Chinese Denials of Cyber-Attacks Not Credible

October 31st, 2011 | Foreign Affairs, Leadership, Terrorism, The Internet

Last week, the U.S.-China Economic and Security Review Commission, which was created by Congress in 2000 to monitor, investigate, and report on national security implications of the relationship between the U.S. and China, reported in a draft of its annual report that the computer command systems of two U.S. satellites, Landsat-7 and Terra AM-1, were hacked into between October 2007 and October 2008:

The responsible party achieved all steps required to command the satellite…. Such interference poses numerous potential threats, particularly if achieved against satellites with more sensitive functions. Access to a satellite’s controls could allow an attacker to damage or destroy the satellite. An attacker could also deny or degrade as well as forge or otherwise manipulate the satellite’s transmission.

The draft report noted that the cyber-attacks were similar to those committed in the past by the Chinese military.

Predictably, today China denied that it was involved in the attacks. Xinhua, the government-controlled Chinese news agency, quoted Chinese Foreign Ministry spokesman Hong Lei, who protested:

This commission always observes China through tainted glasses. The report is totally factitious, made with ulterior motives, and does not warrant refuting.

Hmm.

Of course if, as Hong stated, the report truly “does not warrant refuting,” then why did the Chinese government bother to “refute” it?

Especially given the fact that the Commission did not directly accuse China of committing the cyber-attacks.

Well, as Shakespeare wryly observed:

The lady doth protest too much, methinks.

(Hamlet, Act 3, scene 2, 222–230.)

Of course, as Disordered Liberty has previously commented, the Chinese have actively engaged in cyber-espionage and cyber-attacks for years. (See Will the Chinese Apply Their New Anti-Terrorism Law to Their Own Cyber-Attacks, http://www.disorderedliberty.com/?p=720.)

The record of China’s malicious misuse of the internet is well documented. For example, in its 2010 Report to Congress, the U.S.-China Economic and Security Review Commission concluded:

China’s government, the Chinese Communist Party, and Chinese individuals and organizations continue to hack into American computer systems and networks as well as those of foreign entities and governments. The methods used during these activities are generally more sophisticated than techniques used in previous exploitations. Those responsible for these acts increasingly leverage social networking tools as well as malicious software tied to the criminal underground.

Recent high-profile, China-based computer exploitations continue to suggest some level of state support. Indicators include the massive scale of these exploitations and the extensive intelligence and reconnaissance components.

In 2010, China’s ‘‘Great Firewall’’ affected select U.S. Internet users, and a state-owned Chinese Internet Service Provider ‘‘hijacked,’’ or inappropriately gained access to, select U.S. Internet traffic. Other nations were also affected in these incidents.

Chinese authorities are tightening restrictions on foreign high technology firms’ ability to operate in China. Firms that fail to comply with the new regulations may be prohibited from doing business in Chinese markets. Firms that choose to comply may risk exposing their security measures or even their intellectual property to Chinese competitors.

(Chapter 5: China and the Internet; Section 2: External Implications of China’s Internet–Related Activities)

In reaching these conclusions, the Commission specifically noted the following acts of Chinese cyber-espionage and cyber-attacks:

In early 2010, reports emerged of a large-scale cyber attack against Google’s operations in China. In January, Google’s chief legal officer announced that in mid-December 2009, Google had ‘‘detected a highly sophisticated and targeted attack on [its] corporate infrastructure originating from China that resulted in the theft of intellectual property,’’ later reported to be the firm’s invaluable source code. Evidence from the ensuing investigation suggested that another ‘‘primary goal of the attackers was accessing the [Google e-mail] accounts of Chinese human rights activists.’’ Investigators determined that the breach constituted one component of a larger computer network exploitation campaign targeting ‘‘a wide range of businesses—including the Internet, finance, technology, media, and chemical sectors,’’ with perhaps 33 or more other victim companies. Computer security professionals now widely refer to this campaign as ‘‘Operation ‘Aurora’ ’’ following revelations, based on technical indicators, that the perpetrators referred to the exploitation as such.

