China Must Worry about an American Version of Shady RAT
By experts and staff
Adam Segal, CFR Expert, Ira A. Lipman Chair in Emerging Technologies and National Security and Director of the Digital and Cyberspace Policy Program
One of the most widespread reactions to the revelation of Operation Shady RAT, the five-year-long hacking of over 70 organizations in 14 different territories, has been: how did this go on for so long without anyone knowing about it? Or, to put the question in a more strategic context, why hasn’t the United States (or the West more broadly) told China to put a stop to this?
The answers fall into several categories:
Here is one additional possibility that I haven’t seen discussed. Maybe the U.S. has not called China on the mat before because it has been getting so much information from its own hacking of China. We know that Chinese networks are probably extremely vulnerable. The security researcher Dillon Beresford spent 18 months in computers belonging to provincial and central government agencies, universities, and the People’s Liberation Army. This BusinessWeek article describes companies that discover and sell unknown bugs to government contractors as a growing segment of the cybersecurity market. Those vulnerabilities are being used against someone.
The McAfee report describes the attacks as an “historically unprecedented transfer of wealth.” But maybe, at least until recently, the balance was tilted toward the United States. American hackers had steady access to important political and military secrets. Now that the scales are shifting, the two sides share a common interest in developing some agreed rules about state behavior in cyberspace. Or they just may decide to invest more in offensive capabilities, provoking an arms race.