Hacking investigator: We 'kicked the hornet's nest' with China report
WASHINGTON (AP) - When Kevin Mandia, a retired military cybercrime investigator, decided to expose China as a primary threat to U.S. computer networks, he didn't have to consult with American diplomats in Beijing or declassify tactics to safely reveal government secrets.
He pulled together a 76-page report based on seven years of his company's work and produced the most detailed public account yet of how, he says, the Chinese government has been rummaging through the networks of major U.S. companies.
It wasn't news to Mandia's commercial competitors, or the federal government, that systematic attacks could be traced back to a nondescript office building outside Shanghai that he believes was run by the Chinese army. What was remarkable was that the extraordinary details - code names of hackers, one's affection for Harry Potter and how they stole sensitive trade secrets and passwords - came from a private security company without the official backing of the U.S. military or intelligence agencies that are responsible for protecting the nation from a cyberattack.
The report, embraced by stakeholders in both government and industry, represented a notable alignment of interests in Washington: The Obama administration has pressed for new evidence of Chinese hacking that it can leverage in diplomatic talks - without revealing secrets about its own hacking investigations - and Mandiant makes headlines with its sensational revelations.
The report also shows the balance of power in America's cyberwar has shifted into the hands of the $30 billion-a-year computer security industry.
"We probably kicked the hornet's nest," Mandia, 42, said in an interview at the Alexandria, Va., headquarters of Mandiant. But "tolerance is just dwindling. People are tired of the status quo of being hacked with impunity, where there's no risk or repercussion."
China has disputed Mandiant's allegations.
Mandiant, which took in some $100 million in business last year - up 60 percent from the year before - is part of a lucrative and exploding market that goes beyond antivirus software and firewalls. These "digital forensics" outfits can tell a business whether its systems have been breached and - if the company pays extra - who attacked it.
Mandiant's staff is stocked with retired intelligence and law enforcement agents who specialize in computer forensics and promise their clients confidentiality and control over the investigation. In turn, they get unfettered access to the crime scene and resources to fix the problem (Mandiant won't say exactly how much it charges, but it's estimated to average around $400 an hour).
The growing reliance on contractors like Mandiant has been compared to that enjoyed by the military and State Department contractor formerly known as Blackwater, which provided physical security to diplomats and other VIPs during the Iraq war. Officials inside and outside government say that's not a bad thing; contractors can often act more quickly than the government and without as much red tape. There are also serious privacy concerns: Most U.S. citizens don't want the government to access their bank accounts, for example, even if China is attacking their bank.
"The government doesn't have the capacity," said Shawn Henry, a former FBI executive assistant director who works for a Mandiant competitor, CrowdStrike. "There are a lot of people working hard. But the structures aren't there."
Michael DuBose, another former senior Justice Department official who works at a different Mandiant competitor, Kroll Advisory Solutions, added: "I think there's a recognition that the government can't stand at the entry point of the Internet to the United States and shield it from all bad things coming in."
Since Mandiant released its report this week, government officials and lawmakers have publicly embraced its findings. Sen. Dianne Feinstein, the Democratic chairwoman of the Senate Intelligence Committee, hailed Mandiant for exposing China as a problem. She called its report "sobering" and said she hoped it would spur an international agreement to protect companies from cyber-espionage.
"It's a forcing function in the private sector, and frankly ... it's a forcing function with the government," said retired Air Force Gen. Michael Hayden, the former director of the CIA and the National Security Agency who now works for the Chertoff Group, a security consulting firm.
Mandiant's report raises questions, too, about the extent to which private companies are in control of defending the nation's most crucial networks, like power companies and water treatment plants. Another question is what rules of engagement private companies might rely on. When does a company strike back?
Mandia and his competitors said they are beholden to U.S. and international laws, which prohibit the type of intrusive acts they accuse China of taking. Mandia also says his clients aren't interested in starting a cyberwar with foreign hackers, in part because they are so vulnerable.
"The only time (hacking back) would really work is if we got all the bad guys out of our networks in the first place," he said. "Then you can start playing that game."
Still, publishing the hacking report was itself an offensive shot across China's bow.
