The US vs. China: A Very Civil (Cyber) War

Any cyber attack between the US and China would likely be limited, because of the interdependent economic relationship the two nations share

It was only there for a split second. It appeared by surprise, in a video broadcast on China’s state-sponsored China Central Television last August. Viewers saw an image of a computer screen with a list of websites associated with the outlawed Falun Gong group. One of them belonged to the University of Alabama at Birmingham (UAB). Underneath was a button labelled ‘attack’.

China’s cyber attack capabilities have long been suspected, but hard to prove. Small snippets like the video (which was subsequently pulled from the internet by the Chinese) lend credence to claims that China is engaged in a form of low-level warfare with the US and others in the West.

Spies Like These

China has been openly accused of mounting cyberwarfare campaigns on various occasions. Most recently, a report authored for the US House Committee on Foreign Affairs by Northrop Grumman suggested coordinated activity between the Chinese People’s Liberation Army’s Third Department (which monitors foreign telecommunications) and Fourth Department (responsible for electronic countermeasures). The groups are structured to systematically penetrate computer systems, said Dr. Larry M. Wortzel, commissioner for the US-China Economic and Security Review Commission, in testimony.

For example, Chinese spies were said to have hacked the offices of German Chancellor Angela Merkel, along with other German ministries. The German magazine Der Spiegel reported that officials discovered the intrusion and stopped the theft of 160GB of data that was in the process of being copied from German computers.

The hacking of German machines was more widespread, according to a leaked cable from the US State Department, which identified intrusions at “a wide variety of German organizational levels to include German military, economic, science and technology, commercial, diplomatic, research and development”.

The cable also indicated that China specifically targeted attacks that would help it benefit commercially or politically. “German intelligence reporting indicates an increase in activity was detected immediately preceding events such as German Government, or commercial, negotiations involving Chinese interests”, it said.

In this way, attacks against states can bleed over into commercially motivated attacks against private parties. Operation Night Dragon was an alleged infiltration by Chinese actors against five major oil and gas companies, in an attempt to steal proprietary information. McAfee, which documented the attack, warned that the hackers had stolen data related to bidding contracts and financial data concerning oil field exploration. They had also copied proprietary industrial processes, it warned.

Other attacks have been identified against Canadian interests. Canadian media has reported that Chinese hackers compromised the Canadian Treasury Department in 2011, causing computers to be taken offline for a period while the problem was rectified.

The US isn’t immune, either. The State Department implicated Chinese actors in Operation Byzantine Candor, which targeted US government computers via their ISPs. The attackers gained access to email lists and password hashes, along with other data. Those behind the operation had infiltrated hundreds of US government and private defense contractor systems since 2002, according to internal documents.

Rules of Engagement

All this is demonstrably aggressive, but does it constitute cyberwarfare? The term is tossed around a lot in security circles, but its definition has serious ramifications. What level of cyberattack would constitute an act of war, and have the Chinese perpetrated one?

The US and some allies have treated cyberattacks as potential acts of war under the Law of Armed Conflict (LOAC), says Jeffrey Carr, CEO of boutique security consulting firm Taia Global, who led Project Grey Goose, an open-source analysis of Russian cyberwarfare. However, this does not extend to acts of espionage, he warns.

“The only legitimate instance of cyberwarfare would be when it is done in conjunction with kinetic attacks, or when the cyber attack has caused so much damage on its own that an armed response is justified under the LOAC”, he says.

In this context, attacks on oil company contract data and ministerial computers do not constitute an act of war. Chinese hackers were, however, said to have penetrated the US electrical grid, installing malware that could be used to disrupt the system at a time of the attackers’ choosing, according to a 2009 report in the Wall Street Journal.

In his aforementioned testimony, Larry Wortzel described a Chinese doctrine of Integrated Network Electronic Warfare, which marries cyberattacks with kinetic strikes and space warfare. The idea, said Wortzel, is to incapacitate large portions of an enemy’s operations at the onset of any conflict.

A ‘Special’ Relationship

This all sounds very Cold War-like, save for one thing: the economic relationship between China and the US is warm and cozy. The US imported roughly $400bn of goods from China in 2011 and exported only about $104bn back, leaving a trade deficit of around $295bn. That deficit has risen every year except 2009, the year immediately after the financial crisis. The US needs China for its cheap labor and goods. China needs the US as a market for its exports.

Carr says that this is the primary reason why China wouldn’t want to attack the US. “It mostly limits its activities to cyber espionage for two primary purposes: firstly to accelerate its technological development and secondly to identify and arrest dissidents”, he says.

Nevertheless, its capacity for espionage is huge, and as Darren Hayes, computer information systems program chair at Pace University in New York argues, its motivations are strong. “China doesn’t want to be regarded as the factory of the world. It wants to be a world leader, which makes it different to India and others”, he observes.

“It’s looking to cut corners by advancing itself a lot faster, by stealing intellectual property”, Hayes warns. “It’s not just missile defense systems. It’s other, weaker institutions too, such as universities that were involved in government projects.”

Now Prove It

The problem with many of these attacks, whether classified as cyberwarfare or mere espionage, is proving who did it. “There has been a lot of speculation but no direct attribution”, says Alex Kuzmin, head of the CERT-GIB investigation team at Russian security company Group-IB.

The most that can be said of many attacks is that they are believed to have originated from the PRC. Accounts of attacks frequently refer to IP addresses and servers in mainland China or Taiwan, but it can be difficult to link these to the government, or to individuals working on behalf of the state. Governments frequently seek plausible deniability when executing attacks, and the computers used to control an attack on foreign interests may themselves have been compromised and operated by a third party.

“We must be cautious to rush to judgment in spite of circumstantial or other evidence”, says the 2009 GhostNet report by the Canada-based Information Warfare Monitor. The report considered alternative explanations for its findings, including the discovery that the long-running GhostNet cyber espionage operation was controlled from command-and-control servers located primarily in China, and the joint research venture ultimately declined to name an attacker.

However, Pace’s Hayes is unwilling to let China off the hook so easily. “These attacks are occurring with regular shifts in the work cycle”, he contends, citing analyst sources of his who work within US government agencies. He argues that evidence such as this, showing attacks happening during Chinese working hours, points to attackers working during the daytime in China. “Between the time when people normally clock in and out are when the attacks happen.”
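Hayes’s working-hours argument is a measurable claim, and the script below is a worked illustration of how an analyst would test it against a set of intrusion timestamps. It is an example added here, not code from the article or from Hayes. The event times are constructed for the illustration, not real intrusion data, and the 09:00 to 18:00 weekday window, the range of UTC offsets scanned and the function names are all assumptions. The script converts each UTC event time into a candidate local time zone, counts how many fall inside a working day, and reports which UTC offset best explains the pattern. China Standard Time is UTC+8 all year, so a fixed offset suffices and no time zone database is needed.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# China Standard Time has no daylight-saving transitions, so a fixed
# offset is exact. Assumed working day: 09:00 to 18:00, Monday to Friday.
CST_OFFSET_HOURS = 8
WORKDAY_START = 9
WORKDAY_END = 18  # exclusive

# Constructed sample, not real data: UTC timestamps at which an analyst
# first observed attacker activity (C2 check-ins, interactive logins).
SAMPLE_EVENTS_UTC = [
    "2011-03-07T01:12:00Z", "2011-03-07T03:40:00Z", "2011-03-07T06:05:00Z",
    "2011-03-07T09:30:00Z", "2011-03-07T23:30:00Z", "2011-03-08T02:20:00Z",
    "2011-03-09T07:45:00Z", "2011-03-10T04:10:00Z", "2011-03-11T08:00:00Z",
    "2011-03-12T03:00:00Z", "2011-03-09T18:30:00Z", "2011-03-10T10:00:00Z",
    "2011-03-08T05:15:00Z", "2011-03-09T01:30:00Z", "2011-03-10T08:45:00Z",
    "2011-03-11T02:05:00Z",
]


def parse_utc(stamp: str) -> datetime:
    """Parse an ISO-8601 'Z'-suffixed timestamp into an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def localize(events, offset_hours: int):
    """Convert a list of UTC timestamp strings into local times at a fixed UTC offset."""
    tz = timezone(timedelta(hours=offset_hours))
    return [parse_utc(e).astimezone(tz) for e in events]


def working_hours_ratio(events, offset_hours: int,
                        start_hour: int = WORKDAY_START,
                        end_hour: int = WORKDAY_END) -> float:
    """Fraction of events that land on a weekday within [start_hour, end_hour)
    local time, assuming the operator sits at the given UTC offset."""
    local = localize(events, offset_hours)
    in_hours = sum(
        1 for t in local
        if t.weekday() < 5 and start_hour <= t.hour < end_hour
    )
    return in_hours / len(local)


def hour_histogram(events, offset_hours: int) -> Counter:
    """Count of events per local hour of day; a daytime hump is what
    the working-hours argument predicts."""
    return Counter(t.hour for t in localize(events, offset_hours))


def best_fit_offset(events, offsets=range(-12, 15)) -> int:
    """UTC offset whose working day explains the largest share of events.
    A tie resolves to the first (most negative) offset, so a clear winner
    is needed before the result means anything."""
    return max(offsets, key=lambda off: working_hours_ratio(events, off))


if __name__ == "__main__":
    best = best_fit_offset(SAMPLE_EVENTS_UTC)
    print(f"best-fit operator offset: UTC{best:+d} "
          f"({working_hours_ratio(SAMPLE_EVENTS_UTC, best):.0%} of events in working hours)")
    print(f"at UTC{CST_OFFSET_HOURS:+d}: "
          f"{working_hours_ratio(SAMPLE_EVENTS_UTC, CST_OFFSET_HOURS):.0%}")
    for hour, count in sorted(hour_histogram(SAMPLE_EVENTS_UTC, best).items()):
        print(f"{hour:02d}:00  {'#' * count}")
```

The result is circumstantial: an operator can schedule activity to mimic another time zone, and, as the article notes, a command server in one country may be operated from another, so a working-hours fit narrows the candidates rather than establishing attribution on its own.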

The US National Counterintelligence Executive (NCIX) submitted a Congressional report in which it blamed “Chinese actors” for intruding on computer systems, including those of Fortune 500 manufacturing corporations. But again, these accusations are vague. It couldn’t say who was responsible for these attacks within China, and when it fingered China for stealing several terabytes of data relating to the development of the F-35 Lightning II fighter plane, it said that attackers “probably” operated from there.

Google tied attacks on its own systems closely enough to China that it took action against the government there. In January 2010, it announced that it would stop censoring results on its Chinese search engine, following a series of attacks against its own servers and against Gmail accounts used by Chinese human rights activists. However, even Google, with direct and intimate knowledge of the attacks on its own servers, stopped short of directly accusing the Chinese government of hacking its systems.

Chinese McCarthyism

While the Chinese are undoubtedly behind a lot of these attacks, we should take care before singling them out, says Carr, who warns of what he calls “a rising tide of Sinophobia” regarding cyberattacks.

“While China certainly does engage in many of these attacks, they are blamed for almost all of them – which is wrong. At least 30+ countries now have the capability to engage in cyber warfare and espionage”, he says, adding that at least a dozen are as active as China. These include Russia, France, Germany, Israel, Taiwan, South Korea, Brazil, India, Turkey, and Iran.

The picture is muddied by the internal structure of the Chinese hacking community. On the one hand, the Chinese government is known to be pursuing a network-centric military (as is the US). But unlike the US, its cultural and social structure has created a strong cadre of independently motivated hacking groups that are extremely patriotic.

In his book about Chinese hackers, The Dark Visitor, Scott Henderson discusses the rise of these groups in the mid-1990s. They began as patriotic groups and were involved in attacks against political targets, such as defacing Indonesian websites with political messages. Many have since devolved into financially motivated cybercriminal groups that target Western users.

“China is the only country in Asia nowadays with a truly organized underworld following Russia’s pattern”, argues Alex Kuzmin. “Other Asian countries do have their own cybercrime structure, but not at this level.”

Is there anything to be done against the threat from China, whether state-sponsored or from independent groups? Probably even less than there is against other countries, argues Hayes.

“China’s so big that there just won’t be any kind of sanctions against them for these actions”, he predicts.

Perhaps so. Less than six months after announcing that it would re-evaluate its business in China, Google said that it would be relocating its servers back to China. And what of the huge hack that compromised Google’s single sign-on system and snooped on Chinese activists? Nothing at all was said.

There is a war of sorts going on between China and the US, just as there is between the US and many other countries. The war is economic, and electronic, and it is perhaps the most Orwellian of all. It involves a form of doublethink in which companies create trading relationships so strong that huge swathes of one’s supply chain rests on the activities of another. In this bizarre world, not a shot is fired. Instead, secrets are being stolen, byte by byte.
