Like water rushing to a path of least resistance, the Chinese government has identified a number of defense contractors as a weak link in the American intelligence network, offering Beijing a gusher of secrets worth billions of dollars and a leg up in a growing military rivalry.
Amid a double-barrel recognition of the rise of China’s military might by Congress and the U.S. Army, the Chinese attacks on American contractors appear set to continue. Along with them, U.S. secrets could slip away.
On Friday, the Washington Post reported that the Chinese government compromised computers of a Navy contractor in early 2018, hacking “massive amounts of highly sensitive data related to undersea warfare.”
By targeting a contractor who works for the Naval Undersea Warfare Center in Newport, R.I., the Chinese hackers stole secret details related to a supersonic anti-ship missile, according to the Post. When aggregated, the report said, the information could be considered classified. The contractor was not named.
House Seapower Subcommittee Chairman Rep. Rob Wittman, R-Va., said Tuesday that classification issues prevented him from discussing the alleged hack in detail, but he did issue a broad call for the Pentagon to more strictly enforce National Institute of Standards and Technology security standards for defense contractors using unclassified systems. Adversaries, he said, are stitching together stolen scraps of unclassified information to gain insights about Navy capabilities.
“It’s as important to protect pieces of information as it is to protect whole batches of information,” Wittman said. “We’ve already said you have to protect these classified systems, and granted they’ve done a good job. Where we need to take the next step is to say these NIST standards have to be applied to anyone doing business with the DoD.”
That the Chinese government targeted a U.S. defense contractor is “not shocking,” said Jake Olcott, a vice president at Bitsight Technologies. “This activity has been going on for years.”
Chinese telegraphed hacking strategy
The Chinese plans to target defense contractors were anything but secret. Indeed, the Chinese have long preyed upon American defense contractors to steal information.
In 2016, a Chinese citizen pled guilty to stealing military secrets from the defense firm Boeing. That same year, an Australian supplier to the closely guarded F-35 aircraft that cost more than $400 billion was hacked, a spokesperson previously told sister publication Defense News.
The firm Proofpoint warned in October 2017 that defense firms “related to South China sea politics” were being targeted through malware. And the U.S. intelligence community warned in February that the Chinese government continued to attack defense contractors.
“Targeting defense contractors is part of the bigger trend of Chinese espionage. These operations are hacking in a way that is more acceptable in cyberspace,” said Fred Plan, a senior analyst at FireEye. He explained the shift as occurring after a 2015 summit between former U.S. President Barack Obama and Chinese leader Xi Jinping. The two agreed to limit cyberattacks on civilian interests, meaning there is a greater target on the back of defense contractors, Plan said.
Targeting an organization’s supply chain and third-party network is “not just the Chinese strategy; this is certainly a phenomenon,” Olcott said. “This is what we see in all sectors, whether it’s the financial sector, retail or energy.”
Contractors struggle to meet standards
There is a crucial gap between the network security of federal agencies and their contractors, according to a 2018 Bitsight report. The firm found that one in five technology and defense contractors have an outdated internet browser, meaning they are vulnerable to malware.
The federal government has also attempted to bolster network security for its contractors by creating working groups to share cyberthreat information. In 2015, the National Cybersecurity and Communications Integration Center was designated the central hub for threats between the government and private sector.
The Department of Defense also implemented new procedures this year for contractors handling controlled unclassified information. But experts warned that implementation of the new standards is uneven.
With their colossal budgets, the Department of Defense and the largest contractors can devote untold millions of dollars to network security. But one large contractor can have as many as 13,000 subsidiary partners, explained Jim Lewis, a senior vice president at the Center for Strategic and International Studies, a D.C.-based think tank. The large number of subordinate firms can create a constellation of companies that store closely held secrets, have tight budgets and are too numerous to audit. Just one vulnerability can lead to disaster.
“Not all companies in the supply chain have had time or resources to implement new standards,” Lewis said.
Still, experts are quick to point out that the use of contractors is an essential component of the American defense industry.
“It’s best not to paint with broad brushes, as there are many companies with very robust cybersecurity in place, and varying degrees of cybersecurity at federal agencies, too,” said David Wennergren, a managing director at Deloitte Consulting and former chief information officer at the Navy.
“Hackers will always look for the easiest path to entry, and that easiest path might be a private or public sector entry point.”
Joe Gould contributed to this report.
Justin Lynch is the Associate Editor at Fifth Domain. He has written for the New Yorker, the Associated Press, Foreign Policy, the Atlantic, and others. Follow him on Twitter @just1nlynch.