JEFFREY BROWN: There was a new report today of cyber-spying by the Chinese, this time aimed at U.S. military and defense systems.
According to The Washington Post, designs for more than two dozen U.S. weapon systems have been hacked and compromised. The Post cited a confidential report by a Pentagon advisory panel called the Defense Science Board — among the designs said to have been breached: an advanced Patriot missile system; the FA-18 fighter jet; and the F-35 Joint Strike Fighter, considered the most expensive weapons system ever built.
In a written statement today, a Pentagon spokesman said the Defense Department “takes cyber-espionage very seriously,” but “suggestions that cyber-intrusions have somehow led to the erosion of our capabilities or technological edge are incorrect.”
Warnings about the cyber-threat from China to both the military and private businesses have grown in recent months. In March, National Security Adviser Thomas Donilon told an audience that the attacks had to stop.
NATIONAL SECURITY ADVISOR TOM DONILON, United States: Increasingly, U.S. businesses are speaking out about their serious concerns about sophisticated, targeted theft of confidential business information and proprietary technologies through cyber-intrusions emanating from China at a very large scale. The international community cannot afford to tolerate such activity from any country.
JEFFREY BROWN: In February, cyber-security firm Mandiant issued a report saying that this building in Shanghai houses one of the Chinese military’s most active hacking groups.
And earlier this month, a Pentagon report said that U.S. government computers were targets of break-ins that could be attributable directly to the Chinese government and military.
And to fill in the picture, we turn to Dmitri Alperovitch, co-founder and CEO of CrowdStrike, a cyber-security company, and James Lewis, director of the Technology and Public Policy Program at the Center for Strategic and International Studies here in Washington.
Dmitri Alperovitch, starting with you, first fill in this — what do we mean by design systems? What exactly is being stolen?
DMITRI ALPEROVITCH, Co-Founder and CEO, CrowdStrike: Well, it’s everything under the sun really that’s not bolted down.
It’s the blueprints for these weapons systems, these advanced weapons system that the Chinese can use to recreate and try to match our capabilities. It’s also providing them with the ability to identify weaknesses in these systems, vulnerabilities that they can leverage so that they cannot just master those capabilities, but exceed them and potentially defeat us on the battlefield.
JEFFREY BROWN: And, James Lewis, is it possible to know how much damage or impact this has had at this point?
JAMES LEWIS, Center for Strategic and International Studies: No, we can’t really tell.
We know that some Chinese weapon systems appear to be based on stolen U.S. technology, like their stealth fighter. In other cases where they have gotten into the intricate software that controls weapons, hopefully, we caught all the damage, but you can never be sure.
JEFFREY BROWN: And just to stay with you, so to what end — why would they be doing it? What purposes would — what use would they put it to?
JAMES LEWIS: You know, if you look at the systems that were compromised, it maps pretty well with Chinese strategic military interests.
They read the Pentagon report that said that if there’s a war with China, it will be an air/sea battle, so they went after air systems, missile defense, air defense, naval systems. What they’re doing is they’re looking for that military edge both by improving their own weapons and, more importantly, knowing how to beat ours.
JEFFREY BROWN: What would you add to that, Dmitri Alperovitch?
DMITRI ALPEROVITCH: I think that’s absolutely right.
It shouldn’t be a surprise to anyone who has paying attention to the news over the last five or six years, really, everything under the sun has been taken by the Chinese, not just for military contractors or government agencies, but private companies that are manufacturing commercial technologies, and now we’re seeing sort of the results of that.
It’s striking to see that full list, because you wonder …
JEFFREY BROWN: Well, that’s what I was wondering. I mean, we do hear about this a lot, but when you see this list of all these weapons systems, that’s a little surprising, isn’t it?
DMITRI ALPEROVITCH: Absolutely. And it makes you wonder if there’s anything left that they don’t yet have, because it’s a pretty comprehensive list of every cutting-edge weapon system that we have built over the last decade or so, from air systems, weapon — missile systems, as Jim mentioned, naval systems.
Do we have anything that is left that they don’t have?
JEFFREY BROWN: And what do you make of the Pentagon’s statement that we saw, that — saying that, we take it very seriously, but nothing has been compromised, nothing has been really hurt yet?
