Companies take lead against cyberattacks
Government 'doesn't have the capacity,' so firms step in.
WASHINGTON - When Kevin Mandia, a retired military cybercrime investigator, decided to expose China as a primary threat to U.S. computer networks, he did not have to consult with American diplomats in Beijing or declassify tactics to safely disclose government secrets.
He pulled together a 76-page report based on seven years of his company's work and produced the most detailed public account yet of how, he says, the Chinese government has been rummaging through the networks of major U.S. companies.
It was not news to Mandia's commercial competitors, or the federal government, that systematic attacks could be traced back to a nondescript office building outside Shanghai that he says he believes was run by the Chinese army.
What was remarkable was that the extraordinary details - code names of hackers, one's affection for Harry Potter, and how they stole sensitive trade secrets and passwords - came from a private security company without the official backing of the U.S. military or intelligence agencies that are responsible for protecting the nation from a cyberattack.
The report, embraced by stakeholders in both government and industry, represented a notable alignment of interests in Washington: The Obama administration has pressed for new evidence of Chinese hacking that it can use in diplomatic talks - without revealing secrets about its own hacking investigations - and Mandia's company, Mandiant, makes headlines with the sensational revelations.
The report also shows the balance of power in America's cyberwar has shifted into the hands of the $30 billion-a-year computer security industry.
"We probably kicked the hornet's nest," Mandia, 42, said in an interview at Mandiant's headquarters in Alexandria, Va. But "tolerance is just dwindling. People are tired of the status quo of being hacked with impunity, where there's no risk or repercussion."
China has disputed Mandiant's allegations.
Mandiant, which took in about $100 million in business in 2012 - up 60 percent from the year before - is part of a lucrative and exploding market that goes beyond antivirus software and firewalls. These "digital forensics" outfits can tell a business whether its systems have been breached and - if the company pays extra - who attacked it.
Mandiant's staff is stocked with retired intelligence and law enforcement agents who specialize in computer forensics and promise their clients confidentiality and control over the investigation. In turn, they get unfettered access to the crime scene and resources to fix the problem. (Mandiant will not say exactly how much it charges, but it is estimated to average around $400 an hour.)
The growing reliance on contractors such as Mandiant has been compared to that enjoyed by the military and State Department contractor formerly known as Blackwater, which provided physical security to diplomats and other VIPs during the Iraq war. Officials inside and outside government say that's not a bad thing; contractors can often act more quickly than the government and without as much red tape. There are also serious privacy concerns: Most U.S. citizens don't want the government to gain access to their bank accounts, for example, even if China is attacking their bank.
"The government doesn't have the capacity," said Shawn Henry, a former FBI executive assistant director who works for a Mandiant competitor, CrowdStrike. "There are a lot of people working hard. But the structures aren't there."
Michael DuBose, another former senior Justice Department official who works at a different Mandiant competitor, Kroll Advisory Solutions, added: "I think there's a recognition that the government can't stand at the entry point of the Internet to the United States and shield it from all bad things coming in."
Since Mandiant released its report this week, government officials and lawmakers have publicly embraced its findings. Sen. Dianne Feinstein, of California, the Democratic chairwoman of the Senate Intelligence Committee, hailed Mandiant for exposing China as a problem. She called its report "sobering" and said she hoped it would spur an international agreement to protect companies from cyber-espionage.