Xiafen “Sherry” Chen, a 59-year-old hydrologist born in China and a naturalized US citizen for nearly two decades, says she thought she was doing a harmless favor.
It ended up nearly costing her everything.
She was arrested in October 2014 and accused of illegally accessing restricted areas of a protected US government computer database and providing false statements, crimes that could have led to 25 years in prison and $1 million in fines.
Chen was placed on unpaid leave from her government job as a scientist for the National Oceanic and Atmospheric Administration (NOAA) as her family scrambled to pull together money for a lawyer.
The lawyer turned out to be a good hire – in March, he persuaded prosecutors to drop all the charges, according to an account of the case published this week by the New York Times.
As the Times reports, Chen was suspected of spying for China, and got swept up in a dragnet amid growing concerns in the US about cyberespionage and the theft of trade secrets and national security secrets by hackers working for the Chinese military.
The government’s case against Chen didn’t hold much water – as the Times discovered in its review of court filings and interviews with Chen and her colleagues, “prosecutors hunted for evidence of espionage, failed and settled on lesser charges that they eventually dropped.”
So how did Chen, a scientist working at the National Weather Service facility in tiny Wilmington, Ohio, end up accused of being a spy?
It started, she says, with her efforts to answer questions from a Chinese official about US dam infrastructure.
On a trip to China in 2012 to visit her parents, Chen was asked by a family member to help out in a dispute over a payment for a water pipeline, by using her connection to a former university classmate who was now an official in the Chinese Ministry of Water Resources.
The Chinese official wanted to know more about how water projects in the US were financed, and Chen offered to help.
When she returned home, Chen downloaded some files from the National Inventory of Dams, using a password that wasn’t her own; and she began asking questions about dams from an acquaintance at the US Army Corps of Engineers.
Although Chen’s requests for information about US dams would seem to be within the purview of her job – her work for the National Weather Service involved creating mathematical models to predict floods – her inquiries led to a year-long investigation, and later she was arrested at her office by FBI agents.
Although Chen never shared any classified information with her contact in China, she did make a crucial error in judgment that put her – rightly or wrongly – under suspicion.
The database of dam projects Chen accessed was restricted by a password, but although most of the data in it was publicly available (only six of 70 data fields were restricted to government employees, according to the Times), Chen did not have a password – and so she asked for one from a coworker, who emailed it to her.
Chen sent an email to the Chinese official with a link to the dam database (but not the password), telling him that “this database is only for government users, and nongovernment users are not able to download any data from this site,” and told him to contact her with further questions, according to the Times.
Perhaps Chen should have known that shared passwords are a security risk; or maybe she should have considered that her emails to and from the Chinese official were not private and could have been read by anyone.
It’s easy to sympathize with Chen in this case – but it’s also understandable why investigators in the US are quick to jump on any suspicion of Chinese spying – especially in cases that involve “critical national infrastructure” such as dams and reservoirs.
The US government and US businesses are under constant threat from Chinese and Russian hackers, and the Obama administration is moving to aggressively counter cyberattacks with new sanctions, while it weighs the costs of going after states like China in what is increasingly a cyber “cold war” between super powers.
Michael Rogers, the director of the US National Security Agency, said this week that the US will consider any and all options to counter cyberattacks, possibly including retaliation using “conventional” weapons.
If you’re ever tempted knowingly to bypass security in your own workplace (or even at home!) just to do someone a favor, don’t forget that insecurity doesn’t only play into the hands of intelligence agencies.
You could be putting yourself, your employer and even your customers at risk of cybercriminals, regulatory non-compliance, or even just plain old bad PR, so think twice before you try the digital equivalent of tailgating a colleague through the lobby door.