A top cybersecurity lawyer says the Chinese are after any edge they can get, from
financial details that help with negotiations to reading scripts.
3/7/2013 by Stewart Baker, who practices cybersecurity law at Steptoe & Johnson in
Washington. He has been a top official concerned with cybersecurity policy at the
Department of Homeland Security and the National Security Agency – THR
Hollywood should be on notice: It’s not just the Pentagon and CIA that are victims of
hackers. They’re targeting more and more private companies. A recent report from
American cybersecurity firm Mandiant linked the Chinese government’s People’s
Liberation Army to massive, sustained intrusions into corporate networks.
The report, which traced many attacks to the PLA’s Shanghai-based Unit 61398, was
devoured in Washington and Silicon Valley. But Hollywood mostly has shrugged off
Chinese cyberspying as someone else’s problem.It’s true that, unlike defense contractors and high-tech companies, the entertainment
industry generally doesn’t depend on research secrets for its competitive edge.
Hollywood has plenty of intellectual property, but not the kind that can be protected
by secrecy (except for the occasional movie that seems valuable — until everyone sees
it). And, while there are secrets to success in the movie business, they can’t be stolen
as easily as, say, plans for the Joint Strike Fighter.
But we’re kidding ourselves if we think that the Chinese hackers are only stealing big,
expensive secrets. Here, Hollywood might be blinded by its own product.
China’s cyberspies aren’t intrepid Jolt-drinking loners (with an occasional adoring
girlfriend) navigating dangerous networks to snatch secrets and flee before they’re
geo-located by their opponent’s giant global tracking system.
No, the hacking campaigns described by Mandiant and others have all the flash
and derring-do of your latest trip to the dry cleaners. Chinese hacking often begins
with a decidedly low-tech approach — and the bad guys have little trouble breaking
into networks. They send you and your co-workers a stream of spoofed e-mails that
seem to come from your boss or colleagues. A March 3 report in The New York
Times detailed a simulated attack by the federal Department of Homeland Security
into a power plant’s network by persuading a plant employee to click on a link to look
at “cute puppies.” If just one person clicks on one link in one e-mail, the hackers are
in.
And once they’re in, they stay: Mandiant found companies that had been hosting
Chinese hackers for more than four years.
With their access assured, the hackers can treat the victim’s secrets exactly like dry
cleaning, returning each week to package the CEO’s e-mails and ship them to
Shanghai.
It’s routine. So routine, in fact, that most of the hacking is done between 8 a.m. and
5 p.m. Beijing time.
Mass production makes everything cheaper, and hacking is no exception.
Adding a company to the target list is as easy as choosing the color of your next car.
The Mandiant report found that the PLA’s Unit 61398, specializing in English
speakers, had gained control of hundreds and likely thousands of corporate
networks.
With the cost of infiltration so low, these hackers could compromise the entire
Fortune 500 just to collect the whole set. And you’d certainly expect them to target
any company whose secrets might be interesting to anyone in the Chinese
government.
Hollywood might not have big secrets, but it’s got plenty of little secrets that someone
in China probably wants. No government on Earth is more sensitive to its depiction
in mass media than China’s. Why wouldn’t its government want to read the earliest
versions of Hollywood’s scripts or have a ringside seat while studio execs debate how
best to accommodate Chinese censors?
And don’t rule out what might be called crony espionage, either.
Any company that has juice with the central government is a candidate for the
cheapest form of state aid: free access to the secrets of their competitors and joint-
venture partners. China is an enormous market, with the potential for great profits.
But if the other side knows just how hungry the studios are — by reading their
internal communications — the studios won’t leave the table with more than crumbs.
Once you know the other side’s bottom line, it’s amazing how good a negotiator you
can be.
Disputes that arise after the deal is done can be handled the same way.
People who sue Chinese companies, along with their lawyers, are targeted by
hackers. When security researchers are asked how many of the 100 largest U.S. law
firms have been compromised by China, estimates range from 80 to, well, 100.
As for corruption, there’s no more sensitive topic in China. If a Western company is
under investigation for paying bribes to Chinese officials, as many entertainment
companies are now rumored to be, it’s safe to assume that the Chinese government
will want to know — ahead of time — what the company is planning to tell the U.S.
Securities and Exchange Commission.
In short, the studios have no reason to worry about hackers from China — as long as
they don’t do business there.
For those that do, a new day of paranoia and network security is about to dawn.