I make some basic assumptions about the China cyber-intrusion issue:
First, that the Chinese program of industrial espionage, both conventional and cyber-based, is immense and it's gotten out of hand. The previous justification--that, as a matter of national security, the PRC had to obtain by hook or by crook vital technologies that the West and Japan refused to share--doesn't hunt. In my opinion, the PRC should unilaterally wind down the program without trying to extract any concessions from the US in return.
Second, I do not think that the cyber industrial espionage issue should
be conflated with the "cyberwarfare" scaremongering, which is a
transparent exercise in budget and mission enhancement for the NSA and
Pentagon, and a China-bashing hobbyhorse for cynical politicians.
Instead, I think the industrial/cyberespionage issue should be linked in the public sphere to the intellectual property issue--another area in which the PRC should be behaving better.
The infrastructure/military issue is too important and too sensitive to serve as public political fodder, and the US hands are far from clean in this regard--see Stuxnet.
Third, I would like to think that the Obama administration's thoughts run along the same track, but the cyber-train is getting hijacked by the cyberwar enthusiasts. That's the approach I take in this week's Asia Times Online column, by parsing National Security Adviser Tom Donilon's speech at the Asia Society.
Fourth, bitching about Chinese state hacking is not going to solve the hacking/security problem. The threats are coming from all over (look at Russia, not just China), and they are capable of challenging whatever defenses nations, militaries, and corporations can come up with.
I think these points are ones that sober, pipe-smoking liberals can consider endorsing.
Here's the last point, which may be a little harder to swallow:
I'm a big believer in the open-architecture free-for-all, but the
Internet is now government business, and governments around the world
are going to do their best to control the Internet.
As viruses and exploits have proliferated and demonstrated their ability to elude detection programs, the reality of the Internet has evolved away from open architecture to a defensive architecture buttressed by state data collection, surveillance, and legal coercion meant to identify and confront threats. It sounds like I'm describing the Chinese Internet, but I'm describing the US Internet as well.
I expect "freedom to connect" to survive as a convenient China-bashing talking point for the US government, but I expect the US military and security apparatus will become increasingly sympathetic to Internet-taming strategies by the PRC and other nations, so that threats can be identified, managed, and negotiated in coordination between capable state interlocutors and not left up to corporate players or the miraculous self-perfecting ecology of the untrammeled Internet.
Which is another way of saying get used to the Great Firewall in China
and a less overt but similar pattern of data collection, monitoring, and
threat identification in the US. And get used to the PRC believing
that US calls to get rid of the Great Firewall are simply hypocritical
demands for unilateral disarmament and empty political posturing.
[This piece originally appeared at Asia Times Online on March 15, 2013. It can be reposted if ATol is credited and a link provided.]
The United States has made the interesting and perhaps significant
decision to generate a crisis around Chinese cyber-intrusions as the
Obama administration enters its second term. With its typical careful,
methodical preparation, the Obama administration has been gradually
rolling out the Chinese cyber-threat product since November 2011 with
escalating evidentiary indictments of Chinese hacking, but without
overtly linking these activities to the Chinese government or military.
[1]
The most recent shoes to drop were the detailed brief drawn up by Mandiant Corp against the PLA's Unit 61398, allegedly the PLA
outfit in the white office building in Shanghai's
Pudong District that phished, lurked, and drained information from the
New York Times and many other US businesses, and the subsequent calling
out of the PRC by name for its cyber-sins by National Security Advisor
Tom Donilon. [2]
People hoping for a reset in US-Chinese relations - including the PRC -
may feel a twinge of disappointment that the United States has decided
to hype another point of US-PRC friction.
Then again, there is the interesting question of whether the White House
is trying to conduct a measured escalation, but is getting stampeded by
the threat inflation/budget boosting priorities of the US national
security apparatus and its eager handmaiden, the Western media.
Donilon came up with a nuanced approach to Chinese cyber-mischief during
his speech to the Asia Society, which deserves to be quoted at length.
