The
31-page
document directly blames the governments of
the two rival powers for campaigns to steal American
technology, reflecting what analysts said was a deep
feeling of frustration at being unable to stop the spying
through either diplomatic talks or technological defences.
The incidents mentioned in the report include the attack on
Google’s
network in 2010, where the company later claimed part of its
source code may have been taken, and a 2011 study by McAfee
that described an intrusion it called “
Night Dragon”
which took data from the systems of energy companies and
which was traced back to an address in
China.
It also lists the cases of three ethnic Chinese
employees of American companies who were arrested for
stealing proprietary information which they had allegedly
planned to sell to new employers in China.
The incidents described in the paper released to
Congress had been reported previously in isolation, yet at
the time government officials refused to assert on the
record that they were part of major strategic thrusts,
especially by China.
Officials had kept quiet so as not to jeopardise
ongoing negotiations or to reveal exactly what they knew
about specific Chinese actors and their methods. Most
companies that have been victims of such cyber-spying have
also sought to avoid putting the blame on China.
Google was a rare exception, when in January of last
year it
linked an intrusion it suffered to
China. The company, which has
vested voting control in just three individuals, partially
withdrew from the country as a result.
“We believe that more information sharing and dialogue
around security is a positive trend for the industry. This
is a topic that people should take very seriously,” Jay
Nancarrow, a Google spokesman, said on Thursday.
But even as an understanding of the pattern has become
more prevalent, other companies have declined to follow
suit. RSA, the security company owned by
EMC that admitted
a breach earlier this year, blamed an unnamed government,
though people familiar with the case said it was obviously
China.
Even big technology security concern McAfee, now owned
by chipmaker
Intel, has pulled
punches.
A report it issued in August
documented a spying effort that targeted defence
contractors, nonprofits, manufacturers and Olympic
committees noted that the evidence pointed to one country,
but did not say which. Both EMC and Intel do substantial
business in China and were reluctant to offend their hosts
and business partners, according to people briefed on
internal discussions.
Many companies do not disclose breaches at all, the new
government report observes. They are often unaware of what
has occurred, or lack the ability to pin the thefts
conclusively on one group of actors. In other cases, they
fear adverse customer and investor reaction.
One security expert said increased openness was the
right thing for customers and shareholders. But he said he
did not know what it would mean for the US relationship
with China. “I just don’t know the end game,” he said.
“Possibly it even helps China to be a more responsible
world power.”
The Google incident last year contributed to a sharp
deterioration in US relations with China, which also
included disputes about US arms sales to Taiwan,
Tibet
and climate change. While some of these disagreements have
been patched up this year, the public accusations in the
report run the risk of fanning new diplomatic tensions.
Indeed, the Chinese government wasted little time in
denouncing the report. “China’s economic development and
prosperity is the result of an effective national
development strategy and the hard work of the Chinese
people,” a spokesman for the Chinese embassy in Beijing
said. The allegations in the report were “unwarranted and
irresponsible”.
A western government official added: “This report is
very direct and unusual in its tone. This issue is very
sensitive and Russia and China have not
responded well when people have tried to make these
accusations in the past.”
While the report attempts to demonstrate a pattern of
behaviour behind individual acts of internet espionage, it
admits that it is difficult to conclusively prove that
they were all government-directed. Indeed, the evidence
against Russia in the report is relatively thin, with one
of the few specific cases being the much-derided spy ring
that was arrested last year. Intelligence experts say that
it is almost impossible to get a perfect “smoking gun” of
government involvement in such cases.
Additional reporting by James Blitz in London