Mandia said he started his company in 2004 after years in the private sector because there was no company focused on investigating intrusions. With a master's degree in forensic science from George Washington University, he became Mandiant's sole employee and, two years later, got a cash infusion from a college friend. Now, he oversees some 330 employees and the field is growing rapidly. He says he used to see maybe three major incidents a month when he started his business; now he estimates there can be anywhere from 30 to 100 incidents a month.
Mandia is hardly alone. A former co-worker, Stuart McClure, recently started his own company, called Cylance. He received $15 billion in venture capital funds for his business, which he says is distinctive because of its focus on prevention. McClure said in general he sees the future of cyberdefense residing in the private sector, with its deeper pockets and less red tape.
"With a commercial entity, you can get more creative," McClure said.
As for any problems they might cause in diplomatic or security circles for the federal government, Mandia and his competitors say that's not really on their radar, although he's hiring attorneys to help him monitor changing U.S. policies and regulations. But as a tech guy, he says he's focused on stopping intrusions.
"We're security guys," Mandia said. "We're not diplomats."
He pulled together a 76-page report based on seven years of his company's work and produced the most detailed public account yet of how, he says, the Chinese government has been rummaging through the networks of major U.S. companies.
It wasn't news to Mandia's commercial competitors, or the federal government, that systematic attacks could be traced back to a nondescript office building outside Shanghai that he believes was run by the Chinese army. What was remarkable was that the extraordinary details - code names of hackers, one's affection for Harry Potter and how they stole sensitive trade secrets and passwords - came from a private security company without the official backing of the U.S. military or intelligence agencies that are responsible for protecting the nation from a cyberattack.
The report, embraced by stakeholders in both government and industry, represented a notable alignment of interests in Washington: The Obama administration has pressed for new evidence of Chinese hacking that it can leverage in diplomatic talks - without revealing secrets about its own hacking investigations - and Mandiant makes headlines with its sensational revelations.
The report also shows the balance of power in America's cyberwar has shifted into the hands of the $30 billion-a-year computer security industry.
"We probably kicked the hornet's nest," Mandia, 42, said in an interview at the Alexandria, Va., headquarters of Mandiant. But "tolerance is just dwindling. People are tired of the status quo of being hacked with impunity, where there's no risk or repercussion."
China has disputed Mandiant's allegations.
Mandiant, which took in some $100 million in business last year - up 60 percent from the year before - is part of a lucrative and exploding market that goes beyond antivirus software and firewalls. These "digital forensics" outfits can tell a business whether its systems have been breached and - if the company pays extra - who attacked it.
Mandiant's staff is stocked with retired intelligence and law enforcement agents who specialize in computer forensics and promise their clients confidentiality and control over the investigation. In turn, they get unfettered access to the crime scene and resources to fix the problem (Mandiant won't say exactly how much it charges, but it's estimated to average around $400 an hour).
The growing reliance on contractors like Mandiant has been compared to that enjoyed by the military and State Department contractor formerly known as Blackwater, which provided physical security to diplomats and other VIPs during the Iraq war. Officials inside and outside government say that's not a bad thing; contractors can often act more quickly than the government and without as much red tape. There are also serious privacy concerns: Most U.S. citizens don't want the government to access their bank accounts, for example, even if China is attacking their bank.
"The government doesn't have the capacity," said Shawn Henry, a former FBI executive assistant director who works for a Mandiant competitor, CrowdStrike. "There are a lot of people working hard. But the structures aren't there."
Michael DuBose, another former senior Justice Department official who works at a different Mandiant competitor, Kroll Advisory Solutions, added: "I think there's a recognition that the government can't stand at the entry point of the Internet to the United States and shield it from all bad things coming in."
Since Mandiant released its report this week, government officials and lawmakers have publicly embraced its findings. Sen. Dianne Feinstein, the Democratic chairwoman of the Senate Intelligence Committee, hailed Mandiant for exposing China as a problem. She called its report "sobering" and said she hoped it would spur an international agreement to protect companies from cyber-espionage.
"It's a forcing function in the private sector, and frankly ... it's a forcing function with the government," said retired Air Force Gen. Michael Hayden, the former director of the CIA and the National Security Agency who now works for the Chertoff Group, a security consulting firm.
