Ongoing Chinese cyber espionage could be putting US cloud services and those who use them at risk, according to the US-China Economic and Security Review Commission in its 2013 Annual Report to Congress.
According to the USCC report, China’s Ministry of State Security, the country’s main foreign intelligence collection agency, is closely connected with the Chongqing Special Cloud Computing Zone, representing a potential espionage threat to foreign companies that might use cloud computing services provided from the zone or base operations there.
Microsoft, for instance, is planning on linking the cloud services provided by Chinese service provider 21Vianet to Microsoft data centers in other parts of Asia, Europe, and North America could inadvertently make international subject to surveillance. Chinese law allows the government to ‘‘inspect the electronic communication instruments and appliances and other similar equipment and installations’’ of organizations operating in China. 21Vianet and similar providers could potentially be conduits for international espionage.
The USCC report also suggests that Chinese domain registrars and Internet service providers could be exacerbating the threat of hackers by generally taking an ambivalent attitude towards the use of their services to carry out nefarious activities against computers outside China. Also, networking hardware from Chinese companies with widely acknowledged security weaknesses could constitute an additional vulnerability in clouds using this infrastructure.
Hints of current large-scale espionage
According to a research report (PDF) released in February from US cybersecurity firm Mandiant, the People’s Liberation Army’s “Unit 61398” is the most likely behind an organized effort has penetrated the networks of at least 141 organizations including companies, international organizations, and foreign governments. The vast majority of the organizations targeted (81 percent) were either located in the US or had US-based headquarters.
Revelation of China’s likely involvement in a large-scale cyber espionage campaign mostly against the US was followed by the US Department of Defense’s accusation that the Chinese government and military are conducting cyber espionage against US networks. Despite this public outing, the USCC report notes there has been no indication that China has changed its attitude toward the use of cyber espionage, but has perhaps led it to change its methods to make future intrusions to be harder to detect and attribute.
“It is clear naming and attempting to shame will not be sufficient to deter entities in China from engaging in cyber espionage against US companies,” says the USCC report.
Critics have pointed out that the NSA’s PRISM project, revealed by Edward Snowden in June, weakens the US’s legitimacy in the espionage arena and as an advocate of privacy. The US government, however, makes a distinction between its acts of government espionage which it argues are essential to state security, and online acts aimed at economic espionage and theft of trade secrets.
The next possible steps
Some of the measures proposed include blocking goods from entering the US market that incorporate stolen intellectual property, blocking Chinese firms using stolen US intellectual property from barring them from entering the US and accessing US banks, and reducing the hurdles that make it difficult for US companies to pursue legal action against Chinese commercial espionage.
While it is difficult to estimate the annual impact of cyber espionage in a dollar figure, McAfee and CSIS released an report in July (PDF) that estimated the burden of cyber crime and cyber espionage targeting US citizens and entities could be anywhere from $24 billion to $120 billion.
China’s covert cyber activity could also have national security implications. Information gained from infiltrating US military contractors could be used to develop develop new military technologies and countermeasures. The espionage efforts could also be shifted towards offensive cyber operations, and or even be used to place latent capabilities in US equipment that might be employed if a conflict were to arise between the US and China.
The USCC report states: “There is an urgent need for Washington to take action to prompt Beijing to change its approach to cyberspace and deter future Chinese cyber theft.”