The United States is reportedly under attack by the Chinese government. America's business secrets, critical infrastructure and wealth are the targets.
But many businesses are taking a lackadaisical approach to cybersecurity. Multiple industry studies have shown that the vast majority of companies don't begin following cybersecurity best practices until after they've been hit.
The latest and most telling example came Tuesday. According to a new report from information security company Mandiant, the Chinese military is linked to one of the most prolific hacking groups in the world.
That group, known as the "Comment Crew," has attacked Coca-Cola(KO), EMC(EMC) security division RSA, military contractor Lockheed Martin(LMT), and hundreds of others. It reportedly holds the blueprints to America's energy systems, and has funneled trade secrets out of some of the country's largest corporations.
The implications of China's presence in Corporate America's networks are vast, from matters of economic competitiveness to international diplomacy.
China has strong ties with its businesses, and any information gathered from U.S. corporations could wind up in the hands of a Chinese rival. Imagine Apple's rumored iWatch being produced first by a competitor that stole Apple's plans. Not only would Apple(AAPL) lose an edge in the market, but the theft could impact the vast ecosystem of third-party software developers and accessory makers.
"It is fundamentally important that the American private sector wake up to the fact that dozens of countries -- including China -- are robbing us blind." said Tom Kellermann, head of cybersecurity at Trend Micro(TMICY) and former commissioner of President Obama's cybersecurity council.
Kellerman estimates that the cost of trade secrets being stolen online is in the hundreds of billions of dollars annually.
"This is not some 15-year old trying to hack your database to see if he can," said Andy Serwin, adviser to the Naval Post Graduate School's Center for Asymmetric Warfare and chair of the information security practice at Foley & Lardner. "This is a large-scale organized effort to steal your company's most valuable information."
The Chinese government has long been believed to be behind a widespread cyberespionage scheme, but Mandiant's report is the first to clearly explain the link.
"It is time to acknowledge the threat is originating from China," said Dan McWhorter, Mandiant's managing director of threat Intelligence. "Without establishing a solid connection to China, there will always be room for observers to dismiss advanced persistent threat actions as uncoordinated, solely criminal in nature, or peripheral to larger national security and global economic concerns."
Cyber Cold War has clearly begun. Fears about a crippling attack by China on the nation's power grid or other critical infrastructure are also a legitimate worry. That's because 85% of such infrastructure -- including electric and water utilities -- is controlled by private industry.
"Knowing China could turn off our lights has vast diplomatic implications," said Dave Aitel, CEO of security consultancy Immunity.
And while there haven't been any successful breaches of critical infrastructure command and control centers yet, there is strong evidence that a cybercriminal could strike if they wanted to. Last year, Comment Crew broke into the network of smart grid control systems maker Telvent. In that attack, Comment Crew gained access to blueprints for 60% of North and South America's oil and gas pipelines.
That's likely part of the reason why the Obama administration, which signed an executive order last week that promotes sharing information about cyberattacks between the government and critical infrastructure companies, has been reluctant to call out China on its own. In his State of the Union address, the president simply said that the U.S. knows "foreign countries and companies swipe our corporate secrets."
In response to the Mandiant report on Tuesday, an administration spokesman said the White House continues to work with the Chinese government to stop the flow of these attacks.
But experts say something bigger needs to be done. An increasing number of businesses are looking to Congress to pass legislation that would set minimum cybersecurity standards for businesses to follow. Industry experts say that if Mandiant's report truly serves as a wake-up call, hopefully such a bill will ultimately get passed.
"Every time a big report comes out, it builds awareness ... and it gives us a chance to saber rattle and blame someone else. But we still don't pass cybersecurity legislation," said Art Coviello, CEO of RSA. "There are a lot of really good proposals on the table. Are we going to have rule of law prevail or not?"