Why I Oppose The 12 Chinese Hacker Groups Claim

The claim that I'm referring to was reported by Associated Press to a variety of news outlets and essentially stated that "as few as 12 different Chinese groups, largely backed or directed by the government there, do the bulk of the China-based cyberattacks stealing critical data from U.S. companies and government agencies, according to U.S. cybersecurity analysts and experts."

My view is that this claim is bullshit. Here's why:

ONE. It's self-serving. The cybersecurity analysts and experts quoted in the article from Mandiant and Dell SecureWorks have 1) a vested interest in painting China as the bad guy since the bulk of their marketing is APT-centric (APT being a code word for China) and 2) SecureWorks has a less than stellar track record in analysis (Stuxnet and Duqu 2011) and attribution (Kyrgyrzstan 2009) - they've made highly questionable claims in both cases.

TWO. The 12 hacker groups have not been named which prevents independent analysis being performed by individuals who don't have a vested interest in the outcome.

THREE. There's been no proven reliable way to assign attribution. Digital DNA is a marketing ploy, not a fact.

FOUR. It conflicts with our own research on State and non-State actors involved in cyber espionage.

FIVE. It conflicts with our confidential work in incident response and protection for Taia Global clients including members of the Defense Industrial Base.

SIX. It lacks rigor. For example, I highly doubt that either Mandiant or Dell SecureWorks applied negative analysis to their findings before making their claims (i.e., looked for reasons why their findings could be wrong - a standard analytic technique).

The companies behind this claim should make their case publicly and present their evidence for peer review or not make it at all. This type of sensationalist reporting, besides trolling for government contracts, feeds anti-China paranoia while minimizing the role of many other State actors engaging in the same activity as China. Senators and Congressmen unfortunately don't have enough knowledge about cybersecurity to discern truth from fiction so what starts off as highly questionable analysis soon becomes terrible U.S. government policies; especially when it is advocating for permission for civilian U.S. companies to counterattack a specific nation's network. There has never been a worse idea in the history of bad ideas than that one.


  1. I have similar case.

    Just found my blog has been quoted by William Hagestad, Lieutenant Colonel US Marine Corps. In the Energy and Utility Cyber Security Summit. (http://www.cybersummits.com/eu/pdf/day1/Red-Dragon-part-1.pdf)

    Regretted to find Mr. Hagestad did not quote my message clearly and incomplete… :(

  2. Unfortunately, that's typical behavior by people who have a vested interest in making China the sole bad guy in the universe of cyber threat actors. What's the URL of your blog?

  3. http://espionageware.blogspot.com/#!/2011/11/is-china-really-actor-of-apt-attacks.html
    Just got your book, will read it this weekend


Post a Comment