
Chinese government still sponsoring cyber-espionage, says FireEye COO

China is "a nation-state sponsoring intrusions into businesses in the US"

A year ago, Mandiant, since acquired by FireEye, issued a long report called "APT1" that accused China's People's Liberation Army of launching cyber-espionage attacks against 141 companies in 20 industries through a group known as "PLA Unit 61398" operating mainly from Shanghai.

In his keynote address at the RSA Conference, FireEye senior vice-president and chief operating officer Kevin Mandia provided an update on what happened after the report was published. "How did the Chinese government respond?" Mandia said. "We were hoping we'd see behavioural change."

The report provided in-depth evidence in technical detail about the cyber-attacks, Mandia said. The Chinese government, though, issued a carefully worded statement rejecting the findings.

"We did alter their behaviour," Mandia said. The Chinese never again used the same attack infrastructure, and there was an overall "temporary hiatus", but activity has since ramped up again. China is "a nation-state sponsoring intrusions into businesses in the US," he said.


While the "APT1" report is generally given credence in the US, it's worth noting that Chinese networking giant Huawei does not. "We just don't find the report to be credible at all," said a Huawei representative at the RSA conference this week.

While the US and China had been on track last year to discuss the prickly cyber-spying issue, those talks largely dissolved publicly when former NSA contractor Edward Snowden started feeding secret documents to the media that showed the US engaged in mass surveillance on a global scale.

The US government claims to not conduct cyber-espionage for purposes of stealing trade secrets from foreign companies to share with American competitors. But foreigners who now believe their every move on the Internet is being tracked by the NSA aren't buying it.

The TrustyCon Conference held its first-ever event yesterday right across the street from the event sponsored by RSA, the security division of EMC. TrustyCon (the "Trustworthy Technology Conference") was organised by the Electronic Frontier Foundation and others in the past month after some speakers scheduled to appear at the RSA Conference angrily backed out after evidence came to light that RSA years ago had included a crypto algorithm in its crypto toolkit that most of the industry now believes to be an NSA backdoor.

This is viewed as a betrayal of trust, and TrustyCon was quickly devised as an alternative to the RSA Conference where speakers would discuss topics such as NSA mass surveillance. The TrustyCon event yesterday raised $20,000 for EFF, which said it would use the money to pursue efforts to fight NSA mass surveillance.

Chief research officer at F-Secure, Mikko Hypponen, delivered an eloquent presentation on the government surveillance topic at TrustyCon, more or less the one he would have delivered at the RSA Conference if he hadn't dropped out in protest.

Hypponen, whose company F-Secure is based in Finland, said the day has come when it's not only cyber-criminals writing malware but governments as well.

U.S. influence extends not only from its significant military might, where there's funding for cyberespionage and cyber weapons, but also from its market dominance in Internet-based services coming from the likes of American-based giants such as Google, Microsoft and Facebook, Hypponen said.

But fears that the U.S. is abusing its power to conduct Internet-based surveillance are leading to a backlash in Europe and South America, where anger over news stories about the NSA has other countries trying to come up with alternatives to anything connected to the U.S., Hypponen warned.

There are even questions as to whether U.S.-based anti-malware companies are shielding government-made malware, or would agree to not scan for it, Hypponen said. He pointed to how a Netherlands-based digital rights group called Bits of Freedom recently asked anti-malware vendors from across the world to publicly state whether they cooperate with any government-created malware effort by not scanning for government-created malware.

Hypponen said that, based on his tracking of this issue with Bits of Freedom, Symantec and McAfee have so far not responded, though Microsoft has responded by saying it does not cooperate with any government to deliberately avoid scanning for government-made malware.

On the other hand, Hypponen said one good thing that seems to be happening is that Stuxnet, one of the best-known examples of what's believed to be government-created malware, which was used in 2010 against Iranian nuclear facilities, is not known to have spawned a copycat.

"We were really worried there would be copycats," said Hypponen. "I am glad we were wrong."

Today, security companies themselves are targets of attacks to steal information and compromise products, and not only from cyber-criminals out for financial gain: governments, too, see security vendors as a backdoor path to cyber-espionage.

RSA finally confronted the NSA backdoor scandal publicly this week when executive chairman Art Coviello used his keynote address to say RSA had been exploited by the NSA, which he said abused its position of trust. It was a stunning declaration that in some sense represents a turning point for the U.S. high-tech industry.

But for Hypponen, who lives in Finland and keenly feels that his "foreigner" status makes him, like all other "foreigners", a target for NSA mass surveillance, there is clearly ambivalence about whether RSA is really wiping the slate clean.

"They should have known better," says Hypponen, adding that the world is left trying to decide whether RSA is guilty of collusion with the NSA over this backdoor or merely of "incompetence" in not realizing what was really happening.

Ellen Messmer is senior editor at Network World, an IDG website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: emessmer@nww.com
