So China has at last admitted, albeit obliquely, that it sponsors offensive hacker units—martial cyber corps, if you will. It’s an unprecedented confession for the state, whose persistent denials have been met for years with the diplomatic equivalent of, “Yeah, right.”
China’s admission, however unsurprising, is a rare ray of light piercing the murky fathoms of international cyber warfare. The news arrived in the most recent edition of The Science of Military Strategy, a much pored-over document produced by China’s Academy of Military Sciences, the top research institute of the country’s military. Though published at the end of 2013, the latest version took time to trickle out to the global community and to be translated from the original Mandarin. But inside, readers found a treat.
“This is the first time we’ve seen an explicit acknowledgement of the existence of China’s secretive cyber-warfare forces from the Chinese side,” Joe McReynolds, a researcher at the Center for Intelligence Research and Analysis, tells The Daily Beast. “It means that the Chinese have discarded their fig leaf of quasi-plausible deniability.”
The perpetual parries of Chinese officials on the subject of cyber war have long frustrated the global security community. But the days of outright dismissing inquisitions and accusations of hacking—the waving of hands with a Jedi-like flourish and the ineffective uttering of These are not the hackers you’re looking for—seem to have expired. China has fessed up.
Admission of capability is a first step towards progress in the relationship between US and China. CN PR guys will need new scripts though.
— Richard Bejtlich (@taosecurity) March 18, 2015
The existence of Chinese hacking teams has morphed from an open secret into a bewildering, if not irritating, joke. Despite the historic nature of last week’s buried announcement, no one in the industry appears to be surprised by it—though it has left some security experts feeling slightly vindicated. Fortune, noting that cyber warfare is an exceedingly important element of what we call “The new cold war on business,” took the opportunity to speak with veterans of the security world who have been following China’s cyber antics for some time. They shared some choice words.
“Oh my god,” remarked Dmitri Alperovitch, co-founder and CTO at security firm CrowdStrike, with mock surprise. “We’ve just found out the sky is blue.”
In all seriousness, one can understand Alperovitch’s cynicism. He’s the author of the 2011 “Shady rat” report—a white paper exposing an extraordinary and extensive (allegedly state-sponsored) hacking campaign—and former vice president of threat research at McAfee. There, he had been tracking the purported spies’ activity for at least five years before taking it public. Alperovitch says the company, then owned by Intel (INTC), would not permit him openly to conjecture about the attack’s attribution, since its business had major operations in China. “Citing McAfee company policy, he refused to speculate on which country was behind Shady rat,” Vanity Fair reported at the time.
Alperovitch recalls that at the time the white paper appeared, people questioned it, proposing hacktivist or organized criminal groups as plausible culprits. Russian cyber security firm Kaspersky Labs openly dissed the report’s claims and implications, dubbing the investigation “shoddy rat,” and concluding its blog post review with a terse Q&A:
Was it backed up by a state?
Does Shady RAT deserve much attention?
Alperovitch brings his memory of the experience to bear when considering China’s latest disclosure. (The past incident appears to have left some bitterness on his palate.) “Not even four years since that report and now its become common knowledge that almost everyone in the security community accepts as fact,” he says. “It’s incredible how quickly things have changed.”
Kaspersky Labs, by the way, still maintains its doubt. The firm tells fortune in an emailed statement: “We’ve been researching the ShadyRat botnet and its related malware, and the result of this work enables us to conclude that the attackers seem amateurish compared to the high-profile operations that were on Kaspersky Lab’s radar during the same period (2010-2012). We can’t conclude that the ShadyRat operation is a state-sponsored one.”
At CrowdStrike, however, Alperovitch has continued to pursue the putative overseas attackers. Last year, his company released a detailed attribution paper on one of the People’s Liberation Army’s alleged Shanghai-based hacking units: Putter Panda. (See also: Deep Panda and Hurricane Panda.) Even though he says it’s long overdue, China’s crack at an admission—of capability, not culpability—is a first step toward moving the conversation forward, Alperovitch says. Whereas before he described China as holding a “frankly nonsensical position,” and of its officials as being “masters of denying the most obvious facts,” he believes the new information may allow nation states now to begin to establish the norms of behavior in cyber space.
