How “Hat-tribution” on China Has Harmed U.S. National Policymaking

Back in the early 2000s, cybersecurity researchers blamed every financial services attack on Russian or Eastern European hackers and every non-financial services attack on China. Every attack literally fell into one of those two buckets. U.S. Air Force officers in the 1990s were convinced that only the Chinese government was interested in stealing non-financial data such as intellectual property. They were so certain that they gave China a code name — Advanced Persistent Threat (APT). Some of those Air Force officers later founded Mandiant and commercialized the name APT in a white paper released in 2010. In those years, APT was a “who”, not a “what”.

After the Office of the National Counterintelligence Executive issued its 2011 report, which named at least four nations responsible for intellectual property theft (China, Russia, France, and Israel), Mandiant began losing the battle to keep APT as a code name for China, and the term quickly evolved into a generic description of how hackers attack a network.

Mandiant made a fortune from its long-standing policy of blaming every network breach on Chinese hackers, a fact that did not go unnoticed by almost every other cybersecurity company. Between 2010 and 2015, any report that named China as the culprit caught the attention of corporate CEOs as well as major news outlets. In 2013, Mandiant issued its APT1 report. By the end of that year, it had been acquired by FireEye for $1B.

In 2014, CrowdStrike issued its own PLA report, which identified an alleged PLA hacker by name based in large part on a photo showing a PLA officer’s hat. CrowdStrike executives called it “hat-tribution”, and the PLA hacker group was named “Putter Panda”.

That CrowdStrike considered a hat in a photo to be evidence is a commentary on how badly private companies have handled intelligence collection and analysis. That, and a 10-plus-year history of misattributing every intellectual property attack that ever happened to the government of China, has brought us to the inevitable end result — putting the White House in an uncomfortable diplomatic position with the Chinese government, which may very well be keeping its word. Ironically, it is CrowdStrike executive and co-founder Dmitri Alperovitch whose blog post brought this controversy about.

The very first intrusion conducted by China-affiliated actors after the joint Xi-Obama announcement at the White House took place the very next day — Saturday September 26th. We detected and stopped the actors, so no exfiltration of customer data actually took place, but the very fact that these attempts occurred highlights the need to remain vigilant despite the newly minted Cyber agreement.
We are releasing below the timeline of intrusions into these commercial entities that we detected over the course of the last 30 days. It is important to note that this is not an exhaustive list of all the intrusions from Chinese-government affiliated actors we have detected during this time period; it is limited only to commercial entities that fit squarely within the hacking prohibitions covered under the Cyber agreement. The intrusion attempts are continuing to this day, with many of the China-affiliated actors persistently attempting to regain access to victim networks even in the face of repeated failures.
We assess with a high degree of confidence that these intrusions were undertaken by a variety of different Chinese actors, including DEEP PANDA, which CrowdStrike has tracked for many years breaking into national-security targets of strategic importance to China, as well as commercial industries such as Agriculture, Chemical, Financial, Healthcare, Insurance, Legal, Technology and many others.

This company blog post combined CrowdStrike’s threat intelligence with a marketing pitch for its Falcon platform. The post speaks for itself, blaming China for ongoing cyber attacks after the Xi-Obama agreement. However, after AP, CBS, and the Washington Post picked up the story, Alperovitch attempted to walk back his post’s claims by saying, “We are not stating anywhere that the Chinese are violating the agreement. It is not up to us to draw that conclusion.”

A White House spokesman who spoke with Foreign Policy would not comment on the CrowdStrike blog post except to say, “As a general matter, malicious cyber actors from a variety of nations find U.S. networks and companies attractive targets, and seek access to sensitive or proprietary information for a variety of purposes.”

How many of those “malicious cyber actors from a variety of nations” launch their attacks from China?

How many independent, non-state-affiliated Chinese hackers launch their own attacks for fun and profit?

And how does CrowdStrike, Mandiant, or any other company differentiate between those and actual Chinese government attacks?

I’ve been challenging security intelligence companies to answer that question for years and have yet to hear a responsible answer from any of them.