The U.S. Justice Department on Monday moved to charge Chinese military officials in an economic cyber-espionage case. It’s the first time American prosecutors have made such charges against a foreign country. Kojo chats with the author of a report that the U.S. is using as evidence in the case.


  • Richard Bejtlich Chief Security Strategist, FireEye; Senior Non-Resident Fellow, Brookings Institution; Former Chief Security Officer, Mandiant


  • 13:06:40

    MR. KOJO NNAMDIFrom WAMU 88.5 at American University in Washington, welcome to "The Kojo Nnamdi Show," connecting your neighborhood with the world. Later in the broadcast, armed for nonviolence. Former activist Charlie Cobb joins us to explore the role that self-defense played in the Civil Rights Movement. But first, a new chapter in the cyberconflict between China and the United States. The Justice Department, today, charging members of the Chinese military with conducting cyberespionage on American companies.

  • 13:07:18

    MR. KOJO NNAMDIAmong other things, the U.S. government claims Chinese hackers stole design information about an American nuclear power plant and improperly gained access to the intellectual property of multiple firms. It's the first time American prosecutors have moved such a case against a foreign country. This hour, we're joined by a man behind a report on Chinese hacking that the Justice Department is citing as evidence of the criminal activity that they're now prosecuting.

  • 13:07:47

    MR. KOJO NNAMDIHe joins us by phone. Richard Bejtlich, Chief Security Strategist for FireEye and the non-resident senior fellow at The Bookings Institution. He served as chief security officer for the cybersecurity firm, Mandiant. Richard Bejtlich, thank you so much for joining us.

  • 13:08:05

    MR. RICHARD BEJTLICHThank you, Kojo. I'm happy to be here.

  • 13:08:07

    NNAMDIWe talked with you on this broadcast, more than a year ago, about a Mandiant report that described, in detail, alleged activities by a specific unit within the Chinese Peoples' Liberation Army, Unit 61398, to penetrate and steal information from American companies. Earlier today, Assistant Atty. Gen. John Carlin described the criminal charges the U.S. government is bringing forward as such.

  • 13:08:34

    MR. JOHN CARLINFor the first time, we are exposing the faces and names behind the keyboards, in Shanghai, used to steal from American businesses. And thanks to the investigation of the FBI and the hard work of the western district of Pennsylvania, this indictment describes with particularity specific actions on specific days by specific actors to use their computers to steal information from across our economy.

  • 13:09:03

    MR. JOHN CARLINIt describes how they targeted information and industries, ranging from nuclear to steel to renewable energy. And it shows that while the men and women of our American businesses spent their business days innovating, creating, and developing strategies to compete in the global marketplace, these members of Unit 61398 were spending their business days in Shanghai stealing the fruits of our labor.

  • 13:09:30

    NNAMDIRichard Bejtlich, you tweeted earlier this morning that you feel these criminal charges are like an early Christmas. What do you mean by that, and why do you feel this way about this indictment?

  • 13:09:40

    BEJTLICHWell, Kojo, I've been doing this now for a long time. I've been in the -- and just as recently as four or five years ago, no one would even say the word China associated with this sort of level of -- had to use a code word which was advanced persistent threat because, to even mention China, there was a fear that you were somehow releasing classified information about who was behind this activity.

  • 13:10:06

    BEJTLICHSo to go from that to just not even talk about it, to, in 2011, have the counterintelligence executive name China and Russia as two of these perpetrators, to then go to last year where the EPT1 report comes out from Mandiant where we name the actual unit, to now have officially sanctioned United States government activity against these individuals, acknowledging the unit, acknowledging the headquarters that was on the TV, that everyone remembers from last year, it's just been a remarkable journey.

  • 13:10:35

    NNAMDIFor those who didn't hear our conversation with you in 2013, how did Mandiant go about tracing cyberattacks to this unit of the Chinese army, which was apparently working out of an office building in Shanghai?

  • 13:10:48

    BEJTLICHYes. There's two main factors involved here. One is time and one is scope. So if you were to ask me to do attribution for some random attack on a particular day of the week, that would be very, very difficult to do. But if you ask me to do the same level of attribution over a seven-year period, and you watch these actors doing these hacking activities, year in and year out, they're going to do things that reveal who they are because they're not necessarily thinking anyone is watching or if, even if someone is watching, there'll be any consequence.

  • 13:11:20

    BEJTLICHSo, for example, there were cases where we saw these actors, at one moment, hacking, taking information from Western companies, and then in another moment, using that same connectivity to, say, check their Facebook page or to send an email. And it's by those sorts of little mistakes that you gather over the years and across many, many victims. You know, we have seen 141 victims in seven years. You put all that together. That gives you the detail you need to unearth who these individuals are.

  • 13:11:49

    NNAMDITo be clear, what exactly was it that you found in that 2013 report? And how did that square with the charges revealed by the Justice Department today?

