Chinese cyber exploits are back in the news with a bombshell story claiming China planted tiny “spy chips” inside Made in China servers now in major data centers of Amazon, Apple, and others. Amazon and Apple vigorously deny knowing about spy chips on their servers, even though the story quotes unnamed “senior sources” at both companies. Observers point to this confusion as an example of why reporting on the secretive national security world is challenging.
Many security leaders found the story credible. While it may turn out to be disinformation, I find it plausible too. My intelligence contacts have warned for years that supply chain risks in China were growing. There was a targeted attack involving a spy chip on a US-brand Made in China laptop. Descriptions of this latest chip are consistent with a device designed to subvert a server’s BMC controller, potentially giving attackers backdoor access.
Whether true or not, the allegation fits a well-documented pattern of behavior: China’s sustained, sophisticated campaign of industrial espionage to steal technology and trade secrets. For years, the Chinese military has sponsored Advanced Persistent Threat (APT) operations targeting corporations and government agencies worldwide – especially in the US – to acquire private intellectual property (IP). Suspected US victims include Anthem, Boeing, Dow Chemical, Google, Morgan Stanley, New York Times, RSA, US Steel, Westinghouse, and the federal Office of Personnel Management.
While Russian cyber operations focus on political objectives, and North Korean cyber-attacks focus on cash, almost everything China does to our private sector (that we know about) is focused on one thing: commercial economic advantage. To understand Chinese cyber activity, we must examine it in the context of the looming US-China trade war.
US-based companies want access to China’s vast domestic market to sell their products. They also want access to cheap Chinese labor and parts to make those products. China is happy to supply the parts and labor, but reluctant to open its markets. What China wants is American scientific and technological secrets. China often uses them to launch companies who mimic their US counterparts, especially in the tech sector. China has its own versions of Amazon and Apple, for example, such as Alibaba and Xiaomi. This misbehavior has grown so widespread it was even spoofed in the latest season of HBO’s Silicon Valley.
The China-US trade imbalance goes beyond import tariffs. It’s also driven by Chinese subsidies to domestic industries, artificially low labor costs (also partly due to subsidies), currency manipulation, weak or unenforced intellectual property laws, and (of course) cyber espionage.
Former NSA director Keith Alexander calls Chinese thefts of American IP “the greatest transfer of wealth in history.” China's APT attacks were curtailed under a 2015 agreement with the Obama administration, but now with Trump's trade tariffs, it appears the Chinese consider the deal void and gone back to their old ways.
By ramping up their APT attacks again, and perhaps escalating with spy chips, China is sending a message to Trump that they have more weapons at their disposal than we do in the event of a full-fledged trade war. The US has a slight advantage in a trade war limited to tariffs. But in areas like cyber, currency manipulation, industry subsidies, and IP law, China holds a clear advantage and they want Trump to know that.
The Trump administration toughened its China rhetoric but tariffs are pretty much the only trade tool they have, and they've used it heavily. The Chinese show little sign of feeling the heat. Their campaign of industrial espionage continues unabated, as this latest spy chip story seems to show. The US may want to “hack back” but American companies are more vulnerable to cyber-attack than their Chinese counterparts, more dependent on the Internet, and less well defended. This asymmetry tilts the cyber battlefield in China’s favor.
Suppose the US succeeded in thwarting China’s cyber-attacks, perhaps through tariffs, sanctions, or stronger defenses. How would China continue feeding its addiction to American tech and trade secrets? One possible answer: China could buy them instead of stealing them.
There is already early evidence of this. China offers low-cost manufacturing facilities and labor to US firms through local subsidiaries with ties to the Chinese government and access to the parent company’s IP. The IP flows from corporate headquarters overseas to the subsidiary in China to the Chinese government, while the parent company is unaware or turns a blind eye.
US companies need to realize that selling their crown jewels to China is not a viable long-term business plan, and it will not gain them access to coveted China markets. On the contrary, it helps China launch competing companies that make similar products, making it even harder to gain a foothold in China. US firms should focus on protecting their IP by shoring up cyber defenses, managing supply chain risk, and limiting their network footprint within China.
UPDATE 11/2/2018: The Department of Justice indicted two Chinese agents plus eight accomplices for conducting cyber espionage attacks against US aerospace firms.
Michael McCormick is an information security consultant, researcher, and founder of Taproot Security.