Saturday, March 16, 2013

China cyber-war: Don't Believe the Hype

I make some basic assumptions about the China cyberintrusion issue:

First, that the Chinese program of industrial espionage, both conventional and cyber-based, is immense and has gotten out of hand.  The previous justification--that, as a matter of national security, the PRC had to obtain by hook or by crook vital technologies that the West and Japan refused to share--doesn't hunt.   In my opinion, the PRC should unilaterally wind down the program without trying to extract any concessions from the US in return.

Second, I do not think that the cyber industrial espionage issue should be conflated with the "cyberwarfare" scaremongering, which is a transparent exercise in budget and mission enhancement for the NSA and Pentagon, and a China-bashing hobbyhorse for cynical politicians.

Instead, I think the industrial/cyberespionage issue should be linked in the public sphere to the intellectual property issue--another area in which the PRC should be behaving better.

The infrastructure/military issue is too important and too sensitive to serve as public political fodder, and the US hands are far from clean in this regard--see Stuxnet.

Third, I would like to think that the Obama administration's thoughts run along the same track, but the cyber-train is getting hijacked by the cyberwar enthusiasts.  That's the approach I take in this week's Asia Times Online column, by parsing National Security Adviser Tom Donilon's speech at the Asia Society.

Fourth, bitching about Chinese state hacking is not going to solve the hacking/security problem.  The threats are coming from all over (look at Russia, not just China), and they are capable of challenging whatever defenses nations, militaries, and corporations can come up with.

I think these points are ones that sober, pipe-smoking liberals can consider endorsing.

Here's the last point, which may be a little harder to swallow:

I'm a big believer in the open-architecture free-for-all, but the Internet is now government business, and governments around the world are going to do their best to control the Internet.

As viruses and exploits have proliferated and demonstrated their ability to elude detection programs, the reality of the Internet has evolved away from open architecture to a defensive architecture buttressed by state data collection, surveillance, and legal coercion meant to identify and confront threats.  It sounds like I'm describing the Chinese Internet, but I'm describing the US Internet as well.

I expect "freedom to connect" to survive as a convenient China-bashing talking point for the US government, but I expect the US military and security apparatus will become increasingly sympathetic to Internet-taming strategies by the PRC and other nations, so that threats can be identified, managed, and negotiated in coordination between capable state interlocutors and not left up to corporate players or the miraculous self-perfecting ecology of the untrammeled Internet.

Which is another way of saying get used to the Great Firewall in China and a less overt but similar pattern of data collection, monitoring, and threat identification in the US.  And get used to the PRC believing that US calls to get rid of the Great Firewall are simply hypocritical demands for unilateral disarmament and empty political posturing.

[This piece originally appeared at Asia Times Online on March 15, 2013.  It can be reposted if ATol is credited and a link provided.]

The United States has made the interesting and perhaps significant decision to generate a crisis around Chinese cyber-intrusions as the Obama administration enters its second term. With its typical careful, methodical preparation, the Obama administration has been gradually rolling out the Chinese cyber-threat product since November 2011 with escalating evidentiary indictments of Chinese hacking, but without overtly linking these activities to the Chinese government or military. [1]

The most recent shoes to drop were the detailed brief drawn up by Mandiant Corp against the PLA's Unit 61398, allegedly the PLA outfit in the white office building in Shanghai's Pudong District that phished, lurked in, and drained information from scores of US and other Western businesses (the intrusion at the New York Times, which Mandiant also investigated, it attributed to a different Chinese group), and the subsequent calling out of the PRC by name for its cyber-sins by National Security Advisor Tom Donilon. [2]

People hoping for a reset in US-Chinese relations - including the PRC - may feel a twinge of disappointment that the United States has decided to hype another point of US-PRC friction.

Then again, there is the interesting question of whether the White House is trying to conduct a measured escalation, but is getting stampeded by the threat inflation/budget boosting priorities of the US national security apparatus and its eager handmaiden, the Western media.

Donilon came up with a nuanced approach to Chinese cyber-mischief during his speech to the Asia Society, which deserves to be quoted at length.

