‘What else is new?’: China’s hack on Microsoft follows a storied history of cyber-espionage
When James Lewis first heard about China’s hack on Microsoft — which allowed intruders to access unclassified emails for top U.S. officials — his reaction was unusual: “I burst out laughing because stealing somebody's encryption keys, that's a major deal.”
Lewis is director of the Strategic Technologies Program at the Center for Strategic and International Studies in Washington, D.C. His reaction stemmed, in part, from his years spent studying and attempting to thwart Chinese cyber-espionage campaigns. Lewis noted that, amid a long history of Chinese hackers stealing intellectual property and U.S. government secrets, the latest attack stands out for its cleverness. According to Microsoft, the threat actors forged their own authentication tokens and used them to impersonate government officials, reading email inboxes without ever needing a username or password.
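Why a stolen signing key is, in Lewis's words, "a major deal" is easiest to see with a small worked example. The following is an added illustration for this page, not code from the article, from Microsoft or from CSIS: a toy bearer-token issuer and verifier in the style of a JWT, using HMAC-SHA256 where production identity systems use asymmetric signatures. The key material, the issuer URL, the key ids `k1`/`k2` and the mailbox names are all constructed for the demo. The point it demonstrates is general: a verifier accepts any token whose signature validates under a trusted key, so whoever holds that key can mint tokens for any subject, and the verifier cannot tell a forged token from a legitimate one. Editing an existing token without the key fails; only key theft removes the need for a password.

```python
import base64
import hashlib
import hmac
import json

# Constructed toy key material for the demonstration; not real keys.
SIGNING_KEYS = {
    "k1": b"constructed-demo-key-1-not-real",
    "k2": b"constructed-demo-key-2-not-real",
}
ISSUER = "https://login.example.test"  # hypothetical token issuer
NOW = 1_700_000_000                    # fixed clock so the demo is deterministic


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(kid, key, subject, issuer=ISSUER, now=NOW, ttl=3600):
    """Mint a signed bearer token. Anyone holding `key` can call this; the
    token itself carries no proof that the legitimate issuer minted it."""
    header = {"alg": "HS256", "kid": kid}
    claims = {"sub": subject, "iss": issuer, "iat": now, "exp": now + ttl}
    signing_input = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)


def verify_token(token, trusted_keys, revoked_kids, issuer=ISSUER, now=NOW):
    """Return the claims if the token is acceptable, otherwise None.
    Checks: well-formed, known and non-revoked kid, valid MAC, issuer, validity window."""
    try:
        h_b64, c_b64, s_b64 = token.split(".")
        header = json.loads(_unb64(h_b64))
        claims = json.loads(_unb64(c_b64))
        sig = _unb64(s_b64)
    except ValueError:  # bad split, bad base64, bad UTF-8 or bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    kid = header.get("kid")
    if header.get("alg") != "HS256" or not isinstance(kid, str):
        return None
    if kid not in trusted_keys or kid in revoked_kids:
        return None
    expected = hmac.new(trusted_keys[kid], (h_b64 + "." + c_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    if claims.get("iss") != issuer:
        return None
    if not (claims.get("iat", now + 1) <= now < claims.get("exp", 0)):
        return None
    return claims


def tamper_without_key(token, new_subject):
    """Rewrite the subject claim but keep the old signature: what an attacker
    WITHOUT the signing key can do. The verifier must reject this."""
    h_b64, c_b64, s_b64 = token.split(".")
    claims = json.loads(_unb64(c_b64))
    claims["sub"] = new_subject
    return h_b64 + "." + _b64(json.dumps(claims).encode()) + "." + s_b64


def demo():
    """Walk through a legitimate token, a token forged with the stolen key,
    a key-less edit, and the effect of revoking the compromised key id."""
    legit = issue_token("k1", SIGNING_KEYS["k1"], "alice@example.test")
    # The attacker has exfiltrated k1 and mints a token for a high-value mailbox.
    # No username or password is involved, and the verifier cannot tell the two
    # tokens apart: both carry a valid MAC under a trusted key id.
    forged = issue_token("k1", SIGNING_KEYS["k1"], "secretary@agency.example.test")
    edited = tamper_without_key(legit, "secretary@agency.example.test")
    results = {
        "legit_accepted": verify_token(legit, SIGNING_KEYS, set()) is not None,
        "forged_accepted": verify_token(forged, SIGNING_KEYS, set()) is not None,
        "edited_accepted": verify_token(edited, SIGNING_KEYS, set()) is not None,
    }
    # Response to key theft: retire k1 and re-issue under k2. Every token under
    # the compromised kid dies with it, legitimate ones included.
    revoked = {"k1"}
    reissued = issue_token("k2", SIGNING_KEYS["k2"], "alice@example.test")
    results["forged_after_rotation"] = verify_token(forged, SIGNING_KEYS, revoked) is not None
    results["legit_after_rotation"] = verify_token(legit, SIGNING_KEYS, revoked) is not None
    results["reissued_accepted"] = verify_token(reissued, SIGNING_KEYS, revoked) is not None
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:24} {'ACCEPTED' if ok else 'rejected'}")
```

Two practical points follow from the demo. First, the defensive checks that normally catch token abuse (signature, issuer, expiry) all pass for the forged token, because the forgery is cryptographically indistinguishable from a genuine issuance; detecting it requires logging which key id signed each accepted token and hunting for subjects or sources that the legitimate issuer never served. Second, the only remedy for a leaked key is to revoke that key id and re-issue, which invalidates every legitimate token signed under it as well, so key rotation has to be rehearsed rather than improvised.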
First discovered in June by the State Department, the breach also targeted Secretary of Commerce Gina Raimondo and U.S. Ambassador to China Nicholas Burns.
The timing was no coincidence. The breach occurred weeks before Secretary of State Antony Blinken traveled to Beijing and amid talks of ongoing sanctions to restrict exports of chips and other technologies to China. As Lewis put it, “a standard part of the Chinese playbook for any negotiation is to hack the other side.”
Lewis, a former U.S. diplomat, has been working on issues related to China and cybersecurity for more than a decade. In the latest episode of the Click Here podcast, he spoke about the Microsoft hack, China’s history of cyber-espionage and why he thinks cyber deterrence is a “complete flop.”
This conversation has been edited for length and clarity.
Click Here: Let’s start with the Microsoft hack. When news of that came out, what was your first reaction? James Lewis: I had two reactions. The first reaction was I burst out laughing because stealing somebody's encryption keys, that's a major deal. And so I thought whoever those Chinese guys are, they need to get a medal. The second thing I thought was, I've seen this movie before. In fact, I saw it in 2008, which is largely when I started doing cybersecurity because in 2008 the Chinese [hacked into the Department of Commerce]. And so I thought, What else is new?
CH: I don't think of the Commerce Department as being a really juicy target. Has that changed? JL: No, in fact, that's what I used to think. But what's changed here is [Commerce Secretary Gina] Raimondo is the fireball of the administration, and the Chinese are all up in arms about the sanctions and export controls. So Commerce has become an important target for them. She's got a trip coming up, and it’s standard Chinese practice to hack into your emails before you meet with somebody. That's just par for the course. It's been true for a decade. They wonder what's next in the pipeline, and they're neuralgic about the current export controls and the [Entity List]. But a standard part of the Chinese playbook for any negotiation is to hack the other side.
CH: And are you in the camp that thinks they just hacked the cloud in this latest episode and that it was limited? Or do you think there's another shoe to drop? JL: Well, at any given moment, there's probably some number greater than one of global Chinese cyber-espionage campaigns going on around the world. And this was just another one. They target particular places, and they’ve moved from individual targets to service providers as a way to hit multiple targets at once. Of course there'll be another chapter in Chinese cyber-espionage, but I think this incident was probably a one-off.
CH: So they make encryption tokens and they grab stuff out of the cloud. There's been this psychological idea that, Hey, if I take my cybersecurity off-prem and give it to Microsoft and the experts there, my stuff will be safe. Has this hack sort of eroded the psychology behind the cloud on how it'll be safe? JL: You know, I don't think so. I think the general belief is [that] if you move to the cloud, you'll be safer. And a lot of this is smaller agencies like OPM [United States Office of Personnel Management] and their 14-person IT department versus the People's Liberation Army. So you're still better off moving to the cloud. What this points to is we have got to hold the cloud service providers more accountable for ensuring security. If you look at the big guys — Google, AWS [Amazon Web Services], Microsoft — you're better off going with them. But you have to make sure you have the right kind of contract in place to protect yourself. I think it's embarrassing for Microsoft. But in general, you're better off in the cloud.
CH: Do you think the general public really knows the scale of these hacking operations or that it's standard operating procedure that before a meeting they hack into your email to see what you're asking for? JL: No. And part of that is because cyber-espionage is invisible. You don't see it. And so if the Chinese, for example, instead of hacking Microsoft and getting access to State and Commerce that way, if they backed a truck up to the glass doors on 22nd Street at the State Department, smashed the glass doors, ran in and wheeled out dozens of safes and file cabinets, there would've been uproar, right? But when they do it in cyberspace nobody cares.
CH: Are the Chinese getting better at this? Are they getting more sly or are there just more Chinese hackers looking for more targets? JL: Certainly over the last 10 years they've gotten better. Before, the Chinese didn't care if you saw them. And there're so many easy targets in the U.S. They generally went after the easy targets. Now they have become much more efficient, much stealthier. So there's been a marked improvement in Chinese capabilities, but I'd say it's really since 2013 — not just overnight. [Note: The New York Times recently reported that U.S. officials have discovered Chinese malware in critical networks supporting American military bases around the world.]
CH: And just to be fair here, it isn't just the Chinese. Didn't the French used to have microphones in the Concorde? [Note: France has long been accused of bugging flights of U.S. officials and business people traveling on the Concorde supersonic aircraft.] JL: Yeah, when I worked at a big negotiation in Paris, the French gave us a photocopying machine, which was very nice of them. But we thought, you know, one copy for me, one copy for them. The French are not as active as the Chinese. It would be hard for anybody to be as active as the Chinese, but they do engage in commercial and diplomatic espionage against the United States. Not always, but enough times to be noticeable.
CH: Right. It's not a uniquely Chinese tactic. JL: Oh, no, no. But the scale and scope of Chinese cyber-espionage is overwhelming. It's remarkably aggressive, remarkably broad.
CH: Is there such a thing as cyber deterrence or is it just making things harder to break into? JL: Oh, that's a setup [laughing]. I love deterrence because it's like building an imaginary line in cyberspace and people are surprised: But they went around it. It's like, yes, I regret to announce that deterrence is a complete flop. If you talk to the people in the NSC [National Security Council] or the Office of the National Cyber Director or some of our Five Eyes partners, they will tell you deterrence doesn't work and we need to do something else. That's very difficult because that “something else” is hard to define.
CH: And I guess the only way it's really deterrence is that you're making it harder to break in, right? Sort of like putting stronger doors on the cockpit. JL: The problem is that we need them to stop coming after us so much. And the theory is they'll be frustrated and give up because they're not as successful as they once were. And that, of course, is just silly. You're an intelligence agency. You're gonna dedicate immense resources — and, if necessary, years — to attain your goal. And so making it a little harder to get in slows them down, but it's not gonna discourage them.
CH: So do we need to be more open about hacking back? JL: That's where it gets difficult because there's a whole set of complications there. Espionage is not something that justifies the use of retaliatory force. I got a note from [South] Korea this morning saying, how do we impose consequences for malicious behavior in cyberspace? I've had that discussion with the Germans, the Australians, the Brits. There's a dilemma, of course. Some people say, Our spying is OK. Your spying is not. And the Chinese say, Oh, come on. Get off it. So we may have to think about where we're willing to make concessions to increase trust. We’re not there yet. The French certainly aren't there yet. The Chinese are definitely not there yet. But we may need some clear understanding of what the limits are in cyberspace when it comes to this kind of stealing, cyber-espionage, and theft of intellectual property. But we don't even have the mechanisms in place to discuss that.
Dina Temple-Raston is the Host and Managing Editor of the Click Here podcast as well as a senior correspondent at Recorded Future News. She previously served on NPR’s Investigations team focusing on breaking news stories and national security, technology, and social justice and hosted and created the award-winning Audible Podcast “What Were You Thinking.”
Will Jarvis is a podcast producer for the Click Here podcast. Before joining Recorded Future News, he produced podcasts and worked on national news magazines at National Public Radio, including Weekend Edition, All Things Considered, The National Conversation and Pop Culture Happy Hour. His work has also been published in The Chronicle of Higher Education, Ad Age and ESPN.