Episode 4: "Naming and Shaming" of To Catch a Thief: China’s Rise to Cyber Supremacy
Host: Nicole Perlroth
Guests: Dave DeWalt (NightDragon), Kevin Mandia (Mandiant), Ben Santeris, Steve Stone, John Carlin, Paul Moser
Release Date: March 31, 2025
1. Introduction: Unveiling China’s Cyber Dominance
In the fourth episode of To Catch a Thief: China’s Rise to Cyber Supremacy, host Nicole Perlroth delves into the intricate web of Chinese cyberattacks that have systematically undermined American industries and infrastructure. The episode, titled "Naming and Shaming," explores how China's state-sponsored hacking evolved from mediocre intrusions to becoming an apex predator targeting the United States' critical sectors.
2. China's Meteoric Economic Ascent and Cyber Prowess
Nicole Perlroth sets the stage by highlighting China's rapid transformation:
“Within a few decades, the Chinese economy went from agrarian backwater to manufacturing middleman, to world-class innovator in its own right.” ([00:04])
She cites prominent examples where China has outpaced the U.S. through aggressive cyber strategies:
- Huawei: Once the world's leading telecom equipment supplier, now facing global rejection.
- Solar Panels: Despite American innovations in 1954, China controls over 80% of the global supply chain.
- TikTok: Emerged as the fastest-growing social media app, surpassing American counterparts.
- DJI Drones: Dominating both consumer and U.S. law enforcement markets.
- BYD Electric Vehicles: Surpassing Tesla in the global EV market by 2023.
3. Mechanisms of Cyber Theft: IP Theft and Market Domination
Nicole emphasizes how cyber theft and subsidies enabled Chinese companies to dominate:
“The hacking, the outright theft gave them a huge leg up.” ([02:03])
She explains that Chinese firms, such as Huawei and SolarWorld, leveraged stolen intellectual property (IP) to produce similar products at lower costs, effectively driving American competitors out of business. This strategy not only stifled American innovation but also led to the loss of jobs and economic stability in numerous U.S. towns.
4. Firsthand Accounts from Cybersecurity Veterans
Dave DeWalt, CEO of NightDragon and former CEO of McAfee and FireEye, provides an insider perspective:
“That time period was the most dangerous in America's history. I think as we really got a superpower elevated, probably 50 years of IT advancement in a five-year period because developing all that on your own would never have happened.” ([02:41])
DeWalt recounts how Chinese cyberattacks accelerated China's technological capabilities, enabling them to overtake sectors like aviation and energy through persistent and sophisticated breaches.
5. The Revelation of APT1 and Public Attribution
The episode details the emergence of APT1 (Advanced Persistent Threat 1), a codename used by the Bush administration to covertly refer to Chinese hackers:
“The Bush administration didn't want to say China, so they called it Advanced Persistent Threat. That's code for China.” ([03:38])
Perlroth narrates her investigation into a significant breach at The New York Times, where Chinese hackers infiltrated systems by hijacking a Chinese takeout restaurant’s PDF menu:
“Once they were in, getting these Chinese hackers out of your systems, finding and closing every backdoor was a huge challenge.” ([04:00])
This breach exemplified the relentless persistence of Chinese cyber operations, even after apparent clean-ups.
6. Government Action: Indictments and Legal Pursuits
The collaboration between journalists and cybersecurity experts led to a pivotal moment. John Carlin, former Assistant Attorney General for National Security, discusses how public attribution enabled legal actions:
“It was about more than justice for the victimized American companies. This was about establishing global norms of acceptable behavior.” ([24:40])
A grand jury in Pennsylvania indicted five members of PLA unit 61398, naming victims like SolarWorld, US Steel, and Westinghouse Electric. This legal move marked a significant step in holding Chinese entities accountable for their cybercrimes.
7. Evolution of Chinese Hacking Tactics: From Military Units to Mercenaries
The podcast explores the diversification of Chinese cyber operations beyond military units to include private contractors and "gunslingers":
“These were moonlighters tasked with episodic state missions. Privately employed engineers who got paid by the state to hack on the side.” ([29:14])
Paul Moser, a New York Times correspondent, explains how under Xi Jinping, Chinese hacking shifted to a more decentralized and profit-driven model, fostering a mercenary-like hacker community:
“They become this almost mercenary army, the sort of hackers for hire, soldiers of fortune.” ([35:09])
This shift increased the sophistication and stealth of Chinese cyberattacks, making them more difficult to trace and mitigate.
8. Case Study: The Demise of SolarWorld and Its Implications
SolarWorld serves as a poignant example of the devastating impact of Chinese cyber theft:
“In 2012, SolarWorld discovered Chinese hackers had broken into its network and passed its crown jewels over to Chinese state-owned enterprises.” ([13:14])
Despite legal battles and lobbying for tariffs, SolarWorld succumbed to overwhelming competition from subsidized Chinese panels, leading to massive layoffs and the eventual closure of its Hillsboro, Oregon factory in 2021. This case underscores the broader economic repercussions of sustained cyber aggression.
9. The Critical Role of Attribution and Public Disclosure
Initially, American leaders hesitated to publicly attribute cyberattacks to China due to economic dependencies. However, investigative journalism and collaboration with cybersecurity firms like Mandiant changed the landscape:
“When Mandia read China's denial in my story, he decided, screw it, let's show them the proof.” ([17:15])
Publicly naming Chinese hacking units forced the U.S. government to take definitive actions, shifting from passive acknowledgment to active prosecution of cybercriminals tied to the Chinese state.
10. Ongoing Cyber Threats and Strategic Responses
Despite public indictments, Chinese cyberattacks persist and evolve. The Office of Personnel Management (OPM) breach, affecting 25 million Americans, exemplifies the continued vulnerability:
“Americans' personal data was now in the crosshairs.” ([39:05])
Kevin Mandia emphasizes the necessity of establishing rules of engagement in cyberspace to hold nations accountable:
“To hold nations accountable, we need to have rules of engagement in cyberspace.” ([27:02])
The episode concludes by highlighting the urgent need for a robust and coordinated response to mitigate ongoing and future cyber threats from China.
11. Conclusion: The Imperative of Naming and Shaming
"Naming and Shaming" serves as a critical examination of how American vulnerabilities were exploited by Chinese cyber operations, leading to significant economic and societal consequences. Through detailed case studies and expert testimonies, the episode underscores the importance of transparency, accountability, and strategic action in countering state-sponsored cyber threats.
Notable Quotes:
- Dave DeWalt: “That time period was the most dangerous in America's history... America’s companies would have dominated China had they not been able to build their own Chinese companies with the IP they stole.” ([02:41], [03:06])
- Kevin Mandia: “We need to have rules of engagement in cyberspace.” ([27:02])
- Paul Moser: “These guys become this almost mercenary army, the sort of hackers for hire, soldiers of fortune.” ([35:09])
- Steve Stone: “There was this really emerging moment where we just recognized things were different...” ([30:10])
This comprehensive summary encapsulates Episode 4's exploration of China's strategic cyberattacks against the United States, highlighting the evolution, impact, and responses to these covert operations. Through meticulous reporting and expert insights, To Catch a Thief sheds light on a largely untold aspect of modern geopolitical conflict.