Bypassing the issue of cyber-spying against military and government
targets that probably falls into the grey area of "everybody does it and
why shouldn't they", and defining and limiting the issue to a specific
and remediable problem - the massive state-sponsored PRC program of
industrial and commercial espionage against Western targets - Donilon's
framing placed "cyber-theft" in a category similar to the intellectual
property gripe, also known as systematic piracy of US software, as an
info strategy condoned by the Chinese government:
Another such issue is cyber-security, which has become a
growing challenge to our economic relationship as well. Economies as
large as the United States and China have a tremendous shared stake in
ensuring that the Internet remains open, interoperable, secure,
reliable, and stable. Both countries face risks when it comes to
protecting personal data and communications, financial transactions,
critical infrastructure, or the intellectual property and trade secrets
that are so vital to innovation and economic growth.
It is in this last category that our concerns have moved to the
forefront of our agenda. I am not talking about ordinary cybercrime or
hacking. And, this is not solely a national security concern or a
concern of the US government. Increasingly, US businesses are speaking
out about their serious concerns about sophisticated, targeted theft of
confidential business information and proprietary technologies through
cyber intrusions emanating from China on an unprecedented scale. The
international community cannot afford to tolerate such activity from any
country. As the President said in the State of the Union, we will take
action to protect our economy against cyber-threats.
From the President on down, this has become a key point of concern and
discussion with China at all levels of our governments. And it will
continue to be. The United States will do all it must to protect our
national networks, critical infrastructure, and our valuable public and
private sector property. But, specifically with respect to the issue of
cyber-enabled theft, we seek three things from the Chinese side.
First, we need a recognition of the urgency and scope of this problem
and the risk it poses - to international trade, to the reputation of
Chinese industry and to our overall relations. Second, Beijing should
take serious steps to investigate and put a stop to these activities.
Finally, we need China to engage with us in a constructive direct
dialogue to establish acceptable norms of behavior in cyberspace.
We have worked hard to build a constructive bilateral relationship that
allows us to engage forthrightly on priority issues of concern. And the
United States and China, the world's two largest economies, both
dependent on the Internet, must lead the way in addressing this problem.
[3]
This rather unexceptionable and reasonable demand that the PRC rein in
its gigantic program of economic/commercial hacking, ie cyber-enabled
theft as Donilon put it, and give US businesses a break, was not good
enough for the Christian Science Monitor, which has apparently shed,
together with its print edition, the sober inhibitions that once
characterized its news operations.
The CSM's headline:
US tells China to halt cyberattacks, and in a first, lays out demands
Obama's national security adviser, Thomas Donilon, spelled out a more
aggressive US stance on the cyberattacks, saying China must recognize
the problem, investigate it, and join in a dialogue. [4]
Note in the CSM story the effortless slide down the slippery slope from
cyber-theft to cyber-espionage to cyber-attacks (and for that matter,
"should" and "needs" to "demands"). Well, fish gotta swim, birds gotta
fly, and eyeballs have to be wrenched from their accustomed paths and
turned into click-fodder.
And don't get me started on the Pentagon:
A new report
for the Pentagon concludes that the US military is unprepared for a
full-scale cyber-conflict with a top-tier adversary. The report says the
United States must increase its offensive cyberwarfare capabilities.
The report also calls on the US intelligence agencies to invest more
resources in obtaining information about other countries' cyberwar
capabilities and plans.
The Washington Post reports that the report says that the United States
must maintain the threat of a nuclear strike as a deterrent to a major
cyberattack by other countries. The report notes that very few
countries, for example, China and Russia, have the skills and
capabilities to create vulnerabilities in protected systems by
interfering with components.
The report emphasizes that defensive cyber capabilities are not enough,
and that the United States must have offensive cyber capabilities which,
when needed, could be used either preemptively or in retaliation for a
cyber attack by an adversary. [5]
Security consultant Bruce Schneier addressed the threat inflation issue
(and the dangers of trying to design and justify retaliation in the
murky realm of cyberspace) in a blog post on February 21:
Wow, is this a crazy media frenzy.
We should know better. These attacks happen all the time, and just
because the media is reporting about them with greater frequency doesn't
mean that they're happening with greater frequency.
But this is not cyberwar. This is not war of any kind. This is
espionage, and the difference is important. Calling it war just feeds
our fears and fuels the cyberwar arms race.
In a private e-mail, Gary McGraw made an important point about attribution that matters a lot in this debate.
Because espionage unfolds over months or years in realtime, we can
triangulate the origin of an exfiltration attack with some certainty.
