Earlier this year Chinese hackers broke into the computer systems of a U.S. Navy contractor, stealing a trove of data on American weapons systems. The 614 gigabytes of data taken from an unclassified network could undermine the fighting ability of U.S. submarines.
The intrusion and theft, first reported by The Washington Post on Friday, was yet another hack in the more than decade-long campaign by Chinese intelligence targeting U.S. defense companies, in an effort to help close the technology gap as China tries to become a U.S. military peer.
Contractors are often targeted by state-supported cyber operatives because their security systems tend to be weaker than the military's own, Ian Wallace, co-director of the New America Cybersecurity Initiative, told USNI News.
“China goes after defense contractors because that’s the easiest way to get information about current or future U.S. military capability,” he said.
The sprawling network of defense companies that supply the Pentagon has been under near-constant probing by Chinese hackers, with the occasional big breach compromising critical U.S. programs. A 2007 hack of Lockheed Martin gave China details on the F-35 Lightning II Joint Strike Fighter design and electronic systems, while a 2013 congressional report found that China had taken details on dozens of weapons systems.
The latest hack covered undersea warfare systems, including the Sea Dragon anti-ship missile program as well as electronic warfare data. Although China has targeted nearly every type of weapons system program with its hacking activity, naval systems have been of particular interest – likely because of the ongoing tensions over territorial claims in the South China Sea.
Part of the issue is that what China has been doing – stealing military technology – has been historically tolerated by countries as part of typical espionage.
“This is within the realm of fair game for the Chinese to try, just as U.S. intelligence agencies will be trying to find out information on China,” Wallace said.
“But that doesn’t mean that if you catch other countries spying that you don’t take action to stop it and deter it in the future.”
China had paired its hacking of military technology with stealing commercial technology to help Chinese companies, but in 2015 China promised to cut down on its theft of intellectual property in the U.S. However, that didn’t cover spying on military hardware.
The Pentagon began trying to force companies to improve security systems in 2011, suggesting that new language be added to contracts requiring that companies implement basic cybersecurity and that firms inform the government within 72 hours of a hack. Industry groups pushed back against the idea, and changes foundered for another half decade until a 2016 regulation was put in place.
That regulation, which took full effect at the beginning of 2018, still gives companies broad flexibility in how they adhere to the 110 standards it created.
“It’s not spelled out, like you have to have a certain type of password,” Rolando Sanchez, co-chair of the National Defense Industrial Association Cybersecurity Division Legal Committee, said. “It depends on what each company’s needs are.”
Industry groups pushed for the variation in the cybersecurity requirements partly because the defense supply chain covers everything from giants like Lockheed Martin to small businesses that might have less experience with cybersecurity and less money to dedicate to information technology.
“If you have a small contractor, or even a mid-size contractor, that’s not paying attention to their systems, and a nation-state wants to get access, they probably can,” Sanchez said.
Beyond trying to defend contractor systems more carefully, the Trump administration has also been looking at ways to try to deter future Chinese hacking. Last month the State Department issued a report on how the U.S. could stop other countries from stealing critical information, noting that improved security isn’t enough.
“The United States will also undertake a new effort to increase deterrence of state actors through cost imposition and other measures,” the report said.
The report also said that the U.S. had to publicly declare specific types of consequences for specific types of malicious cyber activity but didn’t provide specifics. The agency is due to issue a subsequent report with details on its deterrence plan, but no date has been set for its release.
That leaves companies, still facing the constant threat of Chinese hackers, trying to improve security to combat a well-equipped and highly sophisticated Chinese intelligence machine that shows no signs of slowing down.
“Throughout millennia, espionage has been one of the ways in which militaries can seek to understand the capabilities of their rivals,” Wallace said. “I don’t see this stopping.”