First appeared in the New York Times
When Kenneth G. Lieberthal, a China expert at
the Brookings Institution, travels to that country, he follows a routine that
seems straight from a spy film.
He leaves his cellphone and laptop at home and
instead brings “loaner” devices, which he erases before he leaves the United
States and wipes clean the minute he returns. In China, he disables Bluetooth
and Wi-Fi, never lets his phone out of his sight and, in meetings, not only
turns off his phone but also removes the battery, for fear his microphone could
be turned on remotely. He connects to the Internet only through an encrypted,
password-protected channel, and copies and pastes his password from a USB thumb
drive. He never types in a password directly, because, he said, “the Chinese
are very good at installing key-logging software on your laptop.”
What might have once sounded like the behavior
of a paranoid is now standard operating procedure for officials at American
government agencies, research groups and companies that do business in China
and Russia — like Google, the State Department and the Internet security giant
McAfee. Digital espionage in these countries, security experts say, is a real
and growing threat — whether in pursuit of confidential government information
or corporate trade secrets.
“If a company has significant intellectual
property that the Chinese and Russians are interested in, and you go over there
with mobile devices, your devices will get penetrated,” said Joel F. Brenner,
formerly the top counterintelligence official in the office of the director of
national intelligence.
Theft of trade secrets was long the work of
insiders — corporate moles or disgruntled employees. But it has become easier
to steal information remotely because of the Internet, the proliferation of
smartphones and the inclination of employees to plug their personal devices
into workplace networks and cart proprietary information around. Hackers’
preferred modus operandi, security experts say, is to break into employees’
portable devices and leapfrog into employers’ networks — stealing secrets while
leaving nary a trace.
Targets of hack attacks are reluctant to discuss
them and statistics are scarce. Most breaches go unreported, security experts
say, because corporate victims fear what disclosure might mean for their stock
price, or because those affected never knew they were hacked in the first
place. But the scope of the problem is illustrated by an incident at the United
States Chamber of Commerce in 2010.
The chamber did not learn that it — and its
member organizations — were the victims of a cybertheft that had lasted for
months until the Federal Bureau of Investigation told the group that servers in
China were stealing information from four of its Asia policy experts, who
frequent China. By the time the chamber secured its network, hackers had
pilfered at least six weeks worth of e-mails with its member organizations,
which include most of the nation’s largest corporations. Later still, the
chamber discovered that its office printer and even a thermostat in one of its
corporate apartments were still communicating with an Internet address in
China.
The chamber did not disclose how hackers had
infiltrated its systems, but its first step after the attack was to bar
employees from taking devices with them “to certain countries,” notably China,
a spokesman said.
The implication, said Jacob Olcott, a
cybersecurity expert at Good Harbor Consulting, was that devices brought into
China were hacked. “Everybody knows that if you are doing business in China, in
the 21st century, you don’t bring anything with you. That’s ‘Business 101’ — at
least it should be.”
Neither the Chinese nor Russian embassies in
Washington responded to several requests for comment. But after Google accused
Chinese hackers of breaking into its systems in 2010, Chinese officials gave
this statement: “China is committed to protecting the legitimate rights and
interests of foreign companies in our country.”
Still, United States security experts and
government officials say they are increasingly concerned about breaches from
within these countries into corporate networks — whether through mobile devices
or other means.
Last week, James R. Clapper, the director of
national intelligence, warned in testimony before the Senate Intelligence
Committee about theft of trade secrets by “entities” within China and Russia.
And Mike McConnell, a former director of national intelligence, and now a
private consultant, said in an interview, “In looking at computer systems of
consequence — in government, Congress, at the Department of Defense, aerospace,
companies with valuable trade secrets — we’ve not examined one yet that has not
been infected by an advanced persistent threat.”
Both China and Russia prohibit travelers from
entering the country with encrypted devices unless they have government
permission. When officials from those countries visit the United States, they
take extra precautions to prevent the hacking of their portable devices,
according to security experts.
Now, United States companies, government
agencies and organizations are doing the same by imposing do-not-carry rules.
Representative Mike Rogers, the Michigan Republican who is chairman of the
House Intelligence Committee, said its members could bring only “clean” devices
to China and were forbidden from connecting to the government’s network while
abroad. As for himself, he said he traveled “electronically naked.”
At the State Department, employees get specific
instruction on how to secure their devices in Russia and China, and are briefed
annually on general principles of security. At the Brookings Institution, Mr.
Lieberthal advises companies that do business in China. He said that there was
no formal policy mandating that employees leave their devices at home, “but
they certainly educate employees who travel to China and Russia to do so.”
McAfee, the security company, said that if any
employee’s device was inspected at the Chinese border, it could never be
plugged into McAfee’s network again. Ever. “We just wouldn’t take the risk,”
said Simon Hunt, a vice president.
At AirPatrol, a company based in Columbia, Md.,
that specializes in wireless security systems, employees take only loaner
devices to China and Russia, never enable Bluetooth and always switch off the
microphone and camera. “We operate under the assumption that we will inevitably
be compromised,” said Tom Kellermann, the company’s chief technology officer
and a member of President Obama’s commission on cybersecurity.
Google said it would not comment on its internal
travel policies, but employees who spoke on condition of anonymity said the
company prohibited them from bringing sensitive data to China, required they
bring only loaner laptops or have their devices inspected upon their return.
Federal lawmakers are considering bills aimed at
thwarting cybertheft of trade secrets, although it is unclear whether this
legislation would directly address problems that arise from business trips
overseas.
In the meantime, companies are leaking critical
information, often without realizing it.
“The Chinese are very good at covering their
tracks,” said Scott Aken, a former F.B.I. agent who specialized in counterintelligence
and computer intrusion. “In most cases, companies don’t realize they’ve been
burned until years later when a foreign competitor puts out their very same
product — only they’re making it 30 percent cheaper.”
“We’ve already lost our manufacturing base,” he
said. “Now we’re losing our R.& D. base. If we lose that, what do we fall
back on?”
