Edward Snowden told Hong Kong media that the United States is involved in extensive hacking operations directed against China and Hong Kong.
There is more than a little irony in seeing a hacking group, whose efforts were supposed to be secret, being caught with its pants down. It’s also fascinating to have the curtain pulled away, revealing some very practical aspects of the world of freelance hackers. But on a deeper level, the hackers’ internal secrets illuminate the threats we face from that world.
Before we get to those threats, here’s what we know and don’t know about the documents. They seemingly come from I-Soon, a firm in Chengdu, China, that provides its cyber mercenary services to the government of the People’s Republic of China. The company’s website was deleted after the leak became public. It’s not clear who posted the files, which include chat records, internal communications, and other data, or why. Many cybersecurity experts believe the documents are authentic, but the company did not respond to a request from a Barron’s researcher to confirm them.
The cache includes detailed maps of roads in Taiwan (of obvious interest to the People’s Liberation Army) and marketing pitches by I-Soon touting its capabilities and exploits. The documents suggest the company successfully attacked targets of potentially strategic value such as government ministries from Southeast Asia to Africa, as well as targets of opportunity such as the Vietnamese traffic police. Much of the work was evidently undertaken for the Ministry of State Security, which has a rich history of foreign cyber maliciousness. But some of the contracts were apparently with the Ministry of Public Security, which keeps tabs on Chinese citizens domestically and overseas and is responsible for the repressive surveillance of Uighurs in Xinjiang province. I-Soon pitched its services to Xinjiang officials, The Wall Street Journal reported.
A few observations, in ascending order of importance:
First, freelance hackers are more vulnerable, and can be important sources of information.
The secrets of hackers-for-hire are often easier to compromise than those of government or military spy agencies. Private sector hackers aren’t subject to military discipline, may well jump from one private firm to a competitor (perhaps giving individuals incentives to reveal dirt on their former employer), sometimes display poor “operational security” by leaving themselves vulnerable to cyberhacks (whether due to hubris or lack of operational rigor), have fewer resources than governments (yielding poorer training and perhaps reduced access to expensive, cutting-edge cyber tools and equipment), and might be less concerned about leaving traces of their hacks (occasionally mixing espionage with ransomware, a tradecraft violation).
The result? Private sector hackers can be a softer target for Western spy agencies than the regimes for whom they work. Even better, a successful penetration of a private sector hacker—especially a very competent one—might reveal a treasure trove of important and nicely packaged information, making the spy agencies’ work much easier. For example, a for-hire hacker might have in its files a solicitation from a government ranking its intelligence targets, or a memo prepared for its government client summarizing the significance of the intelligence it collected and explaining its methods and where it encountered challenges.
Second, it’s not just China. Russia, Iran, and others employ private hackers and criminals.
Western governments and cybersecurity researchers have uncovered many instances of authoritarian governments dipping into the shadowy world of ransomware criminals and hackers-for-hire to do their bidding. For years, the Kremlin has employed criminal gangs and worked through the notorious Internet Research Agency; Iran’s Islamic Revolutionary Guard Corps routinely employs cyber proxies; and China appears to have a rich supply of private firms eager to obtain ministry contracts. The U.S. Department of Justice has sought to make an example of a few of these with indictments of Chinese, Iranian, and Russian cyber criminals.
Although tolerating private hackers inside a country’s borders would violate the objectives of the Budapest Convention, China, Iran, and Russia aren’t parties to the international treaty. The United States and most European countries, however, are signatories. For legal and policy reasons, Western spy agencies don’t employ private hackers. In the U.S., such activity would typically violate the Computer Fraud and Abuse Act. (That said, U.S. spy agencies rely on private contractors for some technical assistance, and any “intelligence activity” is expressly exempted from the statute.)
Third, China’s cyber maliciousness is overwhelming.
There’s almost no way to overstate the scope and intensity of the Chinese cyber threat to the U.S. and Europe. The heads of the U.K. Security Service and the FBI recently described China as engaged in “a coordinated campaign on a grand scale,” with the FBI opening a new Chinese cyber investigation the equivalent of every 12 hours. In January, FBI Director Christopher Wray noted that the number of hackers in the Chinese government trying to burrow their way into U.S. government and commercial networks was at least 50 times greater than the number of FBI cyber personnel. Even at that astonishing scale, the PRC relies heavily on outside contractors. And judging from I-Soon’s marketing materials, it was clearly worried about its competition, so there must be a robust base of commercial vendors eager to land PRC hacking contracts.
Moreover, no longer content with surveillance of military networks or industrial espionage, PRC hackers have been busy penetrating civilian and infrastructure networks (water supply systems and the like). These networks have no apparent economic or military value—unless the purpose was to preposition for wreaking havoc in the event of an overt military conflict. Microsoft discovered the presence of Chinese hackers in infrastructure in Guam last year—clearly relevant to a potential U.S. response to any takeover of Taiwan, and just months ago the FBI and Justice Department dismantled operations of the PRC’s notorious and effective Volt Typhoon cyber gang.
Fourth, the PRC cyber threat will get even worse.
PRC cyber maliciousness aimed at America will surely worsen. This is not simply a function of greater resources devoted by the PRC to cyber wrongdoing or even its use of increasingly sophisticated techniques. Nor is it attributable merely to the continued march of digitization, the interconnectedness of everything and the resulting ever-expanding “attack surface.” Much of the danger lies in the PRC’s increased targeting of operational technology. Sensors and control devices in everything from traffic signals to valves in chemical plants generally have weaker cybersecurity than information and communications systems, and the PRC has already established its strategic willingness and capability to embed malware in American infrastructure. China faces no legal, and few geopolitical, reasons to curtail its cyber activities. And with hackers-for-hire such as I-Soon boasting of their technical abilities to help the PRC government realize, if not expand, its goals, the threat is certain to grow.
To be sure, the federal government and the private sector are working hard to blunt that growing threat, but the I-Soon leak gives us a glimpse of what we are up against.
Glenn S. Gerstell served as general counsel of the National Security Agency from 2015 to 2020 and is a senior adviser at the Center for Strategic and International Studies.