By Matthew DeMello
A screenshot of the Philippines’ Department of Transportation website that was the victim of a December 2005 cyber attack. An assailant going by the name of “meteor” leaves an ominous message at the top of the screen. Image courtesy of James Sarmiento.
A long-standing conflict within the fields of technology and international security was thrust into the mainstream media spotlight late last week after The New York Times, Wall Street Journal, and Washington Post went public with their accounts of large-scale cyber attacks against their respective newspapers at the hands of Chinese hackers.
The Gray Lady wasted no time in pointing fingers, citing how the attack curiously coincided with the publishing of an online report in October on relatives of Chinese Prime Minister Wen Jiabao who earned billions through business dealings. The association all but incriminates the Chinese government as having some substantial role in the attacks – an accusation that neither the Times nor the Journal would be the first to make of Jiabao’s government.
The coinciding incidents quantify a new summit in a mountain of recent reports detailing Chinese-based hacking and internet criminal activity against everything from financial institutions to search engines, even European intelligence agencies.
The origins of these kinds of attacks stretch back to the turn of the century. Yet a brief summary of the recent surge in Chinese malware, or at least the public’s first awareness of its wide-ranging implications, might best begin in early 2010, when Google publicly responded to a proliferation of Chinese malware that had occurred in the year prior, which they referred to as “Operation Aurora.”
The individuals behind the security breach appeared to use Google as the central channel through which to reach technical vulnerabilities at a number of other large businesses. As Google briefly summarized in their response to the attacks on their official blog, victims included 20 other large companies from industries “including the Internet, finance, technology, media and chemical sectors…”
The incidents that comprised Operation Aurora – a term coined not by any Chinese officials or discernible assailants, but by their victims in the West – characterize the methodology of cyber attacks we’ve seen in the time since: conducted loosely in concert, and each traced back to sources in the same country.
As compared to other instances of Chinese-backed malware attacks, there was one major difference in the case of Operation Aurora. According to a must-read Vanity Fair feature story on the subject, in Operation Aurora, Chinese hackers went after Google’s source code, or in other words, the very internet-based DNA of their search engine.
In the time since, the methodology of Chinese hacking has varied only in terms of perceived goals and intended targets. If the target is, say, a defense contractor like Lockheed Martin, or a cyber security firm like RSA, then the attack is usually meant to sabotage their online activities. If the target is an American newspaper or the Secretary of Defense (as was the case in 2007 when Secretary Robert Gates’s laptop was hacked by Chinese sources), the methodology of the attacks is geared toward information gathering, or merely intimidation.
To place these various incidents in context, as well as the escalation of state-sponsored cyber-attacks from both the East and West, here’s a brief timeline of significant events and reports from the world of cyber security that have occurred in the time since Operation Aurora:
- January 2009: Barack Obama takes office and picks up where the Bush Administration’s cyber warfare program, codenamed “Olympic Games,” left off.
- Throughout 2010 (reported Feb 2011): “Night Dragon” cyber attacks target energy companies in an effort to retrieve project financing and operations bidding information.
- January 2011: Iran endures cyber attacks linked to Western powers and Israel in an effort to sabotage uranium enrichment facilities.
- March 2011: Digital security and solutions company RSA experiences an Advanced Persistent Threat attack in an effort to extract information related to its SecurID security protocol. That protocol serves as password protection for a number of defense programs and contractors.
- March 2011: The Obama Administration decides against cyber attacks that would have crippled the Libyan air defense system.
- August 2011: “Operation Shady RAT” is exposed as a sophisticated series of cyber attacks spanning a five-year period. It was discovered and named by internet security company McAfee. The event is first reported a month later in a Vanity Fair feature story on the history of cyber security breaches that have occurred in the past decade.
- March 2012: A Chinese cyber attack plays on fears of and curiosity about Iranian escalation in an effort to spread a virus.
- September 2012: Foreign journalists and correspondents experience Chinese malware attacks amidst an internal power shift in China’s Communist Party.
- October & November 2012: Newly-appointed Defense Secretary Leon E. Panetta outlines the worst-case scenarios of future cyber attacks, stressing vigilance now in advancing cyber defenses.
- January 2013: New Chinese malware attacks take aim at the Department of Defense. Later in the same month, The New York Times, Wall Street Journal, and Washington Post all report finding malicious software aimed at accessing any computer connected to their networks.
This monumental yet largely muted online arms race between the superpowers warrants many soul-searching questions that national security experts and internet activists are continuing to untangle. Some of these questions allude to a shadowy conflict between superpowers that has been raging beneath the feet of civil life, both online and offline, on a scale unseen since the Cold War.
The first of these questions: despite knowing their national origin, who exactly are these attackers? Are they well-trained Chinese government tech experts with specific missions to antagonize Western industry and governance, or tech-savvy patriots crowd-sourced and managed by the state to wreak havoc for some other benefit? Or perhaps even worse, if only more likely — might they be doing so at the risk of punishment?
