At a press conference announcing the indictment of four Chinese hackers Monday, US Attorney General William Barr spoke out loud what had long been discussed only over drinks at security conferences: Some of the biggest hacks of Americans’ private data in the past decade had been the work of the Chinese government, resulting in a massive, unparalleled espionage advantage.
“For years, we have witnessed China’s voracious appetite for the personal data of Americans, including the theft of personnel records from the US Office of Personnel Management, the intrusion into Marriott hotels, and Anthem health insurance company, and now the wholesale theft of credit and other information from Equifax,” he told reporters, in what was almost certainly the first time the four attacks had been publicly linked by a government official. While the new indictments from Barr make clear the common perpetrator, the damage China is alleged to have done may take decades for the United States to undo.
China’s hoovering of Americans’ private data has long been one of the biggest open secrets of modern intelligence. Gradually, over years, the Justice Department and the US government publicly pointed the finger at China for each breach in turn.
Public notice began with the break-in at the Office of Personnel Management in the spring of 2015, shortly after which then-director of national security James Clapper named the superpower as the “leading suspect.” “You have to kind of salute the Chinese for what they did,” Clapper said at the time. In 2017, the FBI arrested a Chinese national, Yu Pingan, who it said worked on the malware used in the OPM breach. In 2018, Reuters reported that the Justice Department was zeroing in on Chinese hackers for the Marriott breach. Then, last year, the Justice Department charged Fujie Wang, as well as other members of a hacking group, with the intrusions that targeted Anthem.
But if you read the public charges closely, the US stayed away from discussing the suspects’ motives or affiliations, or trying to hint in any way about why so many big breaches seemed to have a Chinese nexus. That changed this week.
Monday’s detail-heavy indictment against Chinese military personnel marks the first time that the US has directly gone after Chinese government hackers since its groundbreaking May 2014 indictment against five People’s Liberation Army members for economic espionage—a case that came down even as Chinese hackers were, unbeknownst to the US, already inside the OPM system. Barr’s announcement and the accompanying charges also directly tied the Chinese Communist Party to the case, as part of a larger “China strategy” that the Justice Department has been pushing to raise the costs of China’s rampant intellectual property theft and economic espionage.
The aggressiveness of the campaign has raised concerns that it could result in racial profiling—a new book, The Scientist and the Spy, alleges that profiling did occur during the FBI's last major anti-China push—and so FBI deputy director David Bowdich was quick to draw parameters around the Justice Department’s work. “I want to make one very important point," he said at Monday's press conference. "Our concern is not with the Chinese people or with the Chinese-American [community], it is with the Chinese government and Chinese Communist Party.”
China’s alleged hacking efforts have borne fruit just as big data and artificial intelligence combine to make those massive databases useful, sortable, and studiable. As Barr said on Monday, “This data has economic value, and these thefts can feed China’s development of artificial intelligence tools as well as the creation of intelligence targeting packages.”
Indeed, what has long worried intelligence professionals as the scope of China’s data ambitions became clear is not the size of each individual theft—even though all four rank among the largest and most serious data breaches ever—it’s the ways that the layers of the data build upon one another. The OPM breach exposed the personnel records of effectively every civilian employee of the US government, some 21 million people; they included not just key identifiers like names and Social Security numbers but also the comprehensive forms known as SF-86s, which are used in the process of granting employees security clearance and can contain all manner of sensitive information, from drug use and debts to foreign travel. Anthem reported that nearly 80 million people had their insurance information stolen. Marriott’s final accounting of the intrusion into its Starwood subsidiary ended up just shy of 400 million individual records stolen, including as many as 5 million passport numbers. Equifax saw the theft of personal identifiable information regarding 147 million people—effectively the entire adult population of the United States—including drivers’ license numbers of at least 10 million of them.
By combining personnel data with travel records, health records, and credit information, Chinese intelligence has amassed in just five years a database more detailed than any nation has ever possessed about one of its adversaries. The data and its layers work both to identify existing US intelligence officers through their personnel records and travel patterns as well as to identify potential weaknesses—through background checks, credit scores, and health records—of intelligence targets China may someday hope to recruit. Numerous cases in recent years have shown the creative ways China has identified and targeted potential spies, even sometimes using LinkedIn to find employees at companies of interest. The wealth of combined data now in the hands of Chinese intelligence will only make such targeting easier in the future.
China, whose own domestic surveillance state and facial recognition advances are as cutting-edge as they are Orwellian, appears to be sitting upon a database that it can use for decades to come. There is little to stop the country from turning the tools it has perfected at home against spies, would-be spies, intelligence officers, US government contractors, government officials, and people who simply work in any of the umpteen industries where it’s eager to collect industrial secrets.
China’s distinct advantage and evolving technology has forced a reckoning for US intelligence personnel. As Yahoo News’ Zach Dorfman and Jenna McLaughlin reported in December, US officials now worry whether they can work undercover overseas at all. The effort required to circumvent China’s data trove, advances in biometric identifiers, and facial recognition at border crossings and on street corners seems increasingly Sisyphean. Countries with advanced espionage operations—like Russia, China, and the US—have begun meeting covert operatives in countries like Peru that offer little in the way of biometric data collection. The CIA is rethinking how—and where—it recruits personnel for overseas operations, based on the “big data” implications and the potential “digital exhaust” personnel may have.
The challenge ahead was outlined in news Monday that made far fewer headlines than the Equifax charges: The National Counterintelligence and Security Center, a little-known part of the Office of the Director of National Intelligence, released its new strategy for countering espionage activities around the world.
One could see echoes of the Equifax and related data breaches in one of the three main thrusts of the new report: “Threats to the United States posed by foreign intelligence entities are becoming more complex, diverse, and harmful to U.S. interests,” it reported. “Threat actors have an increasingly sophisticated set of intelligence capabilities at their disposal and are employing them in new ways to target the United States. The global availability of technologies with intelligence applications—such as biometric devices, unmanned systems, high resolution imagery, enhanced technical surveillance equipment, advanced encryption, and big data analytics—and the unauthorized disclosures of US cyber tools have enabled a wider range of actors to obtain intelligence capabilities previously possessed only by well-financed intelligence services.”
The challenge spies and counter-spies have in front of them will only grow more daunting as biometric identifiers—fingerprints, facial recognition scans, and DNA tests—continue to become more common in daily life. It’s clear that the US government is already thinking about preventing and limiting its exposure to rich data troves, like Equifax, in the future: The Pentagon recently asked military personnel to stop using at-home DNA kits for health and ancestry purposes, fearful about where that unchangeable, unalterable genetic data may end up now or later.