Obama has made repeated overtures to the Chinese because they are the world’s most indiscriminate hackers and because the two nations have other diplomatic ties and interests; in other words, diplomacy on this issue with China is a plausible notion. The indictment is Obama’s way of turning up the pressure—and of showing just how much we know about what they’re doing. (The Chinese may think they’ve deeply penetrated the world of U.S. secrets; but they may not have known, till now, just how deeply we’ve penetrated their own—so much so that, when they hack into American networks, we see what their hackers are seeing.)
The indictment is interesting not only for the crimes it’s seeking to punish, but also for the crimes it’s letting brush by. The statutes that the Justice Department cites fall mainly under 18 U.S. Code 1030, “Fraud and related activity in connection with computers.” The Chinese hackers are charged under those sections of the statute that deal with gaining access to files of financial value—but not other sections that deal with damage to national security, although there’s plenty of evidence that they engage in that sort of hacking as well. An explicit decision was made to ignore that sort of hacking, to draw a distinction between military and industrial espionage.
It’s not that Obama is giving military hackers a free ride. The Pentagon spends billions of dollars a year trying to make its own networks more secure. But he recognizes that this is what militaries do.
Unit 61398 made headlines just over a year ago, in February 2013, when the New York Times reported, based on a study by Mandiant, a leading cybersecurity contractor, that the super-secret Chinese military unit had hacked into the newspaper’s computer networks. This was the first time many people had heard not just of Unit 61398 but of nation-state hacking as a serious problem generally. In fact, though, it’s been going on for two decades.
In the fall of 1997, the Joint Chiefs of Staff conducted a top-secret exercise known as Eligible Receiver, in which a 25-man Red Team from the National Security Agency—using off-the-shelf commercial equipment—hacked into the major computer networks of the Defense Department, the military services, and several U.S. combatant commands worldwide. The exercise spurred the first official steps to beef up the security of the military’s computers. The threat wasn’t hypothetical. When the Red Team players were hacking into the Pentagon networks, they saw traces of Russian and French hackers who were already there. (The NSA had been hacking into foreign networks, too.) Soon after the exercise, the Pentagon ordered “intrusion detection systems” to be installed on all Defense Department computers. Instantly, they detected hundreds of intrusions a week. The pattern continues to this day—with many nations hacking, and getting hacked, nonstop.
In this sense, hacking isn’t much different from other forms of espionage through the ages. But in two ways, it’s very different. First, in the cyber-age, a nation doesn’t need to send spies abroad. Instead, with some computers and a few dozen trained specialists, it can spy remotely—and therefore cheaply. (North Korea, for instance, is said to have an excellent cyberwarfare unit.)
Second, because the Internet opens into a single worldwide network, hacking into even a piece of that network opens up the possibilities of vast penetration—and destruction. Almost everything is plugged into this network—personal email, industrial secrets, household appliances, and even the workings of electrical power grids, water supplies, dams: increasingly, everything. One of the worries in new-age strategic thinking is that, in an attempt to gain leverage in an armed conflict, one side might launch—or threaten to launch—a cyber-attack that turned out the lights in a major city. It’s known that foreign cyberwarfare units are already poking around in these infrastructure networks—their digital traces have been spotted—just as our cyber-units poke around in similar networks abroad. It would be very hard to launch an effective cyberstrike that shut down, say, a power grid or some waterworks. But fundamentally, it would not be so different from a cyberstrike that disabled a newspaper’s network or hacked into a bank’s credit card records or stole a manufacturer’s trade secrets.
These worries—about the financial costs inflicted today and the possible war scenarios spun out tomorrow—are why many people involved in this field are calling for the world’s leaders to draft “rules of the road.” The Chinese, who are the most suitable collaborators on such a project, have resisted all such calls for negotiation. Maybe the indictment will shock them into a dialogue. Maybe not. It’s worth a shot.