Tiger Trap


by David Wise


  FBI director Robert Mueller described the problem in a speech in San Francisco in 2009. "At the start of a cyber investigation, we do not know whether we are dealing with a spy, a company insider, or an organized criminal group," he said. "Something that looks like an ordinary phishing scam may be an attempt by a terrorist group to raise funding for an operation."

  The government has tried to thwart assaults on critical defense networks. NASA, the target of cyber intrusions at both the Kennedy Space Center in Florida and the Johnson Space Center in Houston, initiated a program code-named AVOCADO to block suspected Chinese computer attacks. The Department of Homeland Security's EINSTEIN program has provided government agencies with sensors designed to detect computer intrusions.

  In 2002 the US Naval War College was the site of a war game called Digital Pearl Harbor. Mock attacks by computer security experts simulated attacks by other countries on vital US infrastructure. The exercise found that the Internet and digital financial networks were the most vulnerable. Other experts have warned that telecommunications networks and the air traffic control system could be disrupted by cyberattacks.

  Like the United States, China has devised plans to disrupt the digital networks of an adversary in a war. According to the 2009 report by the University of Toronto researchers, "China is actively developing an operational capacity in cyberspace, correctly identifying it as the domain in which it can achieve strategic parity, if not superiority over the military establishments of the United States and its allies."

  The role of the People's Liberation Army was also highlighted in the Defense Department's 2008 annual report to Congress on Chinese military power: "The PLA has established information warfare units to develop viruses to attack enemy computer systems and networks." The report added that the PLA sees computer network operations "as critical to achieving 'electromagnetic dominance' early in a conflict."

  Although the evidence is murky, Chinese hackers may have targeted that country's critics in the United States. Two Republican members of Congress claimed in 2008 that the computers in their offices on Capitol Hill had been penetrated by hackers they believed were in China. The two representatives, Chris Smith, of New Jersey, and Frank Wolf, of Virginia, both conservatives, were longtime vocal critics of China's human rights record.

  And in an Atlanta suburb in 2006, Peter Yuan Li, a computer technology specialist, naturalized American citizen, and critic of the Chinese government, was robbed, beaten, tied up, and blindfolded by three or four armed Asian men who invaded his home and took two laptop computers, leaving behind other valuable items. He required fifteen stitches to treat a facial injury suffered in the attack.

  Li was a locally prominent follower of Falun Gong, a spiritual movement that China has outlawed as an "evil cult." The FBI and Fulton County detectives investigated the robbery and attack on Li, but there were no arrests. Li, for one, had no doubt about why he was targeted. He blamed China for the break-in, which he claimed was designed to silence him. He expressed surprise "that in the US they could do such things."

  In 1987 Li came to the United States for graduate studies at Princeton, where he received a PhD in electrical engineering. For several years he has worked with other activists to combat Internet censorship in China. "Initially we provided e-mails to China, we had twenty million e-mail addresses and sent articles to them," he said. "Around 2004 proxy servers didn't work anymore, they were easily blocked, and we had to go to more sophisticated methods."

  Along with his group, Li then began supplying Internet users in China with software that allowed them to navigate around the government's firewall. There were various ways to get the software into China. "They block e-mails, but we can still send some, either through e-mail or Skype." Inside China, he said, the software is passed along by word of mouth or on the Internet. When a computer user in China clicks on a link provided in an e-mail, the user can download software that connects to a computer overseas, which then reroutes the traffic to the restricted Chinese website.

  In Li's view, cyberattacks on the Pentagon and other US agencies are originating in China. "The Chinese government regards hackers as heroes," he said. "The government does not crack down on the hackers. The way for students to show genius is to do hacking. I believe they [the Chinese government] are organizing these attacks."

  Most concerns over cyberspying aimed at US defense and intelligence networks have been focused on software, the use of programs that can disable or steal data from the target computers. But computer security experts today are increasingly worried about the compromise of hardware—computer chips that control missiles, aircraft, and radars.

  One reason is that only about 2 percent of the integrated circuits purchased every year by the military are manufactured in the United States. And even most American chip makers have moved offshore, where labor is cheaper. A computer chip made with a hidden, malicious flaw could sabotage a weapons system. And the compromised hardware is almost impossible to detect.

  A chip might even be embedded with a "kill switch," allowing the weapon to be disabled by remote control. When the Israeli air force attacked a suspected nuclear reactor site in Syria in 2007, observers wondered why the Syrian air defenses did not respond. Later, there were unconfirmed reports that a kill switch, provided by the United States to Israeli intelligence, had been used to disarm the Syrian radars.

  The United States has been slow to discern the threat to national security of cyberspies and hackers. President Obama, recognizing the problem, declared in May 2009, "We're not as prepared as we should be as a government or as a country." He spoke ruefully of how, during his presidential campaign a year earlier, "hackers gained access to emails and a range of campaign files, from policy position papers to travel plans."

  He talked about "spyware and malware and spoofing and phishing and botnets." And, he warned, "In today's world, acts of terror could come not only from a few extremists in suicide vests but from a few key strokes on the computer—a weapon of mass disruption."

