Warning to Hollywood: Chinese Hackers Want Your Secrets (Guest Column)
A top cybersecurity lawyer says the Chinese are after any edge they can get, from financial details that help with negotiations to reading scripts.
This story first appeared in the March 15 issue of The Hollywood Reporter.
Hollywood should be on notice: It's not just the Pentagon and CIA that are victims of hackers. They're targeting more and more private companies. A recent report from American cybersecurity firm Mandiant linked the Chinese government's People's Liberation Army to massive, sustained intrusions into corporate networks.
The report, which traced many attacks to the PLA's Shanghai-based Unit 61398, was devoured in Washington and Silicon Valley. But Hollywood mostly has shrugged off Chinese cyberspying as someone else's problem.
It's true that, unlike defense contractors and high-tech companies, the entertainment industry generally doesn't depend on research secrets for its competitive edge. Hollywood has plenty of intellectual property, but not the kind that can be protected by secrecy (except for the occasional movie that seems valuable -- until everyone sees it). And, while there are secrets to success in the movie business, they can't be stolen as easily as, say, plans for the Joint Strike Fighter.
But we're kidding ourselves if we think that the Chinese hackers are only stealing big, expensive secrets. Here, Hollywood might be blinded by its own product. China's cyberspies aren't intrepid Jolt-drinking loners (with an occasional adoring girlfriend) navigating dangerous networks to snatch secrets and flee before they're geo-located by their opponent's giant global tracking system.
No, the hacking campaigns described by Mandiant and others have all the flash and derring-do of your latest trip to the dry cleaners. Chinese hacking often begins with a decidedly low-tech approach -- and the bad guys have little trouble breaking into networks. They send you and your co-workers a stream of spoofed e-mails that seem to come from your boss or colleagues. A March 3 report in The New York Times detailed a simulated attack by the federal Department of Homeland Security into a power plant's network by persuading a plant employee to click on a link to look at "cute puppies." If just one person clicks on one link in one e-mail, the hackers are in.
And once they're in, they stay: Mandiant found companies that had been hosting Chinese hackers for more than four years.
With their access assured, the hackers can treat the victim's secrets exactly like dry cleaning, returning each week to package the CEO's e-mails and ship them to Shanghai.
It's routine. So routine, in fact, that most of the hacking is done between 8 a.m. and 5 p.m. Beijing time.
Mass production makes everything cheaper, and hacking is no exception. Adding a company to the target list is as easy as choosing the color of your next car. The Mandiant report found that the PLA's Unit 61398, specializing in English speakers, had gained control of hundreds and likely thousands of corporate networks.
With the cost of infiltration so low, these hackers could compromise the entire Fortune 500 just to collect the whole set. And you'd certainly expect them to target any company whose secrets might be interesting to anyone in the Chinese government.
Hollywood might not have big secrets, but it's got plenty of little secrets that someone in China probably wants. No government on Earth is more sensitive to its depiction in mass media than China's. Why wouldn't its government want to read the earliest versions of Hollywood's scripts or have a ringside seat while studio execs debate how best to accommodate Chinese censors?
And don't rule out what might be called crony espionage, either. Any company that has juice with the central government is a candidate for the cheapest form of state aid: free access to the secrets of their competitors and joint-venture partners. China is an enormous market, with the potential for great profits. But if the other side knows just how hungry the studios are -- by reading their internal communications -- the studios won't leave the table with more than crumbs. Once you know the other side's bottom line, it's amazing how good a negotiator you can be.
Disputes that arise after the deal is done can be handled the same way. People who sue Chinese companies, along with their lawyers, are targeted by hackers. When security researchers are asked how many of the 100 largest U.S. law firms have been compromised by China, estimates range from 80 to, well, 100.
As for corruption, there's no more sensitive topic in China. If a Western company is under investigation for paying bribes to Chinese officials, as many entertainment companies are now rumored to be, it's safe to assume that the Chinese government will want to know -- ahead of time -- what the company is planning to tell the U.S. Securities and Exchange Commission.
In short, the studios have no reason to worry about hackers from China -- as long as they don't do business there.
For those that do, a new day of paranoia and network security is about to dawn.
Stewart Baker practices cybersecurity law at Steptoe & Johnson in Washington. He has been a top official concerned with cybersecurity policy at the Department of Homeland Security and the National Security Agency.