Bypassing the issue of cyber-spying against military and government targets, which probably falls into the grey area of "everybody does it and why shouldn't they", and defining and limiting the issue to a specific and remediable problem - the massive state-sponsored PRC program of industrial and commercial espionage against Western targets - Donilon's framing placed "cyber-theft" in a category similar to the intellectual property gripe, also known as the systematic piracy of US software, as an information strategy condoned by the Chinese government:
Another such issue is cyber-security, which has become a growing challenge to our economic relationship as well. Economies as large as the United States and China have a tremendous shared stake in ensuring that the Internet remains open, interoperable, secure, reliable, and stable. Both countries face risks when it comes to protecting personal data and communications, financial transactions, critical infrastructure, or the intellectual property and trade secrets that are so vital to innovation and economic growth.

It is in this last category that our concerns have moved to the forefront of our agenda. I am not talking about ordinary cybercrime or hacking. And, this is not solely a national security concern or a concern of the US government. Increasingly, US businesses are speaking out about their serious concerns about sophisticated, targeted theft of confidential business information and proprietary technologies through cyber intrusions emanating from China on an unprecedented scale. The international community cannot afford to tolerate such activity from any country. As the President said in the State of the Union, we will take action to protect our economy against cyber-threats.

From the President on down, this has become a key point of concern and discussion with China at all levels of our governments. And it will continue to be. The United States will do all it must to protect our national networks, critical infrastructure, and our valuable public and private sector property. But, specifically with respect to the issue of cyber-enabled theft, we seek three things from the Chinese side. First, we need a recognition of the urgency and scope of this problem and the risk it poses - to international trade, to the reputation of Chinese industry and to our overall relations. Second, Beijing should take serious steps to investigate and put a stop to these activities. Finally, we need China to engage with us in a constructive direct dialogue to establish acceptable norms of behavior in cyberspace.

We have worked hard to build a constructive bilateral relationship that allows us to engage forthrightly on priority issues of concern. And the United States and China, the world's two largest economies, both dependent on the Internet, must lead the way in addressing this problem. [3]
This rather unexceptionable and reasonable request that the PRC rein in its gigantic program of economic/commercial hacking (cyber-enabled theft, as Donilon put it) and give US businesses a break was not good enough for the Christian Science Monitor, which has apparently shed, together with its print edition, the sober inhibitions that once characterized its news operations.

The CSM's headline:
US tells China to halt cyberattacks, and in a first, lays out demands

Obama's national security adviser, Thomas Donilon, spelled out a more aggressive US stance on the cyberattacks, saying China must recognize the problem, investigate it, and join in a dialogue. [4]
Note in the CSM story the effortless slide down the slippery slope from cyber-theft to cyber-espionage to cyber-attacks (and for that matter, "should" and "needs" to "demands"). Well, fish gotta swim, birds gotta fly, and eyeballs have to be wrenched from their accustomed paths and turned into click-fodder.

And don't get me started on the Pentagon:
A new report for the Pentagon concludes that the US military is unprepared for a full-scale cyber-conflict with a top-tier adversary. The report says the United States must increase its offensive cyberwarfare capabilities. The report also calls on the US intelligence agencies to invest more resources in obtaining information about other countries' cyberwar capabilities and plans.

The Washington Post reports that the report says that the United States must maintain the threat of a nuclear strike as a deterrent to a major cyberattack by other countries. The report notes that very few countries, for example, China and Russia, have the skills and capabilities to create vulnerabilities in protected systems by interfering with components.

The report emphasizes that defensive cyber capabilities are not enough, and that the United States must have offensive cyber capabilities which, when needed, could be used either preemptively or in retaliation for a cyber attack by an adversary. [5]
Security consultant Bruce Schneier addressed the threat inflation issue (and the dangers of trying to design and justify retaliation in the murky realm of cyberspace) in a blog post on February 21:
Wow, is this a crazy media frenzy. We should know better. These attacks happen all the time, and just because the media is reporting about them with greater frequency doesn't mean that they're happening with greater frequency.

But this is not cyberwar. This is not war of any kind. This is espionage, and the difference is important. Calling it war just feeds our fears and fuels the cyberwar arms race.

In a private e-mail, Gary McGraw made an important point about attribution that matters a lot in this debate.

Because espionage unfolds over months or years in realtime, we can triangulate the origin of an exfiltration attack with some certainty. During the fog of a real cyber war attack, which is more likely to happen in milliseconds, the kind of forensic work that Mandiant did would not be possible. (In fact, we might just well be "Gandalfed" and pin the attack on the wrong enemy.)