  Obama announced that he would appoint a White House cybersecurity coordinator to work with federal, state, and local government agencies and the private sector to defend against cyberattacks on the nation's infrastructure. The following month, the Defense Department ordered the creation of the nation's first military cyber command. The appointment of Lieutenant General Keith B. Alexander, who was also director of the National Security Agency, to head the new command stirred controversy. A powerful argument can be made that the NSA, already snooping on e-mails and phone calls under a secret program instituted by President George W. Bush and later approved by Congress, should not exercise control over computer security.

  At the same time, the creation of a White House "cyber czar" and a military cyber command were long overdue, given the continuing computer attacks against the United States. And there was plausible evidence that many of the intrusions originated in China.

  In examining cyber espionage, the detailed 2009 report by the University of Toronto researchers, while appropriately cautious in not blaming every hacker attack on the Chinese government, noted that the cyber assaults on 103 countries were targeted against diplomats, military personnel, the staff of prime ministers, and journalists.

  "The most logical explanation, and certainly the one in which the circumstantial evidence tilts strongest, would be that this set of high profile targets has been exploited by the Chinese state for military and strategic intelligence purposes.... Many of the ... high-value targets that we identified are clearly linked to Chinese foreign and defence policy.

  "Like radar sweeping around the southern border of China, there is an arc of infected nodes from India, Bhutan, Bangladesh and Vietnam, through Laos, Brunei, Philippines, Hong Kong, and Taiwan."

  There was one other key piece of intelligence uncovered by the academic researchers. The attackers' Internet Protocol (IP) addresses, the identifying numbers assigned to all computers and servers, "trace back in at least several instances to Hainan Island."

  There is a reason the finding was especially significant in the continuing effort to pinpoint the source of the cyberspies. The location is a tourist attraction, but it is also something more. Hainan Island, in the South China Sea, is the site of China's Lingshui signals intelligence facility and the Third Technical Department of the People's Liberation Army.

  Perhaps the strongest evidence linking China to cyberspying against the US was provided by WikiLeaks, which began making public 250,000 confidential American diplomatic cables in late November 2010. Among them was a cable to Washington from the US embassy in Beijing, dated in January of that year, reporting that a Chinese contact said that hacker attacks against Google were directed by the Politburo, the highest level of China's government.

  The cable stated: "A well-placed contact claims that the Chinese government coordinated the recent intrusions of Google systems. According to our contact, the closely held operations were directed at the Politburo Standing Committee level."

  The trove of cables, made public by Julian Assange, the founder of WikiLeaks, described a global, coordinated campaign of computer attacks run by Chinese government officials, and Internet hackers recruited by China's government. The documents described previously secret intrusions of American government agencies, attacks code-named BYZANTINE CANDOR and BYZANTINE HADES by US investigators.

  One 2008 State Department cable quoted an analysis of Chinese cyberattacks by Germany's security service, which surmised "the intention of PRC actors is espionage, and the primary attack vector used in their malicious activity is socially engineered e-mail messages containing malware attachments and/or embedded links to hostile websites." The cable added that the emails "were spoofed to appear targeted specifically to the recipients' interests, duties, or current events."

  The WikiLeaks cables provided further confirmation of what had long been suspected: that China, despite its loud denials, was actively engaged in cyberspying against the United States and other targets around the world.

  Chapter 22

  AN AFTERWORD

  IN JANUARY 2010 Google made a surprise announcement that reverberated across Washington, Beijing, and other world capitals. The technology giant threatened to pull out of China because of attacks on its computer systems and thirty-four American companies, mostly in Silicon Valley. The cyberattacks were traced to half a dozen servers in Taiwan, but Google strongly suspected that the assaults, aimed partly at Gmail accounts of Chinese human rights activists, had originated in China.

  The attacks aimed at the US companies in California, including Northrop Grumman and Dow Chemical, appeared designed to scoop up information about weapons systems, and perhaps their vital "source codes," or computer programming instructions. Google turned to the National Security Agency, the nation's eavesdropping and code-breaking arm, for help in investigating the attacks.

  Google also made clear that it would no longer cooperate with Chinese Internet censorship. Soon afterward, the company closed its search engine service in China, google.cn, and automatically routed users to its uncensored website in Hong Kong, google.com.hk, although Google said it was "well aware" that China could block access there as well at any time.*

  The United States treaded lightly at first in response to the initial Google announcement. The White House was silent. A week went by before Secretary of State Hillary Clinton made a speech calling for global "Internet freedom" and asking the Chinese authorities to "conduct a thorough investigation of the cyber intrusions." China responded angrily, saying that Clinton's "groundless accusations" were "harmful to US-China relations."

  Aside from the difficulty of proving that the Chinese government, rather than individual hackers, was behind the spying, there were geopolitical and financial reasons for the muted response by Washington. In 2010 China held more than a trillion dollars of US debt. If the United States were a house, China would hold the mortgage. The Google episode, more than anything else, captured the ambiguous and mutually dependent nature of the relationship between the United States and China in the twenty-first century.

