"It's a forcing function in the private sector, and frankly ... it's a forcing function with the government," said retired Air Force Gen. Michael Hayden, the former director of the CIA and the National Security Agency who now works for the Chertoff Group, a security consulting firm.
Mandiant's report raises questions, too, about the extent to which private companies are in control of defending the nation's most crucial networks, like power companies and water treatment plants. Another question is what rules of engagement private companies might rely on. When does a company strike back?
Mandia and his competitors said they are beholden to U.S. and international laws, which prohibit the type of intrusive acts they accuse China of taking. Mandia also says his clients aren't interested in starting a cyberwar with foreign hackers, in part because they are so vulnerable.
"The only time (hacking back) would really work is if we got all the bad guys out of our networks in the first place," he said. "Then you can start playing that game."
Still, publishing the hacking report was itself an offensive shot across China's bow.
Mandia said he started his company in 2004 after years in the private sector because there was no company focused on investigating intrusions. With a master's degree in forensic science from George Washington University, he became Mandiant's sole employee and, two years later, got a cash infusion from a college friend. Now, he oversees some 330 employees and the field is growing rapidly. He says he used to see maybe three major incidents a month when he started his business; now he estimates there can be anywhere from 30 to 100 incidents a month.
Mandia is hardly alone. A former co-worker, Stuart McClure, recently started his own company, called Cylance. He received $15 million in venture capital funds for his business, which he says is distinctive because of its focus on prevention. McClure said in general he sees the future of cyberdefense residing in the private sector, with its deeper pockets and less red tape.
"With a commercial entity, you can get more creative," McClure said.
As for any problems they might cause in diplomatic or security circles for the federal government, Mandia and his competitors say that's not really on their radar, although he's hiring attorneys to help him monitor changing U.S. policies and regulations. But as a tech guy, he says he's focused on stopping intrusions.
"We're security guys," Mandia said. "We're not diplomats."
The report: http://intelreport.mandiant.com/