Those of us who work on security engineering and software security can help educate policymakers and others so that we don't end up pursuing the folly of active defense.

I agree.

This media frenzy is going to be used by the US military to grab more power in cyberspace. They're already ramping up the US Cyber Command. President Obama is issuing vague executive orders that will result in we-don't-know what. I don't see any good coming of this. [6]
Not to worry, is the US attitude.

The United States apparently feels that it can "win the Internet" by harnessing the power of the invincible American technological knowhow to the anti-Chinese cyber-crusade.

In another of the seemingly endless series of self-congratulatory backgrounders given by US government insiders, the godlike powers of the National Security Agency were invoked to Foreign Policy magazine in an article titled Inside the Black Box: How the NSA is helping US companies fight back against Chinese hackers:
In the coming weeks, the NSA, working with a Department of Homeland Security joint task force and the FBI, will release to select American telecommunication companies a wealth of information about China's cyber-espionage program, according to a US intelligence official and two government consultants who work on cyber projects. Included: sophisticated tools that China uses, countermeasures developed by the NSA, and unique signature-detection software that previously had been used only to protect government networks.

Very little that China does escapes the notice of the NSA, and virtually every technique it uses has been tracked and reverse-engineered. For years, and in secret, the NSA has also used the cover of some American companies - with their permission - to poke and prod at the hackers, leading them to respond in ways that reveal patterns and allow the United States to figure out, or "attribute," the precise origin of attacks. The NSA has even designed creative ways to allow subsequent attacks but prevent them from doing any damage. Watching these provoked exploits in real time lets the agency learn how China works.
And amid the bluster, a generous serving of bullshit:
Now, though, the cumulative effect of Chinese economic warfare - American companies' proprietary secrets are essentially an open book to them - has changed the secrecy calculus. An American official who has been read into the classified program - conducted by cyber-warfare technicians from the Air Force's 315th Network Warfare Squadron and the CIA's secret Technology Management Office - said that China has become the "Curtis LeMay" of the post-Cold War era: "It is not abiding by the rules of statecraft anymore, and that must change."

"The Cold War enforced norms, and the Soviets and the US didn't go outside a set of boundaries. But China is going outside those boundaries now. Homeostasis is being upset," the official said. [7]
A more impressive and evocative term than "upset homeostasis" to describe the US cyber-war conundrum is "Stuxnet".

The Obama administration's cyber-maneuverings have been complicated and, it appears, intensified, by the problem that the United States "did not abide by the rules of statecraft" and "went outside the boundaries" and, indeed, became the "Curtis LeMay of the post Cold War era" when it cooperated with Israel to release the Stuxnet exploit against Iran's nuclear program.

That was a genuine piece of cyber-warfare, the effort to sabotage a critical military facility in a pre-emptive attack.

The Obama administration let the central role of the United States, and of President Obama personally, in the Stuxnet attack become known through participants quoted by the New York Times, apparently in a desire to demonstrate his genuine, Iran-hating credentials to skeptical conservatives and national security types prior to the November 2012 presidential election.

And President Obama, in his usual thoughtful way, 'fessed up to the fact that it was the United States that started drawing outside the cyber-warfare lines, as the New York Times' David Sanger reported in his privileged account:
Mr Obama, according to participants in the many Situation Room meetings on Olympic Games [the Stuxnet program], was acutely aware that with every attack he was pushing the United States into new territory, much as his predecessors had with the first use of atomic weapons in the 1940s, of intercontinental missiles in the 1950s and of drones in the past decade. He repeatedly expressed concerns that any American acknowledgment that it was using cyber-weapons - even under the most careful and limited circumstances - could enable other countries, terrorists or hackers to justify their own attacks.

"We discussed the irony, more than once," one of his aides said. Another said that the administration was resistant to developing a "grand theory for a weapon whose possibilities they were still discovering". [8]
Yes, the irony, if irony is defined as "the refusal to acknowledge that what you are doing is the precise opposite of what you are advocating that other people do."