The short answer, according to security technologist and author Bruce Schneier, is that it’s hard to tell for sure.
“We know that the [Chinese] government is sponsoring cyber attacks. We know that their military and defense doctrine discusses superiority in cyberspace as an aspect of both war and intelligence gathering,” Mr. Schneier summarized in his appearance on the latest episode of BTR’s current events podcast, Third Eye Weekly.
“We also know that there are a large number of independent groups operating in China without the official direction of the government, but with their implicit sanction,” said Schneier. “So it would be independent hacker groups that are hacking from China for various nationalistic reasons, and they just know if they find something, they hand it off to their handlers. In return, they get immunity from prosecution and are kind of left alone.”
Despite our knowledge of these groups and defense initiatives, Schneier tells BTR that no single attack has been traced directly to any of these sources, which leads authorities to a paralyzing question in addressing the escalation of cyber weaponry: whose responsibility should it be to deal with them?
Since actionable evidence suggests that the Chinese state has an active hand in these assaults, and the U.S. possesses a similar, albeit more centralized, cyber offensive program, shouldn’t such matters of national defense fall under the jurisdiction of the federal government?
This past Monday, The New York Times reported that the Obama administration is currently seeking wide-ranging legal powers to address cyber attacks in a fashion not unlike its highly controversial drones program, the rationale for which is formed with the typical “shoot-first” bravado that America has shown time and time again in addressing War on Terror objectives since the Iraq War, i.e. granting the president powers to order pre-emptive attacks with little, if any, checks or oversight.
However, in the time since Operation Aurora, large corporations have grown accustomed to responding to the threat of cyber attack in a manner befitting the most sophisticated national defense programs. The development has significantly blurred the lines between the roles played by government and private industry on the internet, compared to their highly debated and strictly rigid barriers in the physical world.
“The last time we had such a powerful discontinuity is probably the European discovery of the Western Hemisphere,” said former director for both the N.S.A. and C.I.A., Michael Hayden, in a telling interview for Vanity Fair. “At that point, we had some big, multi-national corporations—East India Company and Hudson’s Bay—that acted as states. And I see elements of that with the big Microsofts and Googles of the world. Because of their size, they actually are making decisions that have the impact of the kinds of decisions made in the halls of government.”
On the other hand, companies with sizable influence over the economy (and little tolerance for increased expenditures) don’t devote any resources to cyber defense, under the assumption that it should be the responsibility of the feds. In the eyes of one anonymous Senate staffer, also cited in the same Vanity Fair story, such a naive mentality has preceded many crises in history: “They act like they don’t really believe that a bank could get completely taken out, or that a tech giant could get its whole lunch eaten, because it sounds as fictional as 9/11 would have sounded before it happened.”
Such questions and complications over responsibility bear heavily on internet freedom activists and interest groups, many of whom view the enlarged presence of state-orchestrated or state-sponsored cyber operations as an undesirable militarization of the internet, potentially threatening its integrity as a global marketplace for commerce, information, and ideas.
Alan Butler, Advisory Counsel for the Electronic Information Privacy Center, believes that there is a role for both the federal government and the private sector to play in cyber defense. However, he says that “questions get more difficult when we stop talking defensive efforts and start talking about offense – whether it’s attacks or cyber exploits that seek to gather information. That authority and the legal for those actions, I think, is a lot less clear.”
Bruce Schneier speaking at RSA’s 2012 conference about the ways that poor regulation and Big Data pose certain dangers to a free and private internet.
These questions come at a time when American authorities are clearly and frantically attempting to gather intelligence from large information-sharing pools, as made evident by recent transparency reports from Google and Twitter. In each, between two thirds and 80 percent of overall government requests for users’ private information were made without warrants.
Despite the possible yet flagrant breach of civil liberties, Mr. Butler doesn’t see enough reason to suspect that authorities have ulterior or unscrupulous motives for doing so. What these inquiries should tell us, however, is how desperate the government is for information of any kind, in the hope of finding something that’s potentially revelatory.
Which is not to say that their intent isn’t worth being concerned about.
“The concept that we just need to collect more [information] I don’t think is an answer to the problem,” says Butler. “And I think it poses a whole host of new problems as to private information, because data gathered for one purpose – to inform about an incoming cyber attack – might then be stored, then later used or profiled for some completely different purpose, like investigating a petty crime.”
As with so much of the “security vs. freedom” debate since the passing of the Patriot Act, the forces behind the new cyber arms race of the last several years have set a free society on yet another collision course with its values. This time around, however, it is the potential for a larger national-security crisis, rather than the aftermath of a successfully executed disaster with real-world consequences, that ushers in re-evaluations of implied responsibility and tangible legal authority.
As the boundaries between nations, corporations, and individuals become more opaque in attempts to provide for a safe and free internet, what is at stake in the growing debate is the foundation of that same landscape that puts each of these parties on an open and leveled playing field.
Additional reporting on this story was conducted by Timothy Dillon.