What Punishment for Chinese Cyber Attacks?

The report focuses on a series of “advanced persistent threats” (APT) identified as APT1. Mandiant makes two observations about APT1. The first:

APT1 is a single organization of operators that has conducted a cyber espionage campaign against a broad range of victims since at least 2006. From our observations, it is one of the most prolific cyber espionage groups in terms of the sheer quantity of information stolen.

And the other:

Our analysis has led us to conclude that APT1 is likely government-sponsored and one of the most persistent of China’s cyber threat actors. We believe that APT1 is able to wage such a long-running and extensive cyber espionage campaign in large part because it receives direct government support. In seeking to identify the organization behind this activity, our research found that People’s Liberation Army (PLA’s) Unit 61398 is similar to APT1 in its mission, capabilities, and resources. PLA Unit 61398 is also located in precisely the same area from which APT1 activity appears to originate.

The goal of these attacks is to steal intellectual property. Since 2006, Mandiant has observed APT1 compromise 141 companies spanning 20 major industries.

A court of law might say that the evidence in the report is circumstantial, but it is also terribly damaging.

The APT1 trouble is not any different in scope or seriousness to other long-simmering issues between the United States and China, including currency manipulation, trade practices and the long history of intellectual property theft by the government and businesses in the People’s Republic. Stealing electronic secrets from companies may appear different from counterfeiting hundreds of thousands of copies of Microsoft (NASDAQ: MSFT) Windows. The arguments about the related nature of all these violations might appear to be attenuated because they run across large parts of the economic, trade and policy sectors, but all originate from the same set of dynamic battles between the United States and the People’s Republic. China will steal what it cannot obtain or is unwilling to pay for. It is willing to tempt the American government to punish it for the infractions. The U.S. government never does, at least not in any meaningful way. The Chinese use the lack of reaction as a reason to up the ante and increase the scope of the offending behavior.

Federal officials and the leaders of private enterprises that face compromises of their most valuable assets can use the Mandiant report in one of two ways. It can be ignored, once the press is done with it, in the hope that the problem can be quietly solved by cyber security experts. That has not worked at all so far. Or the government might do what it should, which is to challenge China on the matter in a policy reaction so severe as to shake the People’s Republic enough to seriously consider ending the work of APT1 organization.

Without such a challenge, the APT1 problem will get much worse. It is the Chinese way.