The Perfect Weapon


by David E. Sanger


  In each case Hickton’s job was to find ways to prosecute individual officers in Unit 61398 without relying on evidence from the intelligence agencies. “We needed something we could bring to court, if this ever made it to court,” Hickton told me.

  What would be missing, of course, were the NSA’s classified intercepts of the officers inside the big white tower on Datong Road. But as Mandiant had proven, it was possible to get pictures of the perpetrators within the building—which the Chinese have yet to concede serves as the headquarters for a PLA cyber unit—without actually relying on the NSA.

  Working with the targeted companies and a trail of forensic evidence, Hickton was able to identify the five PLA officers later named in an indictment, using many of the same techniques that Mandiant had used. He even had their names—Wang Dong, Sun Kailiang, Wen Xinyu, Huang Zhenyu, and Gu Chunhui—and ranks, enabling Hickton to make a public identification that, as he put it, “would freak out the Chinese.” But he had no illusions about bringing the five officers to justice. Unless these five decided to take their kids to Disney World sometime in the near future, the chance of grabbing them in the United States was next to nil. The case would be more symbolic than anything else—a legal and diplomatic gamble that the publicity around the indictment, and exposure of some of the evidence, might embarrass the Chinese into halting some of their most egregious behavior.

  “I can’t do the diplomacy part,” Hickton said. “I can only do the we’re-trying-to-lock-you-up part.”

  At the center of the prosecution strategy was John Carlin, the head of the national-security division of the Justice Department. “We needed to push back, and to do it through our legal system,” Carlin told me. “And that means building a solid case, the way you would build any other kind of solid case.”

  It was a sign of the sensitivity of the whole matter that Hickton spent much of his time fighting a rearguard action with the Justice Department; he didn’t mind working with Carlin on the case, but the last thing he wanted to see was the case being taken away from him and enlarged in Washington. And other parts of the US government, Hickton believed, didn’t want the Justice Department to dabble in state-supported foreign cyber incursions at all. “The State Department didn’t like it because they were afraid it would mess up negotiations with the Chinese on other things,” Hickton told me. “The intelligence guys were afraid it would shut down their sources. So I had to spend months just keeping everyone together.”

  When Hickton saw the Mandiant report and the Times investigation, it seemed to him that the work he’d done was for naught. He believed someone in Washington had made a deliberate decision “to ‘out’ the PLA, and that events would take their own course as a result of the report.” He was wrong: there was no government leak, and as he notes, the public outing bolstered his case.

  Hickton took the evidence to a grand jury. They indicted five officers of the People’s Liberation Army, including “UglyGorilla” and his compatriot “KandyGoo.” But the indictment was kept under seal, pending an approval in Washington that it was the right time to take on the Chinese government.

  Hickton was constantly on the phone to DC, or on a plane, pushing to get the indictments announced. Finally, in May of 2014, the approval came. The big announcement, to Hickton’s annoyance, came in Washington, not Pittsburgh. “State actors engaged in cyber espionage for economic advantage are not immune from the law just because they hack under the shadow of their country’s flag,” Carlin said in Washington. “We will hold state-sponsored cyber thieves accountable as we would any other transnational criminal organization that steals our goods and breaks our laws.”

  When the Times asked Carlin and James Comey, then FBI director, whether the Chinese might retaliate by indicting Americans who hack on behalf of the US government, they said that, naturally, they could not discuss any offensive US cyber operations. But the difference, they both stressed, was that the United States didn’t steal secrets from China and give them to corporations like Google and Microsoft and Apple.

  They were right, but it was a very American answer. It is a distinction that the Chinese have never bought into: To them, economic security and national security are a seamless web, and building strong, state-owned firms is essential to the defense of the state. And the indictments pointedly didn’t mention Chinese attacks aimed at the Defense Department or major defense contractors: clearly the United States did not want to invite Chinese revelations about American attacks on similar military targets in Beijing, Shanghai, and Hong Kong.

  UglyGorilla and his coworkers have never seen the inside of an American courtroom, and Hickton, who left his job at the end of the Obama administration, concedes they may never face a judge. But Hickton keeps a copy of one of his favorite keepsakes from the case: the big red Wanted poster the Justice Department printed with the pictures of all five PLA officers.

  * * *


  The Chinese were blindsided by the indictments and professed outrage, calling the specifics of the indictments “fabricated facts” that “grossly violate the basic norms governing international relations and jeopardizes China–US cooperation.” It was they who were the victims of cyberattacks, the Chinese claimed, not the perpetrators. But the publication of the pictures of actual officers working at their keyboards made it clear to the PLA they were going to have to up their game. Eric Holder, then the attorney general, told me and my colleague Michael Schmidt that his response to the Chinese was in the nature of a dare: “If we fabricated all this, then come over to Pittsburgh and embarrass us by forcing us to put up or shut up, and we’ll put up.” The Chinese leadership didn’t press the point much further—apart from the odd rhetorical posturing—but they also showed little willingness to curtail industrial espionage. For the rest of 2014 and into 2015—with the OPM revelations—the two sides settled into a tit-for-tat strategy. The only glimmer of progress came in mid-2015 when a United Nations “council of experts” began to draft rules about what kind of hacking should be off-limits. The theft of intellectual property—a violation of international law even in the pre–cyber age—was an easy one to agree on.

