We have had eleven days to absorb the implications of wide spread Chinese supported attacks against Google and thirty or so other organizations. The US Secretary of State made one of the most affirmative statements on Internet freedom yet articulated by a government. Various policy analysts have chimed in as well. Some thoughts on what they have said.
George Kurtz, CTO of McAfee, and his team were involved in the analysis of just what happened during these attacks which he dubs “Aurora”. He revealed in his blog on January 14th that the primary mechanism was a Trojan horse that exploited a new vulnerability in Internet Explorer. What is interesting to note is Kurtz’s surprise at the dramatic turn the threatscape has taken.
“All I can say is wow. The world has changed. Everyone’s threat model now needs to be adapted to the new reality of these advanced persistent threats. In addition to worrying about Eastern European cybercriminals trying to siphon off credit card databases, you have to focus on protecting all of your core intellectual property, private nonfinancial customer information and anything else of intangible value. “
There have been many instances of Chinese hacking of US research and defense organizations. To date the US State Department has remained aloof. Hiliary Clinton’s Remarks on Internet Freedom are worth noting because they are the first time a US Secretary of State has so explicitly endorsed Internet freedom and access to information. Full text and video is available here.
"The same networks that help organize movements for freedom also enable al-Qaida to spew hatred and incite violence against the innocent. And technologies with the potential to open up access to government and promote transparency can also be hijacked by governments to crush dissent and deny human rights.
In the last year, we’ve seen a spike in threats to the free flow of information. China, Tunisia, and Uzbekistan have stepped up their censorship of the internet. In Vietnam, access to popular social networking sites has suddenly disappeared. And last Friday in Egypt, 30 bloggers and activists were detained."
The most important thing Ms Clinton said in my opinion:
"On their own, new technologies do not take sides in the struggle for freedom and progress, but the United States does. We stand for a single internet where all of humanity has equal access to knowledge and ideas. And we recognize that the world’s information infrastructure will become what we and others make of it."
Them’s fight’n words and the Chinese reacted in kind. Xinhua, the official news agency of the Chinese government, published a Commentary: Don't impose double standards on "Internet freedom" My favorite quote:
“As is widely recognized, freedom is always relative, and such is also the case with Internet freedom.”
That says it all and the lines are drawn.
Evgeny Morozov, the Yahoo! Fellow at Georgetown University characterized Ms. Clinton’s remarks as laced with cold war rhetoric. He predicted correctly that China would reciprocate with criticism of US restrictions on Internet communications. While Evgeny may denigrate Cold War thinking (keep in mind that he grew up on the wrong side of the Iron Curtain: Belarus) there is something to be said for recognizing China is indeed engaged in regional hegemony and global jockeying for power and control that is reminiscent of the Cold War. Never lose sight of China’s nuclear arsenal, standing army, and caustic rhetoric.
Marcus Ranum got a little heated in his contribution to the discussion. Aside from inferring that all of the rest of people I am quoting here are clueless he had this to offer:
"My prediction for you: The Chinese Government will offer to block access to Google. I.e.: "Want to pull out of China? Here, let us help you." Google will shut up, and the whole thing will blow over."
He might just be right there as Google has yet to carry through on their threat to stop censoring search results at Google.cn.
Bruce Schneier, cryptographer, author, and critic of the TSA, singled out a different aspect of the story. He criticizes the existance of so-called back doors that Google and other Internet services have built in so that they can comply with government demands for information.
“China's hackers subverted the access system Google put in place to comply with U.S. intercept orders. Why does anyone think criminals won't be able to use the same system to steal bank account and credit card information, use it to launch other attacks or turn it into a massive spam-sending network? Why does anyone think that only authorized law enforcement can mine collected Internet data or eavesdrop on phone and IM conversations?”
Schneier may have jumped to conclusions based on too little information. Read this refutation by John Mark Walker here.
L. Gordon Crovitz, the Information Age columnist at the Wall Street Journal invoked the ‘Shores of Tripoli” when he called for Washington to fix the cyber security problem. If you have not heard the story of how Thomas Jefferson finally beat the Barbary Pirates as a shining example of how law enforcement can be effective you have missed out. I first heard the story applied to Internet security in 2004 when Steve Forbes recited it at a dinner he sponsored in California. It is telling that we have to go back 200 years in history to find a good example of the US effectively dealing with brigands. Crovitz calls for a government crackdown, claiming:
"Just as the traders of the 18th century could not protect open sea lanes by themselves, technology companies, even ones as powerful as Google, today cannot keep digital sea lanes open on their own. Washington has started to talk about the seriousness of the problem. Now it needs a plan to fix it."
If he digs into it a bit Mr. Crovitz will find that the government has far less ability to keep the Internet sea lanes open than those who own and operate the networks.
Brahma Chellaney, Professor of Strategic Studies at the Indian Centre for Policy Research gives us the perspective of someone who is a little closer to China. His blog contains a post “A new war, a new frontier”.
“In peacetime, China is intimidating India through intermittent cyber warfare, even as it steps up military pressure along the Himalayan frontier. In a conflict, China could cripple major Indian systems through a wave of cyber attacks. With cyber intrusions against Indian government, defence and commercial targets ramping up since 2007, the protection of sensitive computer networks must become a national-security priority.”
That holds true not just for India. Every country has to realize that the protection of sensitive computer networks must become a national security priority.
Wow, the world has changed this week.