As we come to the end of the tumultuous 2017, the award for sleight of hand perhaps should go to China and its intelligence apparatus, the Ministry for State Security (MSS) and People’s Liberation Army (PLA), as they continue to harvest intellectual property (IP) and personal data with almost total impunity. The questions every company should be asking itself: Do I have a product that might be useful to the populace of China? Do I have a Chinese competitor? Do I make a widget or provide a service used in any country’s defense industrial sector? Answer “yes” to any of these and the odds of finding yourself on the Chinese five-fingered-discount shopping list rise exponentially.
Can this be true?
Yes, Virginia, economic espionage and trade secret theft by China are a reality.
China announced its plan to invest $360 billion into renewable energies between 2017 and 2020, an amount that certainly caught the attention of many. One way to make those dollars stretch is to reduce R&D costs by using the technologies of others, whether through licenses, joint ventures or theft. Each of these presents enterprise information security teams with the challenge of keeping their trade secrets just that: secret.
Siemens AG of Germany saw one of its trusted insiders working within the smart energy group apprehended by Dutch authorities on his way to China with a boatload of proprietary trade secrets and intellectual property in April 2017. This was not the first time Siemens energy found itself in the crosshairs of China’s economic espionage efforts.
We learned in late November, through the U.S. Department of Justice indictment of Dong Hao, executive director and manager of “purported China-based Internet security firm Guangzhou Bo Yu Information Technology Company Limited (a/k/a ‘Boyusec’),” that Boyusec successfully penetrated Siemens’ networks.
In 2014, Boyusec conducted reconnaissance and harvested access credentials. Then in 2015, it returned to complete the harvest, when Hao and his colleagues at Boyusec stole approximately 407GB of proprietary commercial data pertaining to Siemens’s energy, technology and transportation businesses, according to the Department of Justice.
While no evidence has been presented to link the two tech intrusions with the subsequent recruitment of the Dutch engineer, you do your own math. Are these acts of economic espionage connected? Does it matter?
Boyusec: A Front for China Intelligence
Pentagon analysts in 2016 identified Boyusec as an entity working with Huawei to produce security products that would allow Chinese intelligence to capture data and control computer and telecommunications equipment. Boyusec is “closely connected to the MSS,” according to the Pentagon, and Recorded Future associates Boyusec with the cyber espionage group known as APT3.
The Siemens example is but one of many demonstrating how China works its way around its public face of cybersecurity détente with various governments, including the United States, Australia and Germany. China pledges it will not have its intelligence entities target the intellectual property of companies, and then it pushes its national intelligence resources into private entities to do the heavy economic espionage lifting and dirty work on its behalf.
That China is capable enough to penetrate an enterprise that sells cybersecurity technology—Siemens AG—should capture the eye of all CSOs who are themselves evaluating their own infrastructure and awareness training.
Remember, you don’t get to choose whether you are next on China’s targeting list—those ginning up the technology requirements within the Chinese intelligence apparatus decide who is next. You do, however, get to decide how well-prepared you are.
— Christopher Burgess