During the fog of a real cyber war attack, which is more likely to
happen in milliseconds, the kind of forensic work that Mandiant did
would not be possible. (In fact, we might just well be "Gandalfed" and
pin the attack on the wrong enemy.)
Those of us who work on security engineering and software security can
help educate policymakers and others so that we don't end up pursuing
the folly of active defense.
I agree.
This media frenzy is going to be used by the US military to grab more
power in cyberspace. They're already ramping up the US Cyber Command.
President Obama is issuing vague executive orders that will result in
we-don't-know what. I don't see any good coming of this. [6]
Not to worry, is the US attitude.
The United States apparently feels that it can "win the Internet" by
harnessing the power of the invincible American technological knowhow to
the anti-Chinese cyber-crusade.
In another of the seemingly endless series of self-congratulatory
backgrounders given by US government insiders, the godlike powers of the
National Security Agency were invoked to Foreign Policy magazine in an
article titled
Inside the Black Box: How the NSA is helping US companies fight back against Chinese hackers:
In the coming weeks, the NSA, working with a Department of
Homeland Security joint task force and the FBI, will release to select
American telecommunication companies a wealth of information about
China's cyber-espionage program, according to a US intelligence official
and two government consultants who work on cyber projects. Included:
sophisticated tools that China uses, countermeasures developed by the
NSA, and unique signature-detection software that previously had been
used only to protect government networks.
Very little that China does escapes the notice of the NSA, and virtually
every technique it uses has been tracked and reverse-engineered. For
years, and in secret, the NSA has also used the cover of some American
companies - with their permission - to poke and prod at the hackers,
leading them to respond in ways that reveal patterns and allow the
United States to figure out, or "attribute," the precise origin of
attacks. The NSA has even designed creative ways to allow subsequent
attacks but prevent them from doing any damage. Watching these provoked
exploits in real time lets the agency learn how China works.
And amid the bluster, a generous serving of bullshit:
Now, though, the cumulative effect of Chinese economic
warfare - American companies' proprietary secrets are essentially an
open book to them - has changed the secrecy calculus. An American
official who has been read into the classified program - conducted by
cyber-warfare technicians from the Air Force's 315th Network Warfare
Squadron and the CIA's secret Technology Management Office - said that
China has become the "Curtis LeMay" of the post-Cold War era: "It is
not abiding by the rules of statecraft anymore, and that must change."
"The Cold War enforced norms, and the Soviets and the US didn't go
outside a set of boundaries. But China is going outside those boundaries
now. Homeostasis is being upset," the official said. [7]
A more impressive and evocative term than "upset homeostasis" to describe the US cyber-war conundrum is "Stuxnet".
The Obama administration's cyber-maneuverings have been complicated and,
it appears, intensified, by the problem that the United States "did not
abide by the rules of statecraft" and "went outside the boundaries"
and, indeed, became the "Curtis LeMay of the post Cold War era" when it
cooperated with Israel to release the Stuxnet exploit against Iran's
nuclear program.
That was a genuine piece of cyber-warfare, the effort to sabotage a critical military facility in a pre-emptive attack.
The Obama administration admitted the central role of the United States
and President Obama personally in the Stuxnet attack, apparently in a
desire to demonstrate his genuine, Iran-hating credentials to skeptical
conservatives and national security types prior to the November 2012
presidential election.
And President Obama, in his usual thoughtful way, 'fessed up to the fact
that it was the United States that started drawing outside the
cyber-warfare lines, as the New York Times' David Sanger reported in his
privileged account:
Mr Obama, according to participants in the many Situation
Room meetings on Olympic Games [the Stuxnet program], was acutely aware
that with every attack he was pushing the United States into new
territory, much as his predecessors had with the first use of atomic
weapons in the 1940s, of intercontinental missiles in the 1950s and of
drones in the past decade. He repeatedly expressed concerns that any
American acknowledgment that
it was using cyber-weapons - even under the most
careful and limited circumstances - could enable other countries,
terrorists or hackers to justify their own attacks.
"We discussed the irony, more than once," one of his aides said. Another
said that the administration was resistant to developing a "grand
theory for a weapon whose possibilities they were still discovering".
[8]
Yes, the irony, if irony is defined as "the refusal to acknowledge that
what you are doing is the precise opposite of what you are advocating
that other people do."
