Last week, Mike McConnell, who served as director of national intelligence under U.S. President George W. Bush, and who is now a high-ranking advisor to Booz Allen Hamilton, delivered a dire assessment on the state of the U.S. private sector’s cyber defenses vis-à-vis Chinese cyber espionage activities.
“The Chinese have penetrated every major corporation of any consequence in the United States and taken information. We’ve never, ever not found Chinese malware,” he said during a speech at the University of Missouri, according to CNN. He also explained that throughout his last year of serving in the Bush administration, China employed 100,000 hackers whose singular purpose was to infiltrate computers and networks.
McConnell, who also was director of the National Security Agency (NSA) in the 1990s, has been known as a hardliner when it comes to the competition of the United States and China in cyberspace, openly calling the latter’s behavior “cyber thievery.”
McConnell’s statement is similar to a remark made by former U.S. official Richard Clarke, author of the book Cyber War, in March 2012: “Every major company in the United States has already been penetrated by China. My greatest fear is that, rather than having a cyber-Pearl Harbor event, we will instead have this death of a thousand cuts. “
More recently, in October 2014, FBI director James Comey joined the chorus of worried American policymakers by stating that “there are two kinds of big companies in the United States. There are those who’ve been hacked by the Chinese and those who don’t know they’ve been hacked by the Chinese.”
Yet are these allegations accurate? And if so, does it really constitute the largest illicit transfer of wealth in human history, as some prominent Americans have labeled it? In short, I think the assertion that China is the biggest (yet not the most sophisticated) perpetrator of cyber espionage worldwide is beyond a doubt at this stage.
However, it is much more questionable whether China has hacked into every single large U.S. corporation and, more importantly, whether it actively converts the data it extracts to benefit its civil sector companies.
My colleague at the EastWest Institute, Greg Austin, has his doubts. In a short analysis of China’s cyber espionage priorities, he argues that Beijing does not attach high importance to “the analysis of its intelligence product on non-military foreign intellectual property rights with a view to passing it out to Chinese corporations to make a profit.”
He does note that China is engaged in intellectual property theft via cyberspace; however, Austin points out that the scale of it may be a lot smaller than the larger public has been made to believe.
“At most, I would estimate that the Chinese government has only a small office, with somewhere around 20 people actively involved in that. In fact, I have seen no information in the public domain that such an office even exists. There are few organizations in China unknown to public domain analysts outside the country,” he states.
Austin also notes that “stealing of IP through cyber means by Chinese actors with a view to replicating it for the market is mainly a private activity in China, perhaps with intelligence officials involved on an unauthorized basis.”
Commercial espionage is a fact of life for global companies, and Austin emphasizes that “collection of technical and economic intelligence is as a high priority for China as it is for other major powers.” However, “[w]hether the purpose of that is to pass non-military IP [intellectual property] to Chinese firms to allow them to manufacture products that compete in the market is another question.”