Valley Public Radio - Live Audio

As China Hacked, U.S. Businesses Turned A Blind Eye

Apr 12, 2019
Originally published on April 13, 2019 10:14 am

Technology theft and other unfair business practices originating from China are costing the American economy more than $57 billion a year, White House officials believe, and they expect that figure to grow.

Yet an investigation by NPR and the PBS television show Frontline into why three successive administrations failed to stop cyberhacking from China found an unlikely obstacle for the government — the victims themselves.

In dozens of interviews with U.S. government and business representatives, officials involved in commerce with China said hacking and theft were an open secret for almost two decades, allowed to quietly continue because U.S. companies had too much money at stake to make waves.

Wendy Cutler, who was a veteran negotiator at the Office of the U.S. Trade Representative, says it wasn't just that U.S. businesses were hesitant to come forward in specific cases. She says businesses didn't want the trade office to take "any strong action."

"We are not as effective if we don't have the U.S. business community supporting us," she says. "Looking back on it, in retrospect, I think we probably should have been more active and more responsive. We kind of lost the big picture of what was really happening."

None of the dozens of companies or organizations that NPR reached out to that have been victims of theft or corporate espionage originating from China would go on the record.

And for its part, the Chinese government officially denied to NPR and Frontline that it has been involved in such practices.

Wendy Cutler, a former diplomat and negotiator at the Office of the U.S. Trade Representative, told NPR that U.S. businesses wouldn't let the trade office take direct action on their behalf in Chinese cybertheft cases. Here she delivers a 2015 speech at the Asia Society in Hong Kong.
Bruce Yan / South China Morning Post via Getty Images

But that's not what former U.S. Attorney David Hickton found. When he took over in the Western District of Pennsylvania in 2010, he says, he was inundated with calls from companies saying they suspected China might be inside their computer systems.

"I literally received an avalanche of concern and complaints from companies and organizations who said, 'We are losing our technology — drip, drip, drip,' " he says.

Hickton opened an investigation and quickly set his sights on a special unit of the Chinese military — a secretive group known as Unit 61398. Investigators were able to watch as the unit's officers, sitting in an office building in Shanghai, broke into the computer systems of American companies at night, stopped for an hour break at China's lunchtime and then continued in the Chinese afternoon.

"They were really using a large rake — think of a rake [like] you rake leaves in the fall," he says. "They were taking everything ... personal information, strategic plans, organizational charts. Then they just figured out later how they were going to use it."

But when Hickton went to the companies, eager for them to become plaintiffs, he ran into a problem. None of the companies wanted any part of it. Hickton says they had too much money on the line in China.

"What we were tone-deaf to is [that] we seemed to think we could just walk in and wave the flag of the USA," Hickton says, "and it just didn't work."

Even today, five years later, Hickton still won't name most of the companies involved — and they have never come forward.

Eventually he was able to convince five largely local companies and the steelworkers union to come forward, mostly, he says, because he grew up in Pittsburgh and went to school with a lot of the managers.

David Hickton, then the U.S. attorney for the Western District of Pennsylvania, speaks during a 2014 announcement of indictments against Chinese military hackers. With him are then-Attorney General Eric Holder (left) and John Carlin, then the assistant attorney general for national security.
Alex Wong / Getty Images

"I knew these people," Hickton says. "They trusted me. ... We couldn't ask them to be patriotic at the expense of engendering a shareholder case."

But, he says, he could have included hundreds — or even thousands — more.

"We've made a terrible mistake by being so secretive about our cyberwork," he says. "We have not fairly told the people we represent what the threats are."

Government and business leaders interviewed by NPR and Frontline said individual companies were making millions of dollars in China over the past decade and a half and didn't want to hurt short-term profits by coming forward. They demanded secrecy, even in the face of outright theft.

But now the impact of that secrecy is coming to light, they say. Companies are facing hundreds of millions of dollars in future losses from the theft, and U.S. officials say they are years behind trying to tackle the problem.

Michael Wessel, commissioner on the U.S. government's U.S.-China Economic and Security Review Commission, says it wasn't supposed to be this way. U.S. officials had high hopes when China officially joined the World Trade Organization in 2001.

"There was a honeymoon period in the first six or seven years, a desire to try [to] make things work," Wessel says.

But, he says, starting around 2006, businesses began coming to him saying that China had stolen their designs or ideas or had pressured them into partnerships and taken their technology.

Just like with Hickton, Wessel says, they wouldn't come forward publicly.

"The business community wanted the administration to come in hard without anyone's fingerprints being on the reasoning behind it," he says. "They wanted the profits, but they also didn't want the possible retribution."

