A Chinese businessman has been sentenced to nearly four years in prison for conspiring to hack the computer systems of Boeing and other US defense contractors to steal military technical data.
Su Bin, a Chinese national and the owner of a Chinese aviation technology
company, was sentenced Wednesday in US District Court in Los Angeles to
46 months in prison. Bin, 51, had faced up to 30 years in prison before
pleading guilty in March to a federal charge of conspiracy to unlawfully
access computers in the United States. The sentence comes amid heightened tensions between the two nations over computer espionage.
Su worked with two unidentified hackers in China between 2008 and
2014, instructing them on what data to target and transmit to
state-owned Chinese companies. The trio stole 65 gigabytes of sensitive
information related to fighter jets such as the F-22 and the F-35 as
well as Boeing's C-17 military cargo aircraft program, the Justice
Department said.
"Su Bin's sentence is a just punishment for his
admitted role in a conspiracy with hackers from the People's Liberation
Army Air Force to illegally access and steal sensitive U.S. military
information," Assistant Attorney General Carlin said in a statement.
"Su assisted the Chinese military hackers in their efforts to
illegally access and steal designs for cutting-edge military aircraft
that are indispensable to our national defense."
A report published by the House Committee on Science, Space and Technology today found
that hackers purported to be from China had compromised computers at
the Federal Deposit Insurance Corporation repeatedly between 2010 and
2013. Backdoor malware was installed on 12 workstations and 10 servers
by attackers—including the workstations of the chairman, chief of staff,
and general counsel of the FDIC. But the incidents were never reported
to the US Computer Emergency Response Team (US-CERT) or other
authorities and were only brought to light after an Inspector General
investigation into another serious data breach at the FDIC in October of
2015.
The FDIC failed at the time of the "advanced persistent threat"
attacks to report the incidents. Then-inspector general at the FDIC, Jon
Rymer, lambasted FDIC officials for failing to follow their own
policies on breach reporting. Further investigation into those breaches
led the committee to conclude that former FDIC CIO Russ Pittman misled
auditors about the extent of those breaches and told employees not to
talk about the breaches by a foreign government so as not to ruin FDIC
Chairman Martin Gruenberg's chances of confirmation.
The cascade of bad news began with an FDIC Office of the Inspector
General (OIG) investigation into the October "Florida incident." On
October 23, 2015, a member of the Federal Deposit Insurance
Corporation's Information Security and Privacy Staff (ISPS) discovered
evidence in the FDIC's data loss prevention system of a significant
breach of sensitive data—more than 1,200 documents, including Social
Security numbers from bank data for more than 44,000 individuals and
30,715 banks, were copied to a USB drive by a former employee of FDIC's
Risk Management Supervision field office in Gainesville, Florida. The
employee had copied the files prior to leaving his position at the FDIC.
Although the employee was intercepted, the actual data was not recovered
from him until March 25, 2016. The former employee provided a sworn
statement that he had not disseminated the information, and the matter
was dropped.
However, Gruenberg told Science, Space and Technology Committee
Chairman Rep. Lamar Smith (R-Texas) in a February letter about the
breach that only about 10,000 "individuals and entities" were affected
by the leak and that the former employee was cooperative. That claim was
contradicted by the FDIC's Office of the Inspector General after it
used that breach for an audit of the FDIC's security
processes—indicating that the actual number was several times larger and
that there were other breaches that had not been reported. One of those
was a similar breach in September when a disgruntled employee in New
York left with a USB drive containing the SSNs of approximately 30,000
people. That breach had been glossed over by the FDIC's CIO, Lawrence
Gross, and had only been mentioned in an annual Federal Information
Security Management Act (FISMA) report, despite its classification as a
"major" breach. This was in addition to a similar, reported breach in February when another departing employee in Texas "inadvertently and without malicious intent" downloaded 44,000 records.
Then in May, the FDIC "retroactively reported five additional major
breaches" to the committee, according to the report. Only after a
Congressional hearing on those breaches did the FDIC offer credit
monitoring services to the more than 160,000 individuals whose personal
information was included in the data leaked.
The committee's report accuses Gross—who took over in 2015 after
former FDIC CIO Barry West disappeared on "administrative leave" in June
of last year for unknown reasons—of creating a "toxic workplace" for
FDIC's IT team and of sabotaging efforts to improve the agency's
security footing. Nearly 50 percent of FDIC employees can use portable
storage devices such as USB drives or portable disk drives, and the only
thing assuring the FDIC that data was not being disseminated by former
employees is signed affidavits. Gross is also the driving force behind
an initiative to purchase 3,000 laptops for FDIC employees, arguing that
laptops are more secure than desktops