Check Out How Many Companies China Hacked to Build the Comac C919
A big part of Made in China 2025 -- Beijing's plan to boost China's economy from low-grade manufacturing to high-tech hegemony -- is the production of a passenger jet aircraft to compete with offerings from Boeing (NYSE:BA) and Airbus (EPA:AIR), which came to fruition when the Comac C919 made its maiden flight in early 2017. But just how much of this plane is actually Chinese? Not a lot, according to a recent study published by CrowdStrike: many of the aircraft's key components are based on stolen IP from American and European firms.
While some Western aviation firms participated in the production of the Comac C919, many found themselves in the position of "forced technology transfer" as hackers took more than what Comac legitimately paid for. According to CrowdStrike, China's Ministry of State Security (MSS) coordinated the attack on these Western component suppliers using a combination of cyberwarfare and human intelligence. In addition to using MSS resources and contracted local hackers-for-hire, Ministry operatives would locate Chinese nationals that were employed by the target company and have them deliver malware payloads onto the network.
Crowdstrike says the cyber espionage campaign took place between 2010-2015 and breached leading aviation suppliers such as Ametek, Honeywell, Safran, Capstone Turbine, and GE. Whenever Comac legitimately acquired parts from a supplier, that supplier's network would be hacked and all data about its other products and pipeline would be sent back to China.
For instance, after Comac signed a deal with CFM International (a French-GE joint venture to produce jet engines) to produce a variant of its Leap-X engine for the C919 (the Leap-1C), Crowdstrike's report showed that their network was hacked and all data about the engine was downloaded for use in producing a made-in-China version saving China's aviation sector years of development time and billions of dollars. The end result of this forced technology transfer is the CJ-1000AX, which is a technical doppelganger to the Leap-1C, including dimensions and turbofan blades.
For its part, the Comac C919 struggles to find customers as lengthy delays stemming from technical troubles threaten its competitiveness. Comac has secured 305 orders for the aircraft, mostly from domestic airlines.
A Target a Little Too Big
Crowdstrike says that the attacks on Western aviation suppliers went relatively undetected, until the MSS and its hacking teams went after a target a little too big: healthcare provider Anthem and the US Office of Personnel Management.
Targeting the US OPM directed the full investigatory powers of the US Government to MSS. The US was able to arrest a number of the contracted freelance hackers as they attended cybersecurity conferences around the world. Yanjun Xu, a key MSS officer that directed attacks against a number of US-based aviation companies, was arrested in Belgium and extradited to the US.
China Keeps Doing This
The case of the Comac 919 is unique because of the high-profile nature of the project, but the extent of Chinese cyber espionage and technology theft runs the full gamut from Kickstarter projects to large Enterprise initiatives. While the US and other Western states have their own cyber warfare initiatives the key difference is that they are not being used to benefit commercial enterprises in their respective countries, but rather as a state-to-state weapon.
Any sort of trade deal with China would need to include provisions that curb these cyberattacks and force firms to start respecting international IP law. After all, China itself has quite a robust domestic patent system and strict domestic cybersecurity laws. It's time that US leadership force China to abide by its own laws so its companies compete against their foreign peers on a level playing field.