The numerous reports that the Chinese military has been launching thousands of cyber attacks against international targets—including American firms—over the past several years should come as a surprise to no one, security experts say.
Mandiant, a cybersecurity company, released a report Monday detailing the activities of a group it dubbed "APT1," which has hacked at least 141 companies in 20 major industries, stealing "technology blueprints, proprietary manufacturing processes, test results, business plans," and more. Mandiant says it has traced the attacks to a single building in Shanghai that is staffed by "perhaps thousands of people" and that their activities are "likely government-sponsored."
Cybersecurity experts have long known that hackers in China have been launching cyber attacks against American companies. Last year, Michigan Republican Rep. Mike Rogers, who sponsored the embattled Cyber Intelligence Sharing and Protection Act (CISPA), which was eventually tabled in the House, said "China has stolen so much intellectual property that it would be considered 50 times the print collection of the United States Library of Congress."
Kevin Coleman, a senior fellow with the Technolytics Institute, says that the Mandiant report is the "same ol', same ol'" and doesn't change the cyber security landscape for those in the industry, who already knew that China was a major player in cyber warfare.
"I don't think the report comes close to quantifying the problem—it's all based on unclassified information. To have any idea, we'd have to know the classified portion of this," he says. "I think if you take what information is covered publicly and multiply it by five, that's how bad it is."
In response to the Mandiant report, the Chinese Foreign Ministry said that the Chinese government does not support hacking and that it's nearly impossible for Mandiant to prove where the attacks originated.
"Hacking attacks are transnational and anonymous. Determining their origins is extremely difficult. We don't know how the evidence in this so-called report can be tenable," Hong Lei, a spokesperson for the ministry, told reporters Monday.
Washington has placed a renewed emphasis on cyber security in recent weeks—President Barack Obama issued an executive order the night of his State of the Union address that will allow federal agencies to share classified "cyber threat" information with private companies.
"America must also face the rapidly growing threat from cyber-attacks. We know hackers steal people's identities and infiltrate private E-mail. We know foreign countries and companies swipe our corporate secrets," Obama said during that address. "Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy."
But while that executive order may have restarted the cyber security conversation, without Congressional action, it's unlikely to have much teeth, Coleman says.
"I think it was a warning shot across the bow of Congress," he said of the executive order. "He was saying that the inaction that's going on [in Congress] is really putting the nation's critical infrastructure at risk."
In an October interview with Time, then-Secretary of Defense Leon Panetta said the United States needed to take greater action to prevent a cyber attack that can "virtually paralyze a country."
"The whole point of this is that we simply don't just sit back and wait for a goddamn crisis to happen," Panetta said. Cyber attacks have "the kind of capability that can basically take down a power grid, take down a water system, take down a transportation system, take down a financial system."