On November 30, 2018, Marriott International acknowledged that “an unauthorized party had copied and encrypted information” belonging to hundreds of millions of unique guests. What looked like a now all-too-typical hacking incident took an even more disturbing turn when, just two weeks later, Secretary of State Mike Pompeo confirmed reports that Chinese Government-linked hackers were responsible for the data breach. A hack whose purpose had initially appeared straightforward financial gain suddenly assumed a darker hue, given that Beijing’s intent may transcend any attempts simply to monetize this data and seek to advance bolder espionage and counterespionage efforts, as well as other national security goals. This is our new reality: cyber powers, including China, are collecting and compiling data on private citizens, including Americans and other nationals, not just potentially to make a quick buck but also (and more consequentially) to pursue national security objectives through tactics known and still unknown—because they haven’t been deployed or developed yet.
Let’s start with what everyone does know about the Chinese Government: it has a seemingly unquenchable thirst for data on its own citizens, perhaps even to an Orwellian extent. That manifests itself in cameras that are everywhere in China, the government’s monitoring of social media, and the development of a “social credit score” due to be in place in 2020, which will pull from financial transactions, social behavior, political views, and general lifestyle data to “rate” citizens. While their scope can be exaggerated, Beijing’s efforts and ambitions to know, and thus control, its citizenry are becoming well known to Americans.
What’s new, and shockingly so, is Beijing’s effort to scoop up data on ordinary American citizens. November’s Marriott hack appears to be the first time that Chinese surveillance has extended to ordinary Americans on such an astonishing scale. This wasn’t the targeting of U.S. Government employees to ferret out possible spies, like China’s hack of the Office of Personnel and Management, or the targeting of American companies to steal their intellectual property, like China’s corporate espionage against the likes of Westinghouse and U.S. Steel. Instead, this was gathering the extensive information that a major hotel chain had collected about hundreds of millions of Americans—not to mention millions from other countries. It’s true that, among those masses of Americans, there presumably were particular government officials and industry leaders of special interest to Beijing—hence the disturbing admission by Marriott that 5.25 million passport numbers stolen hadn’t been encrypted (in addition to 20.3 million passport numbers that were also stolen but encrypted). But, when one considers the massive scope of this state-sponsored data theft, it reveals a new paradigm in cyberattacks, one in which hard targets aren’t the only ones at risk, and in which consumers—also known as every one of us—may now be direct targets or incidental soft targets for sophisticated, government hackers from powerful nation-states, with a time horizon for activation months, years, or even decades in the future.
How this is accomplished is also new. The prospects of monitoring mass swaths of foreign citizens once would have posed a logistical nightmare. It simply was not feasible for even a powerful surveillance state to monitor hundreds of millions of people moving around foreign countries. Yet, in today’s Internet era, e-commerce and social media have in essence both trained and habituated consumers to provide massive amounts of information to the corporations with which they interact. Now, consumers actively provide location data when booking hotel reservations or checking in and passively provide such data when their apps persistently monitor their locations. Likes, dislikes, browser histories, medical records, bank statements, and more become part of a consumer’s compiled data history. The same technologies that advertisers and media companies use to generate billions in revenue can also be used to compile a dossier on each and every American. Online commerce gathers home mailing addresses, which are also tied to offline data sets like tax records. It’s not hard for a company like Marriott to acquire all of that data under the guise of simplifying your consumer experience—and, in turn, it’s unfortunately become far too easy for cyber powers to steal them. And, as the “Internet of Things” continues to evolve, even more data will be associated with user accounts, creating an increasingly capacious and detailed view of consumers’ identities and behaviors.
Why to do this is even newer. Since the reports of China’s involvement in the Marriott data breach, too little attention has been paid to the question of why Beijing would want this mass set of consumer data in the first place, beyond the supposition that somewhere within it there could be something useful to learn about government and industry leaders. That’s a sign that data accumulation as an end in itself has become so second-nature to us that we neglect to question the motivations or implications behind even staggering hacks. But why Beijing would do this is an essential question. Some specific use cases for weaponizing this data set are easily imaginable. Perhaps this data set can help to reveal Americans spying against China and even Chinese spying for America. Perhaps the data set can be exploited to reveal, track, or discredit Chinese dissidents and human rights advocates. Perhaps this data set can be used to fuel the election interference with which Beijing is already experimenting by providing the type of information on American voters that facilitates microtargeting them with disinformation. Or perhaps this data set can be used to develop and deploy campaigns to paint China in a favorable light so as, say, to improve China’s leverage in the ongoing tariff war between Washington and Beijing.
But most intriguing is the possibility that Beijing doesn’t even know why or how it might be able to use this data set, yet nonetheless figures that it’s worth acquiring it now, with an anticipation of putting it to use later. That’s true in at least two senses. First, the universe of data-driven hostile activity remains wholly unexhausted. What we’ve seen so far—like Russian election interference via social media—is likely just the early steps in burgeoning cyber conflicts. In the months, years, or even decades to come, Beijing may well figure out how to bring together multiple methods and manners to utilize this sort of data against American interests in ongoing, and likely escalating, cyber conflicts. Second, machine learning is yielding uses for large data sets that humans alone could not imagine—or even understand—given that machine learning can generate correlations among data that the machine itself can’t explain. Given these potential use cases, among others, Beijing’s plan may be simply to vacuum up as much data like this as possible and then see what today’s machine learning—or, better yet, tomorrow’s machine learning—can do with it.
All told, the 2018 Marriott hack should be a wake-up call for Western countries, corporations, and citizens that soft cyber targets face a new threat from powerful cyber actors, with stakes which may be bigger than we or even those launching these attacks are yet able to realize. The result of such threats is that the private sector is now on the front lines of national security interests, with data vulnerabilities exposing risks beyond simple identity theft. Given the stakes, there should be heightened urgency around building better modes of cooperation—including but not limited to information sharing and security safeguard protocols—between the public and private sectors so that, like Beijing, Washington begins to treat ordinary data as the crucial national security asset it is.