For one unnamed American biomedical company, it took five years to bring a new product to market as it stuttered on the ideation assembly line. There was genesis, then research and development, then meticulous rounds of testing to refine what came before and meet regulatory scrutiny. Only then was the product manufactured and sold for use in a hospital.
How did a Chinese competitor manage to rush the same product to market in 18 months? Heart valves and prosthetics take less time, it turns out, when a team of digital cat burglars can sneak into the American company’s mainframe and pop out with schematics for a fully tested product, beating the original innovators to market.
“It happens with every industry,” says Shawn Henry, president of services and chief security officer of CrowdStrike, a cyber security firm in Irvine, Calif. The biomedical company is a client of CrowdStrike’s, one of countless U.S. firms that see foreign hackers worm their way into their mainframes and facilities on a regular basis.
It's nothing personal. In several areas of the world, the United States is mired in economic and political tension. In China, it is facing a rising economic power that has little patience for Western dominance. In Russia, it is facing a belligerent former power that is using force to recoup what was lost so long ago (and economic leverage to keep it that way). The hostilities continue to play out in bold headlines and fraught diplomatic relations, a Cold War simmer that refuses to boil over.
In the digital world, however, the U.S. and its adversaries have been at war for some time. Some of the largest U.S. threats are buzzing through Russian and Chinese computer systems operated by droves of highly skilled hackers. A small biomedical company beat by a copy of its own product? Just the tip of a mammoth iceberg of cyber warfare over the last decade that has left companies and organizations that are standing on the sidelines shellacked.
Cyber sabotage has quickly become the 21st century’s preferred form of international trade theft. Hackers hunt any intellectual property worth a dollar, ruble, or yuan. Pilfered research from the biomedical, energy, finance, software, IT, defense, and aerospace industries creates not only economic gain but state-related advantage. In China, the state and economy are so intertwined that illicit intelligence-gathering doubles as national security. In Russia, the battery of economic sanctions in response to its military actions in Eastern Europe have incentivized subterfuge opportunities.
It is difficult to attribute attacks to certain nations. In the interconnected digital world, there is no equivalent of a DNA sample or fingerprint to identify the perpetrator of a specific cyber crime. Still, aggregate data—including time zone, location of the physical servers used in the attack, nation-specific tools and techniques, and language indicators—leads researchers like CrowdStrike to place the majority of blame on Moscow and Shanghai.
“I’m talking about thousands of data points here,” Henry says. Cyber theft is a lot like bank robbing, he says—the more you do it, the more trails you leave. “You’re able to see consistencies of patterns, and along the line somewhere the attackers make a mistake. They make the digital equivalent of parking their getaway car near the convenience store camera, and we can attribute.”
Eric Chien, technical director at Symantec (symc), the computer security company, organizes foreign cyber soldiers into three categories: independent hackers, hackers financially backed by states, and purely state-employed hackers. Each prefer to operate in a different corner of the international market. Independent hackers, for example, often break into consumer-based industries for financial gain. The theft of data from JPMorgan Chase and other banks, disclosed in August, is one example. The theft of 1.2 billion digital credentials by a Russian crime ring, also revealed in August, is another.
State-backed or state-employed hackers, on the other hand, are more interested in information with strategic value. Contract-based hackers might pillage companies for oil-drilling maps, software source code, or military technology for the next generation of fighter jets. Others might might sabotage the mergers and acquisitions of U.S. companies with their Russian or Chinese counterparts at their government’s behest.
There has been an uptick of activity from China ahead of the 2014 G-20 Summit in Brisbane, Henry says.
“It’s typical of G-20 that the Chinese are interested in advance knowledge of what people’s positions are, what people will be discussing, and how it will impact Chinese business and public perception of China,” he says. “It’s really about knowing the answers to the test before they take it.“
Less frequent (but more concerning) are large-scale campaigns from state actors aimed at undermining infrastructure and stability. In 2013 and 2014, the Dragonfly attacks targeted a clutch of energy companies in the U.S. (as well as Spain, France, Italy, Germany, Turkey, and Poland) to gain access to the power grid and related infrastructure. A similar battery of Russian attacks on U.S. energy companies occurred in 2013. In 2014, the Turla malware campaign involved the attack of foreign embassies of former Eastern Bloc nations. Diplomats and foreign agents were spied on for at least four years. With a steep cost to conduct such surveillance yet no apparent economic motive, some researchers attribute the campaign directly to government.
Cyber security firms have few readymade fixes for an issue as extensive as a digital international trade war. International agreements to limit such behavior are seen as toothless. Russia and China have denied allegations of cyber espionage and, in the wake of disclosures about the activities of the National Security Agency by the former contractor Edward Snowden, accused the U.S. of hypocrisy.
David Gorodyansky, chief executive of the privacy software developer AnchorFree, laments what he sees as disingenuous U.S. foreign cyber policy. “The [NSA spying scandal] kind of prompted Russia and China to do the same thing,” he says. “We spied on Germany and Brazil and all these other places, so they have no reason not to do the same thing. We need to take the high ground and say, ‘Look, we’re not going to play this game.’”
Henry says the benefits are too tempting. “Those nations [that steal intellectual property] are gaining so much,” he says. “They’re at an advantage. We’re at a disadvantage. I just don’t see [international agreements] happening anytime soon.”
Henry and Gorodyansky agree on an uneasy truth: If the U.S. government can’t protect its businesses, those businesses should protect themselves. Otherwise that new product on the market might look all too familiar.
Correction, October 28, 2014: An earlier version of this article misspelled the name of AnchorFree's chief executive. It is David Gorodyansky, not Orodyansky.