February kicked off with reports from the New York Times that their computer networks had been breached by Chinese hackers. A few weeks later, the US computer security firm Mandiant released a report which purported to link Chinese cyber attacks against 141 US companies to a section of the People’s Liberation Army (Unit 61398). Just two days after the release of the report, the US government announced a new strategy for dealing with such attacks and released a 142 page policy document on “Mitigating the Theft of US Trade Secrets”.
This all makes for excellent drama. State sponsored villainy, high-tech skullduggery and victims facing clear and present danger. The media frenzy that followed is understandable, predictable and completely dangerous. We have seen this movie before and with the ever-growing moves to militarise the internet, it would behoove us to pause for a bit before hauling out the pitchforks.
Does China have a military unit dedicated to Computer Network Operations (CNO)? Certainly. But this is perfectly normal for most developed countries today. Wikipedia claims that Israeli Unit 8200 is the largest unit in the Israeli army, and the American NSA has always taken pride in the number of PhD mathematicians it employs. Lots of ink has been dedicated over the past few years to the formation of US Cyber Command, which is dedicated to US cyberspace operations, and there have been just as many articles written on the drive to draft cyber warriors into the military (recently, the DoD even created new medals to hand out for this “new” theatre of war).
So the existence of a dedicated Chinese unit for signals intelligence and cyberwar is not news, and the fact that this unit would recruit from the science and engineering faculties of Chinese universities should hardly come as a surprise. What is surprising is the unfaltering belief that since attacks come from IP addresses in the same geographic region as a PLA unit, ipso facto, the attacks are state sponsored and need some sort of government response.
For context, the area in question is about the size of Los Angeles and houses over 5 million people (making it roughly the equivalent of the second most populated US city). Claiming that attacks originating from anywhere in this city must imply the involvement of Unit 61398 is a stretch and ignores a raft of other possibilities.
So why do so many people so readily believe that attacks from China are state sponsored?
An argument is made that the attacks show coordination and shared purpose that implies a state sponsored mission. We know from recent history that the one does not imply the other. When Anonymous (and its splinter group Lulzsec) relentlessly attacked the Japanese Sony Corporation and brought down the Playstation network (compromising Sony sites worldwide), was the natural assumption that this was a US state sponsored attack against Japan? When the US hosts hundreds of conferences every year dedicated to hacking and computer security, is it accused of promoting cyber terrorism?
Another weak argument that is often bandied about is that the attacks show a scale that must imply the employment of thousands dedicated to the task (which must imply government funding). Again, we know that this is not true. The internet is a force multiplier and allows a handful of smart engineers to build infrastructure that scales exponentially. Don’t believe me? Ask Instagram, who managed to use a dozen engineers to build a service that scales to service millions (while generating billions in income).
Many assume that the existence of the “Great Firewall of China” means that the PLA has tight control over the entire Chinese internet space. A brief glance through the address space shows that this simply isn’t true. In 2011, a security researcher discovered that a popular Chinese entertainment programme inadvertently left an open proxy listening on every machine that ran the software. Presto, with one piece of misconfigured software, we have “100 million open proxies in China”. An open proxy means that anyone can co-opt the machine to relay traffic on their behalf, so the source address a victim sees is the proxy’s, not the operator’s (which probably explains why so many attacks seem to be coming from Chinese address-space).
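To make the attribution point concrete, here is an added example (not code from the original article) that takes a few constructed web-server log lines, maps each source address to a region through a stand-in GeoIP prefix table, and separately counts how many of those hits arrived through a prefix known to host open proxies. The log lines, the prefix table and the open-proxy list are all constructed for this example using RFC 5737 documentation addresses, and stand in for a real GeoIP database and threat-intelligence feed.

```python
import ipaddress
import re
from collections import defaultdict
# Constructed sample log lines (RFC 5737 documentation addresses, not real hosts).
LOG_LINES = [
    '203.0.113.7 - - [21/Feb/2013:10:01:02 +0000] "GET /login HTTP/1.1" 200 512',
    '203.0.113.9 - - [21/Feb/2013:10:01:05 +0000] "POST /login HTTP/1.1" 401 128',
    '198.51.100.4 - - [21/Feb/2013:10:02:11 +0000] "GET /admin HTTP/1.1" 403 96',
    '192.0.2.33 - - [21/Feb/2013:10:03:40 +0000] "GET /index.html HTTP/1.1" 200 2048',
    'garbage line that should be skipped',
]
# Constructed stand-ins for a GeoIP prefix table and an open-proxy prefix feed.
GEO_BY_PREFIX = {
    ipaddress.ip_network("203.0.113.0/24"): "City A",
    ipaddress.ip_network("198.51.100.0/24"): "City A",
    ipaddress.ip_network("192.0.2.0/24"): "City B",
}
OPEN_PROXY_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]
# Common Log Format: the client address is the first field.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3}')

def parse_source_ips(lines):
    """Return the client IPs of well-formed CLF lines; malformed lines are skipped."""
    ips = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            try:
                ips.append(ipaddress.ip_address(m.group("ip")))
            except ValueError:
                pass  # first field was not a valid address
    return ips

def geolocate(ip):
    # Map an IP to a region via the prefix table, or 'unknown' if no prefix matches.
    return next((r for p, r in GEO_BY_PREFIX.items() if ip in p), "unknown")

def is_open_proxy(ip):
    return any(ip in p for p in OPEN_PROXY_PREFIXES)

def attribute_by_region(lines):
    """Count hits per region and how many arrived through a known open proxy.
    A large via_open_proxy share means the region locates the relay, not the operator."""
    summary = defaultdict(lambda: {"total": 0, "via_open_proxy": 0})
    for ip in parse_source_ips(lines):
        row = summary[geolocate(ip)]
        row["total"] += 1
        if is_open_proxy(ip):
            row["via_open_proxy"] += 1
    return dict(summary)
```

With the constructed data, two of the three hits attributed to "City A" came through the open-proxy prefix, which is exactly the situation where a per-region count says nothing about who sent the traffic.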
The thought of state sponsored attackers helps us feel better about the fact that we are so easily compromised, but the truth of the matter is that we are so easily compromised because for the most part, we haven’t figured out yet how to properly defend ourselves on the internet. This is another topic for another day, but one I have previously written about here.
Even if we accept the premise of the Mandiant report, the squeals from the US about these cyber espionage attacks ignore some ironic bits of history.
To date, the largest documented offensive cyber operations in the world were conducted by the USA and Israel in the form of 2010’s Stuxnet and Flame attacks against Iran. Even relatively passive countries that were avoiding the topic of cyberwar were forced to re-evaluate their positions post-Stuxnet.
But this is state sponsored corporate espionage, not cyberwar, which makes it all different. Once more, a brief history lesson makes sense.
The European Parliament session document from 2001 covering the USA’s Echelon programme lists a number of egregious instances of US cyber espionage being used to benefit US based corporations over their European counterparts.
– The NSA intercepted communication between Airbus and the Saudi Arabian government during contract negotiations and forwarded this communication to Boeing and McDonnell-Douglas (who went on to win the contract instead).
– The NSA forwarded technical details of an engineering design to a US based firm (who then patented the design before the original inventors).
– The CIA hacked into the Japanese Trade Ministry to obtain details informing their negotiation on quotas for US cars.
– The NSA intercepted communications between VW and Lopez (and then forwarded this information to General Motors).
– NSA surveillance of the Thomson-CSF/Brazil negotiations (for a billion dollar contract) was forwarded to Raytheon (who were later awarded the contract instead).
So China doesn’t exactly have the monopoly on cyber warfare or industrial espionage. In fact, it is fairly well understood that most modern states are engaged in similar activities against each other.
The new policy document pushed through by the White House includes the promise of “Enhanced Domestic Law Enforcement Operations” and “Improved Domestic Legislations” as two of its five strategic action items.
The penny drops.
First comes the bogeyman, and then comes the protection we need – more legislation and more law enforcement. Again, this all has a strangely familiar feeling.
There is a huge lobby in the US desperate to reclaim engineering jobs that have been shipped to China, and there is a huge lobby of hawks who are beginning to realise that the military digital complex can be even more profitable than the military industrial complex was. There is a powerful lobby that constantly pushes for increased regulation and there is an ever-increasing call for freedom-restricting technology that limits anonymity and online whistle-blowing.
All of them benefit from hyping the Chinese-Cyber-Demon and we would be well advised to make sure that we don’t let scary headlines, injured pride and our desire for online safety make us give up essential online liberties. We have made this mistake before.
Haroon Meer is the founder of Thinkst, an Applied Research company with a deep focus on information security.
You can follow him on Twitter: @haroonmeer