The word "Stuxnet" does not appear in the official US lexicon of
dastardly cyber-attacks, even though, in terms of its severity and
irresponsibility (in addition to disabling the Iranian centrifuge
facility, the virus spread to 100,000 hosts in 155 countries; oops!) it
is truly the poster child for the dangers of the cyber-warfare option.
Instead, the US government has forcefully if not particularly
effectively attempted to divert attention from Stuxnet to "Shamoon", a
nasty virus that compromised office systems at a couple of Middle
Eastern energy giants, Aramco (Saudi Arabia) and RasGas (Qatar) in
August 2012, shortly after the Iranians started grappling with their
Stuxnet problem.
As part of the Stuxnet misdirection, Shamoon has become the invoked
cyber-attack bugbear of choice, despite the fact that, unlike Stuxnet,
it was a very conventional hack that erased data from management
computers and defaced homescreens with the taunting image of a burning
American flag.
There is, of course, no discussion of the distinct possibility that Iran
executed the exploit as a piece of cyber-retaliation for Stuxnet, and
not as an unprovoked attack. [9]
Before President Obama acknowledged shared paternity in Stuxnet, the
United States was engaged in negotiations with China on the very same
cyber-warfare norms that exercised the anonymous source in the Foreign
Policy article:
While no one has, with 100% certainty, pinned the Chinese
government for cyber-attacks on US government and Western companies, in
its 2012 report "Military and security developments involving the
People's Republic of China", the US secretary of defense considers it
likely that "Beijing is using cyber-network operations as a tool to
collect strategic intelligence" ...
The report raises China's unwillingness to acknowledge the "Laws of
Armed Conflict", which the Pentagon last year determined did apply to
cyberspace ... [10]
Unsurprisingly, post-Stuxnet the Chinese government has even less
interest in the "Law of Armed Conflict in cyberspace" norms that the
United States wants to peddle to its adversaries but apparently ignore
when the exigencies of US interests, advantage, and politics dictate.
Instead, the PRC and Russia have lined up behind a proposed
"International Code of Conduct for Internet Security", an 11-point
program that says eminently reasonable things like:
Not to use ICTs including networks to carry out hostile
activities or acts of aggression and pose threats to international peace
and security. Not to proliferate information weapons and related
technologies.
It also says things like:
To cooperate in combating criminal and terrorist activities
which use ICTs [information and communications technologies] including
networks, and curbing dissemination of information which incites
terrorism, secessionism, extremism or undermines other countries'
political, economic and social stability, as well as their spiritual and
cultural environment. [11]
The United States, of course, has an opposite interest in "freedom to
connect" and "information freedom" (which the Chinese government
regards as little more than "freedom to subvert") and has poured scorn
on the proposal.
The theoretical gripe with the PRC/Russian proposal is that it endorses
the creation of national internets under state supervision, thereby
delaying the achievement of the interconnected nirvana that information
technology evangelists assure us is waiting around the next corner - and
also goring the ox of West-centric Internet governing organizations
like ICANN.
So the Chinese proposal is going exactly nowhere.
The (genuine) irony here is that the Chinese and Russians are showing
the way to, and driving, the rest of the world in their response to the undeniable
dangers of the Internet ecosystem, some of which they are themselves
responsible for but others - like Stuxnet - can be laid at the door of
the US.
In response to hacking, the Internet as a whole has evolved beyond its
open architecture to a feudal structure of strongly-defended Internet
fortresses, with cyber-serfs free to roam the undefended commons outside
the gates, glean in the fields, and catch whatever deadly virus
happens to be out there.
In recent months, the word "antivirus" has disappeared from the homepages of Symantec and McAfee as they have recognized that their signature libraries of known viruses can't keep up with the millions of new threats emerging every year, let alone with a carefully weaponized piece of code like Stuxnet, and so can't protect their privileged and demanding users. Now the emphasis - and the gush of VC and government money - has shifted to compartmentalizing data and applications and to detecting an intrusion, limiting the damage, and cleaning up the mess after a virus has started rummaging through the innards of an enterprise.
In other words, the Internet fortresses, just like their medieval
analogues, are increasingly partitioned into outer rampart, inner wall,
and keep - complete with palace guard - in order to create additional
lines of defense for the lords and their treasure.