  The stalemate was broken when American outrage over OPM ran headlong into government pageantry. Xi Jinping, settling into China’s presidency, was heading to Washington in September 2015 for his first state visit—a moment of pomp and circumstance that most Americans tended to ignore but was vital to the status-conscious Chinese leadership. Chris Painter, the head of the State Department’s cyber unit, recalled later that the Chinese officials were “almost pathological in wanting his trip to go perfectly.”

  Obama’s team realized they had leverage and promptly threatened to impose sanctions on China for a variety of cyber activities, including Unit 61398’s exploits, in the days just before President Xi was scheduled to arrive. They knew that to the Chinese, sanctions would cast a huge pall over the trip and would suggest that Xi wasn’t in command of the relationship. The only way to avoid this embarrassment, they told the Chinese, was to negotiate the bare bones of the first arms-control accord for cyberspace.

  Susan Rice, Obama’s national security adviser, was dispatched to Beijing in August. All the original American intelligence assessments of how Xi would conduct himself as leader—that he would focus on domestic issues, not press for territorial gains or challenge American influence around the world—had been proven wrong. He was far more of an activist on the geopolitical stage than anyone had expected. And while Rice was escorted in for a lengthy conversation with Xi, she left with the issue of cyber espionage unresolved. It looked as if Xi was preparing to stonewall at his meeting with Obama, the last chance to get something significant going before he left office.

  But when Rice returned to Washington, “they suddenly called up and said they needed to send a delegation here,” she recalled later. The specter of sanctions—that would target a select set of companies and government entities that had profited from hacking American firms—just ahead of Xi’s visit had finally given the Chinese pause. Suddenly fifty Communist Party officials and government bureaucrats, led by Meng Jianzhu, a close Communist Party adviser to Xi and head of state security, secretly landed in Washington to work out a deal.

  Four days of marathon sessions took place at the Shoreham Hotel, near Rock Creek Park: a place so jammed with tourists of all nationalities that a delegation of that size could blend in. Painter and Suzanne Spaulding, a former senior CIA official who was overseeing cyber policy at the Department of Homeland Security, focused on a series of steps to stem the flood of attacks on American industry. “We were all thinking about OPM,” Spaulding later recalled, but espionage was left off the agenda—it would have complicated an already fraught set of issues.

  The talks ended at three a.m. on the morning the Chinese were scheduled to return to Beijing. Upon landing, Meng acknowledged for the first time that there was a difference between cyber espionage for national-security purposes and cyber espionage for corporate economic benefit. Obama told American business leaders that cyberattacks would “probably be one of the biggest topics,” and his goal was to see “if we and the Chinese are able to coalesce around a process for negotiations” that would “bring a lot of countries along.”

  When President Xi himself arrived in Washington several days later for his first state visit, he was treated to a lavish state dinner. Obama had invited all the Silicon Valley royalty who were struggling in China: Mark Zuckerberg of Facebook, Tim Cook of Apple, and the chief executives of Microsoft and DreamWorks.

  Before Xi left, he and Obama announced an accord that included the first curbs on using the web to steal intellectual property. Oddly, it seemed to work right away: Mandiant and other firms saw a marked drop-off in that kind of hacking by the Chinese. Painter believes that Xi looked into the future and saw that “a few years from now, people are going to be stealing industrial designs from the Chinese, and he had to get ahead of it.” In fact, people have already gone after the Chinese—and most of them are Russian.

  But Obama’s hope of creating a model that others would follow—what Kennedy did with the Limited Test Ban Treaty more than forty years before—never materialized. The agreement with China was not expanded, and no other countries began serious discussions along similar lines.

  And the other subject that Obama and Xi discussed intensely, how to manage a young, headstrong dictator in North Korea, was quickly coming off the rails as well.

  CHAPTER VI

  THE KIMS STRIKE BACK

  AGENT LACEY (LIZZY CAPLAN): Kim Jong-un is now capable of nuking all of the West Coast. The point is we’re talking about nuclear nations at war with each other…The CIA would love it if you two could take him out….

  AARON RAPAPORT (SETH ROGEN): Like, for drinks?

  LACEY: No, no, no take him out.

  DAVE SKYLARK (JAMES FRANCO): Take out—like to dinner?

  RAPAPORT: Take him out to a meal?

  LACEY: Take him out.

  RAPAPORT: Like on the town?

  SKYLARK: Party?

  LACEY: No, uh, take him out.

  RAPAPORT: You want us to assassinate the leader of North Korea?

  LACEY: Yes.

  SKYLARK: What?!

  —From The Interview, the 2014 comedy that prompted North Korea’s cyberattack on Sony Pictures Entertainment

  Michael Lynton, the lean, European-born chief executive of Sony Pictures Entertainment, remembers well what happened when he called the State Department in the summer of 2014. He was worried about a torrent of threats from North Korea, all designed to force the studio to halt the release of a forthcoming comedy called The Interview.

  “I had never seen a country demand that we kill a project,” Lynton told me.