Wessel says that was never going to work. While nothing in the original trade agreements specifically mentions cybertheft, the U.S. could have brought criminal cases forward, enacted sanctions or opened investigations under rules set up by the World Trade Organization — if a company would let it.

Court cases and documents from recent years offer a clue into what experts believe has really been going on. The Chinese government has been accused of stealing everything from vacuum cleaner designs to solar panel technology to the blueprints of Boeing's C-17 aircraft.

Hackers from China, often with ties to the government, have been accused of breaking into gas companies, steel companies and chemical companies. Not long ago, Chinese government companies were indicted for stealing the secret chemical makeup of the color white from DuPont. China developed its J-20 fighter plane, a plane similar to Lockheed Martin's F-22 Raptor, shortly after a Chinese national was indicted for stealing technical data from Lockheed Martin, including the plans for the Raptor.

Chinese hacking made occasional headlines, but none really grabbed Americans' attention. There was one exception.

In 2010, Google went public in announcing that it had been hacked by the Chinese government. Thirty-four other American companies that were also part of the hack stayed silent. Most have kept it a secret to this day.

A man places flowers outside Google's Chinese headquarters in Beijing on Jan. 15, 2010. The tech giant's accusation that year that it had been hacked by China cast light on a problem few companies discuss: the pervasive threat from Chinese-based cybertheft.
Vincent Thian / AP

NPR tracked down 11 of the total 35 companies. All of them either did not respond to NPR's request or declined to comment.

A former top Google official who was closely involved in managing the hack told NPR that Google was "infuriated" that no other company would come forward, leaving Google to challenge China alone.

"[We] wanted to out all of the companies by name," said the official, who spoke on the condition their name not be used because they did not have permission from Google to speak about the incident. "One of the companies we called, said 'Oh, yeah, we've been tracking this for months.' It was unbelievable. The legal department talked us out of it."

"We felt like we stood up and did the right thing," the former official said. "It felt like Helm's Deep, the battle from The Lord of the Rings in which you're impossibly surrounded and severely outnumbered."

They just all hid under a rock and pretended it didn't happen. - James McGregor, a former chairman of the American Chamber of Commerce in China, on U.S. businesses reacting to Chinese hacking

James McGregor, a former chairman of the American Chamber of Commerce in China, who was there at the time, says the companies kept even business organizations like his from speaking out.

"What they should have done is held a press conference and say, 'We 35 businesses have been hacked,' and you would have put it right back on China," says McGregor. "Instead, they just all hid under a rock and pretended it didn't happen."

McGregor says their silence left little room for punishment, and worse, he says, it hid the extent of the problem.

Across the ocean, cybersleuth Dmitri Alperovitch was sitting at his desk at a security company in Atlanta when Google called looking for backup. He says when he took a look, he was stunned.

"I knew pretty much right away this is something very different," says Alperovitch, who is co-founder of the cybersecurity firm CrowdStrike. "For the first time we were facing a nation-state and intelligence service that was breaking into companies — not governments, not militaries, but private sector organizations."

But, he says, U.S. government officials were nowhere to be seen.

"They did not even publicly concur with the attributions that Google had made at the time," he says.

Dmitri Alperovitch, co-founder of the cybersecurity firm CrowdStrike, said he was stunned after Google announced it was hacked by China. Here he speaks during the Milken Institute Global Conference in California on May 1, 2017.
Patrick T. Fallon / Bloomberg via Getty Images

Obama administration officials say they did not turn a blind eye to the Google hack or cybertheft from China.

The administration was struggling with other important priorities, such as North Korea, Iran, the economy and climate change, says Evan Medeiros, Obama's top China specialist and then a staffer at the National Security Council.

"Direct confrontation with China does not usually result in lasting solutions," Medeiros says, noting that President Obama secured an agreement with Chinese President Xi Jinping to halt the attacks and put together a regional trade agreement — the Trans-Pacific Partnership — to add pressure.

But neither measure lasted.

"Hindsight is always 20/20," he says. "I wish that we had spent more time ... finding creative ways to punish them for creating a nonlevel playing field."

Without those punishments, the attacks continued.

In the year after the Google hack, Alperovitch uncovered two more serious intrusions that, he says, involved thousands of American companies.

In the fall of 2011, he went to the White House to warn officials about what he had found. He sat down in the Situation Room with a half-dozen top administration leaders.

