Post a Comment On: China Matters

Color me skeptical about the Sunday Times report that Edward Snowden’s archive got cracked.  Not saying it couldn’t happen despite 256 bit encryption, accidents do happen, but the story as presented reeks of psyops bullshit unloaded by the NSA-GCHQ team with the help of obliging media in the UK.

What I think is happening is that the United States is upping its game…in public cyberattribution.


Honestly parsing and presenting a cyberattribution dossier is a thankless job.  Remember how the Obama administration looked foolish on the Sony hack?

Sure you don’t.  That was so…four months ago.

Here’s what I wrote back then on the occasion of the rollout of the US government’s Cyber Threats Intelligence Integration Center:

According to AP (actually, according to AP’s Ken Dilanian, the notoriously obliging amanuensis  to the US security establishment ):
White House cybersecurity coordinator Michael Daniel has concluded that cyberintelligence at the moment is bedeviled by the same shortcomings that afflicted terrorism intelligence before 9/11 — bureaucracy, competing interests, and no streamlined way to combine analysis from various agencies, the official said.

The hack on Sony's movie subsidiary, for example, resulted in a variety of different analytical papers from various agencies. Each one pointed to North Korea, but with varying degrees of confidence.


… As I argued in various venues recently with reference to the Sony hack, for purposes of semiotics (clear messaging, positioning, blame avoidance, and signaling of US government intentions) if not forensics (proving whodunit), painting a convincing, action-worthy cyberbullseye on the back of some foreign enemy is a major challenge for governments these days.
When some high-profile outrage like Sony occurs, the US government has to make a prompt show of control, capability, and resolve.  Letting a bunch of data nerds chew over the data for a few weeks and spit up an equivocal conclusion like “It looks like the same guys who did this did that, and maybe the guys who did that were…” doesn’t quite fill the bill. 
Which is pretty much what happened on Sony.  Various private sector and government actors all stuck their oar in, contradictory opinions emerged, messaging was all over the map. 
…  By establishing a central clearing house for relevant information, the US government is on the right side of the information symmetry equation.  “You say you think this, but you don’t know this, this, and this, or the stuff we can’t tell you because it’s classified above your clearance.” 
And even if the real takeaway from the investigatory process still is “It looks like the same guys who did this did that, and maybe the guys who did that were…” it comes out as “The Cyber Threats Intelligence Integration Center has attributed this cyberattack to North Korea with a high degree of confidence.  By Executive Order, the President has already commanded CyberCommand to make a proportional response.”
You get the picture.
So I expect jobs one and two and three for CTIIC will be to generate persuasive dossiers for backgrounding, leaking, whatever on the PRC, North Korea, and the Russian Federation, to be deployed when some mysterious alchemy of evidence, circumstance, and strategy dictate that one of them has to get tagged as The Bad Guy for some cyberoutrage.
Fast-forward, to employ a quaint VHS-era term, to June 5.  Ellen Nakashima lays out the administration position on the OPM hack in a Washington Post article remarkable for its completely categorical no-two-ways-about-it statement that “China” had dunnit:


With a series of major hacks, Chinabuilds a database on Americans
China is building massive databases of Americans’ personal information by hacking government agencies and U.S. health-care companies, using a high-tech tactic to achieve an age-old goal of espionage: recruiting spies or gaining more information on an adversary, U.S. officials and analysts say.

Groups of hackers working for the Chinese government have compromised the networks of the Office of Personnel Management…

 [caption]
China hacked into the federal government’s network, compromising four million current and former employees' information. The Post's Ellen Nakashima talks about what kind of national security risk this poses and why China wants this information. (Alice Li/The Washington Post)
…
U.S. officials privately said China was behind it. … “This is an intelligence operation designed to help the Chinese government,” the China expert said.

Emphasis added, natch.
Either the US has spectacularly upped its forensics game since Michael Daniel’s rueful reflections in February or (my theory)…
The great minds were sitting around a table in Washington and concluded:
“We can’t prove this was a Chinese hack, but let’s turn this around.  Nobody can disprove this was a Chinese hack, so nobody can prove us wrong when if we declare without qualification it was a Chinese hack.  So let’s just go for it.”
Parenthetically, I might point out that one problem I see is, If with categorically and openly identifying the PRC as source of the hack is that we should immediately and openly retaliate at a commensurate level.  Otherwise, where’s our national credibility & deterrence?  Still waiting for the shoe to drop on that one.
The tip-off for me that the WaPo was carrying Obama administration water with this totally backgrounded mostly anonymous scoop was this:

The big-data approach being taken by the Chinese might seem to mirror techniques used abroad by the NSA, which has come under scrutiny for its data-gathering practices under executive authority. But in China, the authorities do not tolerate public debate over the proper limits of large-scale spying in the digital age.