Mandiant's report raises questions, too, about the extent to which private companies are in control of defending the nation's most crucial networks, like power companies and water treatment plants. Another question is what rules of engagement private companies might rely on. When does a company strike back?
Mandia and his competitors said they are beholden to U.S. and international laws, which prohibit the type of intrusive acts they accuse China of taking. Mandia also says his clients aren't interested in starting a cyberwar with foreign hackers, in part because they are so vulnerable.
"The only time (hacking back) would really work is if we got all the bad guys out of our networks in the first place," he said. "Then you can start playing that game."
Still, publishing the hacking report was itself an offensive shot across China's bow.
Mandia said he started his company in 2004 after years in the private sector because there was no company focused on investigating intrusions. With a master's degree in forensic science from George Washington University, he became Mandiant's sole employee and, two years later, got a cash infusion from a college friend. Now, he oversees some 330 employees and the field is growing rapidly. He says he used to see maybe three major incidents a month when he started his business; now he estimates there can be anywhere from 30 to 100 incidents a month.
Mandia is hardly alone. A former co-worker, Stuart McClure, recently started his own company, called Cylance. He received $15 billion in venture capital funds for his business, which he says is distinctive because of its focus on prevention. McClure said in general he sees the future of cyberdefense residing in the private sector, with its deeper pockets and less red tape.
"With a commercial entity, you can get more creative," McClure said.
As for any problems they might cause in diplomatic or security circles for the federal government, Mandia and his competitors say that's not really on their radar, although he's hiring attorneys to help him monitor changing U.S. policies and regulations. But as a tech guy, he says he's focused on stopping intrusions.
"We're security guys," Mandia said. "We're not diplomats."
China plans on running the show by 2050 and is well on its way to achieving that goal. Read "China debates the future security enviroment" and the "Americas declining role" chapter 2. Scary reading there, i tell you what !
With all of the latest technological advances, I am really thinking the early 1900's sound very appealing today. I just want to live a very simple boring life now and am so tired of the drama and threats to everything and everyone. Them were the days.......
One problem with this story is that if Kevin Mandia is 42 years old and started his business in 2004 like the article says then there is no way he can be retired from the military. You have to be in for 20 or more years to retire. He probably was in the military and got out, but before 20 years. Please do some correct reporting on these stories.
If he joined when he was 18-22 years old he most certainly can be retired from the military. It's not that unusual for kids to enlist when they graduate from high school.
@Jatok Do the math. If he joined when he was 18, like I did, and he is 42 now, there is no way he could have done 20 years from 18 years old and been at retirement age in 2004 when he started his business. He would have only been 33 years old. That would put him at 15 years in the military. I went in at 18 and retired at 38 from 20 years of service. I am just saying it doesn't add up unless he was medically retired. Also I doubt very much that he started his business when he was in the military. That would have been a major problem considering his job in the military.Â
@Thepriest He could be medically retired which doesn't have to make the 20 year mark. Plus in the 90's and early 2000's they were allowing some to "retire" at the 15-18 year mark. I can't remember why but I do remember knowing a few who took the Navy up on it and "retired" at 17 years.
@Robinsnest @Thepriest True he could have medically retired. At the 15 to 18 year mark it is still not a retirement it is an early out.
It remains a puzzle how much we have handed over to China regarding our manufactoring ect compared to their threat to cyberspace and their drive into the Thrid World to obtain and dominate raw materials. Let alone they are still a Communist government with regard to how they are with their own people. We have not sold billions of Chinese a ton of American stuff as American industry predicted or sold to congress. It is the other way around on the selling.
I wonder if the other industrialized countries in the world are getting hacked too. Germany France UK.
I would think the companies most sensative information would be in a stand alone computer not accessable to the web.
@mstipton Bad idea to have anything in France as for as data goes. If a competitor wants info off your system, one bribe to an official and the authorities are packing all your gear out so it can be inspected (copied). This is why Boeing doesn't have any of its data centers in France.
So what...what will we do, what have we done about it...nothing...we need their money to pay for the new american dream of living off the government.
Nice China, real nice.
The Chinese govt is two-faced. To our face they deny everything. Internally, they just bought the hackers all new equipment!!