"The most surprising thing to me was the lack of surprise," Alperovitch says. "I got the distinct impression that none of this was news. When I pressed them on why they were not taking stronger action against China, their response was, 'We have a multifaceted relationship with China.' "

Chinese President Xi Jinping shakes hands with then-U.S. President Barack Obama following a news conference in Washington, D.C., on Sept. 25, 2015. During the visit, the two leaders announced an agreement to halt cyberattacks.
Pete Marovich / Bloomberg via Getty Images

Alperovitch says White House officials told him that some of the same companies that were being victimized by China also wanted to continue doing business in China.

"They didn't want to take any action that would jeopardize that billions of dollars of trade we were doing at the time," he says.

Ask McGregor, the American business representative, how companies can complain about China's behavior to the U.S. government while simultaneously preventing the government from taking strong action, and his answer is blunt.

"Companies were afraid of China," he says. "American business companies' incentives are to make money."

McGregor today advises dozens of American companies in China, and he says they are confronting a new reality. China is no longer an up-and-comer — it's a true competitor and quickly closing in on America's high-tech sector. McGregor says company leaders are beginning to ask whether years of theft and hacking have given China an edge that the United States will no longer be able to stay in front of.

And U.S. government officials are asking whether federal agencies will be able to catch up on enforcement.

Top government leaders told NPR that federal agencies are years behind where they could have been if the theft had been openly addressed.

Even at the Defense Department, as late as 2014, cybertheft from China was not one of the Pentagon's top priorities.

"Our intelligence agencies were looking at the Middle East, at the Russians," says Air Force Brig. Gen. Robert Spalding, a China expert who worked for the Joint Chiefs of Staff and the National Security Council.

He says he had never given the issue of Chinese cybertheft much thought. But then, in the fall of 2014, he loaded a confidential briefing into his computer. It was case after case in which the Chinese government had stolen the product designs from almost a dozen high-tech American companies, in a couple of cases almost putting them out of business.

"It immediately changed my conception, my view of the world," he says. "I realized I did not know how the world worked."

U.S. President Donald Trump and Chinese President Xi Jinping leave an event in Beijing on Nov. 9, 2017. The Trump administration, and the Obama administration before that, have brought cybertheft concerns to the Chinese directly.
Nicolas Asfouri / AFP/Getty Images

Spalding says he made it his mission to get the word out to other government agencies. But even in 2015, he says, he was met mostly with a shrug.

He says he went to the departments of Commerce and the Treasury, as well as the U.S. Trade Representative and the U.S. State Department.

"The two responses we got were, 'Oh my gosh, this is really, really bad.' And the second one is, 'That's not my job,'" Spalding says. "That was almost the universal answer we got every time we went to a senior leader. Bad problem but not my problem."

Spalding, who retired from the Air Force last year, says in the final years under Obama and now under President Trump, agencies are finally starting to take some action. The Justice Department is bringing criminal cases, the trade representative's office is investigating China's dealings and both administrations have brought concerns to the Chinese directly.

But, Spalding says, it may have come 10 years too late.

"We all missed it," he says. "We have to understand the problem and get to work on it."

Copyright 2019 NPR. To see more, visit https://www.npr.org.

AILSA CHANG, HOST:

Chinese cyber theft costs the U.S. economy at least $57 billion a year. That's what top government officials tell NPR. And that theft means lost jobs and lost wages for Americans. Three successive administrations have known about this problem and tried to deal with it. Their efforts have been largely unsuccessful. The cyberattacks have continued for nearly 15 years.

ARI SHAPIRO, HOST:

NPR and the PBS show "Frontline" have been trying to figure out why it's so hard to stop the theft. We found that one of the biggest hurdles isn't China. It's the victims - U.S. businesses. They've kept the U.S. government from acting against China, and they've made millions playing both sides of the fence. NPR's Laura Sullivan reports.

(SOUNDBITE OF TRAIN WHISTLE)

LAURA SULLIVAN, BYLINE: High above Pittsburgh on the 25th floor of an old Gothic revival building, former U.S. Attorney David Hickton sits at his desk under the photographs of five men who once worked for the Chinese government.

DAVID HICKTON: That's the wanted poster for the China case.

SULLIVAN: When Hickton took over for the Western District of Pennsylvania in 2010, he'd only been on the job a few weeks when he said he started getting calls from local companies. They told him they thought China might be inside their computer systems.

HICKTON: I literally received an avalanche of concern and complaints from companies and organizations who said, we are losing our technology - drip, drip, drip. And we don't have any apparatus in place to deal with it.

SULLIVAN: Hickton opened an investigation and set his sights on a particular unit of the Chinese military - Unit 61398. Hickman and others watched how unit officers sitting in an office building in Shanghai broke into American companies' computers at night. They stopped for an hour break at lunch and continued in the afternoon.

