Myths and realities of China’s 21st-century digital war

Monday, June 16, 2008

Myths and realities of China’s 21st-century digital war

The questions kept coming. Kay barely had a chance to touch his lunch. Card asked, “You told us about the U.S. intelligence service. Who do you think runs a really good intelligence service?”

”In my experience, it was not the British or the Israelis, despite their reputation,” [David] Kay said. MI6 and Mossad were legends in the intelligence world, but Kay said he was not always impressed with the usefulness of their product. “In my judgement, the best one is the Chinese.”

“Yeah, they’re always trying to steal our technical secrets,” Bush said.

- State of Denial, Bob Woodward

It’s a frightening concept: a nation that might have more hackers than other countries have citizens, working ceaselessly to burrow their way into the most hallowed digital recesses of foreign governments’ databases. Millions of diligent code-slingers, the “Geek Brigade,” in small dark rooms littered with computer parts and food wrappers click-clacking on keyboards and chipping away at 1’s and 0’s as the ramparts of our cyber defenses fall away and China moves towards a position of “electronic dominance.”

It’s a scene that’s easily conjured and, perhaps, even more quickly accepted. Along with math and science, unmatched technical savvy is pretty much expected of Asians. But are the Chinese really employing armies of stealthy cyber soldiers?

There certainly is no shortage of accusations, most recently with the allegations that a several US congressmen’s computers have been breached. The evidence seems to be pretty straight forward: several computers are hacked, the information taken is regarding “apparently” regarding Chinese dissidents, and following one of the attacks someone in a car with plates registered to Chinese officials was supposedly seen outside of the house of a Chinese dissident taking pictures.

The list goes on and on. There’s the allegations that Chinese hackers caused the blackout of 2003. There also numerous alleged attacks on governments large and small: Britain, the US, Germany and the great state of Pennsylvania to name a few.

It doesn’t stop with hacking. Just consider where most of the parts for our computers are produced. Ever heard of a kill switch? Essentially, it’s a tiny number of transistors on a chip that make remote access, reprogramming, and shut down commands possible, and the shear magnitude of transistors found on every chip makes these kill switches nearly impossible to detect:

Dean Collins, deputy director of DARPA's Microsystems Technology Office and program manager for the Trust in IC initiative... notes that many defense contractors rely heavily on field-programmable gate arrays (FPGAs)—a kind of generic chip that can be customized through software... "If you make a mistake on an FPGA, hey, you just reprogram it," says Collins. "That's the good news. The bad news is that if you put the FPGA in a military system, someone else can reprogram it."

Almost all FPGAs are now made at foundries outside the United States, about 80 percent of them in Taiwan. Defense contractors have no good way of guaranteeing that these economical chips haven't been tampered with. Building a kill switch into an FPGA could mean embedding as few as 1000 transistors within its many hundreds of millions. "You could do a lot of very interesting things with those extra transistors," Collins says.

Then there are the spies and the allegations of laptop copying.

There is no doubt that China is spying on the US to an extent that demands attention. Hell, it’s real enough for the US to integrate Macs into systems “to make them harder to hack.” Indeed, some would say, and did, that the level of espionage is reminiscent of the good old days, during the Cold War.

In light of all this, Benjamin Friedman at the Cato Institute brings up some good questions, in reference to this widely-cited article, about what might happen when you have a bona fide, undeniable security threat from a country like China (e.g. it makes it really easy to blame them for everything).

But anyone can see dodgy sourcing. Harris’ blackout scoop comes from the former president of something called the Cyber Security Industry Alliance who claims that he heard it from intelligence sources. In support of this contractor’s claim, the article quotes a bunch of federal officials paid to combat cyber-threats. They say, essentially, “Yes, it’s possible the Chinese did this, but we can’t say more.” Technical details aren’t included. It’s a secret, we’re told. The article only briefly discusses the very plausible explanations for both blackouts that don’t involve Chinese hackers. In the 2003 case, at least, that multi-causal story is backed by extensive investigations on the public record.

Another problem is the article’s uncritical acceptance of the claim that the Chinese government employs a hacker militia to attack US websites. No evidence is offered beyond the assertions of an intelligence official employed to combat cyber-threats, a security contractor who works for such officials, and one consultant / analyst. No doubt there are lots of Chinese hackers breaking into US networks. After all, there are lots of Chinese. But why should we believe that these hackers are agents of the Chinese state rather than bored teenagers in Internet cafés? However malicious its intent, why would the Chinese government want to outsource its espionage to a bunch of underemployed programmers?

The story also reports on several Chinese efforts to steal information from US corporate executives and government officials. These stories are plausible – but two caveats could have been highlighted. First, our military and intelligence agencies almost certainly hack into Chinese networks and steal information. Second, there is no official claim in this story or elsewhere, despite all the sound and fury, that Chinese hackers have broken into classified US networks and gathered useful information.

In light of this, I went back to some of the articles I’ve read over the last year. Many of the cases do seem quite convincing, especially those emanating from the Pentagon and the German government. I noticed, though, in some cases that I, personally, had mistaken the hacking by one person, in the case of Pennsylvania, as an accusation of Chinese government action. Several other articles site “unnamed sources” or “intelligence officials,” in little, if anything, else. Even Congressman Smith from the first article stipulates that “"This doesn't absolutely prove Beijing was behind the attack. But it raises very serious concern that it was,” and of course the Chinese government is demanding some proof.

Which all has me asking, what do these allegations that don’t prove Beijing’s part in the attacks do to the character of the country or group making the claims. A part of me feels that all it does is push China in a direction we wouldn’t want them to go, under the assumption that no matter what they do, they’ll still be blamed for these attacks.

Again, there is a lot of evidence that leads one to believe that China is doing this, but very little of it is released to the public, aside from shadowy unnamed sources.

What’s always important to remember, though, is that every other country is likely to do its damndest to reciprocate. I have little doubt the the US hacks anywhere it can into Chinese government computer systems on a regular basis.