The piece was written June 5, three days after the Obama administration had put the Snowden unpleasantness behind it and totally regained the moral high ground, in its own mind if nobody else’s, by replacing the Patriot Act with the USA Freedom Act a.k.a. "Uniting and Strengthening America by Fulfilling Rights and Ending Eavesdropping, Dragnet-collection and Online Monitoring Act."
Now, with the legalities of the US cyberprograms re-established, it was time to stop playing defense and go on offense against those public-debate-intolerant Chinese!
And that means relaunching the China cyberoutlaw product!  With the story of a hack that had, if I understand Nakashima’s account correctly, had occurred in December 2014!
Again, it is perhaps little remembered except by me that a key US objective for the Xi Jinping—Barack Obama summit in Sunnylands in June 2013 was to cap an eighteen month public opinion campaign against PRC cyberoffenses with a personal rebuke by President Obama and the presentation of an embarrassing dossier to Xi Jinping.
If, as I did, one googled “Xi Jinping cyberwarfare” on June 3, 2013, the first four pages of results included hits like these, indicating that the Western press was energetically singing from the same cyberwar hymnal: China Doesn't Care if Its 'Digitalized' Military Cyberwar Drill Scares You Atlanticwire China Is Winning the Cyber War Because They Hacked U.S. Plans for Real War Atlanticwire
Krauthammer to Obama: Launch cyber war on China
Fox News
China Is Our Number One National Security Threat
International Business Journal
House Intelligence Chairman: US “Losing” Cyber-War
Wall Street Journal
US Says China Is Stepping Up Cyber War
Financial Times
U.S. China Cyberbattle Intensifies
Politico
Just a reminder; these headlines are from June 2013, not June 2015.
In this case, the China Matters serendipity engine was firing on all cylinders; three days later the Washington Post and Guardian newspapers published their first revelations from Edward Snowden, fundamentally skewing the frame of the Chinese cyberwarfare story.
I’ve always wondered if the timing of Snowden’s revelations had something to do with the hypocrisy of the world’s biggest cybersnoop trying to stick that label on the PRC.
Anyway, the Obama administration has had two years to lick its wounds, do damage control, and reboot the program.
And guess what!  Xi Jinping’s coming to the United States again in September!  This time we’ll be ready for him fer sure!  Snowden discredited!  NSA on top! PRC in doghouse!
I must state here that I believe that PRC cyberespionage program is massive, government-backed, full spectrum, and actively exploring offensive capabilities.  But I also think that the US tactics are destabilizing and escalatory & have more to do with maintaining the US cyberadvantage as part of the burgeoning and profitable China-threat milsec business than they do with diminishing the threat to the American people from PRC cybermisbehavior.
And I take the current spate of news stories as part of an effort to get us used to perpetual cyberwar, just as we were bombarded with stories about malevolent Muslims in the last decade to reconcile us the the Global War on Terror, the erosion of civil liberties, and expensive and perpetual conflicts.
At this time, a trip down memory lane is warranted for people who have forgotten how the Obama administration methodically rolled out PRC Cyberthreat v. 1.0, the buggy pre-Snowden product, and are perhaps not connecting the dots on the rollout of PRC Cyberthreat v. 2.0, Now Bigger and Scarier! and how this might be a factor in the headlines blaring out of their newspapers & TVs & tablets.
Below the fold, for the sake of posterity, a lengthy recap on the first abortive US salvo in the China cyberthreat propaganda war.
What I wrote back in April 2012:
The Barack Obama administration went public with its case against China in November 2011, with a report on industrial espionage titled Foreign Economic Collection. It described China rather generously as a "Persistent Collector" given the PRC's implication in several high-profile industrial espionage cases and soft-pedaled the issue of official Chinese government involvement. The report stated:
US corporations and cyber-security specialists also have reported an onslaught of computer network intrusions originating from Internet Protocol (IP) addresses in China, which private sector specialists call "advanced persistent threats." Some of these reports have alleged a Chinese corporate or government sponsor of the activity, but the IC [intelligence community] has not been able to attribute many of these private sector data breaches to a state sponsor. Attribution is especially difficult when the event occurs weeks or months before the victims request IC or law enforcement help. [5]
A month later, in December 2011, US criticism of China became a lot more pointed. Business Week published an exhaustive report on Chinese cyber-espionage, clearly prepared with the cooperation of federal law enforcement authorities as it named and described several investigations:
The hackers are part of a massive espionage ring codenamed Byzantine Foothold by US investigators, according to a person familiar with efforts to track the group. They specialize in infiltrating networks using phishing e-mails laden with spyware, often passing on the task of exfiltrating data to others.

Segmented tasking among various groups and sophisticated support infrastructure are among the tactics intelligence officials have revealed to Congress to show the hacking is centrally coordinated, the person said. US investigators estimate Byzantine Foothold is made up of anywhere from several dozen hackers to more than one hundred, said the person, who declined to be identified because the matter is secret. [6]
United States security boffin Richard Clarke had this to say about Chinese cyber-espionage in an interview with Smithsonian magazine:
"I'm about to say something that people think is an exaggeration, but I think the evidence is pretty strong," he tells me. "Every major company in the United States has already been penetrated by China."

"What?"

"The British government actually said [something similar] about their own country."

Clarke claims, for instance, that the manufacturer of the F-35, our next-generation fighter bomber, has been penetrated and F-35 details stolen. And don't get him started on our supply chain of chips, routers and hardware we import from Chinese and other foreign suppliers and what may be implanted in them-"logic bombs," trapdoors and "Trojan horses," all ready to be activated on command so we won't know what hit us. Or what's already hitting us. [7]
Some big numbers are being thrown around to publicize the Chinese threat.

Business Week's report, while admitting the woolliness of its methodology, stated that losses to American companies from international cyber-espionage amounted to US$500 billion in a single year.

Scott Borg, director of a non-profit outfit called the US Cyber Consequences Unit told Business Week:
"We're talking about stealing entire industries ... This may be the biggest transfer of wealth in a short period of time that the world has ever seen."
Beyond these apocalyptic economic and military scenarios, we might also descend to the personal and political and point out that Google, a favorite target of Chinese cyber-attacks, is Obama's friend, indispensable ally, brain trust and source of personnel in the high-tech sector.

Connect the dots, and it is clear that the Obama administration, in its usual meticulous way, is escalating the rhetoric and preparing the public and the behind-the-scenes groundwork for major pushback against China in the cyber-arena.

And in March 2013, a few weeks before Sunnylands,  I wrote:

[National Security Advisor] Donilon came up with a nuanced approach to Chinese cyber-mischief during his speech to the Asia Society…

Bypassing the issue of cyber-spying against military and government targets that probably falls into the grey area of "everybody does it and why shouldn't they", and defining and limiting the issue to a specific and remediable problem - the massive state-sponsored PRC program of industrial and commercial espionage against Western targets - Donilon's framing placed "cyber-theft" in a category similar to the intellectual property gripe, also know as systematic piracy of US software, as an info strategy condoned by the Chinese government: … This rather unexceptionable and reasonable demand that the PRC reign in its gigantic program of economic/commercial hacking, i.e. cyber-enabled theft as Donilon put it, and give US businesses a break, was not good enough for the Christian Science Monitor, which has apparently shed, together with its print edition, the sober inhibitions that once characterized its news operations.

The CSM's headline:
US tells China to halt cyberattacks, and in a first, lays out demands

Obama's national security adviser, Thomas Donilon, spelled out a more aggressive US stance on the cyberattacks, saying China must recognize the problem, investigate it, and join in a dialogue. [4]
Note in the CSM story the effortless slide down the slippery slope from cyber-theft to cyber-espionage to cyber-attacks (and for that matter, "should" and "needs" to "demands"). Well, fish gotta swim, birds gotta fly, and eyeballs have to be wrenched from their accustomed paths and turned into click-fodder.

And don't get me started on the Pentagon: 
A new report for the Pentagon concludes that the US military is unprepared for a full-scale cyber-conflict with a top-tier adversary. The report says the United States must increase its offensive cyberwarfare capabilities. The report also calls on the US intelligence agencies to invest more resources in obtaining information about other countries' cyberwar capabilities and plans.

The Washington Post reports that the report says that the United States must maintain the threat of a nuclear strike as a deterrent to a major cyberattack by other countries. The report notes that very few countries, for example, China and Russia, have the skills and capabilities to create vulnerabilities in protected systems by interfering with components.

