China's government conducted cyber attacks against American businesses in violation of a U.S.-China agreement made during the Obama administration, the admiral in charge of Cyber Command told Congress on Tuesday.
Adm. Mike Rogers, retiring commander of Cybercom, testified that China's aggressive cyber attacks are one feature of Beijing's pursuit of economic and diplomatic interests in violation of established international norms.
"China's behavior in cyberspace exemplifies this trend," Rogers told the Senate Armed Services Committee in prepared remarks.
The four-star admiral, who also is director of the National Security Agency, said the agreement reached in 2015 between Chinese supreme leader Xi Jinping and then-President Barack Obama called for both sides to refrain from cyber attacks that steal intellectual property for commercial gain.
"Subsequent evidence, however, suggests that hackers based in China sustained cyber espionage that exploited the business secrets and intellectual property of American businesses, universities, and defense industries," Rogers said, noting the Justice Department indictment of three Chinese hackers that stole data from American companies.
The three hackers worked for Boyusec, a Chinese cyber security firm and front company that U.S. intelligence has linked to China's Ministry of State Security, the civilian spy service.
The 2015 agreement called for the United States and China to halt government-sponsored cyber espionage against companies.
"In addition, the Chinese government could exploit the production of information and technology products to harvest corporate, government, and even personal data from foreign countries," Rogers stated.
It was the first time a senior military or intelligence official confirmed China has failed to adhere to the 2015 agreement the Obama administration touted as halting Chinese cyber attacks.
Previously, officials in congressional testimony hedged assessments on whether China was abiding by the accord, asserting that the agreement produced a reduction in cyber thefts.
Without mentioning China, Rogers said several states "mounted sustained campaigns against our cleared defense contractors to scout and steal key enabling technologies, capabilities, and systems."
"Our adversaries have grown more emboldened, conducting increasingly aggressive activities to extend their influence without fear of significant consequence," he said. "We must change our approaches and responses here if we are to change this dynamic."
The committee budget hearing centered on Cybercom's fiscal 2019 budget request, which has not been made public. The command, currently part of Strategic Command, will be elevated to an independent combatant command this year.
Cybercom's budget last year was $647 million. It has 6,187 people in 133 Cyber Mission Force teams at its headquarters in Fort Meade, Md., and spread throughout the world with military services and commands.
In the eight years since its formation in 2009, Cybercom has remained hamstrung by unclear lines of authority for its operations to protect defense networks and respond to foreign cyber attacks.
Rogers stated several times during the hearing "we're not there yet" when asked about resolving command organizational problems.
On Russia, the Justice Department recently indicted 13 Russians and three companies for their covert role in interfering with the 2016 election through social media.
No action, however, has been taken against China for its large-scale cyber attacks, including the 2015 theft of 22 million records of federal workers from the Office of Personnel Management. Other, more damaging Chinese cyber attacks have been carried out against American military and private sector networks, including defense contractor systems.
Democrats pressed Rogers during the hearing to explain why the Trump administration has not taken stronger action against Russia for election meddling. The interference involved both cyber attacks and posting of stolen documents online, along with the use of social media and advertising in attempts to influence voters.
Rogers said some steps were taken to thwart Russian influence activities. But Moscow remains undeterred from the activities that are expected to continue in the 2018 midterm elections, he said.
Against Russian operations, Rogers said, "I have directed the National Mission Force to begin some specific work." He did not elaborate.
However, the United States is not retaliating by interfering in the upcoming presidential elections in Russia, he said, noting, "we are doing some things."
The Russians "haven't paid a price, at least, that's sufficient to get them to change their behavior," the commander said.
"Clearly what we've done hasn't been enough," he said. "I believe that [Russian] President Putin has clearly come to the conclusion there's little price to pay here," he said. "And that therefore 'I can continue this activity.'"
Against terrorism, Rogers credited Cybercom with conducting effective cyber attacks against the Islamic State terror group. ISIS, he said, is now weakened and has lost some 98 percent of its territory in Iraq and Syria. "Cyberspace operations played an important role in this campaign," he said.
Few details were disclosed but Rogers said they included working with military and security forces "to find and destroy the key nodes in ISIS online infrastructure and media operations."
China is among four nations posing major cyber threats. Russia, North Korea, and Iran are the others.
However, China's cyber attacks have eclipsed all others in terms of the theft of extremely important data.
Classified National Security Agency documents made public several years ago revealed that Chinese cyber theft inflicted what NSA called "serious damage to [Defense Department] interests."
Under a Chinese government cyber espionage operation code-named Byzantine Hades, NSA reported that Chinese hackers were traced to 30,000 incidents, including 500 that were labeled "significant intrusions of DoD systems" against at least 1,600 network computers and 60,000 user accounts.
The Chinese cyber attacks cost more than $100 million to assess damage and rebuild compromised networks, including strategically important information systems, such as air refueling schedules for the Pacific Command used during the movement of F-22 fighters over long distances.
China also obtained internal Air Force records for 33,000 officers and more than 300,000 user identifications and passwords from the Navy.
Navy missile navigation and tracking systems information and Navy nuclear submarine and antiaircraft missile designs also were stolen.
China's defense industrial espionage against the United States penetrated and stole data from the military’s most advanced systems, including the B-2 bomber, F-22 and F-35 fighter jets, the space-based laser, and others, NSA stated.
Chinese cyber spies stole 50 terabytes of data, five times all the information contained in the nearly 161 million books and other printed materials held by the Library of Congress, the agency document stated.
Rogers said a fifth threat area involving non-state cyber actors has not developed as a threat as rapidly as other cyber dangers.
"China and Russia, who we see as peer and near-peer competitors in cyberspace, remain our greatest concern, but rogue regimes like Iran and North Korea have growing capabilities and are using aggressive methods to conduct malicious cyberspace activities," he said.
Overall, cyber attacks have "evolved dramatically" in the eight years since Cybercom was first set up.
"Today we face threats that have increased in sophistication, magnitude, intensity, volume and velocity, threatening our vital national security interests and economic well-being," Rogers said.
On Russia, Rogers said Russia's military was behind what he called the most costly cyber attack in history, involving the use of "NotPetya" malware. The malware encrypted and ruined data on thousands of Ukrainian hard drives.
"This cyber attack quickly spread well beyond Ukraine, causing billions of dollars in damages to businesses across Europe and as far away as the United States," he said.
NotPetya and a separate sophisticated malware called "WannaCry" were based on modified cyber attack capabilities posted by an anonymous group called the Shadow Brokers, Rogers said.
The Shadow Brokers emerged in 2016 and posted stolen NSA hacking tools, including those using what are called zero-day exploits—strategic flaws in operating systems that are used in attacks until the flaws are patched.
Rogers said states he did not identify were behind some of the cyber attacks that used malware posted by the Shadow Brokers.