DMITRI ALPEROVITCH: Well, I think it’s always very difficult to estimate exactly how this information is going to be used.
In fact, one can say that the Chinese have stolen so much that you really wonder if they can leverage and actually understand that has been taken, because it’s a massive problem on their end just to analyze all this data.
But there’s no question that even if a fraction of that information is going to be put to good use, it will have damaging impact to our national security.
JEFFREY BROWN: Well, Jim Lewis, that was my next question, is how easy is it for them to take what they get through this cyber-espionage and learn about a particular design and then turn it — actually turn it into a weapons system?
JAMES LEWIS: I was kind of happy when I saw they had taken the V-22 Osprey, because it’s expensive and it took us years to figure out how to make it work.
What you see is a lag between the time the Chinese acquire the technology and the time they’re able to introduce a competing product or a product military system. For example, stealth fighter technology was probably taken in 2002, and it was six or seven years later before they could field a fighter. So they don’t have the capability to absorb all this.
They’re improving rapidly. A lot of this is their own indigenous investment, but they have got a lot of information that they don’t yet know how to take advantage of.
JEFFREY BROWN: Does that sound right to you?
DMITRI ALPEROVITCH: Absolutely.
But the other point that you need to be concerned about is that it’s not just that they’re taking this and duplicating it. It’s what weaknesses are they finding in those systems that they can actually use to defeat those weapons systems. They may not need to build a V-22 Osprey, but when they face one, they sure may know how to beat it.
JEFFREY BROWN: What about the — where are the vulnerabilities in our system, I mean, in terms of the ability for the cyber-spying to get these designs? Is it at the defense contract level? Is it at the — in the Defense Department itself? Is it everywhere?
DMITRI ALPEROVITCH: It’s really throughout.
The reality of cyberspace is such that offense will always be dominant. When someone wants something bad enough, they will always be able to get it, whether they do it through traditional cyber-espionage or through traditional spying through cyber-espionage. And that’s what we’re seeing is that there hasn’t been a network connected to the Internet that hasn’t been infiltrated if that network has something of value.
JEFFREY BROWN: Jim Lewis, what’s your answer to that?
JAMES LEWIS: It’s interesting to see how the targeting has changed, because DOD suffered significant losses, we can tell. They made a move to harden their networks, make them harder targets. And so whoever was spying on them, the Chinese, then switched to the prime contractors, the big defense contractors.
DOD then went and worked with the contractors, got them to harden their networks. And the Chinese switched to the subcontractors. And now DOD is working with the subcontractors. It looks like the Chinese are switching to some of our foreign partners. So they’re determined, they’re inventive. And every place we close up a hole, they find a new one.
I’m not sure Dmitri and I see eye to eye. I think you can make it harder for them to succeed, but we haven’t done that good a job.
JEFFREY BROWN: Well, that, of course — in our last couple minutes here, what should happen? Let me start with you Dmitri.
What can the U.S. do government-wise, military-wise, but also company-wise?
DMITRI ALPEROVITCH: We need a policy, a national policy, for dealing with this problem, both the national security espionage that’s taken place and even more importantly the economic espionage that’s been taking place for the last six or seven years.
And that policy needs to involve full toolkit of national power, economic power, diplomatic power. We really need to pressure the Chinese and let them know that there will be real costs to our relationship, to our trade partnership with China as a result of this activity. And we need to involve the private sector.
Right now, the private sector is playing the role of the victim. They’re told by the government, go sit in the corner and report when you’re being attacked. The private sector needs to engage and really make it more difficult and weigh the costs and risks to the adversaries that are infiltrating our networks.
JEFFREY BROWN: Jim Lewis, what’s your prescription?
JAMES LEWIS: Two things.
First, we need to harden our own defenses. The executive order President Obama put out in February does some work to do that, but we really need Congress to step up to the plate and pass legislation. The second thing we need to do is, we need to engage with the Chinese. And that’s where we need a comprehensive diplomatic strategy. Work with allies. Find penalties.
The Chinese will probably yield to our pressure, but it’s going to take years get to that outcome. We have just started. It’s a long road, but I think we can make this work.
JEFFREY BROWN: All right, James Lewis, Dmitri Alperovitch, thank you both very much.
DMITRI ALPEROVITCH: Thank you.
JAMES LEWIS: Thank you.