The report emphasizes that defensive cyber capabilities are not enough, and that the United States must have offensive cyber capabilities which, when needed, could be used either preemptively or in retaliation for a cyber attack by an adversary. [5]
Security consultant Bruce Schneier addressed the threat inflation issue (and the dangers of trying to design and justify retaliation in the murky realm of cyberspace) in a blog post on February 21: 
Wow, is this a crazy media frenzy. We should know better. These attacks happen all the time, and just because the media is reporting about them with greater frequency doesn't mean that they're happening with greater frequency.

But this is not cyberwar. This is not war of any kind. This is espionage, and the difference is important. Calling it war just feeds our fears and fuels the cyberwar arms race.

In a private e-mail, Gary McGraw made an important point about attribution that matters a lot in this debate.

Because espionage unfolds over months or years in realtime, we can triangulate the origin of an exfiltration attack with some certainty. During the fog of a real cyber war attack, which is more likely to happen in milliseconds, the kind of forensic work that Mandiant did would not be possible. (In fact, we might just well be "Gandalfed" and pin the attack on the wrong enemy.)

Those of us who work on security engineering and software security can help educate policymakers and others so that we don't end up pursuing the folly of active defense.

I agree.

This media frenzy is going to be used by the US military to grab more power in cyberspace. They're already ramping up the US Cyber Command. President Obama is issuing vague executive orders that will result in we-don't-know what. I don't see any good coming of this. [6]
Not to worry, is the US attitude.

A head-to-head conventional war with China isn’t likely, despite the overheated imagination displayed in the AirSea Battle scenario, and it is difficult to identify any satisfying proxy battlefield in meatspace where the PRC and the USA might be tempted to slug it out.
But cyberwarfare?...Bring it!
The Department of Defense has a “Cyber Command” which, it revealed to the Washington Post, is muscling up from 500 staff to 4000 “cyberwarriors”.
The Post interviewed William J. Lynn III, identified as one of the maestros of the DoD’s cyber strategy:
“Given the malicious actors that are out there and the development of the technology, in my mind, there’s little doubt that some adversary is going to attempt a significant cyber-attack on the United States at some point…The only question is whether we’re going to take the necessary steps like this one to deflect the impact of the attack in advance or… read about the steps we should have taken in some post-attack commission report.”

The DoD is keen to emphasize that its cyberwarriors will be primarily playing defense, understandable considering the vulnerabilities of America’s immense, dispersed, highly integrated and—and the case of the power grid, at least—rather decrepit national infrastructure.
But of course there will be “combat mission forces”:
The combat mission forces, one of the three divisions of Cyber Command will launch cyber-attacks alongside traditional military offensives.

“This new class of cyber warrior would be responsible for penetrating the machines behind identified attack sources, installing spyware to monitor connections to those machines, and following the trail back to the desktop of the attacker. They would have to research and exploit vulnerabilities, craft malware, operate honey pots, and even engage in targeted Denial of Service attacks,” Richard Stiennon, chief research analyst at IT-Harvest, told GlobalPost.


Contra Dr. Stiennon’s assertions, I don’t think that the DoD really believes that the scope of Cyber Command combat missions will be limited to delectable honey pots and “even” targeted Denial of Service attacks.
Not when the cyberwar scenarios, according to Leon Panetta, include our enemies derailing trains, contaminating water supplies, or shutting down power grids.  We’re going to be able to do that, too.
The United States security/military apparatus apparently feels that it can "win the Internet" by harnessing the power of the invincible American technological knowhow to the anti-Chinese cyber-crusade.

In another of the seemingly endless series of self-congratulatory backgrounders given by US government insiders, the godlike powers of the National Security Agency were invoked to Foreign Policy magazine in an article titled Inside the Black Box: How the NSA is helping US companies fight back against Chinese hackers: 
In the coming weeks, the NSA, working with a Department of Homeland Security joint task force and the FBI, will release to select American telecommunication companies a wealth of information about China's cyber-espionage program, according to a US intelligence official and two government consultants who work on cyber projects. Included: sophisticated tools that China uses, countermeasures developed by the NSA, and unique signature-detection software that previously had been used only to protect government networks.

Very little that China does escapes the notice of the NSA, and virtually every technique it uses has been tracked and reverse-engineered. For years, and in secret, the NSA has also used the cover of some American companies - with their permission - to poke and prod at the hackers, leading them to respond in ways that reveal patterns and allow the United States to figure out, or "attribute," the precise origin of attacks. The NSA has even designed creative ways to allow subsequent attacks but prevent them from doing any damage. Watching these provoked exploits in real time lets the agency learn how China works. 
And amid the bluster, a generous serving of bullshit: 
Now, though, the cumulative effect of Chinese economic warfare - American companies' proprietary secrets are essentially an open book to them - has changed the secrecy calculus. An American official who has been read into the classified program - conducted by cyber-warfare technicians from the Air Force's 315th Network Warfare Squadron and the CIA's secret Technology Management Office - said that China has become the "Curtis LeMay" of the post-Cold War era: "It is not abiding by the rules of statecraft anymore, and that must change."

