At a press conference announcing the indictment of four Chinese hackers Monday, US Attorney General William Barr spoke out loud what had long been discussed only over drinks at security conferences: Some of the biggest hacks of Americans’ private data in the past decade had been the work of the Chinese government, resulting in a massive, unparalleled espionage advantage.
“For years, we have witnessed China’s voracious appetite for the personal data of Americans, including the theft of personnel records from the US Office of Personnel Management, the intrusion into Marriott hotels, and Anthem health insurance company, and now the wholesale theft of credit and other information from Equifax,” he told reporters, in what was almost certainly the first time the four attacks had been publicly linked by a government official. While the new indictments from Barr make clear the common perpetrator, the damage China is alleged to have done may take decades for the United States to undo.
China’s hoovering of Americans’ private data has long been one of the biggest open secrets of modern intelligence. Gradually, over years, the Justice Department and the US government publicly pointed the finger at China for each breach in turn.
Public notice began with the break-in at the Office of Personnel Management in the spring of 2015, shortly after which then-director of national security James Clapper named the superpower as the “leading suspect.” “You have to kind of salute the Chinese for what they did,” Clapper said at the time. In 2017, the FBI arrested a Chinese national, Yu Pingan, who it said worked on the malware used in the OPM breach. In 2018, Reuters reported that the Justice Department was zeroing in on Chinese hackers for the Marriott breach. Then, last year, the Justice Department charged Fujie Wang, as well as other members of a hacking group, with the intrusions that targeted Anthem.
But if you read the public charges closely, the US stayed away from discussing the suspects’ motives or affiliations, or trying to hint in any way about why so many big breaches seemed to have a Chinese nexus. That changed this week.
Monday’s detail-heavy indictment against Chinese military personnel marks the first time that the US has directly gone after Chinese government hackers since its groundbreaking May 2014 indictment against five People’s Liberation Army members for economic espionage—a case that came down even as Chinese hackers were, unbeknownst to the US, already inside the OPM system. Barr’s announcement and the accompanying charges also directly tied the Chinese Communist Party to the case, as part of a larger “China strategy” that the Justice Department has been pushing to raise the costs of China’s rampant intellectual property theft and economic espionage.
The aggressiveness of the campaign has raised concerns that it could result in racial profiling—a new book, The Scientist and the Spy, alleges that profiling did occur during the FBI’s last major anti-China push—and so FBI deputy director David Bowdich was quick to draw parameters around the Justice Department’s work. “I want to make one very important point,” he said at Monday’s press conference. “Our concern is not with the Chinese people or with the Chinese-American [community], it is with the Chinese government and Chinese Communist Party.”
China’s alleged hacking efforts have borne fruit just as big data and artificial intelligence combine to make those massive databases useful, sortable, and studiable. As Barr said on Monday, “This data has economic value, and these thefts can feed China’s development of artificial intelligence tools as well as the creation of intelligence targeting packages.”
Indeed, what has long worried intelligence professionals as the scope of China’s data ambitions became clear is not the size of each individual theft—even though all four rank among the largest and most serious data breaches ever—it’s the ways that the layers of the data build upon one another. The OPM breach exposed the personnel records of effectively every civilian employee of the US government, some 21 million people; they included not just key identifiers like names and Social Security numbers but also the comprehensive forms known as SF-86s, which are used in the process of granting employees security clearance and can contain all manner of sensitive information, from drug use and debts to foreign travel. Anthem reported that nearly 80 million people had their insurance information stolen. Marriott’s final accounting of the intrusion into its Starwood subsidiary ended up just shy of 400 million individual records stolen, including as many as 5 million passport numbers. Equifax saw the theft of personal identifiable information regarding 147 million people—effectively the entire adult population of the United States—including drivers’ license numbers of at least 10 million of them.