  Politics aside, in the espionage war, as this history has demonstrated, China has often, although certainly not always, been successful. Indeed, China may be America's single most effective and dangerous adversary. It managed over the years to penetrate both the CIA and the FBI. It acquired highly classified and guarded nuclear weapons secrets. The FBI's counterintelligence agents have also won significant battles, detecting several of China's spies, including a number who have been arrested and successfully prosecuted. Yet the record of China's achievements is formidable.

  What is strikingly different about many of the Chinese spy cases is how they overlap and interlock, a tangled web of espionage with tendrils spreading in different directions. The threads of the Chi Mak, Dongfan Chung, Tai Shen Kuo, Gregg Bergersen, and James Fondren cases, for example, were all held by a single spymaster in China, Lin Hong.

  There is a controversial subtext to Chinese spying in the United States. Asian Americans have good reason, historically, to be skeptical of the US government. For sixty years, beginning in 1882 and lasting into World War II, Chinese were barred from immigrating to the United States by the Chinese Exclusion Act. In 1917 Congress created an Asiatic Barred Zone, prohibiting immigration from much of East Asia and the Pacific Islands; the law was not abolished until 1952. Thousands of Japanese Americans were shunted off to internment camps in the paranoia after Pearl Harbor, a blot on Franklin D. Roosevelt's otherwise admirable record as a peacetime and wartime leader. Xenophobia, particularly with respect to those who look different, is embedded in US history.

  When the FBI investigates or arrests a Chinese national or an American of Chinese background, it inevitably opens itself up to charges of racism. When Katrina Leung was arrested, even though she was exposed as someone working for the MSS, using a Chinese code name and reporting to a handler in Beijing, some prominent Chinese Americans in Los Angeles leaped to her defense and implied that she was being singled out because of her ethnicity and gender.

  In the backlash after the government's unconscionable treatment of Wen Ho Lee, who was no hero, many Chinese Americans and others concluded that the government and the FBI were in the business of targeting ethnic Chinese as spies.

  The fact that Lee's background was ethnic Chinese may well have influenced the Department of Energy to single him out, although the evidence on that point remains ambiguous and may never be fully resolved. Yet, as already noted, there were good reasons, unrelated to Lee's ethnicity, that he became a suspect. He had worked on the W-88 nuclear warhead in the most secret division at Los Alamos, the vault where nuclear bombs are designed. So had others. But Wen Ho Lee stood out as the subject of two previous FBI investigations, for telephoning the TIGER TRAP spy suspect and lying about it, and for failing to report that he had been questioned about key US nuclear secrets when China's top bomb designer visited him privately in a hotel room in Beijing.

  The record of Chinese espionage against defense and intelligence agencies in the United States demonstrates that it is China, rather than the FBI, that targets ethnic Chinese. In any number of cases, the MSS and the intelligence arm of the People's Liberation Army have sought, sometimes successfully, to recruit Chinese Americans, by appealing to their roots and family ties to the "motherland." Of course, that reality should not obscure the fact that the vast majority of Chinese Americans are loyal to the United States.

  As noted, inside the FBI, the agency with the greatest responsibility for uncovering China's spies in America, counterintelligence is not regarded as the most fruitful career path. Pursuing terrorists or white-collar criminals is a better track toward promotion. And for decades, even within the counterintelligence division, the Chinese target was an orphan. Moscow's spies, not Beijing's, were perceived as the main enemy.

  Only a minuscule number of FBI agents specialized in Chinese cases. If the bureau lacked an understanding of China, that was not true of the small group of China hands. Some became so fascinated by their subject that they stayed in the Chinese counterintelligence program, knowing that as a result they would never make it to the level of a special agent in charge of a field office or a desirable headquarters post.

  Bill Cleveland, until his career was derailed by his singular lack of judgment in the PARLOR MAID debacle, was known inside the FBI as a serious student of China, who over the years became immersed in its language, culture, and history. J.J. Smith, who unwisely bet his counterintelligence career on a source with whom he became emotionally entangled, and who ultimately betrayed him, was also well versed in the byways of Chinese culture and society. Perhaps for both men, China, as much as Katrina Leung, became a kind of fatal attraction.

  As an institution, the FBI was overly dependent on its informants. In the PARLOR MAID case, the FBI's prime source on China, whose reports went all the way to the White House, was secretly working for the MSS.

  In the ETHEREAL THRONE case, Jeffrey Wang, an innocent man, lost his job and was subject to a lengthy FBI investigation when he was falsely accused as a Chinese spy by a longtime bureau informant who had a personal, family grudge against him. And Denise Woo, the Asian American FBI agent who became convinced of Wang's innocence and rightly tried to help him clear his name, was fired and prosecuted for her efforts.

  In the wake of these twin disasters, the FBI ordered an overdue review of the bureau's use of informants. Changes were made, among them a rule that the files of bureau assets be reviewed every sixty to ninety days. An informant review panel was established by the attorney general. None of which was any help to Jeff Wang or Denise Woo.

 