  It wasn’t hard to understand why the North Koreans were upset about the imminent release of a farce starring Seth Rogen and James Franco. The plot was not exactly subtle: Two bumbling, incompetent journalists score an interview with Kim Jong-un, but before they leave for the Hermit Kingdom they are recruited by the CIA to blow him to smithereens. The plot was completely improbable, but the North Koreans were not known for their finely honed sense of satire.

  Publicity about the movie quickly pierced the cocoon of Pyongyang. The poster was arresting: Designed with Soviet-style touches from the Cold War, it depicted Kim’s missiles and tanks over an image of the young North Korean leader, looking appropriately fierce. The poster turned out to be more engaging than the movie it was advertising.

  North Korea’s foreign ministry, anticipating the film’s plot, had already written a searing letter of protest to the secretary general of the United Nations, Ban Ki-moon, demanding that he intervene to stop the movie’s distribution. It apparently took awhile for the North to figure out that the secretary general, a South Korean, was not especially interested in solving their problem. And even if he had been, he was not in a position to have influence over Hollywood studios.

  When the letter-writing gambit failed, North Korea began issuing threats against the United States. If Sony released the movie in American theaters as planned, on Christmas Day 2014, it would be viewed as an “act of terrorism” meriting “a decisive and merciless countermeasure.” This was the kind of line the North rolled out in response to everything from military exercises to sanctions. In other words, the response sounded like a parody of the dialogue in The Interview.

  In Washington in 2014, before Kim’s missiles could credibly threaten the capital, such North Korean threats usually prompted the kind of yawns reserved for a budget hearing on agricultural subsidies. So the bluster over The Interview elicited no government response. But it got Lynton’s attention. As a business executive and then a Hollywood studio executive, he wasn’t accustomed to doing geopolitics. And the more noise the North Koreans made, the more nervous he became—in part because his bosses at the headquarters of the Tokyo-based parent company, Sony Corporation, were terrified. Its chief executive officer Kazuo Hirai was so anxious that Lynton and his co-chair, Amy Pascal, ordered the studio to tone down a scene at the end of the movie in which Kim’s head appears to explode during a gruesome assassination. Soon the name “Sony Pictures” disappeared from all of the film’s posters and promotional materials as the corporate leadership in Tokyo did all it could to distance the parent company from the film.

  Still, the increasingly hysterical-sounding threats from North Korea left Lynton with a bigger decision—whether to kill the project altogether.

  That’s when Lynton called Danny Russel.

  Russel was then the State Department’s top Asia diplomat, a wry and experienced hand who had, by the time he turned sixty, seen just about every form of bizarre North Korean behavior. He had worked behind the scenes to get American hostages released, designed sanctions regimes, and helped draft diplomatic initiatives over the North’s weapons programs that he knew the Kim family would reject. Lynton didn’t know Russel—studio executives don’t spend a lot of time in Foggy Bottom, and diplomats may have an understandably jaundiced view about Hollywood. But when Lynton went looking for someone in the US government to consult, everyone suggested Russel. On their first phone call, Lynton quickly got to the urgent question: Were the North Koreans simply making noise, or was the situation about to get a lot worse?

  “He either asked directly or by implication if we wanted them to pull it down because of the risk of retaliation against the US,” Russel recalled. Recognizing instantly that the US government couldn’t get into the business of approving or disapproving movies, Russel told Lynton it was a “business decision” for Sony Pictures. “I didn’t want to be in the position of having the United States government abridging free speech at the behest of a dictator,” he said. “It was their decision.”

  Russel offered one last bit of advice: Don’t take publicity photos of Rogen and Franco at the Demilitarized Zone. The North Koreans get a little touchy up there. But as the phone call ended, Russel shared with Lynton the Washington wisdom on North Korea’s hyperbolic warnings: Most of them, he said, “were bullshit.”

  What neither Russel nor Lynton knew was that North Korea’s small army of hackers had already begun figuring out how to decimate Sony. “At that point in time, Kim Jong-un was relatively new in the job, and I don’t think it was clear yet how he was different from his father,” Lynton said. “Nobody ever mentioned anything about their cyber capabilities.”

  * * *


  Nobody mentioned North Korea’s cyber skills because no one was really paying attention. And by the time The Interview was being made, the Hermit Kingdom had gone from viewing the Internet as a threat to viewing it as a brilliant invention for leveling the playing field with the West.

  Like the Chinese, Kim Jong-il, the son of the country’s founder and the father of its current leader, had initially seen the Internet as a threat to his regime; anything that allowed citizen-to-citizen communication could complicate ironclad control over the country. In North Korea, unlike in China, the Internet was not difficult to rein in, at least before smartphones began slipping over the Chinese border. North Korean households had no computers, just televisions and radios with a couple of state-run channels.

  But over time, even a sealed-off regime began to see the merits of using the Internet to wreak havoc and make profits. Kim Heung-kwang, a North Korean defector who said in an interview with the Times that he helped train many of the North’s first cyber spies, recalled that in the early 1990s a group of North Korean computer experts came back from China with a “very strange new idea”: using the Internet to steal secrets and attack the government’s enemies.

 