HICKTON: They really were using a large rake - think of a rake you rake leaves in the fall - they were taking everything. They were taking personal information. They were taking strategic plans. Then they just figured out later how they were going to use it.

SULLIVAN: It had been going on for years.

HICKTON: When I learned that we could actually pin the tail on the cyber donkey, the cyber donkey being Unit 61398, it just meant that we had a chance to actually bring the case.

SULLIVAN: But when he went to the companies, eager for them to be plaintiffs, an odd thing happened. None of them wanted any part of it. The same companies that had been complaining and new companies that had no idea they had been stolen from didn't want to be involved. Hickton says they told him they had too much money on the line in China.

Even today, five years later, Hickton still won't name most of the companies involved, and they have never come forward. Eventually, he was able to convince a handful of Pittsburgh-based companies to join the case. Mostly, he says, because he grew up here and went to school with a lot of the managers.

How many other companies do you think you could have included in this case?

HICKTON: How high can you count?

SULLIVAN: No.

HICKTON: Yeah. How high can you count? We've made a terrible mistake by being so secret about our cyber work. We have not fairly told the people we represent what the threats are.

SULLIVAN: For years, that threat remain largely underground. Government and business leaders say that wasn't an accident. U.S. companies have demanded secrecy, even in the face of outright theft. In interviews with NPR, U.S. companies said they had too much money at stake and said they had a responsibility to shareholders to manage theft problems quietly.

But now the impact of that secrecy is coming to light. Companies face hundreds of millions of dollars in future losses by keeping a secret that hand-tied U.S. officials and ultimately failed to hold China to account. It wasn't supposed to be this way. U.S. officials had high hopes when China joined the World Trade Organization in 2001.

MICHAEL WESSEL: There was a honeymoon period in the first six or seven years, a desire to try and make things work.

SULLIVAN: Michael Wessel has been a commissioner on the U.S. government's U.S.-China Economic and Security Review Commission. He says starting around 2006, businesses began coming to him saying China had stolen their designs or ideas or had pressured them into taking partnerships and taken their technology. But just like with David Hickton, Wessel says they wouldn't come forward.

WESSEL: The business community wanted the administration to come in hard without anyone's fingerprints being on the reasoning behind it. They wanted the profits, but they also didn't want the possible retribution.

SULLIVAN: Wessel says that was never going to work. The U.S. could have brought criminal cases forward, enacted sanctions or opened investigations if a company would let them. Wendy Cutler was a veteran negotiator at the office that could have done some of that enforcement, the Office of the U.S. Trade Representative. She said it wasn't just that U.S. businesses were hesitant to come forward in specific cases. She says the businesses didn't want them to take action in any cases.

WENDY CUTLER: U.S. enforcement officials were not as effective if we don't really have the U.S. business community supporting us but also providing us the information. You know, looking back on it, in retrospect, I think we probably should have been more active and more responsive. We kind of lost the big picture of what really was happening.

SULLIVAN: Court cases and documents from recent years offer a clue into what experts believe was happening. The Chinese government has been accused of stealing everything from vacuum cleaner designs to solar panel technology, to the designs of Boeing's C-17 aircraft. China has broken into gas companies, steel companies and chemical companies.

Not long ago, Chinese government companies were indicted for dealing the secret chemical makeup of the color white from DuPont. Chinese hacking made occasional headlines, but none really grabbed Americans' attention until January 2010...

(SOUNDBITE OF ARCHIVED RECORDING)

UNIDENTIFIED JOURNALIST #1: Finally tonight, Google's China threat.

SULLIVAN: ...When an American company did come forward...

(SOUNDBITE OF ARCHIVED RECORDING)

UNIDENTIFIED JOURNALIST #2: The world's leading search company announced yesterday it had discovered what it called a highly sophisticated and targeted attack.

SULLIVAN: ...Google decided to do what no other company had done. They announced the theft and publicly blamed the Chinese government. Thirty-four other well-known American companies had also been hacked, But to this day, most have kept it a secret. NPR tracked down 11 of the companies - none of them would comment on the hack.

James McGregor is the former chairman of the American Chamber of Commerce in China and was there at the time. He says the companies even kept the business organizations from speaking out.

JAMES MCGREGOR: What they should have done is held a press conference and said, we 35 businesses have been hacked, and you would put it right back on China. Instead, they just all hid under a rock and pretended it didn't happen.

