The Imperfect Report on China's 'Army of Hackers'
The New York Times published a front-page story yesterday linking the Chinese army to widespread hacking against the United States. A report by the security firm Mandiant obtained by the Times says the People’s Liberation Army is almost definitely running a cyber-espionage base from the outskirts of Shanghai responsible for hacking over 100 American companies.

Pretty much every media organization has taken the infallibility of Mandiant’s report for granted, despite heavily-supported doubts from a leading cybersecurity analyst suggesting the firm is guilty of “expectation-bias.” Taia Global CEO Jeffrey Carr wrote a blog post hours after the Times story detailing “critical analytic flaws” in Mandiant’s report. In a nutshell, Carr says Mandiant fails to consider other nations as potential perpetrators of hacks against the United States, despite several other nations—including Israel, Russia and France—carrying out cyber-espionage activity at rates close to the frequency of China. Carr’s logic is so compelling, and his implications so troublesome, that the post is worth quoting at length:

In summary, my problem with this report is not that I don't believe that China engages in massive amounts of cyber espionage. I know that they do - especially when an executive that we worked with traveled to Beijing to meet with government officials with a clean laptop and came back with one that had been breached while he was asleep in his hotel room.

My problem is that Mandiant refuses to consider what everyone that I know in the Intelligence Community acknowledges - that there are multiple states engaging in this activity; not just China. And that if you're going to make a claim for attribution, then you must be both fair and thorough in your analysis and, through the application of a scientific method like ACH, rule out competing hypotheses and then use estimative language in your finding.

In blunter terms, Mandiant is pointing the finger at China, one of the foremost subjects of U.S. fear mongering, without exhausting the company’s full range of analytic capability. If Carr’s assessment is correct, then Mandiant’s report is reckless at best, and disingenuous at worst. And the consequences of Mandiant’s omissions could come at great cost.

The Times’ revelations predictably sparked waves of doomsday warnings from cybersecurity firms and their allies in Washington. Yesterday, House Intelligence Committee chairman Mike Rogers (R-Mi.) warned we could be facing “cyberterrorism that makes 9/11 pale in comparison.” Rogers’ rhetoric comes in the same year the outgoing Defense Secretary warned of an imminent “cyber Pearl Harbor.”

My colleague Alex Kane wrote convincingly about the way the Obama administration invokes doomsday to defend dubious tactics for fighting cyber threats. Rogers and Rep. Dutch Ruppersberger (D-Md.) appealed to the same line of thinking to push the Internet privacy-killing bill, CISPA. These disturbing initiatives promote the expansion of the U.S.’s already robust surveillance state, and demand vigilant skepticism from the American public. Moreover, many field experts agree that the focus on information sharing as the antidote to cyberthreats is completely misdirected, at the expense of the more sensible approach of upgrading our infrastructure’s archaic cybersecurity defense systems. In a tweet, McAfee chief security researcher Dave Marcus clearly laid out the folly of our government’s reactive, as opposed to preventive approach to cybersecurity:

This is not all to say the U.S. doesn’t face a real cybersecurity threat from China. But Mandiant’s oversights single out China as the cyberthreat boogeyman, when several other nations, including the U.S., engage in similar activity. This kind of selective blame could lead U.S. cybersecurity officials down a dangerous path, to say nothing of the significantly awkward implications for U.S.-China relations.