirted, and the fact that government sector espionage, not addressed by the agreement, is so intertwined with commercial interests.”
Also, Harvey noted that the catastrophic breach of the U.S. Office of Personnel Management (OPM), in which the personal information of about 21 million current and former federal employees was compromised, was attributed to China, which would give it some leverage if the U.S. threatens sanctions.
Munroe added that the Chinese military oversees the notorious Deep Panda cyber warfare team, “while telling the ruling party they are not. The Chinese have trained a large number of hackers who have since moved on to the dark web, giving the military a valid cover that these hackers and not the military are actually carrying out the attacks.”
The bottom line, experts say, is that organizations can’t rely on an agreement between the two governments to protect their IP – it is up to them.
Dennis said any company that does business with China or is viewed as a competitor should expect to be attacked. He said a primary attack technique is spear phishing, “so educating end users is critical, as has been said over and over again.”
Alperovitch added that security executives, “should focus on gaining full visibility into their environment and adapting their capabilities to detect all attacks, including even those that don't involve any malware.”
Harvey said if the U.S. reduced its economic reliance on China through investments in other countries like Mexico, Brazil, Philippines, Vietnam, India and others, “then we could impose sanctions without destroying our own economy.”
He also recommended focusing on human intelligence, “to conduct real-world espionage operations against the People’s Liberation Army units responsible for these attacks.”
But Munroe said until U.S. companies invest more in security, it will be, “cheap and easy for China to steal our data. U.S. investment in security products and training is between 10% and 15% of IT spend for an average company,” he said.
“When we start making it really difficult and costly for the Chinese to steal data, the problem will start to subside. It will never go away, but it can be managed to reasonable levels.”