Chinese hackers pose a growing threat to U.S. firms


The scale and sophistication of the cyber attacks on Google Inc. and other large U.S. corporations by hackers in China is raising national security concerns that the Asian superpower is escalating its industrial espionage efforts on the Internet.

While the U.S. focus has been primarily on protecting military and state secrets from cyber spying, a new battle is being waged in which corporate computers and the valuable intellectual property they hold have become as much a target of foreign governments as those run by the Pentagon and the CIA.

“This is a watershed moment in the cyber war,” James Mulvenon, director of the Center for Intelligence Research and Analysis at Defense Group Inc., a national-security firm, said Thursday. “Before, the Chinese were going after defense targets to modernize the country’s military machine. But these intrusions strike at the heart of the American innovation community.”

The attacks on Google and several dozen other companies have alarmed government officials and lawmakers who warned that the U.S. may already be losing the battle to protect the nation’s besieged cyber infrastructure.

“The recent cyber intrusion that Google attributes to China is troubling and the U.S. government is looking into it,” White House spokesman Nick Shapiro said Thursday.

Rep. Anna Eshoo (D-Menlo Park), a senior member of the House Select Committee on Intelligence, called China a pervasive hacker. “This behavior is unacceptable. We used to use the term ‘highway robbery.’ This is high-tech robbery.”

The cost has been huge, according to a recent study by a congressional advisory panel, the U.S.-China Economic and Security Review Commission. While it is hard to quantify the value of the intellectual property that is stolen by the Chinese each year -- because many businesses do not like to report getting hacked -- Dan Slane, chairman of the commission, estimated it was in the hundreds of billions of dollars.

Hacker strategy

Alan Paller, director of research at the SANS Institute, a Bethesda, Md., security firm, said Chinese hackers target Western companies with an approach dubbed “1,000 grains of sand,” meaning they go after every piece of information in search of competitive intelligence. Most companies keep silent about the attacks, but they draw heavy scrutiny from law enforcement officials.

“The odds of the 25 biggest companies in California not being fully compromised by the Chinese is near zero,” Paller said. “That is true of companies across the country.”

China defended its Internet policies at a news conference Thursday. Jiang Yu, spokeswoman for China’s Ministry of Foreign Affairs, said China’s Internet is open and welcomes foreign companies. She also said Chinese law prohibits hacker attacks but declined to say whether the Chinese government is bound by the law.

Google on Tuesday revealed that it had fallen prey to a series of cyber attacks originating from China. The Mountain View, Calif., Internet giant said it believed the attackers wanted access to the e-mail accounts of Chinese human rights activists. But the incursions, which also included theft of intellectual property, raised the possibility that the hackers were also attempting economic espionage.

Google took the bold stance of making the attacks public, catching the Chinese government off guard. The company’s defiance of the world’s most populous country stunned observers. It also prompted questions about the scope and nature of the attacks.

“For a big multinational company to consider leaving a critical market means the overall damage to its operation and assets is likely to be greater than the benefits,” said Oded Shenkar, a professor of business management at Ohio State University and the author of “The Chinese Century.” “Google is not only making a human rights statement; my educated guess is that there is much more to it than that.”

It is unclear exactly where the attacks came from, and Google was careful not to directly accuse the Chinese government of orchestrating them. But Chinese cyber spying has been a persistent problem for years with dozens of attacks on commercial, government and military targets, analysts say.

A growing menace

The attacks against the U.S. are ramping up, according to the congressional U.S.-China commission, which noted in October that Chinese espionage was “straining the U.S. capacity to respond.”

The report focused on an attack on one company, concluding that it was supported and possibly choreographed by the Chinese government. The report also alleged that China’s military, the People’s Liberation Army, is responsible for aspects of cyber spying and has created cyber warfare units.

McAfee Labs, which has analyzed the attacks on Google and other companies, said Thursday that the hackers had deployed highly sophisticated “advanced persistent threats” that in the past were primarily used against governments. The attacks targeted individuals with known access to valuable corporate information.

Google may have been particularly vulnerable because all of its technology is online and networked, said Marc Rotenberg, executive director of the Electronic Privacy Information Center.

On Wednesday, Google said it would improve security for Gmail users by encrypting data to its servers. Such steps are crucial for Google, whose business hinges on its ability to protect its users’ privacy and maintain their trust, said Collins Stewart analyst Sandeep Aggarwal.

“Commercial organizations can rarely defend themselves against sophisticated government attacks,” said Phil Lieberman, chief executive of Lieberman Software, a Los Angeles security software firm.

Last week, a Santa Barbara software maker filed a $2.2-billion lawsuit against the Chinese government and several Chinese technology firms, accusing them of conspiring to steal and disseminate the U.S. firm’s Internet filtering technology.

The Los Angeles law firm representing Cybersitter in the lawsuit said Thursday that it was besieged by similar cyber attacks originating in China. On Monday evening its lawyers began receiving 10 different Trojan horse e-mails designed to retrieve information from its computers, said Gregory Fayer, an attorney at Gipson Hoffman & Pancione. The law firm has turned over the e-mails to the FBI, which is investigating, Fayer said.

After Google’s announcement, Adobe Systems Inc. and Rackspace Hosting Inc. also reported attacks.

A national priority

Early last year, President Obama identified protecting computer networks in the private and public sectors as a national security priority. But bureaucratic infighting among law enforcement and intelligence agencies and disagreements with business interests about the role of government in controlling the Internet delayed naming a White House cyber-security “czar.”

In December, Obama appointed Howard Schmidt, a former chief security executive at Microsoft with 31 years’ experience in law enforcement and the military, to the post.

How to protect the nation’s cyber infrastructure, largely in private sector hands, from alleged state-sponsored attacks has become a matter of intensifying debate in Washington, analysts say.

The U.S. has no formal policy for dealing with such attacks. Renewed attention could help shape policy and smooth passage of legislation, analysts said.

“This highlights a core dilemma for the U.S. cyber strategy,” Mulvenon said. “What can the U.S. government do to defend Google? Really not very much.”

Times staff writer W.J. Hennigan contributed to this report.