The word "Stuxnet" does not appear in the official US lexicon of dastardly cyber-attacks, even though, in terms of its severity and irresponsibility (in addition to wrecking centrifuges at Iran's Natanz enrichment facility, the worm spread to some 100,000 hosts in 155 countries; oops!), it is truly the poster child for the dangers of the cyber-warfare option.

Instead, the US government has forcefully, if not particularly effectively, attempted to divert attention from Stuxnet to "Shamoon", a nasty piece of malware that wiped office systems at a couple of Middle Eastern energy giants, Aramco (Saudi Arabia) and RasGas (Qatar), in August 2012, two years after the Iranians started grappling with their Stuxnet problem.

As part of the Stuxnet misdirection, Shamoon has become the invoked cyber-attack bugbear of choice, despite the fact that, unlike Stuxnet, it was a crude piece of destructive malware that overwrote files and master boot records on ordinary office computers with a fragment of an image of a burning American flag; it went nowhere near industrial control systems.

There is, of course, no discussion of the distinct possibility that Iran executed the exploit as a piece of cyber-retaliation for Stuxnet, and not as an unprovoked attack. [9]

Before President Obama acknowledged shared paternity in Stuxnet, the United States was engaged in negotiations with China on the very same cyber-warfare norms that exercised the anonymous source in the Foreign Policy article:
While no one has, with 100% certainty, pinned the Chinese government for cyber-attacks on US government and Western companies, in its 2012 report "Military and security developments involving the People's Republic of China", the US secretary of defense considers it likely that "Beijing is using cyber-network operations as a tool to collect strategic intelligence" ...

The report raises China's unwillingness to acknowledge the "Laws of Armed Conflict", which the Pentagon last year determined did apply to cyberspace ... [10]
Not surprisingly, post-Stuxnet the Chinese government has even less interest in the "Law of Armed Conflict in cyberspace" norms that the United States wants to peddle to its adversaries but apparently ignores when the exigencies of US interests, advantage, and politics dictate.

Instead, the PRC and Russia have lined up behind a proposed "International Code of Conduct for Internet Security", an 11-point program that says eminently reasonable things like:
Not to use ICTs including networks to carry out hostile activities or acts of aggression and pose threats to international peace and security. Not to proliferate information weapons and related technologies.
It also says things like:
To cooperate in combating criminal and terrorist activities which use ICTs [information and communication technologies] including networks, and curbing dissemination of information which incites terrorism, secessionism, extremism or undermines other countries' political, economic and social stability, as well as their spiritual and cultural environment. [11]
The United States, of course, has an opposite interest in "freedom to connect" and "information freedom," (which the Chinese government regards as little more than "freedom to subvert") and has poured scorn on the proposal.

The theoretical gripe with the PRC/Russian proposal is that it endorses the creation of national internets under state supervision, thereby delaying the achievement of the interconnected nirvana that information technology evangelists assure us is waiting around the next corner - and also goring the ox of West-centric Internet governing organizations like ICANN.

So the Chinese proposal is going exactly nowhere.

The (genuine) irony here is that the Chinese and Russians are leading the rest of the world in their response to the undeniable dangers of the Internet ecosystem, some of which they are themselves responsible for but others of which - like Stuxnet - can be laid at the door of the US.

In response to hacking, the Internet as a whole has evolved beyond its open architecture to a feudal structure of strongly-defended Internet fortresses, with cyber-serfs free to roam the undefended commons outside the gates, glean in the fields, and catch whatever deadly virus happens to be out there.

In recent months, the word "antivirus" has disappeared from the homepages of Symantec and McAfee as they have recognized that their signature libraries can't keep up with the millions of new malware samples emerging every year, let alone a carefully weaponized piece of code like Stuxnet, and still protect their privileged and demanding users. Now the emphasis - and the gush of VC and government money - has shifted to compartmentalizing data and applications and to detecting an intrusion, limiting the damage, and cleaning up the mess after malware has started rummaging through the innards of an enterprise.

In other words, the Internet fortresses, just like their medieval analogues, are increasingly partitioned into outer rampart, inner wall, and keep - complete with palace guard - in order to create additional lines of defense for the lords and their treasure.

In other words, they are starting to look like the Chinese and Russian national internets.

Despite the precautions, there will always be people vulnerable to social engineering (clicking on a dodgy attachment or link while at work), and there will always be more talented and motivated hackers. And maybe more talented hackers aren't even necessary.

