Within a day of each other, the Washington Post published a shocking list of U.S. defense programs whose designs have reportedly been stolen by Chinese cyberattacks, and ABC News said the plans for Australia's spy headquarters were also stolen by Chinese hackers. It makes China sound like a secret-sucking cyber espionage machine, but is that really the case?

What Was Taken

The Washington Post gets its information from a confidential report prepared for the Pentagon by the Defense Science Board. A public version of the report is also available. The Post says that the report does not single out China; that interpretation comes from officials. In the Post's words, "senior military and industry officials with knowledge of the breaches said the vast majority were part of a widening Chinese campaign of espionage against U.S. defense contractors and government agencies."

Among the compromised programs listed are the PAC-3 Patriot missile system, the Terminal High Altitude Area Defense used by the Army for intercepting missiles, the Navy's AEGIS missile defense system, the F/A-18 jet fighter, the tilt-rotor V-22 Osprey, and the Black Hawk helicopter. Two very new programs were also among those reportedly affected: the Navy's Littoral Combat Ship and the F-35 Joint Strike Fighter.

However, the picture is not as complete as it seems. The Post wrote that the list of intrusions "did not describe the extent or timing of the penetrations. Nor did it say whether the theft occurred through the computer networks of the U.S. government, defense contractors or subcontractors."

The Post goes on to note that there have reportedly been frustrations with contractors and sub-contractors for having classified information stolen on their watch.

China: The Evil Cyber Espionage Empire?

The knee-jerk interpretation of this disclosure (and others) is that China is a powerhouse of cyber espionage capable of stealing whatever secrets it wants and that the U.S. is powerless to stop it. This seems very unlikely.

Last week, the New York Times ran a piece which delved into China's hacker culture, revealing a disparate band of private contractors and not a team of highly trained hackers operating in lock-step with the government.

"Another former hacker said the monolithic notion of insidious, state-sponsored hacking now discussed in the West was absurd," wrote Edward Wong for the Times. "The presence of the state throughout the economy means hackers often end up doing work for the government at some point, even if it is through something as small-scale as a contract with a local government office."

Some of these pilfered secrets have made their way back to the central Chinese government, but it's just as likely that they were taken by individuals or companies and then sold to someone else. As is the case with other forms of cybercrime, the hackers are generally trying to make money off the information, not use it themselves. It also suggests a piecemeal approach to these attacks, with hackers working different angles and grabbing what they can—not a concerted effort for specific programs to build up a larger picture of American weapons programs.

Furthermore, determining who is behind a cyber-attack is famously difficult. In the case of the Australian attack, the report says "the attack came from a server in China." Maybe it was from someone in China, or maybe that was just the last point investigators were able to find.

There's been a glut of media attention on China's cyber espionage activity, and a lot of research to back it up, but that might not reflect reality. In their 2012 Data Breach Report, Verizon found a massive increase in cyber espionage attacks from China but presented that information with a major caveat. At the time, Verizon's principal on the managing risk team told SecurityWatch that looking for year-over-year trends in the data was problematic because so many new sources were added this year. "It throws off the data a bit," explained Porter. "It's an inherent statistical bias from changing data sets from year to year."

The increased information on Chinese espionage activity is just as easily attributed to an increased interest in information on Chinese espionage. It's a topic that has gotten a lot of press, and the Pentagon is clearly interested, perhaps spurring researchers to look closer at this specific activity. That doesn’t mean that China is the monster hacker of our imaginations.

It is, after all, an open secret that allies spy on each other all the time (see: the recent ejection of a U.S. operative by Russia). The Times report pointed out that "many Chinese hacking attacks that have been discovered do not appear very sophisticated. American cybersecurity experts say attacks from Chinese groups often occur only from 9 to 5 Beijing time." Quoting FireEye's Darien Kindlund, the Times continued, "And unlike, say, the Russians, Chinese hackers do not tend to cloak their movements."

Should You Be Afraid?

In short, you personally should not be afraid; it's very unlikely that Chinese hackers are after you.

These headlines are scary, and they are certainly indicative of how nations will interact in the digital age: countries will hack one another, secrets will be stolen (and likely sold). Retired Lieutenant General Harry Raduege said as much at the RSA conference this year, when he described a kind of cyber "warm war" with a few major hacks hitting the front page of newspapers from time to time. The scariest thing from all these reports is that the U.S. seems to still be coming to terms with that.

But it's also important to take this news with some big grains of salt. The Department of Defense is facing the possibility of huge cuts while the nation wrings its hands about the deficit. In an age of sequestration, it's a good idea to have a reason to spend billions and trillions on new and better defense programs. And with the war in Iraq over and operations in Afghanistan coming to a close, the search is on not just for future threats but also the justification for future spending.

Cybersecurity is a huge issue, one with ramifications we don't even understand right now. The big takeaway from these reports is likely that China had the incentive to invest and engage in cyber espionage activities, and that the U.S. has not. Hopefully the folks in Washington will respond by making prudent investments where it matters—like training low-level employees in basic security practices—and not chasing after the phantoms of worst-case scenarios.

Image via Staff Sgt. D. Myles Cullen