  • 13:11:57

    BEJTLICHWell, what we did was we showed that there was a Chinese military unit -- the part of the Peoples' Liberation Army, Second Bureau of the Third Department, General Staff Director to the PLA, also known by a code name of 61398. We were able to show that this group had been active for a period of 2006 to 2013 when we released the report.

  • 13:12:21

    BEJTLICHThey had targeted 141 different companies, the majority of which were in the United States. All of them, more or less, had English language speakers as the common denominator. And this was consistent with what we had seen, in general, from Chinese hacking groups, that they specialize based on different areas. You know, there's a group that goes after Korea.

  • 13:12:41

    BEJTLICHThere's a group that goes after Japan, one that goes after Africa, one after Europe and so forth. So we showed, by virtue of our work helping victim companies, helping them to recover from these intrusions, what this group was stealing, what sectors they were going after, what their strategic goals were. We put that all together and released it for the public, along with indicators to help the public defend themselves and to identify if they were victims of this same group.

  • 13:13:08

    NNAMDIWe are talking with Richard Bejtlich. He is chief security strategist for FireEye and a non-resident senior fellow at the Brookings Institution. He served as chief security officer for the cybersecurity firm Mandiant about charges brought today by the U.S. Justice Department against members of the Chinese military for hacking into U.S. companies.

  • 13:13:27

    NNAMDIWe're taking your calls at 800-433-8850. What do you think about these charges and the way they were brought? 800-433-8850. Richard Bejtlich, what do you think your report and the Justice Department's case reveal about the motivations of China's cyberactivities? And how are they different from ours?

  • 13:13:49

    NNAMDII'm looking at a report here that said that among the documents that were passed on by Edward Snowden are documents indicating that we -- our intelligence agencies were monitoring Chinese companies. And I'm looking at one, in particular, the Chinese telecommunications company Huawei, H-U-A-W-E-I, Huawei. What are they looking for, and what are they ultimately looking to achieve through their cyberunits that is different to what we're looking for?

  • 13:14:18

    BEJTLICHIt's a wonderful question, Kojo. This is where we get into a level of nuance that many people don't want to go to. In the U.S. side, the United States conducts espionage for purposes of intelligence and national security. We want to find out who's out there, who's trying to hurt us, who could hurt us, that sort of thing, and also to further our capability to collect that sort of information. So, in the case of Huawei, you do have a case where there is a -- at least according to what's been released by Mr. Snowden -- I can't verify it or vouch for it.

  • 13:14:48

    BEJTLICHBut according to what I've read, agencies would get into Huawei to get access to their equipment, so that if it ended up in a country where we wanted to perform some type of espionage, we could get access to it. The Chinese, on the other hand, they are breaking -- now, they're doing similar sorts of activities, which I think, you know, those of us in the espionage world, that's what these firms do.

  • 13:15:11

    BEJTLICHHowever, the Chinese would send their military and their intelligence community after hundreds, if not thousands, of private sector companies for the express purpose of stealing intellectual property, trade secrets, design plans, emails of executives, anything that they could use to further their private company's progress in the market.

  • 13:15:32

    BEJTLICHAnd when deals get more favorable treatment at the WTO, whatever they needed to do to accelerate their economy, 'cause at the end of the day, the number one priority of the Chinese government is to stay in power. And the way that they do that is by providing economic growth for their people. That's what's behind all of this. It's not an intel or national security concern as we would formulate it. It's more about keeping their economy going in the most rapid way that they can.

  • 13:15:59

    NNAMDIThe Chinese would say, and the Chinese are saying, that we're making a distinction without a difference here, that, in fact, we only have your and our security agency's word for it that that's what they're doing.

  • 13:16:14

    BEJTLICHYes. Yeah. It would be nice if Mr. Snowden would leak some of the documents that reveal all the backstory for our own case. It's been very interesting to me that we've only seen information that comes out to benefit the Russian and the Chinese side of the story. And yet, if Mr. Snowden had taken so much information, there's surely something in there that shows where all of this justification comes from. I mean, for example, there's a really interesting part of the indictment that Mark Clayton, from Christian Science Monitor, pointed out to me.

  • 13:16:44

    BEJTLICHIt talks about how a state-owned firm hired 61398 to build a secret database to hold corporate intelligence. And so where did that information come from? It's not like the Chinese would just tell us that this is how they may go about transferring information from that military unit to a state-owned enterprise. So there is a bunch of backstory here that, you know, perhaps we'll learn exactly where it came from and maybe not.

  • 13:17:09

    NNAMDIYou said a year ago that this particular army unit in question has a very broad focus.

  • 13:17:16

    BEJTLICHYes. Of all the groups we track, 61398 hits many more industries than others. I mean, typically, these groups will focus on maybe a couple of industries, maybe five or six. We had seen APT1 or 61398 go after 21 different industry groups. So they -- you know, and we saw them grow, I mean, literally watched them expand their capabilities to the point of building a new headquarters in 2006 and 2007. That's one of the ways that we knew that they had really elevated their activity.

