One of the most widespread reactions to the revelation of Operation Shady RAT, the five-year-long hacking of over 70 organizations in 14 different territories, has been: how did this go on for so long without anyone knowing about it? Or to put the question in a more strategic context, why hasn’t the United States (or the West more broadly) told China to put a stop to this?
The answers fall into several categories:
- Companies have either been naively ignoring the scope of the problem or are totally clueless about it. Or as Dmitri Alperovitch, the report’s author, put it: "I divide the entire set of Fortune Global 2000 firms into two categories: those that know they’ve been compromised and those that don’t yet know."
- Cybersecurity is broken and has been broken for a while. Cloud computing and the explosion of mobile devices have greatly complicated the problem. Traditional firewalls and signature detection cannot cope with the highly personalized attacks that the hackers behind Shady RAT and a host of other breaches used.
- Companies do not want to anger China. When Google announced it was hacked in January 2010, it claimed "at least twenty other companies" were similarly targeted. No other company spoke up, probably because they did not want to draw Beijing’s ire and face problems doing business in the China market.
- This has not been a priority for the United States government, either because it has other issues it wants to address with China--North Korea, revaluation of the RMB, Iran--or, stated baldly, the Chinese own us. As Kevin Fogarty put it, "The U.S. could protest cyberattacks by sending a couple of aircraft-carrier groups to the China Sea for a little gunboat diplomacy, but it would be pretty embarrassing if China were to just repossess the whole fleet as partial repayment of the $1.2 trillion the U.S. owes it."
Here is one additional possibility that I haven’t seen discussed. Maybe the U.S. has not called China on the mat before because it has been getting so much information from its own hacking of China. We know that Chinese networks are probably extremely vulnerable. The security researcher Dillon Beresford spent 18 months in computers belonging to provincial and central government agencies, universities, and the People’s Liberation Army. This BusinessWeek article describes companies that discover and sell unknown bugs to government contractors as a growing segment of the cybersecurity market. Those vulnerabilities are being used against someone.
The McAfee report describes the attacks as an "historically unprecedented transfer of wealth." But maybe, at least until recently, the balance was tilted toward the United States. American hackers had steady access to important political and military secrets. Now that the scales are shifting, the two sides share a common interest in developing some agreed rules about state behavior in cyberspace. Or they just may decide to invest more in offensive capabilities, provoking an arms race.