Of course, he is far from the only security expert to meet the so-called revelation about China’s electronic forces with lassitude. Dave Merkel, CTO at security firm FireEye (FEYE), is equally unsurprised by the report describing China’s militarized hacker teams. “It’s not news from my perspective,” he tells Fortune, mentioning that upon hearing the news he “kind of yawned” and thought “so what?”
“Hooray, China said it!” he hoots, before quickly yanking his faux-celebration back down to Earth. “We’ve been dealing with this for years. It doesn’t change anything.” Indeed, in 2013, FireEye’s forensics division Mandiant, then a separate firm, released a report outing five Chinese nationals as having, for nearly a decade, repeatedly stolen U.S. trade secrets. (Here’s Fortune‘s cover story on that report.) While the Chinese government still refutes the firm’s assertion, the U.S. Justice Department found it convincing enough to indict the military members on charges of cyber espionage and hacking, an unprecedented move for a foreign government. China’s Foreign Ministry, copping to no wrongdoing, averred: “The Chinese government, the Chinese military and their relevant personnel have never engaged or participated in cyber theft of trade secrets.” Well, then.
Amit Yoran, RSA president, adds his voice, too, to the proliferating “Well, duh” chorus accompanying the news of China’s hacking program. “Shock and surprise!” he exclaims, betraying ample sarcasm before assuming a more moderate tone. “I shouldn’t make too much fun of it. I think it’s significant.” Yoran, for one, is eminently skeptical of any country that denies it engages in cyber war; that’s simply the way states must operate nowadays. “Every government, whether they admit it or not, is active in this space,” he tells Fortune.
Although China’s disclosure comes as a watershed moment for the concealed world of cyber warfare, in reality, it doesn’t change much. Everyone has known about the state’s cyber, uh, secret for a long, long time. “I have a really bifurcated feeling,” Yoran deliberates aloud, summing up what might be considered the collective reaction of many in his field. “On the one hand I’m excited to see some public recognition that it’s going on. On the other hand, it’s a little bit of a ‘No kidding.'”
Next up, according to the experts Fortune spoke with, is for China to admit not only the existence but the extent of its espionage. “They’ve acknowledged the presence of the capability, not the degree of the activity,” Merkel says. As far as the state’s alleged practice of attacking foreign companies to pilfer intellectual property, and then providing those secrets to Chinese companies so they have an economic advantage, “I certainly don’t see them owning up to that in any form or fashion,” Merkel says.
As Chinese cyber war theorist Wei Jincheng wrote in 1996, “An information war is inexpensive, as the enemy country can receive a paralyzing blow through the Internet, and the party on the receiving end will not be able to tell whether it is a child’s prank or an attack from an enemy.” In the 2010s, the days of child pranking are over. Nation states have mobilized, marched and encamped segments of the internet—and they’re admitting it, presumably because the alternative is no longer tenable. While the existence of China’s digital troops comes as no surprise, the news may advance an international dialog that has been lacking around cyber war.
Then again, two days after the Daily Beast story appeared, China’s Ministry of National Defense denounced a Financial Times report that the country’s military had breached a web domain management site, Register.com. “China firmly opposes any type of cyber attack and punishes such crimes in accordance with the law. The Chinese military has never been involved in any hacking activity to steal business secrets,” the ministry reportedly told the Global Times, a state-run Chinese newspaper. The ministry added, indignantly: “The U.S. should explain its large-scale and organized cyber spying and phone tapping activities to the international community as soon as possible, rather than making irresponsible accusations.”
Guess those PR scripts must still need work.
(Neither the Chinese Ministry of Foreign Affairs nor the PLA responded to Fortune inquiries.)
Watch more business news from Fortune: