Wednesday, February 20, 2013

Red Guest, Blue Guest: NYT in the Service of the Sino-American Cyberwar


If There’s a War With China…  It’s All Evan Osnos’ Fault!

by Peter Lee - China Matters

Evan Osnos is the China columnist for the New Yorker.
My impression is that he usually covers the social issues/human rights/dissident beat.
However, yesterday, riffing off the news about organized Chinese hacking of US government and private websites, he veered off into counter-proliferationblack ops:

The fact is that the United States government has already shown signs of an energetic capacity for cyber war, as in the case of Stuxnet, the software worm that the U.S., working with Israel, is believed to have used to disrupt Iran’s uranium-enrichment program. Coincidentally, I happened to ask some North Korea experts last week if Pyongyang’s latest round of nuclear tests might make it a prime target for a Stuxnet-style intervention. “The only time I heard anything along such lines recently was suspicion that the April launch failure may have resulted from cyber attack—but that was in the realm of conspiracy theory,” John Delury, of Yonsei University, in Seoul, told me. 
As long as it’s in the realm of the theoretical, here’s another twist: given China’s vocal frustration with its erstwhile allies in Pyongyang, and China’s fondness for cyber adventures, any chance that China might try a Stuxnet approach to slow down a headache on its northeast border? From what I gathered, the chances were slim, in part because of operational differences between Iran and North Korea. “Do the Chinese know which industrial-control systems are in place?” Adam Segal, of the Council on Foreign Relations, asked. “Could they deliver the malware to a system that is most likely ‘air gapped’ and not connected to the Internet? Could they be sure that the infection wouldn’t spread—back to China or to U.S. or others? Do D.P.R.K. nuclear scientists travel? Is it possible to leave thumb drives around with no one noticing?”

On a couple of levels I am gobsmacked by Olnos’ blithe presumption.

I will set aside for the time being his rather fanciful view of the dynamics underlying PRC-DPRK relations. Suffice to say that Beijing’s vision for sustaining its rather precarious economic and political sway over the northern half of the Korean peninsula do not involve sabotaging Pyongyang’s most cherished strategic initiative.

But as to the casual attitude toward a “Stuxnet approach”, Stuxnet was an act of war. Full stop. If the PRC or anybody else did that to us, they would face the prospect of direct, escalating retaliation.

If one is looking for an explanation for why cyberwarfare has become an obsession of the Department of Defense, with the planned addition of thousands of specialists to “Cyber Command”, and why President Obama raised the spectre of cyberwarfare in his State of the Union address, look no further than Stuxnet.

I believe the stories of massive hacking effort condoned and directed by the PRC government, and the significant value of the intellectual property and secrets extracted.

But for the sake of clarity, let’s call it “cyberespionage”.

Cyberwarfare—the destruction of military, industrial, or infrastructure facilities i.e. acts of war—is qualitatively different.

I also believe that the reason that that the reason that Chinese cyberespionage is hyped today (and conflated into the “cyberwarfare” category) is to distract attention from the US complicity in an irrevocable escalation of cyberwarfare, and to prepare public opinion against the day when this weapon is turned against us.

In the same article that Osnos advances the narrative of the dire character of Chinese hacking (After years of warnings that Chinese hacking was a rising threat, the Mandiant study, and the willingness of U.S. officials to confirm many of its findings, signal a blunt new American counteroffensive against the era of Chinese cyber attacks), he proposes that the PRC might engage in a Stuxnet-type exploit of cross-border military sabotage.

There’s a qualitative difference in what the PRC has been accused of in the past, and what the US did with Stuxnet.

That’s not because the PRC is run by wonderful, peace-loving people--or because the PRC has not developed any cyberwar weapons (for one thing, I expect the PRC's computer scientists have been interested and involved participants in Iran's struggles with Stuxnet).

It’s because the PRC is extremely careful to avoid cycles of escalation with US power, preferring to counterpunch asymmetrically.

In defense matters, the asymettric doctrine is embodied in “non-interference in the affairs of sovereign states” as a bedrock value, one that provides China with a ready, if ever-eroding, bulwark against US “pre-emption” and “R2P” doctrines which leverage US military and technological superiority across national borders, and the ability for unmatchable escalation that is at the heart of the American game.

That isn’t a diplomatic and strategic shield to be abandoned lightly for the transient pleasures of fucking with North Korea’s nuclear program, or other cyberwarfare shenanigans, for that matter.

So I found Osnos’ speculation rather clueless, both in the matter of his understanding of the PRC security mindset and in the matter of his apparent utter gormlessness as to the significance of the Stuxnet exploit.

I will speculate that Olnos’ level of comfort with the “Stuxnet approach” has a lot to do with the fact that “we did it first, so it must be OK.”

Well, it’s not OK, and President Obama realizes it and the Pentagon realizes it, as can be seen from the attached piece.

But if Evan Osnos thinks it’s OK, and his ignorance is contagious, we’re closer to the day when US cyberaggression against China can be excused and advocated as “less than war” and any Chinese retaliation will, inevitably, be condemned as “an act of war”.

So Evan, if there’s a war with China…it’s your fault!

Crossing the Digital Line


President Obama chose to open the Pandora’s box of cyberwar with the Stuxnet attack on Iran’s centrifuge operations. In the process, he made a mockery of the Pentagon’s attempts to establish the rules of cyberwarfare in discussions with a most active and interested adversary--China.


Now, it is almost inevitable that, in addition to potential battlefields on land, sea, and in the air, the escalating and repeating cycle of genuine risk, threat inflation, politicized fearmongering, destabilizing challenges, and growing polarization, accompanied by expanded missions and fattened budgets for the security establishment and its defense contractors —will apply to the US-PRC cyber-arena.


China, of course, is an enthusiastic practitioner of every commercial, military, and diplomatic hack known to science and, it can be safely assumed, is developing its own suite of cyberweapons.

I expect Stuxnet also provides adequate inspiration and justification for the Chinese security and defense establishment to further formalize and professionalize its cyberwar operation and bloat its budget.


Chinese hacks against US targets have traditionally been attributed to freelancers indirectly steered by the Chinese government in order to preserve deniability, as I wrote for Asia Times in April 2012:
China is notorious for its interest in cyber-war as an asymmetric counter to the conventional military superiority of the United States ... and for its apparent willingness to farm out, encourage, or benefit from private hacker initiatives.

On 2010, Mara Hvistendahl wrote in Foreign Policy:
[T]he hacking scene in China probably looks more like a few intelligence officers overseeing a jumble of talented - and sometimes unruly - patriotic hackers. Since the 1990s, China has had an intelligence program targeting foreign technology, says James A Lewis, senior fellow for cyber-security and Internet policy at the Center for Strategic and International Studies. Beyond that, however, things get complicated. "The hacking scene can be chaotic," he says. "There are many actors, some directed by the government and others tolerated by it. These actors can include civilian agencies, companies, and individuals." [3]
Patriotic hackers in China are called "hong ke" or "red guest", a pun on the phonetic rendering "hei ke" or "black guest" for hacker.

Their patriotic cyber-duties included destroying the online presence of South Korean boy band Super Junior after an unruly and undignified crowd of Chinese fans clamored to hear the band at the Shanghai World Expo and embarrassed Chinese nationalists. [4]

They also weigh in on foreign issues of greater moment, mixing it up with their Japanese counterparts when Sino-Japanese passions are inflamed by visits to the Yasukuni Shrine or the collision between a Chinese fishing boat and Japanese coast guard vessel off Diaoyutai/Senkaku in 2010.

But their major utility to the Chinese government may be their ability to generate chaff - a barrage of cyber-attacks to distract and overwhelm US security specialists trying to cope with China's pervasive, professional program of industrial and military espionage - and give the People's Republic of China (PRC) government deniability when hacking is traced to a Chinese source.

Chinese industrial cyber-espionage has emerged as a dominant near-term security concern of the United States.

The Barack Obama administration went public with its case against China in November 2011, with a report on industrial espionage titled Foreign Economic Collection. It described China rather generously as a "Persistent Collector" given the PRC's implication in several high-profile industrial espionage cases and soft-pedaled the issue of official Chinese government involvement. The report stated:
US corporations and cyber-security specialists also have reported an onslaught of computer network intrusions originating from Internet Protocol (IP) addresses in China, which private sector specialists call "advanced persistent threats." Some of these reports have alleged a Chinese corporate or government sponsor of the activity, but the IC [intelligence community] has not been able to attribute many of these private sector data breaches to a state sponsor. Attribution is especially difficult when the event occurs weeks or months before the victims request IC or law enforcement help. [5]
A month later, in December 2011, US criticism of China became a lot more pointed. Business Week published an exhaustive report on Chinese cyber-espionage, clearly prepared with the cooperation of federal law enforcement authorities as it named and described several investigations:
The hackers are part of a massive espionage ring codenamed Byzantine Foothold by US investigators, according to a person familiar with efforts to track the group. They specialize in infiltrating networks using phishing e-mails laden with spyware, often passing on the task of exfiltrating data to others.

Segmented tasking among various groups and sophisticated support infrastructure are among the tactics intelligence officials have revealed to Congress to show the hacking is centrally coordinated, the person said. US investigators estimate Byzantine Foothold is made up of anywhere from several dozen hackers to more than one hundred, said the person, who declined to be identified because the matter is secret.
[6]
United States security boffin Richard Clarke had this to say about Chinese cyber-espionage in an interview with Smithsonian magazine:
"I'm about to say something that people think is an exaggeration, but I think the evidence is pretty strong," he tells me. "Every major company in the United States has already been penetrated by China."

"What?"

"The British government actually said [something similar] about their own country."

Clarke claims, for instance, that the manufacturer of the F-35, our next-generation fighter bomber, has been penetrated and F-35 details stolen. And don't get him started on our supply chain of chips, routers and hardware we import from Chinese and other foreign suppliers and what may be implanted in them-"logic bombs," trapdoors and "Trojan horses," all ready to be activated on command so we won't know what hit us. Or what's already hitting us.
[7]
Some big numbers are being thrown around to publicize the Chinese threat.

Business Week's report, while admitting the woolliness of its methodology, stated that losses to American companies from international cyber-espionage amounted to US$500 billion in a single year.

Scott Borg, director of a non-profit outfit called the US Cyber Consequences Unit told Business Week:
"We're talking about stealing entire industries ... This may be the biggest transfer of wealth in a short period of time that the world has ever seen."
Beyond these apocalyptic economic and military scenarios, we might also descend to the personal and political and point out that Google, a favorite target of Chinese cyber-attacks, is Obama's friend, indispensable ally, brain trust and source of personnel in the high-tech sector.

Connect the dots, and it is clear that the Obama administration, in its usual meticulous way, is escalating the rhetoric and preparing the public and the behind-the-scenes groundwork for major pushback against China in the cyber-arena.

When the New York Times (and Bloomberg and the Wall Street Journal) got hacked after printing embarrassing stories about the immense family wealth of Chinese leaders at the end of 2012, the dominant meme was still the “amateur hacker” as “nationalist vigilante” determined to avenge the affront to China’s dignity.

However, I was struck by the fact that the hackers explored the New York Times system primarily to identify sources for the offending articles.

Perhaps the intruders simply wanted reveal the names in order to incite a “flesh engine search” so that the sources would face the rough justice administered by the PRC’s nationalistic netizens (though I haven’t heard that any source was exposed on the Chinese internet)…but to me it appears more plausible that somebody in the PRC security apparatus wanted to find out-- for internal use--who violated party discipline by leaking personal information on the families of top leaders from the files of the Organization Department.

It was also interesting to me that, according to the Times, most of the hacks occurred during business hours…Chinese time. The implication being, the PRC is moving away from the freelance hacker model to employing salaried drones who punch the clock at 8:00 am and spend their day grinding down a punchlist of planned cyberintrusions.

The United States, of course, has not been standing idly by.

In a parallel to the alleged Chinese regime patronage of freelance hackers, the United States Department of Defense also has a history of recruiting black-hat hackers to provide the DoD with expertise or…whatever.

I profiled one of the first publicized freelance hacks of Chinese sites, by one “Hardcore Charlie” on the occasion of a blizzard of hacks by “Anonymous China” against several hundred sites, many of which, like the Taoyuan Land Reform Bureau’s, were low-level and presumably poorly secured.

“Hardcore Charlie”’s hack attracted some media attention because his hack of the China Electronics Import & Export Corp. website scored some puzzling and confidential if not particularly useful documents: shipping manifests for contractors trucking supplies to US bases in Afghanistan.

I don’t know of “Hardcore Charlie” hacked the website of the China Electronics Import and Export Corporation for lulz, from principled outrage, or because he thought or was told that he could avoid the prosecutorial hammer currently descending on associates in his hacker collective by executing a China hack at the behest of the US government.

In any case, judging by his manifesto, Hardcore Charlie does not look like the model cyber-soldier:

Hola comradezz, Today us prezenta recently owneed chino military kontraktor CEIEC Us be shoked porque their shiiit was packed with goodiez cummin froma USA Military brigadezz in Afghanistan, them lulz hablando mucho puneta sam slit eyed dudz in Vietnam and Philiez doing bizness in Ukraine and Russia selling goodiez to Taliban terrorists.

As the US and China professionalize its cyber forces—and expand their capabilities beyond espionage and low level harassment to inflicting real-world damage and casualties—freelancers like Hardcore Charlie, with his affection for anti-imperialist thrash metal, will be remembered as quaint artifacts of a simpler, more innocent bygone age when the devastation of a cyberattack was measured by the brilliance of the taunting gif deposited on the victim’s homepage.

The U.S. military has a strong bias toward formalizing and institutionalizing aggression in order to prevent uncontrolled and counterproductive actions by its own forces, allies, and proxies, and trying to get its antagonists to accept the same norms. As will be seen below, the U.S. military has already had an unsuccessful go at trying to define the rules of cyber-engagement with the Chinese before Stuxnet blew the American argument out of the water.

However, cyberwarfare is in a different class from other forms of unconventional warfare.

Because of the central feature of the Internet—its interconnectedness—it is extremely difficult to assure a high level of security and containment in the case of an attack and prevent unpredictable and extensive “collateral damage”...

…even if cyber attacks are executed by serious people in crisp military uniforms who have been trained to the highest level of readiness through cogent Powerpoint presentations and loyally obey crystal-clear orders transmitted down the chain of command from omniscient strategists and tacticians.

In fact, I might say that it was…irresponsible…for President Obama to get the world into the cyberwarfare business.

The US government has been frantically cleaning up the Stuxnet cybermess, as can be seen from this post from last year, with a new afterword.


No comments: