The Red Menace Blame Game - Why China is the World's Favorite Usual Suspect in Cyber Attacks
A fairy tale has crept its way into the collective western InfoSec mindset and poisoned the well of reason and rational thought. I am referring to what I like to term “Lazy Neo-McCarthyism”, i.e. blaming the Red Menace, a.k.a. China.
It seems that every other cyber-incident, security breach or strain of malware is attributed to the superpower of the east.
The evidence for China’s involvement is often flimsy: an IP traced back to Chinese cyberspace, or a few Chinese characters or references on the digital corpse left on a victim’s computing device. It’s as though we have gone back to an age before enlightenment, when forensics were an un-invented science, when hearsay, superstition and jingoism were sufficient evidence and tortured confessions were the height of forensic investigative accomplishment.
“All warfare is based on deception. Hence, when able to attack, we must seem unable; when using our forces, we must seem inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near.” -Sun Tzu, The Art of War
“A great part of the information obtained in War is contradictory, a still greater part is false, and by far the greatest part is of a doubtful character.” -Carl von Clausewitz, On War
“For the great majority of mankind are satisfied with appearances, as though they were realities, and are often more influenced by the things that seem than by those that are.” -Niccolo Machiavelli, The Prince
I provide these quotes to get us back to reality. What these great military and strategic thinkers are trying to teach us is as follows:
Subterfuge. Deception. Manipulation. Stealth.
These are the primary tools of engagement in warfare. And the same, if not more, goes for Cyber-warfare, whether it be criminal, military or espionage intentions. Admittedly, a few zero-days in the armory can’t hurt either.
It does not take a huge leap of imagination to draw up scenarios where many geopolitical and criminal entities would see an advantage in implicating another power, especially one that is the “usual suspect” in any case, making a perfect scapegoat. Similarly, there is safety in launching an attack from a source that does not freely exchange such information with the nation of the target. The mistrust of others can be used against them.
It is absolutely standard practice, and has been since pre-personal computer Phreaking times, for hackers to daisy-chain infiltrated hosts to make any forensic tracing difficult. Enhancing the effectiveness of this approach even further, an attacker can choose to hop via hosts in several different countries, carefully selected to ensure that there are no treaties of extradition and criminal information exchange agreements in place. First some forgotten, badly maintained box in Russia, then to the UK, from there to Syria, from there to France, from there to China and from there to the US. The red tape would be long enough to stretch to the moon, if cultural and nationalistic conflicts can be avoided at all. It makes any investigation practically impossible, especially if, in addition to this, logs are deleted on each hop after the act. This is not difficult to achieve, and now even less so, with the rise of bot-nets and drive-by infections. A decade ago, each host would have had to be painstakingly and time-consumingly targeted and individually hacked.
This also brings me to the next issue with this naive interpretation of cybersecurity events. It implies a belief that China is the only, or at least the most active, actor on the world stage. There is sufficient evidence to prove that China utilizes cyber-espionage, no doubt about that. But the Stuxnet attack was the first act of actual state-sponsored sabotage of infrastructure. The precedent, much to our moral detriment, was not set by them.
Western officials decry the “reckless” behavior of other nations and the unrestrained use of cyber-warfare (the warfare we are told does not exist) even while evidence mounts that they too are actively engaged in covert, low frequency offensive cyberwar acts. Thou doth protest too much, methinks. This non-existent, non-occurring cyberwar is so not happening, that the current US Administration is considering issuing an executive order to tighten up America’s Cyber defenses. That’s a big commitment to something that does not exist. Seems like even Washington is confused on the matter.
Not only are national interests engaged in this non-existent cyberwarfare. Private interests are also in on the action. The faith in the belief that only nation states have the available resources to create and operate large-scale sophisticated offensive cyber-programs is entirely misplaced. Many entities have the available resources, know-how and capabilities. You just need to employ the right people. In an age where you can hire your own private army or commercial intelligence agency, buy 0day exploits (greatly weakening the benefit of the Full Disclosure Movement), and with the presence of criminal organizations with nation-sized GDPs and special operations background, the idea that Cyberspace is not a war zone does not withstand close scrutiny.
The cost of such operations is also vastly overstated. A dedicated team of 3 specialists and upward, with the required equipment in a suitable location, is sufficient, given time. We are not talking millions here. I cannot even hazard a guess how anyone could arrive at such an inflated estimate. Especially taking into consideration that many countries with a low per capita income still produce talented individuals with the ability to do this. The information is really widely available with any Internet connection. Freed from office politics and profitability concerns, the productivity would far outpace any corporate attempt.
