The Cybersecurity 202: Trump administration increases pressure on China with more hacking indictments
6:06 am PDT, Friday, May 10, 2019
WASHINGTON - The Trump administration ratcheted up its campaign against Chinese hacking operations Thursday, unsealing indictments against two hackers for a massive 2015 breach of the health insurer Anthem that compromised the personal information of 78 million people.
The Justice Department's charges against members of a "sophisticated China-based hacking group" are the latest in an unprecedented string of hacking charges against Chinese spies and cyber criminals for compromising government agencies, tech companies, manufacturing firms and other targets.
The Trump administration has lobbed four rounds of indictments at Chinese hackers for sophisticated cyber crimes in just the past 18 months - more than at hackers from any other nation - a pace clearly designed to send a stark message to Beijing to curtail its aggressiveness in cyberspace.
That's a dramatic quickening of pace from the Obama administration, which indicted Chinese hackers just once - in 2014 - that was seen as a shot across the bow at Beijing and even helped produce a brief lull in Chinese IP theft.
"The Chinese thought they could get away with anything," Jim Lewis, a former Commerce Department cybersecurity official, told The Washington Post. "This is part of a larger administration strategy to be more aggressive and assertive . . . to find and make public Chinese hackers and punish them for their activities."
The Trump administration's aggressiveness on this front - notably, announcing the charges as the United States and China are engaged in high-stakes trade negotiations - shows how far the tactic of using indictments to deter nation-state hackers has come since it began under Barack Obama.
Those 2014 indictments against five members of China's People's Liberation Army were the first of its kind. Indictments since then have been accompanied by a pressure campaign from administration officials - including coordinated naming and shaming campaigns with other nations for Chinese hacking operations against government agencies. Trump administration officials have consistently signaled that curtailing Chinese digital espionage and intellectual property theft is among their highest cyberspace priorities.
"There's been a shift over the last six years to treat these issues with China much more seriously and to use all the tools at our disposal, including law enforcement," Chris Painter, State Department cyber coordinator during the Obama administration, told me.
Yet indictments and tough talk have done little to change the pace of Chinese hacking and the Trump administration has struggled to impose consequences serious enough that Beijing will pay attention.
The alleged Anthem hackers - one named Fujie Wang and another whose name officials don't know - are unlikely to ever come to the United States to face trial.
"Indictments are a useful step for pushing back and imposing consequences," said Lewis, who directs the technology policy program at the Center for Strategic and International Studies. "It's what [the Justice Department] can do and it's a good place to start. But I think [Justice officials] would agree it's not enough."
Prosecutors described the Anthem hack in a news release as "brazen," a "wanton violation of privacy" and "one of the worst data breaches in history." The alleged hackers also compromised three other large U.S. companies in three industry sectors, the indictment states.
Cyber experts previously speculated that the Anthem breach wasn't aimed simply at stealing individual Americans' personal information but was part of a broader scheme to combine information from different breaches to identify intelligence agents and top government officials who might be vulnerable to blackmail.
That seemed particularly likely because of apparent links between the Chinese hacking group behind the Anthem breach and the group behind the 2015 Office of Personnel Management hack, which compromised sensitive security clearance information about more than 20 million current and former U.S. government employees.
Thursday's indictment does not outline such a plan - but it also doesn't state that the information stolen by the hackers was ever sold or used for identity theft as purely criminal hackers would do.
The indictment also does not say whether the hackers were working on behalf of the Chinese government or on their own.
Gloss