China continues to steal intellectual property and trade secrets from U.S. companies for its own economic advancement and the development of its military but “at lower volumes” since the two countries forged an agreement in 2015 meant to curb the practice, according to a report published Thursday by American intelligence agencies.
The assessment, which also incorporates the findings of private sector security experts, comes amid roiling trade tension between the U.S. and China that has spawned dueling tariffs on billions of dollars worth of goods. It is unlikely to quell concerns from the White House that China continues to pose a significant threat to American companies.
The report shows that China mounts a multifaceted approach to stealing secrets, which include computer software source codes, chemical formulas, and technology that can be used in weapons systems. Though it relies on computer hacking, China also acquires technology and know-how through joint ventures and purchases of companies, academic and research partnerships, and front companies meant to “obscure the hand of the Chinese government” in order to acquire technologies governed by U.S. export controls, the report found.
The findings were published by the National Counterintelligence and Security Center, part of the Office of the Director of National Intelligence, which oversees all U.S. spy agencies.
In 2015, after the Obama administration threatened to impose sanctions on China, both countries agreed to refrain from conducting cyber operations for economic advancement. The deal was mostly one-sided, as the United States doesn’t steal proprietary information and technology from other countries for its own economic advancement, intelligence and security officials have said. (The U.S. does steal for political and strategic purposes.)
The report shows that while some progress has been made curbing Chinese economic espionage, its cyber operations continue and are focused on defense contractors or information technology and communications companies that provide products and services to support government and private sector information networks.
“We believe that China will continue to be a threat to U.S. proprietary technology and intellectual property through cyber-enabled means or other methods,” according to the report. “If this threat is not addressed, it could erode America’s long-term competitive economic advantage.”
Intelligence officials are increasingly concerned about an emerging threat in which attackers target software manufacturers and distributors, rather than individual users. In these so-called “supply chain” attacks, software is manipulated — perhaps to install a backdoor for hackers to enter later — before it is installed or updated on a computer. The attacks can affect millions of people who download the software, often from sources they trust.
Recent evidence suggests the problem is pervasive and that companies are unprepared to manage it. Two-thirds of respondents in a survey commissioned this month by computer security company CrowdStrike said their organizations had experienced a supply-chain attack, with 90 percent of those incurring some financial cost.
The intelligence report called 2017 “a watershed in the reporting of software supply chain operations.” Last year, seven “significant events” were publicly reported, compared to four between 2014 and 2016, the report found.
“Hackers are clearly targeting software supply chains to achieve a range of potential effects to include cyber espionage, organizational disruption, or demonstrable financial impact,” the report said.
Among the most notable incidents cited by intelligence officials is one that affected a popular tool used to delete unwanted and potentially dangerous files from personal computers. More than one million computers downloaded an infected version of the program, CCleaner, which hackers then used to target technology companies, including Samsung, Sony and Intel, according to researchers.
Security analysts have found evidence they think links the attack to Chinese hackers, whom they believe broke into a British software maker to corrupt the popular CCleaner program.
Hackers also infiltrated software supply chains to conduct a devastating attack last year in Ukraine. The CIA has attributed that attack to Russian military hackers, who used a virus called NotPetya to delete information from computers used by banks, energy firms, senior government officials and an airport. The attack crippled Ukraine’s financial system during a war with separatists loyal to Moscow.
The attack had significant financial costs to companies, including FedEx and Maersk, which each suffered $300 million in damages, the intelligence report said.
The report warns that new laws and inspection regimes in foreign countries pose a risk to American firms.
Last year, China began requiring foreign companies to submit communications technology to a government-administered national security review. Companies that operate in China also must store their data there, which exposes it to government influence, the report noted.
Russia also “has dramatically increased its demand for source code reviews for foreign technology being sold inside the country,” the report said.
The report singles out Russia and Iran as malign actors intent on penetrating U.S. computer systems and critical infrastructure.
Russia aims to use cyber espionage “to bolster an economy struggling with endemic corruption, state control, and a loss of talent departing for jobs abroad,” the report said. Russian hackers have stolen intellectual property from U.S. health care and technology companies, and last year compromised operational networks at energy companies, the report found.
Iran targets American firms as part of what the report calls “a subset” of offensive cyber operations mostly focused on Israel and Saudi Arabia.
For instance, an Iranian hacker group called Rocket Kitten “consistently targets U.S. defense firms, likely enabling Tehran to improve its already robust missile and space programs with proprietary and sensitive U.S. military technology,” the report said. Iranians are also targeting aerospace and civil aviation firms, financial institutions, and energy sector companies.
To combat old and evolving threats, the U.S. government is taking a range of actions, including trying to collaborate more with business and computer security experts to stay abreast of threats and either stop them from happening or manage the fallout.
The report said that the U.S. will continue to use other countermeasures including attributing attacks to particular countries, diplomatic demarches, economic sanctions and law enforcement actions.
In recent years, the Justice Department has indicted foreign citizens for computer hacking. And while many of those accused aren’t likely to see the inside of an American courtroom, some experts believe the legal actions have had a deterrent effect, particularly in China, where the national government has come to realize that to be taken seriously as a world economic power, it has to curtail its aggressive economic espionage.