China indictments spotlight military's vulnerability

iStockPhoto / FCW

The Justice Department’s indictment this week of five Chinese military officials on cyber espionage charges raised the specter of China’s alleged ongoing efforts to steal intellectual property from the U.S. military.

The hacking alleged in the indictment did not surprise defense-industry cyber experts interviewed by FCW. China’s targeting of American military know-how is no secret. Nor was the Pentagon caught off guard, according to a spokesperson, who said the department had advance notice of the indictment.

How prepared the defense industry is for such cyber espionage in the long run will depend, at least in part, on an information-sharing framework between government and contractors that participants say has improved in recent years.

A confidential 2013 Defense Department report cited by the Washington Post said Chinese spies had hacked designs for some of the United States’ most advanced weapons systems. The public version of that report by the Pentagon’s Defense Science Board named China and Russia as nation-states capable of penetrating well-defended systems and willing to try “lower-tier exploits first before exposing their most advanced capabilities.” 

The Chinese military engages in cyber operations that range in sophistication from the very basic to complex coding that targets American drones and strike fighters, said Tony Cole, vice president and global government CTO at FireEye, a network security firm.

Defending against those more advanced threats is complicated by the IT embedded in weapons systems. DOD has admitted that it has work to do to shore up such IT-enabled vulnerabilities.

“While DOD takes great care to secure the use and operation of the ‘hardware’ of its weapon systems, the same level of resource and attention is not spent on the complex network of information technology (IT) systems that are used to support and operate those weapons or critical IT capabilities embedded within them,” the 2013 DOD report concluded.

The department’s “dependence on this vulnerable technology is a magnet to U.S. opponents,” and DOD’s efforts to address the problem were “fragmented,” the report said. 

A senior DOD official expressed similar concerns at an industry event last month. “Employing reverse engineering techniques, adversaries can exploit weapon-system technical plans for their own benefit. Perhaps even more significant, they have gained insight into operational concepts and system use, developed from decades of U.S. operational and developmental experience,” the official said.

The cybersecurity posture of U.S. allies also affects that of Washington, according to Cole.

China is “not stealing just from us. If we have new technology that we’re developing, many times we’re sharing that very closely with our allies,” he said. China’s cyber spies also have in their crosshairs Great Britain and, in their own neighborhood, South Korea and Japan, he said.

But Cole said that this added vulnerability should not make Washington less willing to share its military capabilities with allies.

“I think we just need to actually have wider awareness of the risk, across the board, to other governments that we share technology with, as well as their integrator community that supports them,” he argued.

The Defense Industrial Base Cybersecurity Information Assurance program is one of government and industry’s main information-sharing mechanisms for warding off cyber espionage. Defense officials have lauded it for improving trust between government and contractors in sharing threats.

Cole was optimistic about the ability of programs like DIB CS/IA to cope with China’s state-sponsored hacking. If “somebody goes after a new jet that we’re building, maybe they get wing design and that’s all they get, because we catch it, we find out, we stop it, and they only get a component of it, versus pulling down a terabyte of data and they have the entire design,” he said.  

About the Author

Sean Lyngaas is an FCW staff writer covering defense, cybersecurity and intelligence issues. Follow him on Twitter: @snlyngaas

The 2015 Federal 100

Meet 100 women and men who are doing great things in federal IT.


  • Shutterstock image (by venimo): e-learning concept image, digital content and online webinar icons.

    Can MOOCs make the grade for federal training?

    Massive open online courses can offer specialized IT instruction on a flexible schedule and on the cheap. That may not always mesh with government's preference for structure and certification, however.

  • Shutterstock image (by edel): graduation cap and diploma.

    Cybersecurity: 6 schools with the right stuff

    The federal government craves more cybersecurity professionals. These six schools are helping meet that demand.

  • Rick Holgate

    Holgate to depart ATF

    Former ACT president will take a job with Gartner, follow his spouse to Vienna, Austria.

  • Are VA techies slacking off on Yammer?

    A new IG report cites security and productivity concerns associated with employees' use of the popular online collaboration tool.

  • Shutterstock image: digital fingerprint, cyber crime.

    Exclusive: The OPM breach details you haven't seen

    An official timeline of the Office of Personnel Management breach obtained by FCW pinpoints the hackers’ calibrated extraction of data, and the government's step-by-step response.

  • Stephen Warren

    Deputy CIO Warren exits VA

    The onetime acting CIO at Veterans Affairs will be taking over CIO duties at the Office of the Comptroller of the Currency.

  • Shutterstock image: monitoring factors of healthcare.

    DOD awards massive health records contract

    Leidos, Accenture and Cerner pull off an unexpected win of the multi-billion-dollar Defense Healthcare Management System Modernization contract, beating out the presumptive health-records leader.

  • Sweating the OPM data breach -- Illustration by Dragutin Cvijanovic

    Sweating the stolen data

    Millions of background-check records were compromised, OPM now says. Here's the jaw-dropping range of personal data that was exposed.

  • FCW magazine

    Let's talk about Alliant 2

    The General Services Administration is going to great lengths to gather feedback on its IT services GWAC. Will it make for a better acquisition vehicle?

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above