How the Chinese Communist Party Uses Cyber Espionage to Undermine the American Economy
Available Downloads
Benjamin Jensen testified before the House Judiciary Subcommittee on Courts, Intellectual Property, and the Internet about intellectual property and strategic competition with China.
The United States is locked in a long-term competition with the Chinese Communist Party (CCP). Even though that competition need not turn to conflict, it will almost certainly continue to see a network of operatives linked to the CCP wage a systematic cyber espionage campaign designed to gain an intelligence advantage and steal intellectual property. Put simply, China is trying to cheat its way to the top of key industries in the 21st century. Their quest to achieve dominance in artificial intelligence and machine learning (AI/ML) is unlikely to be any different.
Let’s start with the facts. According to the Dyadic Cyber Incident and Campaign Dataset (DCID), the People’s Republic of China is the world’s most egregious actor in terms of cyber espionage targeting private firms and linked to stealing intellectual property. Since 2000, China has been associated with 90 cyber espionage campaigns, 30% more than Russia. The actual number is likely higher and each instance sees multiple businesses targeted that overlap priority industries specified in the CCP’s “Made in China 2025” plan.[1] In other words, hackers work for communist technocrats in modern China. And, as seen in numerous cases these cyber operations work alongside clandestine human intelligence networks to steal trade secrets from U.S. firms.[2] These multifaceted campaigns have the potential to offset any advantages artificial intelligence brings to cyber defenses, a reality on display in the recent discovery of malware in U.S. critical infrastructure.[3]
Take Operation CuckooBees, a multiyear cyber espionage campaigning targeting multinational companies revealed by Cybereason in 2022.[4] The operation involved APT 41, the same group connected to DOJ indictments in 2020 against five Chinese nationals in connection with hacking over 100 companies.[5] Initial estimates suggest Operation CuckooBees exfiltrated hundreds of gigabytes of intellectual property from companies, much of it linked again to Made in China 2025 national science and technology goals.
The scale of the theft is staggering. A survey of Chief Financial Officers estimates that 1 in 5 U.S. corporations has had their IP stolen.[6] The challenge is especially acute in startups and small businesses, the areas likely to see the greatest innovation linked to AI/ML. The leading generative AI systems we are all experimenting with came from Open AI - a non-profit research lab that grew out of a tech accelerator not a Fortune 100 company.[7] Small businesses account for over 44% of U.S. economic activity.[8] These are the exact firms least likely to invest in state-of-the-art cyber security.
Now, consider how this pattern of activity could accelerate given advances in generative AI. First, it will create new targets for China’s espionage campaigns. Imagine a young startup using generative AI to develop entirely new chemical compounds and materials that could support the green economy. Communist party linked advanced persistent threat (APT) groups could scan the internet for key technologies of interest for national development goals and once they found the startup tailor malware to infiltrate its network. For example, the APT group could use generative AI to tailor phishing attempts to gain access and steal intellectual property (IP).[9] The case is not farfetched. In 2014, a U.S. grand jury indicted five agents from the People’s Liberation Army for hacking SolarWorlds, a firm that was about to release a revolutionary new solar cell. [10]
Even more disconcerting, APTs linked to the Chinese Communist Party could seek to undermine the cloud computing and chip infrastructure the new AI economy will rely on. Imagine an entirely new form of economic warfare in which hackers poison data sets and digitally sabotage data centers in rival states. Again, this is not farfetched. In 2023, a network of still unidentified hackers gained login credentials for major data center operators. The strategic logic of corrupting rival state’s data will only grow as the Chinese Communist Party mandates firms keep Chinese data inside China.[10]
Next, imagine an entirely new form of cyber-enabled political warfare.[11] Tailored messages and deep fakes could undermine trust in public institutions, a phenomenon that has been on the rise globally for the last decade.[12] In fact, we addressed this scenario in the U.S. Cyberspace Solarium Commission.[13] While, the tactic is more in line with Russian cyber strategy, there is nothing stopping the Chinese Communist Party from adopting a proven playbook using algorithms already available.
It stands to reason that cyber espionage campaigns by the Chinese Communist Party are about to increase in scope and severity with the proliferation of generative AI. APT groups will gain new targets of opportunity as the technology unleashes a business revolution. Every entrepreneur with a new idea for applying generative AI to solve a problem will become a target of the largest authoritarian regime the world has ever seen. The hackers and spies supporting the Chinese Communist Party will use this same technology to develop new forms of malware, holding the American economy at risk from sustained IP theft.
Therefore, the question before you is what can the Congress do to protect American businesses in this new era of competition. I will conclude with a few thoughts.
First, there is no cybersecurity without cloud security. Generative AI models require access to large data sets and compute power to learn. This learning makes them more responsive to users and adaptable to different business cases. Therefore, without data there is no AI. As a result, helping companies find ways to protect their data without stifling innovation is a critical national security challenge. If we thought about national security in terms of cybersecurity along these lines, the loss of hundreds of billions of dollars to IP theft would be unacceptable. It would be the equivalent of every ship in the navy sinking each year.
Second, maybe it is time to take the gloves off. Consider a Cold War sabotage case. In the early 1980s, KGB Directorate 7 routinely used a network of spies and intermediaries to steal IP, including software. In an effort to undermine these activities and the Soviet economy in 1982 President Reagan authorized inserting malware into software code high on the KGB shopping list.[14] The net result was a massive gas pipeline explosion in Siberia that made the Soviet’s think twice about the utility of stealing Western IP. I am not advocating we destroy critical infrastructure in the People’s Republic of China. I am suggesting that it is time to think about how to undermine the incentives for stealing American IP. Sanctions and indictments don’t appear to be enough.
