By Danny Yadron and Siobhan Gorman
A group of American companies made a rare bet this week that
sometimes it serves their business interests to admit they've been
hacked.
The companies, named as the targets of illegal hacking by
Chinese military officers in a U.S. indictment, took an unusual
step into a harsh public spotlight that most firms have sought to
avoid in the past.
The decision by Alcoa Inc., U.S. Steel Corp., the U.S. division
of SolarWorld AG and others to take part in the government's legal
assault on Chinese hacking reflected both the level of corporate
frustration over hacking and the benefit of acting in numbers.
In this week's Justice Department indictment, attorneys bundled
six cases together, avoiding a singular focus on any individual
organization and emphasizing that there are multiple victims of the
same hacking group.
"There's always safety in numbers," said Kevin Mandia, who
founded the computer-security firm Mandiant, a division of FireEye
Inc. "It makes it the new normal."
For years, companies have usually tried to steer clear of even
taking their breaches to law enforcement for fear their hacking
would be made public, wounding their reputations and stock
prices.
The companies named as targets this week hadn't previously
disclosed the breaches.
Executives and people familiar with the investigation said in
interviews Tuesday that the firms had reached a breaking point.
While they would have preferred to keep the breaches secret, they
saw no other way to stop them.
"Of course there is the risk that customers and vendors or other
stakeholders might think their data is insecure," said Ben
Santarris, U.S. spokesman for SolarWorld. But the firm wanted "to
bring this problem to light and to put criminals on notice."
John Carlin, head of the Justice Department's national security
division, said there has been a "sea change" in U.S. corporate
attitudes toward hacking penetrations. More and more, he said,
companies are willing to be identified as victims to help the U.S.
government pursue hackers.
When Mr. Carlin and his colleagues sought to select which cases
to pursue for this first round of indictments, finding companies
that would come forward publicly was a key criterion.
Prosecution is seen as a long shot in any event, considering
that Beijing is unlikely to hand over the military officers named
in the indictment. But without company cooperation, the case likely
would have fallen flat.
Mr. Mandia said the case-bundling approach is a likely model for
future efforts, and the current strategy will likely make other
companies more willing to acknowledge hacking incidents
publicly.
Other cybersecurity specialists were more skeptical that
companies will willingly disclose their breaches.
"Unless they have an explicit or implicit obligation to
disclose, the prospect of Justice Department indictments that will
never lead to prosecution, much less diminished attacks, is nothing
close to an 'incentive' to disclose," said Brian Finch, a
cybersecurity lawyer with the Washington law firm Dickstein
Shapiro.
On Monday morning, SolarWorld executives emailed employees and
customers to stress that their data is secure. In the indictment,
U.S. attorneys accused the hackers of breaking into SolarWorld's
systems several times in 2012 to glean its strategy in a trade
dispute with China.
The company first learned of the breaches, which have since
stopped, from an FBI field office in 2012, Mr. Santarris said.
There are still plenty of cases where companies would prefer to
keep breaches secret. Breaches at the U.S. Chamber of Commerce,
Coca-Cola Co. and Chesapeake Energy Corp. were all first disclosed
in news reports rather than corporate announcements.
But the Chamber did acknowledge its breach after receiving an
inquiry from The Wall Street Journal in 2011.
The recent theft of 40 million Target Corp. payment-card numbers
was first reported by Brian Krebs, a security blogger. The company
has since said it was preparing to disclose the breach.
Experts have seen a shift among companies in the past year or
two, though. Rather than trying to keep hacking incidents under
wraps, companies have begun criticizing the White House
response.
"We're reaching a tipping point," said James Lewis, a
cybersecurity expert at the Center for Strategic and International
Studies who frequently advises Washington on cyber issues. "It's
getting too expensive to eat the cost anymore. That's why I think
the administration had to move. There has been an unhappiness with
the perceived lack of action by the administration."
White House spokeswoman Laura Lucas Magnuson said she wouldn't
discuss cybersecurity talks with firms, but she said, "We do want
to foster a climate where there are clear and predictable rules of
the road in cyberspace so that businesses can engage in the trade
and commerce that benefit both the American and Chinese
economies."
In private meetings last year, Alcoa Chief Executive Klaus
Kleinfeld was angry that his company had lost a bid for a project
in Africa, a person familiar with the matter said. Mr. Kleinfeld,
the person said, had evidence foreign hackers were helping rivals
outbid him by spying on Alcoa's bid strategy.
An Alcoa spokeswoman declined to comment.
After the FBI notified SolarWorld of its breach, the company did
an audit of its cybersecurity defenses. When it took certain steps,
the company noticed the breaches stopped.
Mr. Santarris said the company didn't know then that the U.S.
government would use the company as a case targeting a hacking unit
linked to the Chinese military. But SolarWorld executives agreed
"to support whatever they're doing," he said.
"Our sort of mission-critical goal is to restore competition in
the solar industry," he said. "We wanted to support the application
of law."
Devlin Barrett contributed to this article.
Write to Danny Yadron at danny.yadron@wsj.com and Siobhan Gorman
at siobhan.gorman@wsj.com