SULLIVAN: McGregor says their silence left little room for punishment. And worse, he said, it hid the extent of the problem. Dmitri Alperovitch was one of the first to see it. He was working at a security firm in Atlanta during the Google hack. One afternoon, Google called, said they needed backup. Alperovitch is a well-known cyber sleuth. He says when he took a look, he was stunned.

DMITRI ALPEROVITCH: I knew pretty much right away that this is something very different. For the first time ever, we were facing a nation state, an intelligence service that was breaking into companies - not governments, not militaries, but private sector organizations.

SULLIVAN: Where was the U.S. government on all of this?

ALPEROVITCH: The U.S. government was nowhere to be seen.

SULLIVAN: Evan Medeiros was on staff at the National Security Council at the time and a top China specialist under President Obama. He says they didn't turn a blind eye. Obama signed an agreement with China to address the hacking. But he says the administration also had other priorities - North Korea, Iran, the economy, climate change.

EVAN MEDEIROS: Direct confrontation with China does not usually result in lasting solutions.

SULLIVAN: It seems like not confronting China did not provide any solutions either.

MEDEIROS: I mean, if you want big structural change, it takes time. The question is, do you want to play checkers? Do you want to play chess?

SULLIVAN: But without repercussions, the attacks continued. In the year after the Google hack, Dmitri Alperovitch uncovered two more serious intrusions into American companies. In the fall of 2011, he went to the White House to warn officials about what he had found. He sat down in the Situation Room with half a dozen top administration leaders.

ALPEROVITCH: I got the distinct impression that none of this was news. And when I pressed them on why they were not taking stronger action against China, their response was it's complicated.

SULLIVAN: Did they explain that?

ALPEROVITCH: Yes. Essentially, the answer was, we have a multifaceted relationship with China. Some of those same companies that were being victimized by China also wanted to continue doing business in China.

SULLIVAN: So I asked James McGregor, the American business representative from China.

How can businesses walk into United States agencies and complain about being treated unfairly if they're the ones that are preventing any action from being taken?

MCGREGOR: Well, sometimes two things can be true at the same time. Companies were afraid of China. There's this whole Tony Soprano side of the party that will come in and teach you a lesson and you better not complain. American business companies did what they - their incentives are to make money, you know.

SULLIVAN: How's that working out for them?

MCGREGOR: Well, it's - let's just say they're now facing - they're woke, you know.

SULLIVAN: Today, McGregor advises dozens of companies doing business in China and says that awakening has meant acknowledging they've got a problem. China's no longer an up-and-comer. It's a true competitor closing in on America's high-tech sector. And officials are beginning to ask whether years of theft and hacking have given China an edge the United States will no longer be able to stay in front of or whether U.S. government agencies will be able to catch up on enforcement.

Top government officials told NPR federal agencies are years behind where they could have been if the theft had been openly addressed. Even at the Pentagon, as late as 2014, cyber theft from China was not one of the department's top priorities.

ROBERT SPALDING: Our intelligence agencies were looking at the Middle East. They were looking at the Russians. We had more Pashto Urdu speakers than we had Chinese speakers in the intelligence apparatus.

SULLIVAN: Air Force Brigadier General Robert Spalding worked for the Joint Chiefs of Staff and was a China expert for the National Security Council. He had never given the issue much thought. But in the fall of 2014, he loaded a confidential briefing into his computer. It was case after case where the Chinese government had stolen the product designs from almost a dozen high-tech American companies.

SPALDING: It immediately changed my conception, my view of the world. I realized I did not know how the world worked.

SULLIVAN: Spalding says he made it his mission to get the word out to other government agencies. But even in 2015, he says he was met mostly with a shrug.

SPALDING: We went to Commerce, and we went to Treasury and U.S. Trade Representative and State Department. The two responses we got were, oh, my gosh, this is really, really bad. And the second one is, that's not my job. And that was almost the universal answer that we got. Every time we went to a senior leader - bad problem, but not my problem.

SULLIVAN: Spalding, who retired from the Air Force last year, says in the final years under President Obama and now under President Trump, agencies are finally starting to take some action. The Justice Department is bringing criminal cases. The trade office is investigating China's dealings. And both administrations have brought concerns to the Chinese directly. But Spalding says it may have come 10 years too late.

SPALDING: We all missed it. We have to understand the problem and then get to work on it.

SULLIVAN: Today, the Trump administration is wielding billions in trade tariffs to bring China to the table on a host of issues and hopes to negotiate an end to cyber theft as part of any trade agreement. But it may be years before the American public has a full understanding of what it has lost. Laura Sullivan, NPR News. Transcript provided by NPR, Copyright NPR.