UPDATED 09:15 EDT / MAY 31 2012

State-Sponsored Cyber-Penetrations Focus on Long-Term Data Theft

For the past five years Western nations and corporations have been penetrated at will and their most valuable secret data stolen by a new group of state-sponsored actors, mostly from China. And the victims don’t even realize they’ve been robbed.

That is the warning from cyber-security expert and co-founder of cyber-security startup CrowdStrike, Dmitri Alperovitch. These new actors have penetrated some of the most secure sites in the Western world — military and civilian agencies of 14 Western governments, including the United States, major IT companies like Google and the large oil and gas companies, even computer security vendors. Once in, the adversaries take up long-term residence in the victim’s computer infrastructure and steal the most valuable assets the victim has – more valuable in the long run than money – data. “This is the largest transfer of wealth in the history of the world,” Alperovitch says. And that wealth is being transferred from the Western economies mainly to China not because of legitimate business advantage but rather by cyber-invasion.

In the last three years Alperovitch, who is the former VP of threat research at McAfee, has publicly revealed three major, long-term incursions:
1. Operation Aurora, the penetration of Google,
2. Night Dragon, the penetration of several Western oil and gas companies, and,
3. Shady Rat, the multi-year penetration of more than 70 organizations including agencies of 14 Western governments and a list of companies.

In each case these were multi-year operations that went unidentified by the victims. And in each case the specific targets were not corporate bank accounts but rather vital data. In Night Dragon, for instance, the thieves, who Alperovitch says were working for the state-owned Chinese oil and gas monopolies, were stealing information on the negotiating strategies of the Western companies, and specifically on their strategies for bidding on contracts to exploit new oil and gas fields worldwide. That information allowed the Chinese to cheat in the auctions to win contracts for the best fields. That cost the Western competitors billions, will raise the price of oil in the West, and may also have prevented the countries that own those fields from getting the best contracts.

And the danger extends beyond governments and large organizations. Any company of any size that has technology that interests the adversaries, or that is doing business in China, can expect to be penetrated. For instance, Alperovitch says, any company that is going to bid on a contract with the Chinese government or Chinese businesses can expect to be penetrated about 90 days before the negotiations are concluded or the contract is signed.

When Alperovitch and McAfee Sr. VP and CTO George Kurtz left McAfee and, with Gregg Marston, founded CrowdStrike, they started a mission to expose and help companies defeat this new, dangerous form of cyber-crime. They left McAfee, Alperovitch says, because it and the rest of the cyber-security industry are building the wrong products.

“The existing models of building better walls and trying to prevent the adversary from getting in are not going to work. All of the companies and government agencies that have been penetrated had antivirus, they all had firewalls, they all had intrusion prevention systems and a variety of other security technologies, and they all got hacked.”

The protection model needs to be expanded beyond prevention to the identification of intrusions. “The adversary is in your systems and has been there continuously,” he says. “You need to have a continuous process where you are literally searching everywhere within your network and system for that adversary.” Companies need to identify how the adversary is getting in and what they are after.

Also very important, the victims need to identify their adversaries, “which no one is doing in the security industry.” One reason that the adversaries are winning all the battles is that their actions have no negative consequences for them. If they are discovered they just change tactics and attack again.

If the oil and gas companies, for instance, had realized what was happening, they could have shown that evidence to the countries that owned the fields and perhaps gotten them to void the results of the auction or disqualify the Chinese. They could have taken the evidence to the World Trade Organization or sued. And they could have improved the protection surrounding their bidding data. One of the goals of CrowdStrike, whose name combines the concept of crowdsourcing (to build better strategies and technologies to deal with the threat) with the idea of striking back at the aggressors, is to raise the cost of making those attacks.

That mission is attracting other rock stars of the security industry, including Shawn Henry, who retired as Executive Assistant Director of the FBI for Cyber-Security this spring to become president of CrowdStrike’s Services Division.

Funded by an initial $26 million investment from Warburg Pincus, the startup is just developing its products and services. But its potential market is huge.

“There are only two kinds of companies out there,” says Alperovitch, “those that know they’ve been hacked and those that have been but don’t know it.”
