4. Security Expert: Mandiant Failed At Attribution
Criticism of Mandiant's conclusions has also come from information security circles. "My problem with this report is not that I don't believe that China engages in massive amounts of cyber-espionage. I know that they do -- especially when an executive that we worked with traveled to Beijing to meet with government officials with a clean laptop and came back with one that had been breached while he was asleep in his hotel room," said Jeffrey Carr, CEO of Taia Global, in a blog post.
Carr also recently criticized Mandiant's report that Chinese attackers hacked into The New York Times, and said that if the group's APT1 evidence had been submitted to a "professional intelligence analyst," for example at the CIA, a more rigorous analysis -- for example by using the Analysis of Competing Hypotheses (ACH) vetting process -- would likely have failed to prove attribution.
"My problem is that Mandiant refuses to consider what everyone that I know in the intelligence community acknowledges -- that there are multiple states engaging in this activity; not just China," Carr said. "And that if you're going to make a claim for attribution, then you must be both fair and thorough in your analysis and, through the application of a scientific method like ACH, rule out competing hypotheses and then use estimative language in your finding. Mandiant simply did not succeed in proving that Unit 61398 is their designated APT1 aka Comment Crew."
5. U.S. Considers The Diplomacy Angle
After the Mandiant report went public, reporters began pressing U.S. government officials about what they planned to do about the perceived threat. On that front, the White House this week unveiled a new strategy aimed at combating the theft of U.S. trade secrets by hackers.
That strategy includes diplomatic efforts, which are already underway. "We've raised our concern at the highest level about cyberthreats from China, including the involvement of the military," said U.S. Department of State spokeswoman Victoria Nuland in a Tuesday media briefing, without commenting on whether the government sees the Chinese government as being behind the APT1 attacks. "Without getting too deeply into the details of private diplomatic discussions we're having, what we have been involved with is making clear that we consider this kind of activity a threat not only to our national security but also to our economic interests, and laying out our concerns specifically so that we can see if there's a path forward."
6. Follow The Money
Mandiant said that APT1 alone has stolen terabytes of data from at least 140 different businesses. But to what end? Furthermore, some commentators have asked why this potentially incendiary information security data is coming from a firm that sells information security services, rather than from the U.S. government? "Shouldn't a military intelligence report about APT1 come from the government instead of an IT consultancy? Dodgy," tweeted Australia-based security engineer Vitaly Osipov.
Likewise, others have questioned whether a Chinese military agency would commit the sorts of sloppy mistakes that allowed Mandiant to trace the attacks back to their supposed origin.
"Perhaps the question we should be asking isn't 'Who did it?' but rather 'Who benefits?'" said John Artman, a presenter and producer at China Radio International in Beijing, in a blog post. "So far, it appears to be U.S. policymakers bent on beefing up cybersecurity legislation using China as the go-to bogeyman. Naturally, lots of media have fallen in step, regurgitating a tired, not-at-all subtle narrative that we should know better than to accept at face value."