It is precisely this factor that makes it such a brilliant and successful asymmetric warfare strategy. The potential damage and gain by far outweigh the risk and cost.
Criminals go to where the money is. Spies go to where the Information is. Competitors go to where the Intellectual Property is. Hacktivists go to where the Publicity is. And it’s all right there, on the Net - or at least attached to it.
Naivety, Ideology, Nationalism, Blind Patriotism, and the oh-so dangerous and frustratingly infuriating Optimism, are traits nobody working in any risk analysis or security responsibility competence should display. We are all grown-ups here. A measure of a man or woman is how he or she deals with uncomfortable truths, and so it is with any security analyst. If someone cannot see past such reality filters, they cannot objectively assess reality. A certain amount of cynicism and questioning of appearances is a necessity.
For want of a better word, Cyber-warfare is a good term to apply to almost any offensive information security activity. Howard Schmidt once lamented that the use of the term is not appropriate, a daring assertion in an age where we liberally apply the designations “war” and “warfare” to such abstract concepts as Terrorism, Poverty, Obesity and Class. It is far more suited for cybersecurity than many of the other PR slogan causes that have abused the classification. It is a loaded word conjuring up just enough connotations of risk and danger to drive home the seriousness of some of its potential consequences.
This is not about Geeks exploring cyberspace anymore. Nor is this just about small time criminal gangs committing credit card fraud. We are still trying to couch Information Security in Business Terms, a futile endeavor if ever I have seen one, and a misguided response to an entirely different problem: the financial upheaval and uncertainty that still haunts the world. It is understandable that in times of financial duress and greater competitive pressure all focus is on the most pressing issue -- profitability. But the resulting mantra of “Security has to enable Business” has meant that we have taken a wrong path, wasted time and as a result have let the security risks get the upper hand. Whilst everyone was called to man the oars for greater speed, no one was looking out for rocks and pirates.
You can’t make money if you are not secure. Not in the long run. Not in this climate. A lax security attitude and a failure to recognize the increase in risk in the world in the future will cost you brand loyalty, competitive advantages, head starts in Research, Government contracts and make all of your business information as transparent to hostile parties as though they worked for you.
The economic prognosis for the foreseeable future is not positive. The world’s economic order is undergoing a shift, beginning with where the centers of innovation are, where the manufacturing takes place and even the pricing.
This shift will not be short in duration; we are talking several decades, not years. It is only natural that China, the current leading runner in this marathon and the most imposing challenger to western hegemony, should instill a sense of fear and suspicion into the current western Zeitgeist. The east does not play by the same rules as the west, especially not in business, and our ability to impose our demands of playing by our standards and in our interest is waning.
Those times are over. The climate, business or otherwise, will get harder and less playful.
The potential for further unrest and upheaval in the developing world has also risen to a critical point due to steadily rising commodity prices. The next year may see us at the point again where rioters fill our TV screens and small governments fall and topple. The political instability in the Middle East ushered in by the Arab Spring has also still not reached a stable juncture, and that too appears more and more like a prolonged process with several different possible outcomes, although a decrease of western influence seems one of the more likely developments.
The threat of military confrontation has also not receded, but increased to an intensity not seen since the end of the Cold War. We live in interesting times, as the Chinese curse wishes (the irony is intended).
To be effective, Information Security has to be couched and expressed in a way that reflects the subject matter it is dealing with, not in Business Terms that have little relation to what security is required to do and how it functions. It is entirely the wrong language for it. We have lost focus of why security came to be involved at all.
Events on the geopolitical stage will play a far greater role in shaping our world in the next years than globalized economics, even though it was the latter that has led us down this path and sown the seeds for the events still to unfold. The business environment and the market will adapt, although it will be a painful process for many businesses, and many will not be able to make this transition. New opportunities, solutions and approaches will arise, as they always do when the parameters are changed and the deck is shuffled again.
The role of the information security professional will indeed change, as many are predicting. But I do not see this as a step towards closer business integration or as business enablers, although they will need to understand the businesses they serve far more intimately than is often now the case. It will be a move towards a more fitting paradigm, one that reflects the realities on the ground in the order that will emerge through time. Businesses will look to their security staff to protect and guide them, not in matters of doing business, but in matters of doing business securely.
Related Reading: Not Enough Proof That China Is Behind The Elderwood Gang