Barbara Demick of the Los Angeles Times located the personal blog of a PLA cyber-drudge who, in addition to blathering about the presumably classified details of his hacking job (such as perfecting a Trojan known as "Back Orifice 2000", a publicly available remote-administration backdoor dating from 1999), moaned about the boredom of hacking for The Man and the embarrassment of looking like a loser at his high school reunion:
My only mistake was that I sold myself out to the country for some minor benefits and put myself in this embarrassing situation. [12]
Critical observers declared that the alleged PLA intrusions documented by Mandiant were conducted by the B Team, inviting the analogy that military hacking is to hacking as military music is to music:
Jaime Blasco, labs director at security tools firm AlienVault, described APT1, aka Comment Crew [which Mandiant associated with 61398], as one of the more successful hacking group based on the number of targets attacked - but not necessarily on the skill level of its members.

"APT1 is one of the less sophisticated groups," Blasco said. "They commonly reuse the same infrastructure for years and their tools are more or less easy to detect. The techniques they use to gain access to the victims are more based on social engineering and most of the times they don't use zero-days exploits to gain access." [13]
Even so, the Chinese intruders Mandiant tracked at the New York Times (a separate group, by Mandiant's reckoning) were inside for months, part of that time, admittedly, while Mandiant watched and analyzed them.

Bottom line: attacks will happen, attacks will succeed, and reliable (or more likely, probable) attribution will emerge only in the days and weeks after detection (detection itself might be a matter of years) through the grinding application of forensics, correlation of information in massive databases, and anxiously parsing leads for reliability and to try and filter out dangerous disinformation.

Absolute cyber-safety, through defense or deterrence against an antagonist, is a chimera. The best hope for the Internet might be "peaceful coexistence" - the move toward cooperation instead of confrontation that characterized the US-USSR relationship when it became apparent that "mutually assured destruction" was leading to a proliferation of dangerous and destabilizing asymmetric workarounds instead of "security through terror".

Or, as the Chinese spokesperson put it in Demick's article:
"Cyberspace needs rules and cooperation, not war. China is willing to have constructive dialogue and cooperation with the global community, including the United States," Foreign Ministry spokeswoman Hua Chunying said at a briefing Tuesday. [14]
It looks like the Obama administration, by carefully and convincingly placing the cyber-theft issue on the table, might be working toward some kind of modus vivendi that leads to a joint reduction of Internet threats - dare I say, win-win solution? - with the PRC.

It remains to be seen if this initiative can withstand the pressures of the US military, security, and technology industries for a profitable threat narrative - and the Obama administration's own inclination toward zero-sum China-bashing.

1. If There's a War With China…, China Matters, February 20, 2013.
2. Exposing One of China's Espionage Units, Mandiant.
3. Remarks By Tom Donilon, National Security Advisory to the President: "The United States and the Asia-Pacific in 2013", March 11, 2013.
4. US tells China to halt cyberattacks, and in a first, lays out demands, Christian Science Monitor, March 11, 2013.
5. U.S. military “unprepared” for cyberattacks by “top-tier,” cyber-capable adversary: Pentagon, Homeland Security Newswire, March 6, 2013.
6. More on Chinese Cyberattacks, Schneier on Security, February 21, 2013.
7. Inside the Black Box, Foreign Policy, March 7, 2013. (subscription only)
8. US digs in for cyber warfare, Asia Times Online, October 13, 2012.
9. America Freaked Out by the Cyberboogeyman It Unleashed, China Matters, October 12, 2012.
10. US hopeful China will recognize its cyber rules, CSO, May 21, 2012.
11. China and Russia's 'International Code of Conduct for Information Security', .nxt, September, 2011.
12. China hacker's angst opens a window onto cyber-espionage, Los Angeles Times, March 12, 2013.
13. APT1, that scary cyber-Cold War gang: Not even China's best, The Register, February 27, 2013.
14. China hacker's angst opens a window onto cyber-espionage, Los Angeles Times, March 12, 2013.

1 comment:

Unknown said...

The US media plays the whole issue as if US hackers don't exist or are completely powerless. Of course, no one brings up STUXNET because doing so would mess up their message which is to urge more investment (tax dollars) in the security industry.