In other words, they are starting to look like the Chinese and Russian national internets.
Despite the precautions, there will always be people vulnerable to
social engineering (clicking on a dodgy attachment or link while at
work), and there will always be more talented and motivated hackers. And
maybe more talented hackers aren't even necessary.
Barbara Demick of the Los Angeles Times located the personal blog of a
PLA cyber-drudge who, in addition to blathering about the presumably
classified details of his hacking job (such as perfecting a Trojan known
as "Back Orifice 2000"), moaned about the boredom of hacking for The Man, and
the embarrassment of looking like a loser at his high school reunion:
My only mistake was that I sold myself out to the country
for some minor benefits and put myself in this embarrassing situation.
[12]
Critical observers declared that the alleged PLA intrusions documented
by Mandiant were conducted by the B Team, inviting the analogy that
military hacking is to hacking as military music is to music:
Jaime Blasco, labs director at security tools firm
AlienVault, described APT1, aka Comment Crew [which Mandiant associated
with 61398], as one of the more successful hacking groups based on the
number of targets attacked - but not necessarily on the skill level of
its members.
"APT1 is one of the less sophisticated groups," Blasco said. "They
commonly reuse the same infrastructure for years and their tools are
more or less easy to detect. The techniques they use to gain access to
the victims are more based on social engineering and most of the time
they don't use zero-day exploits to gain access." [13]
Even so, they were inside the New York Times for months (part of that
time, admittedly, they were being tracked and analyzed by Mandiant).
Bottom line: attacks will happen, attacks will succeed, and reliable (or more likely, merely probable) attribution will emerge only in the days and weeks after detection (detection itself might take years) through the grinding application of forensics, the correlation of information across massive databases, and the anxious parsing of leads to test their reliability and to filter out dangerous disinformation.
Absolute cyber-safety, through defense or deterrence against an
antagonist, is a chimera. The best hope for the Internet might be
"peaceful coexistence" - the move toward cooperation instead of
confrontation that characterized the US-USSR relationship when it became
apparent that "mutually assured destruction" was leading to a
proliferation of dangerous and destabilizing asymmetric workarounds
instead of "security through terror".
Or, as the Chinese spokesperson put it in Demick's article:
"Cyberspace needs rules and cooperation, not war. China is
willing to have constructive dialogue and cooperation with the global
community, including the United States," Foreign Ministry spokeswoman
Hua Chunying said at a briefing Tuesday. [14]
It looks like the Obama administration, by carefully and convincingly placing the cyber-theft issue on the table, might be working toward some kind of modus vivendi that leads to a joint reduction of Internet threats - dare I say, a win-win solution? - with the PRC.
It remains to be seen if this initiative can withstand the pressures of
the US military, security, and technology industries for a profitable
threat narrative - and the Obama administration's own inclination toward
zero-sum China-bashing.
Notes:
1. If There's a War With China…, China Matters, February 20, 2013.
2. Exposing One of China's Espionage Units, Mandiant.
3. Remarks By Tom Donilon, National Security Advisor to the President: "The United States and the Asia-Pacific in 2013", March 11, 2013.
4. US tells China to halt cyberattacks, and in a first, lays out demands, Christian Science Monitor, March 11, 2013.
5. U.S. military "unprepared" for cyberattacks by "top-tier," cyber-capable adversary: Pentagon, Homeland Security Newswire, March 6, 2013.
6. More on Chinese Cyberattacks, Schneier on Security, February 21, 2013.
7. Inside the Black Box, Foreign Policy, March 7, 2013. (subscription only)
8. US digs in for cyber warfare, Asia Times Online, October 13, 2012.
9. America Freaked Out by the Cyberboogeyman It Unleashed, China Matters, October 12, 2012.
10. US hopeful China will recognize its cyber rules, CSO, May 21, 2012.
11. China and Russia's 'International Code of Conduct for Information Security', .nxt, September 2011.
12. China hacker's angst opens a window onto cyber-espionage, Los Angeles Times, March 12, 2013.
13. APT1, that scary cyber-Cold War gang: Not even China's best, The Register, February 27, 2013.
14. China hacker's angst opens a window onto cyber-espionage, Los Angeles Times, March 12, 2013.