In 2014, China seems to have gone on a hacking spree, targeting sensitive U.S. data. The effort was thorough and aggressive, going after not only personal information held by the Federal Office of Personnel Management, but also healthcare data kept by Anthem and CareFirst as well as travel data, including passport numbers, stored by the Marriott hotel chain.
That coordinated effort yielded a treasure trove of data for Chinese intelligence and exposed a critical need for collaboration between private companies and the government to safeguard data from malicious foreign actors.
Department of Homeland Security Secretary Kirstjen Nielsen echoed this point in July, explaining, “Cyberattacks collectively now exceed the danger of physical attacks … this has forced us to rethink homeland security.” In the same speech, she introduced the new National Risk Management Center, which, among other functions, is designed to better connect the government to companies that experience a breach.
She was right, of course, but the coordinated Chinese attacks happened four years ago, although, in the case of Marriott, they were only recently discovered. In September, Marriott learned it had been hacked. In November, that information became public, revealing that about 500 million individuals had had their personal data compromised. On Tuesday, the New York Times identified the hackers as suspected of working for the Chinese Ministry of State Security.
In the aftermath, the Obama administration worked out a truce with Beijing in 2015 to halt cyberattacks on private companies. But by then Beijing may already have had the access and information it wanted.
Since then, Chinese intelligence has been slowly testing the waters of just what the U.S. would be willing to tolerate when it comes to cybersecurity, eating away at the 2015 agreement.
That has not only compromised individual information, exposing wide swaths of the country to fraud, but, worse, provided critical, detailed information to track U.S. intelligence assets and their Chinese contacts, as well as offering a window into potential candidates to be recruited by Beijing.
Although a cyberattack does not have the theatrics of a missile launch and may, as demonstrated by the trickle of information about the Marriott attack, not immediately reveal the depth of the breach, the information can have serious consequences.
That was a lesson the CIA learned the hard way when a compromised communications network led to the deaths of informants in China.
But it is not just the CIA and other government actors that need robust cyber defenses. Private companies that store sensitive data must not be left vulnerable to sophisticated attacks from state actors. The success of Chinese breaches should be a clear warning that the government must work with private companies on cybersecurity and do so quickly. Data security is a key component of national defense.
After all, if Marriott had been the target of a physical attack, that would be obvious.