"The Cold War enforced norms, and the Soviets and the US didn't go outside a set of boundaries. But China is going outside those boundaries now. Homeostasis is being upset," the official said. [7]
A more impressive and evocative term than "upset homeostasis" to describe the US cyber-war conundrum is "Stuxnet".

The Obama administration's cyber-maneuverings have been complicated and, it appears, intensified, by the problem that the United States "did not abide by the rules of statecraft" and "went outside the boundaries" and, indeed, became the "Curtis LeMay of the post Cold War era" when it cooperated with Israel to release the Stuxnet exploit against Iran's nuclear program.

… Not unsurprisingly, post-Stuxnet the Chinese government has even less interest in the "Law of Armed Conflict in cyberspace" norms that the United States wants to peddle to its adversaries but apparently ignore when the exigencies of US interests, advantage, and politics dictate.

Instead, the PRC and Russia have lined up behind a proposed "International Code of Conduct for Internet Security", an 11-point program that says eminently reasonable things like: 
Not to use ICTs including networks to carry out hostile activities or acts of aggression and pose threats to international peace and security. Not to proliferate information weapons and related technologies.
It also says things like: 
To cooperate in combating criminal and terrorist activities which use ICTs [information and computer technologies] including networks, and curbing dissemination of information which incites terrorism, secessionism, extremism or undermines other countries' political, economic and social stability, as well as their spiritual and cultural environment. [11]
The United States, of course, has an opposite interest in "freedom to connect" and "information freedom," (which the Chinese government regards as little more than "freedom to subvert") and has poured scorn on the proposal.

The theoretical gripe with the PRC/Russian proposal is that it endorses the creation of national internets under state supervision, thereby delaying the achievement of the interconnected nirvana that information technology evangelists assure us is waiting around the next corner - and also goring the ox of West-centric Internet governing organizations like ICANN.

So the Chinese proposal is going exactly nowhere.

The (genuine) irony here is that the Chinese and Russians are showing and driving the rest of the world in their response to the undeniable dangers of the Internet ecosystem, some of which they are themselves responsible for but others - like Stuxnet - can be laid at the door of the US.

In response to hacking, the Internet as a whole has evolved beyond its open architecture to a feudal structure of strongly-defended Internet fortresses, with cyber-surfs free to roam the undefended commons outside the gates, glean in the fields, and catch whatever deadly virus happens to be out there.

In recent months, the word "antivirus" has disappeared from the homepages of Symantec and MacAfee as they have recognized that their reference libraries of viruses can't keep up with the proliferation of millions of new threats emerging every year, let alone a carefully weaponized packet of code like Stuxnet, and protect their privileged and demanding users. Now the emphasis - and gush of VC and government money - has shifted to compartmentalizing data and applications and detecting, reducing the damage, and cleaning up the mess after a virus has started rummaging through the innards of an enterprise.

In other words, the Internet fortresses, just like their medieval analogues, are increasingly partitioned into outer rampart, inner wall, and keep - complete with palace guard - in order to create additional lines of defense for the lords and their treasure.

In other words, they are starting to look like the Chinese and Russian national internets.

…
Absolute cyber-safety, through defense or deterrence against an antagonist, is a chimera. The best hope for the Internet might be "peaceful coexistence" - the move toward cooperation instead of confrontation that characterized the US-USSR relationship when it became apparent that "mutually assured destruction" was leading to a proliferation of dangerous and destabilizing asymmetric workarounds instead of "security through terror".

Or, as the Chinese spokesperson put it in Demick's article: 
"Cyberspace needs rules and cooperation, not war. China is willing to have constructive dialogue and cooperation with the global community, including the United States," Foreign Ministry spokeswoman Hua Chunying said at a briefing Tuesday. [14]
It looks like the Obama administration, by carefully and convincingly placing the cyber-theft issue on the table, might be working toward some kind of modus vivendi that leads to a joint reduction of Internet threats - dare I say, win-win solution? - with the PRC.

It remains to be seen if this initiative can withstand the pressures of the US military, security, and technology industries for a profitable threat narrative - and the Obama administration's own inclination toward zero-sum China-bashing.