Competition is inevitable. Conflict is not. The United States must find ways to compete outside of military confrontation that deny the ability of the Chinese Communist Party to undermine the American economy. Hearings like this are a positive first step and help to shed light on the magnitude of the challenge ahead. Thank you again for the opportunity to testify.
Statistical Appendix
Compiled by Jose Macias, Center for Strategic and International Studies Future Lab
Table 1 summarizes data from the recently published Dyadic Cyber Incident and Campaign Dataset (DCID 2.0).[15] China has engaged in 114 documented cyber campaigns from 2000-2020. Of these 114 documented cases, 90 are attributed to espionage campaigns. Of these 90 espionage cases, 32 operations targeted private entities across 10 different commercial sectors (See Table 2 In appendix). The sectors targeted most frequently were Information Technology (7), Healthcare and Public Health (5) and Energy (4). Regarding the suspected theft of intellectual property, not including personal identifiable information, email or non-trade secrets, DCID recorded China’s cyber theft of research on cancer, vaccines, submarines, oil production, blueprints for unmanned vehicles, technical specifications for fifth-generation stealth fighters, nuclear power plant designs, metallurgy secrets, and solar cells.[17]
Select Cases of Espionage on Private Entities
Aviation
Senior defense officials reported that the F-35 Joint Strike Fighter’s self-diagnostic system was compromised in 2009.[16] The majority of the files stolen focused on the design and performance statistics of the fighter, as well as its electronic systems.[17] With access to these files, officials suspected that adversaries may reduce the efficiency of the fighter jet by understanding its limitation and performance weaknesses.
A complaint and investigation began into suspected spy Su Bin in 2014 where the U.S. Department of Justice argued his role in the criminal conspiracy to steal military technical data, including data relating to the C-17 strategic transport aircraft and certain fighter jets produced for the U.S. military.[18] Su pleaded guilty and admitted to conspiring with two persons in China from October 2008 to March 2014 to gain unauthorized access to protected computer networks in the United States, including computers belonging to the Boeing Company in Orange County, California, to obtain sensitive military information and to export that information illegally from the United States to China.[19]
In 2011 Chinese intelligence officers focused on the theft of technology underlying a turbofan engine used in U.S. and European commercial airliners.[20] In 2018, The U.S. DOJ indicted Zha Rong and Chai Meng, and other co-conspirators who worked for the Jiangsu Province Ministry of State Security (“JSSD”) on charges for breaching aerospace companies based in Arizona, Massachusetts and Oregon.[21] The intelligence officers targeted companies that manufactured parts for the turbofan jet engine. Separate to this indictment, it is also reported that Chinese spies have stolen data on unmanned aerial vehicles (UAV).[22]
Energy Sector
In 2011 it was reported that Chinese intrusions in commercial facilities led initially to the defacement of public facing websites.[23] However, when formal charges were brought in 2018, two individuals were indicted on the theft of data from over 45 companies based in at least 12 states.[24]
The U.S. DOJ indicted Zhu Hua and Zhang Shilong who worked for a “technology company” in Tianjin, China, and supported the Chinese Ministry of State Security’s Tianjin State Security Bureau in its mission to steal trade secrets. The investigation found that Zhu and Zhang stole data on oil and gas exploration and production. The full extent of the investigation uncovered a deeper web of theft through an array of commercial activity, industries and technologies. These included aviation, satellite and maritime technology, industrial factory automation, automotive supplies, laboratory instruments, banking and finance, telecommunications and consumer electronics, computer processor technology, information technology services, packaging, consulting, medical equipment, healthcare, biotechnology, pharmaceutical manufacturing, and mining. They also gained access to U.S. Department of Energy’s Lawrence Berkeley National Laboratory.
Between 2006-2014, Members of the Chinese People’s Liberation Army (PLA) broke into Westinghouse Electric Co. (Westinghouse), U.S. subsidiaries of SolarWorld AG (SolarWorld), United States Steel Corp. (U.S. Steel), Allegheny Technologies Inc. (ATI), the United Steel, Paper and Forestry, Rubber, Manufacturing, Energy, Allied Industrial and Service Workers International Union (USW) and Alcoa Inc. to steal trade secrets and benefit their state-owned enterprises.[25] The operation was not attributed until 2014 when the U.S. concluded their investigation into the breach and indicted five PLA members, Wang Dong, Sun Kailiang, Wen Xinyu, Huang Zhenyu, and Gu Chunhui, who were officers in Unit 61398 of the Third Department of the Chinese People’s Liberation Army (PLA).[26]
Maritime
In 2017, Chinese operatives breached the computers of a Navy contractor at a university and stole research on undersea fighting capabilities apart of a Department of Defense (DoD) project named Sea Dragon.[27] The research stolen was on supersonic anti-ship missile that would be fitted on submarines by 2020. Specifically, the intruders stole signals and sensor data, submarine radio room information relating to cryptographic systems, and the Navy submarine development unit’s electronic warfare library.[28] Further reporting found that this is not the only instance of research by universities on maritime military capabilities, rather that it is a part of a systematic campaign that targeted at least 27 universities.
Please consult the PDF for references.