On February 10, 2020, William P. Barr, United States Attorney General, announced that the United States was indicting four members of the People’s Liberation Army in China for hacking Equifax in 2017. The accused men, Wu Zhiyong, Wang Qian, Xu Ke and Liu Lei, accessed and stole the names, birth dates, and social security numbers of 145 million Americans, as well as the driver’s license numbers from at least 10 million Americans. Although it is unlikely that they will appear in court, the men were indicted on nine charges: computer fraud conspiracy, computer fraud and abuse with intentional damage and unauthorized access, conspiracy to commit economic espionage, economic espionage, conspiracy to commit wire fraud and wire fraud. The four men spent weeks doing reconnaissance, uploading malicious software, and stealing login credentials, all in order to prepare to steal both the birth date of millions of Americans, but also to take the intellectual property of Equifax — the design of their databases, which is the culmination of decades of work. As a precaution against getting caught, the hackers routed their traffic through 34 servers in 20 countries.
They were able to hack the company through a vulnerability in the company’s dispute resolution system, a software that they had purchased through a firm that announced the vulnerability in 2017. However, Equifax failed to fix it, and the four Chinese soldiers were able to breach that vulnerability. Furthermore, the United States Computer Emergency Readiness Team, an organization within the Department of Homeland Security, warned Equifax months before the breach that the system was vulnerable. The House Oversight Committee concluded that the hack was therefore entirely preventable.
This hack is part of a larger effort by the Chinese government to create a database of American information. There have been a number of hacks over the past decade, including the 2015 attacks on the health insurance firm Anthem and the Federal Office of Personnel Management, as well as the 2018 hack of the Marriott hotel chain. Barr has described the Chinese as having a “voracious appetite” for American’s personal information.
There is worry that the information that has been gathered could be used to specifically target individuals with access to information the Chinese government may want—researchers at universities, government employees, and the like. Most instances of hacking are from non-state actors with either financial or ideological motives; often hacking is used to gather information in order to “doxx” people—publish their private data—online. However, these cases of hacking by governments abroad worry both Washington and firms like these more, for good reason: the hackers are more sophisticated, and they have a powerful state behind them.
In his announcement of the indictment, Barr called the attack “a deliberate and sweeping intrusion into the private information of the American people,” and went on to say that “this data has economic value, and these thefts can feed China’s development of artificial intelligence tools.” He swore that Washington would hold China “accountable for their criminal actions,” although they do not usually charge other countries’ military or intelligence officers.
China has responded, bringing into question the validity of the United States’ claims given their international presence in the cyber security realm—accusing the United States of having a double standard. Chinese Foreign Ministry spokesman Geng Shuang decried the accusation: “the Chinese government, military and relevant personnel never engage in cyber theft of trade secrets:” He said that the accusations were “without a basis in fact,” and that the accusation is “completely hegemonic and amounts to legal bullying.” After denouncing the charges, he pressured the United States to drop the indictment: “We demand the United States immediately correct this mistake and repeal the charges in order to avoid another destructive step in the relationship between the two countries and militaries.”
This clearly amounts to a threat, and although after the two year investigation there is little doubt that the Chinese PLA officers did carry out the attack, Geng is correct to point out that the United States has been involved in spying on data from countries around the world. The U.S. and China both engage in spy on foreign businesses; a letter from Russia to the court involved in the United States lawsuit against the Russians for 2016 election interference read: “As current and former US officials have acknowledged on many occasions, the United States —acting primarily through the NSA within the US Department of Defense — is one of the most prolific practitioners of cyber attacks and cyber-intrusions on the planet.” The United States enjoys sovereign immunity in foreign courts worldwide. To request that the United States and other countries worldwide all agree to stop spying on each other’s data is equally fruitless as requesting that those countries demilitarize: it won’t happen.
That said, Equifax’s failure to protect themselves from the attack, while knowing they were vulnerable, is criminal. The fact that their oversight makes hundreds of millions of Americans vulnerable to any number of things—espionage, extortion, financial losses—means that they must proceed by making their systems more secure. The United States government needs to bring them to justice. The most significant retribution inflicted on Equifax was the IRS pulling out of a $7.2 million contract, and a group of five Oklahomans suing them. As we have seen, it is a national security issue, and the United States government should treat it as such.