Christopher Krebs, currently director of the Cybersecurity and Infrastructure Security Agency at the U.S. Department of Homeland Security, testifies during a Senate Armed Services Committee hearing in Washington on Oct. 19, 2017. (Drew Angerer/Getty Images)

China’s Cybersecurity Threats Target Middleman IT Providers, US Official Says

China is growing more efficient at cyber theft, a U.S. official warned at a recent cybersecurity conference in Washington.

“So what we’re seeing is rather than the Chinese actors going directly at individual companies, they’re going to the points of aggregation. They understand the business decisions and the business processes domestically here in our infrastructure, but not just in the U.S., but in Europe and elsewhere,” said Christopher Krebs, director of the Cybersecurity and Infrastructure Security Agency at the U.S. Department of Homeland Security.

Krebs was one of the keynote speakers at the eighth annual International Conference on Cyber Engagement held on April 23.

“Points of aggregation” refers to managed service providers (MSPs), which are companies that manage other firms’ information technology (IT) infrastructure systems. These could include small and medium-sized MSPs, as well as large technology firms such as IBM.

Krebs explained that many firms are choosing to outsource their IT to these MSPs to save money and be more productive.

“And so they’re going to these managed service providers, which provides the adversary or the actor, a much more efficient way of getting to the stuff they want to get. And that’s the intellectual property, that’s personally identifiable information,” he added.

Krebs highlighted the case of the U.S. Department of Justice indicting two Chinese citizens in December last year for targeting such MSPs. Zhu Hua and Zhang Shilong, as members of the hacker group APT10 (Advanced Persistent Threat 10), allegedly broke into computers and computer networks managed by MSPs on behalf of businesses and governments around the world.

Zhu and Zhang allegedly acted in association with the Tianjin City bureau of China’s Ministry of State Security, the country’s main intelligence agency.

Earlier in October 2018, the U.S. Department of Homeland Security issued a warning against increased attacks by APT10, targeting U.S. firms in multiple sectors, including information technology, energy, health care, communication, and manufacturing.

The targeted U.S. firms were leaders in the same sectors that China has prioritized for aggressive development, according to its industrial development blueprint “Made in China 2025”—which outlines how China will dominate high-tech sectors such as robotics and advanced information technology by 2025.

“If you’re a domestic infrastructure, if you’re a U.S. company, if you’re any company that plays in any of those strategic sectors, you have a target on you. Manage risk accordingly,” Krebs warned.

He added that U.S. companies wanting to do business in China should be “eyes-open,” for China’s cybersecurity and intelligence laws leave their data vulnerable to the Chinese regime.

A new cybersecurity law that went into effect in June 2017 required all companies operating in China to store their data within China’s geographical area, a move that means data on Chinese servers could be accessed by the Chinese regime at will.

China’s national intelligence law, also effective in 2017, requires every Chinese organization and citizen to assist and cooperate with Beijing’s national intelligence efforts. The broad and vague definition of “national intelligence” means that companies and citizens must answer to the Chinese regime when called upon.

The Chinese regime’s unfair business practices, including technology theft, cost the U.S. economy more than $57 billion annually, according to an April 12 NPR report, citing estimates by unidentified White House officials.