The typical Chinese hack started off with a spear-phishing email to the target company’s employees. If just one employee clicked the email’s attachment, the computer would download a webpage crammed with malware, including a “Remote Access Trojan,” known in the trade as a RAT. The RAT opened a door, allowing the intruder to roam the network, acquire the privileges of a systems administrator, and extract all the data he wanted.
They did this with economic enterprises of all kinds: banks, oil and gas pipelines, waterworks, health-care data managers—sometimes to steal secrets, sometimes to steal money, sometimes for motives that couldn’t be ascertained.
McAfee, the anti-virus firm that discovered and tracked the Chinese hacking operation, called it Operation Shady RAT. Over a five-year period ending in 2011, when McAfee briefed the White House and Congress on its findings, Shady RAT stole data from more than 70 entities—government agencies and private firms—in 14 countries. The affected nations included the United States, Canada, several nations in Europe, and more in Asia, including many targets in Taiwan—but, tellingly, none in the People’s Republic of China.
President Obama didn’t need McAfee to tell him about China’s cyber spree; his intelligence agencies were filing similar reports. But the fact that a commercial anti-virus firm had tracked so much of the hacking, and released such a detailed report, made it hard to keep the issue locked up in the closet of diplomatic summits. The companies that were hacked would also have preferred to stay mum—no point upsetting customers and stockholders—but the word soon spread, and they reacted by pressuring the White House to do something. Largely because, after all these decades of analyses and warnings, many of them still didn’t know what to do themselves.
This was the setting that forced Obama’s hand. After another Asia security summit, where his diplomats once again raised the issue and the Chinese once again denied involvement, he told Donilon to deliver a speech that brought the issue out in the open. The Mandiant report—which had been published three weeks earlier—upped the pressure and accelerated the timetable, but the dynamics were already in motion.
One passage in Donilon’s speech worried some mid-level officials, especially in the Pentagon. Characterizing cyber offensive raids as a violation of universal principles, even as something close to a cause for war, Donilon declared, “The international community cannot afford to tolerate any such activity from any country.”
The Pentagon officials scratched their heads: “any such activity from any country?” The United States engaged in this activity, too, and everyone knew it.
The targets were different, though: American intelligence agencies weren’t stealing foreign companies’ trade secrets or blueprints, much less their cash. In NSC meetings on the topic, White House aides argued that this distinction was important: Espionage for national security was an ancient, acceptable practice, but if the Chinese wanted to join the international economy, they had to respect the rights of property, including intellectual property.