***

Other reports about Chinese-backed malicious cyber activity persisted throughout 2010. Quantifying the pervasiveness of such malicious activity remains challenging, but one analysis revealed that over 28 percent of all targeted phishing e-mails originate in China. Anecdotal reports about the success of these activities continue to surface, some with compelling links to the Chinese government. One exceptionally well-documented study of a cyber intrusion against the Indian government deserves further discussion.

In April 2010, the Information Warfare Monitor and the Shadowserver Foundation released a detailed report called ‘‘Shadows in the Cloud’’ that describes an elaborate computer exploitation campaign. According to the report, a China-based computer espionage network targeted primarily Indian diplomatic missions and government entities; Indian national security and defense groups; Indian academics and journalists focused on China; and other political institutions in India, as well as the Office of His Holiness, the Dalai Lama. The network also compromised computers in at least 35 other countries, including the United States. Although the full extent of the exploitation remains unknown, the investigators determined that those responsible successfully obtained sensitive files, apparently belonging to the Indian government. Files removed included ‘‘one document that appears to be encrypted diplomatic correspondence, two documents marked ‘‘SECRET,’’ six as ‘‘RESTRICTED,’’ and five as ‘‘CONFIDENTIAL.’’

(Id., footnotes omitted.)

In a previous report, the Commission found:

Foreign intelligence services have discovered that unclassified US government and private sector information, once unreachable or requiring years of expensive technological or human asset preparation to obtain, can now be accessed, inventoried, and stolen with comparative ease using computer network operations tools. The return on present investment for targeting sensitive US information in this way (the intelligence gain) can be extraordinarily high while the barriers to entry (the skills and technologies required to implement an operation) are comparatively low.

Many countries are in the process of developing capabilities to either respond defensively to this threat or build their own offensive network operations programs, however, China is most frequently cited as the primary actor behind much of the activity noted in media reporting, and US officials are increasingly willing to publicly acknowledge that China’s network exploitation and intelligence collection activities are one of this country’s most consuming counterintelligence challenges.

China’s development of its computer network operations capability extends beyond preparations for wartime operations. The PLA and state security organizations have begun employing this capability to mount a large scale computer network exploitation effort for intelligence gathering purposes against the US and many countries around the world, according to statements by US officials, accusations by targeted foreign governments, and a growing body of media reporting on these incidents.

A long term, persistent campaign to collect sensitive but unclassified information from US Government and US defense industry networks using computer network exploitation techniques, long attributed to China, has successfully exfiltrated at least 10 to 20 terabytes of data from US Government networks as of 2007, according to US Air Force estimates and that figure has possibly grown in the past two years, though no figure is publicly available.

* * *

General James Cartwright, while serving as the Combatant Commander of US Strategic Command, testified before a Congressional commission that China is actively engaging in cyber reconnaissance by probing the computer networks of U.S. government agencies as well as private companies. He further noted that the intelligence collected from these computer reconnaissance campaigns can be used for myriad purposes, including identifying weak points in the networks, understanding how leaders in the United States think, discovering the communication patterns of American government agencies and private companies, and attaining valuable information stored throughout the networks.

A review of the scale, focus, and complexity of the overall campaign directed against the United States and, increasingly, a host of other countries around the world strongly suggest that these operations are state-sponsored or supported. The operators appear to have access to financial, personnel, and analytic resources that exceed what organized cybercriminal operations or multiple hacker groups operating independently could likely access consistently over several years. Furthermore, the categories of data stolen do not have inherent monetary value like credit card numbers or bank account information that is often the focus of cybercriminal organizations. Highly technical defense engineering information, military related information, or government policy analysis documents are not easily monetized by cybercriminals unless they have a nation-state customer, making the activity “state-sponsored” by default, regardless of the affiliation of the actual operators at the keyboard.

(Capability of the People’s Republic of China to Conduct Cyber Warfare and Computer Network Exploitation, October 9, 2009, footnotes omitted.)

Until the U.S. is willing to aggressively confront the Chinese government regarding its state-sponsored cyber-intrusions, Beijing, much like a small child, will undoubtedly continue to engage in its bad behavior.
