A report commissioned by the US-China Economic and Security Review Commission (USCESRC) revealed among its findings that “Nefarious actors linked to China have targeted the networks of private sector entities and private sector government contractors in order to obtain sensitive government information and to exploit vulnerabilities within federal information systems.”
“China has expanded its efforts to obtain economic advantage by pursuing knowledge of key technologies through corporate acquisitions and by using the economic power of Chinese companies as tools of the state.”
The report noted the vulnerabilities of the Internet of Things (IoT) and 5G mobile telecommunication networks, saying they “will expand the attack surface” of federal information and communication technology networks for China’s cyber criminals, “while decreasing time required to breach them.”
The report also called out the massive number of Chinese components that live inside the US government’s IT networks, with shipments from China accounting for 51 percent, on average, of imports by the seven largest commercial IT manufacturers that supply the US federal government. At 73 percent, Microsoft’s dependence on China-origin components is the highest among the seven.
It also calls out ZTE, a Chinese telecommunications equipment maker already facing sanctions from the US Department of Commerce for false statements about its sales to Iran, for state-sponsored corporate espionage. You can find a more in-depth discussion of the ZTE case in this recent version of The SINO Files.
The UK acknowledged the growing threat in a 2017 report as well, detailing the evolution of a China-based cyber-espionage campaign known by several names, including “APT10” and “Stone Panda”. APT stands for Advanced Persistent Threat.
APT10 has been known to target US defense industrial base organizations, managed IT service providers and their clients, as well as several directly targeted organizations in Japan, according to the report, with the earliest known activity occurring in December 2009. “Espionage attacks associated with China-based threat actors have traditionally targeted organizations that are of strategic value to Chinese businesses and where IP obtained from such attacks could facilitate domestic growth or advancement.”
Inside the intelligence community, the threat from Chinese cyber actors is old hat, but the private sector is becoming increasingly aware, or perhaps it is better to say it is finally making efforts to be more vigilant — the awareness is also nothing new to those who have been paying any sort of attention for the last decade plus.
Add these official warnings of China’s continued cyber threat efforts to the growing list of pain points between Beijing and Washington. In December, Trump accused China of “attempting to erode American security and prosperity” in his national security assessment speech.
Last year, the USCESRC recommended an expansion in the authority of the Committee on Foreign Investment in the United States (CFIUS) to review – and if necessary, halt – acquisitions of US companies by Chinese firms if the technologies developed or produced by a US party could be adapted for military purposes. Several bills strengthening CFIUS are currently making the rounds in Congress.