  • 13:17:46

    NNAMDIThis morning, Atty. Gen. Eric Holder said the charges brought in this case are groundbreaking. Let's take a listen.

  • 13:17:53

    MR. ERIC HOLDERThis case should serve as a wakeup call to the seriousness of the ongoing cyberthreat. These criminal charges represent a groundbreaking step forward in addressing that threat. This indictment makes clear that state actors who engage in economic espionage, even over the Internet, from faraway places like offices in Shanghai, will be exposed for their criminal conduct and sought for apprehension and prosecution in an American court of law.

  • 13:18:23

    NNAMDIU.S. Atty. Gen. Eric Holder talking about what he sees as groundbreaking about these charges. Here is Caleb in Greenbelt, Md. Caleb, you're on the air. Go ahead, please.

  • 13:18:34

    CALEBYeah. Thank you for having me. I have a question for Richard. I guess, for those of us in the InfoSec community, we've kind of observed this going on for a while. And nothing has ever really been done. So my question is, what caused this to occur? And with the five Chinese officials who were indicted, which will never see a court in the United States, what is the reason for this process if we'll never get these guys in court?

  • 13:19:02


  • 13:19:03

    BEJTLICHYeah. That's a great question. So my sense is that this has been a DOJ operation going for at least a year, potentially more. You heard Mr. Holder reference the President's 2013 State of the Union Address to talk about how important this was. So my sense is that this was planned for a long time. And, as soon as the case was ready, they were going to put it out there. And, in fact, they may have coordinated the release with the black shades announcement, which was over 100 hackers around the world, in cooperation with Interpol and European law enforcement.

  • 13:19:38

    BEJTLICHTo have both of these things come out on the same day, that's sort of a DOJ hallmark. You see these sort of large things that they bring together at once. My sense is that it's not necessarily corroborated with other parts of the government, though, because we just had a Chinese general visit the United States and receive nice treatment. So that sort of puts a damper on U.S.-China military relations.

  • 13:19:58

    BEJTLICHYou've got a situation in Southeast Asia where Vietnam and China are in very hot water right now over an oil rig that's in Vietnamese waters. So that's not going to help either the DOD or the State Department's side of things. So, you know, I don't think that this was necessarily part of a timed strategy, but it is consistent with the president's desire to signal to the Chinese that this activity isn't acceptable.

  • 13:20:25

    NNAMDIThe U.S. and China have been trying to hold talks about this set of issues. What have been the stumbling block so far?

  • 13:20:31

    BEJTLICHWell, one of the stumbling blocks is a different perception of what security means. In the United States, security tends to involve the integrity of the system, freedom from hacking. Those are the sort of -- freedom to use the Internet, that sort of thing. In China and also in Russia, you see security as more of an information control issue.

  • 13:20:51

    BEJTLICHIt's very important to realize from the Chinese perspective that they believe that they're the ones who are under assault, and in some ways they are, as any sort of country on the Internet is. But they most -- they're most concerned with the United States dollar, the United States' involvement in sort of setting the rules for global commerce, and also United States culture.

  • 13:21:12

    BEJTLICHWhen they built the great firewall of China, this technical tool that they use to control their Internet access, it wasn't to keep the Chinese people from getting out necessarily. They're trying to keep U.S. culture from getting in. So they see this as sort of a larger perspective where, once again, the United States or the West is trying to keep China down, trying to contain China, trying to prevent the peaceful rise.

  • 13:21:35

    NNAMDIHow would you say the explosion of the Edward Snowden story and all the details it laid bare about American activities have affected this conversation?

  • 13:21:44

    BEJTLICHIt was a bombshell. A year ago -- I guess the first week in June when they came out -- you may remember that, prior to the disclosures, you had this crescendo of pressure being applied to the Chinese government, partly due to the management report but also due to other activities that were happening around the same time.

  • 13:22:03

    BEJTLICHSo all of that air was deflated. That balloon collapsed when, two days before the announcement, Mr. Snowden disclosed his documents. It immediately undercut the U.S.'s moral authority. Everyone said, look, the United States is hacking. How can you say the Chinese are doing anything that you're not doing? Completely changed the equation. Today, you see a decision by the DOJ to try to go back on the offensive in this perspective. And it's taken this long to try to move that around.

  • 13:22:34

    NNAMDIRichard Bejtlich is chief security strategist for FireEye and a non-resident senior fellow at the Brookings Institution. He served as chief security officer for the cybersecurity firm Mandiant. Richard, thank you so much for joining us.

  • 13:22:46

    BEJTLICHThank you, Kojo.

  • 13:22:47

    NNAMDIWe're going to take a short break. When we come back, armed for nonviolence. Former activist Charlie Cobb joins us to explore the role that self-defense and guns played in the Civil Rights Movement. I'm Kojo Nnamdi.

Topics + Tags

Most Recent Shows