2013-02-02

Time to start announcing hack attacks

After the revelation a few days ago that Chinese crackers have been targeting the email accounts of New York Times journalists since October, it now seems that they were doing the same thing at the Washington Post in 2011:

Post company officials confirmed the broad outlines of the infiltration, which was discovered in 2011 and first reported by an independent cybersecurity blog on Friday. But they did not elaborate on the circumstances, the duration of the intrusion or its apparent origin.

These attacks are disturbing in what they appeared to be looking for. This was not commercially valuable information; the attackers were sifting through email looking for information and reports pertaining to Chinese politics and politicians, plus activism around China. These are not bored American teenagers looking around NASA computers for evidence of UFOs, nor even Russian groups aiming to grow and farm botnets for hard cash. These attacks are unmistakably directed to benefit the Chinese government and its security services:
China's cyber-espionage assists the government's broader efforts to quell internal dissent by identifying activists and dissidents and tracking them through their e-mail.

Make no mistake, these guys are at least being paid by the Chinese government, if not formally employed by them. Given the control exercised by the Great Firewall of China, the government will be able to see a concerted series of attacks against Western news agencies from inside China; if the connections are in the clear then the keyword monitoring will flag them up, and if they're SSH then normally they'd be shut down. If those attacks are being allowed through, it's because they're on a whitelist.

Famously, Google announced in 2011 that China seemed to be conducting an organised campaign of information theft:

...we recently uncovered a campaign to collect user passwords, likely through phishing. This campaign, which appears to originate from Jinan, China, affected what seem to be the personal Gmail accounts of hundreds of users including, among others, senior U.S. government officials, Chinese political activists, officials in several Asian countries (predominantly South Korea), military personnel and journalists.
The goal of this effort seems to have been to monitor the contents of these users' emails, with the perpetrators apparently using stolen passwords to change people's forwarding and delegation settings.

These guys have a lot of form for this kind of activity.

So now we know that this is going on, what are we going to do about it? Ah, that's the 64 million yuan ($10.2m) question:

"If every company reported when it was hacked and who it was hacked by, it would be harder [for China] to get away with it," said one industry official, speaking on condition of anonymity because he was not authorized by his company to speak on the record.

I'm not so sure that's the case, although I would certainly applaud wider reporting of China-originating attacks. It used to be that companies refused to report successful cyber attacks in order to avoid embarrassment. Today, I would claim that there is no shame in being targeted by Chinese attacks; Google and Intel have publicly reported attacks, so that's illustrious company to be in. (I suspect Intel was more a case of commercial espionage, for the record.) We should certainly get a better idea of where China is attacking and what they want. But how to stop it? Short of trade sanctions - and that's a Pandora's Box if ever I saw one - what can we do to make the Chinese government care enough to stop these attacks?

The only approach I can think of which might work is sufficient publicity to shame and embarrass the Chinese government. Shine the spotlight on China's human rights abuses and the infrastructure such as the Great Firewall of China and the Ministry of State Security which facilitates them. Google chairman Eric Schmidt has a new book that makes clear what a danger he sees in modern China:

The disparity between American and Chinese firms and their tactics will put both the government and the companies of the United States at a distinct disadvantage [...] the United States will not take the same path of digital corporate espionage, as its laws are much stricter (and better enforced) and because illicit competition violates the American sense of fair play.

Could it be time to start blocking Chinese telecoms firms from bidding on providing services or equipment to major US companies and the US government, on security grounds?
