5 August 2011
Dave Clemente
(Former Chatham House Expert)


A recent cyber espionage report by the security company McAfee made the news headlines this week and is sobering in its conclusions. It reveals a five-year campaign of carefully orchestrated and targeted intrusions into the computer networks of 72 public and private sector organisations. The majority of the victims were government departments and defence contractors in the US, and in many cases the intrusions are believed to have resulted in the loss of ‘valuable intellectual property and trade secrets’.

The McAfee report leans towards the conclusion that a single actor or group was responsible, and although no suspects are explicitly named, China has immediately leapt to the top of the list among cyber security experts. This suspicion is due to the nationality of the victims, previous similar attacks and the principle of cui bono - 'who benefits'?

The quantity and quality of the stolen data are significant and confirm the patience, persistence and adaptability of the attackers. The duration of the operation signals that substantial resources and support were provided to those carrying out the attacks, and further bolsters the conclusion that a state actor was intimately involved.

Though highly undesirable for the victims, espionage has a long history (not least during the Cold War) and is nearly always practiced in both directions. China is undoubtedly a target of interest for many countries, although the Chinese government is rarely willing to make detailed public statements regarding cyber attacks they have suffered.

In many respects the transfer of knowledge and economic wealth through espionage is a logical route for a country that wishes to shortcut the lengthy and laborious process of technological research and development. However, it is not enough; though they are lucrative, stolen industrial secrets reveal only part of the equation, and sustained progress requires something more.

Governmental and corporate transparency and accountability are an absolute necessity, particularly when producing and maintaining advanced jet engines or high-speed rail transport networks. The recent train crash in China's Zhejiang Province is an example of public suspicion that safety is being jeopardised in a rush to develop advanced technology. Acquiring the blueprints to a cutting-edge industrial secret helps with making the first copy, but it does not explain how to implement a quality control methodology, convince employees to produce reliable data, or manage the logistics and supply chain that will build the next ten thousand copies.

Organisations that do not encourage transparency and accountability, or whose subordinates are afraid to deliver bad news to their superiors, will end up with systemic dysfunction and disorder that no amount of espionage can solve. Inadequate cyber security measures mean that governments and corporations around the world will continue to find themselves victims of serious attacks. And for those who practice cyber espionage most vigorously, it will require a little more to make a great leap forward.