China cyber-war: don't believe the hype
By Peter Lee
And President Obama, in his usual thoughtful way, 'fessed up to the fact that it was the United States that started drawing outside the cyber-warfare lines, as the New York Times' David Sanger reported in his privileged account:
Mr Obama, according to participants in the many Situation Room meetings on Olympic Games [the Stuxnet program], was acutely aware that with every attack he was pushing the United States into new territory, much as his predecessors had with the first use of atomic weapons in the 1940s, of intercontinental missiles in the 1950s and of drones in the past decade. He repeatedly expressed concerns that any American acknowledgment that it was using cyber-weapons - even under the most careful and limited circumstances - could enable other countries, terrorists or hackers to justify their own attacks.
"We discussed the irony, more than once," one of his aides said. Another said that the administration was resistant to developing a "grand theory for a weapon whose possibilities they were still discovering". 
Yes, the irony, if irony is defined as "the refusal to acknowledge that what you are doing is the precise opposite of what you are advocating that other people do."
The word "Stuxnet" does not appear in the official US lexicon of dastardly cyber-attacks, even though, in terms of its severity and irresponsibility (in addition to disabling the Iranian centrifuge facility, the virus spread to 100,000 hosts in 155 countries; oops!) it is truly the poster child for the dangers of the cyber-warfare option.
Instead, the US government has forcefully if not particularly effectively attempted to divert attention from Stuxnet to "Shamoon", a nasty virus that compromised office systems at a couple of Middle Eastern energy giants, Aramco (Saudi Arabia) and RasGas (Qatar) in August 2012, shortly after the Iranians started grappling with their Stuxnet problem.
As part of the Stuxnet misdirection, Shamoon has become the invoked cyber-attack bugbear of choice, despite the fact that, unlike Stuxnet, it was a very conventional hack that erased data from management computers and defaced homescreens with the taunting image of a burning American flag.
There is, of course, no discussion of the distinct possibility that Iran executed the exploit as a piece of cyber-retaliation for Stuxnet, and not as an unprovoked attack. 
Before President Obama acknowledged shared paternity in Stuxnet, the United States was engaged in negotiations with China on the very same cyber-warfare norms that exercised the anonymous source in the Foreign Policy article:
While no one has, with 100% certainty, pinned the Chinese government for cyber-attacks on US government and Western companies, in its 2012 report "Military and security developments involving the People's Republic of China", the US secretary of defense considers it likely that "Beijing is using cyber-network operations as a tool to collect strategic intelligence" ...
The report raises China's unwillingness to acknowledge the "Laws of Armed Conflict", which the Pentagon last year determined did apply to cyberspace ... 
Not surprisingly, post-Stuxnet the Chinese government has even less interest in the "Law of Armed Conflict in cyberspace" norms that the United States wants to peddle to its adversaries but apparently ignores when the exigencies of US interests, advantage, and politics dictate.
Instead, the PRC and Russia have lined up behind a proposed "International Code of Conduct for Internet Security", an 11-point program that says eminently reasonable things like:
Not to use ICTs including networks to carry out hostile activities or acts of aggression and pose threats to international peace and security. Not to proliferate information weapons and related technologies.
It also says things like:
To cooperate in combating criminal and terrorist activities which use ICTs [information and computer technologies] including networks, and curbing dissemination of information which incites terrorism, secessionism, extremism or undermines other countries' political, economic and social stability, as well as their spiritual and cultural environment. 
The United States, of course, has an opposite interest in "freedom to connect" and "information freedom" (which the Chinese government regards as little more than "freedom to subvert"), and has poured scorn on the proposal.
The theoretical gripe with the PRC/Russian proposal is that it endorses the creation of national internets under state supervision, thereby delaying the achievement of the interconnected nirvana that information technology evangelists assure us is waiting around the next corner - and also goring the ox of West-centric Internet governing organizations like ICANN.
So the Chinese proposal is going exactly nowhere.
The (genuine) irony here is that the Chinese and Russians are showing the way to, and driving, the rest of the world in their response to the undeniable dangers of the Internet ecosystem, some of which they are themselves responsible for but others of which - like Stuxnet - can be laid at the door of the US.
In response to hacking, the Internet as a whole has evolved beyond its open architecture to a feudal structure of strongly-defended Internet fortresses, with cyber-serfs free to roam the undefended commons outside the gates, glean in the fields, and catch whatever deadly virus happens to be out there.
In recent months, the word "antivirus" has disappeared from the homepages of Symantec and McAfee as they have recognized that their reference libraries of viruses can't keep up with the proliferation of millions of new threats emerging every year, let alone a carefully weaponized packet of code like Stuxnet, and protect their privileged and demanding users. Now the emphasis - and the gush of VC and government money - has shifted to compartmentalizing data and applications and to detecting, reducing the damage, and cleaning up the mess after a virus has started rummaging through the innards of an enterprise.
In other words, the Internet fortresses, just like their medieval analogues, are increasingly partitioned into outer rampart, inner wall, and keep - complete with palace guard - in order to create additional lines of defense for the lords and their treasure.
In other words, they are starting to look like the Chinese and Russian national internets.
Despite the precautions, there will always be people vulnerable to social engineering (clicking on a dodgy attachment or link while at work), and there will always be more talented and motivated hackers. And maybe more talented hackers aren't even necessary.
Barbara Demick of the Los Angeles Times located the personal blog of a PLA cyber-drudge who, in addition to blathering about the presumably classified details of his hacking job (such as perfecting a Trojan known as "Back Orifice 2000"), moaned about the boredom of hacking for The Man, and the embarrassment of looking like a loser at his high school reunion:
My only mistake was that I sold myself out to the country for some minor benefits and put myself in this embarrassing situation. 
Critical observers declared that the alleged PLA intrusions documented by Mandiant were conducted by the B Team, inviting the analogy that military hacking is to hacking as military music is to music:
Jaime Blasco, labs director at security tools firm AlienVault, described APT1, aka Comment Crew [which Mandiant associated with 61398], as one of the more successful hacking groups based on the number of targets attacked - but not necessarily on the skill level of its members.
"APT1 is one of the less sophisticated groups," Blasco said. "They commonly reuse the same infrastructure for years and their tools are more or less easy to detect. The techniques they use to gain access to the victims are more based on social engineering and most of the time they don't use zero-day exploits to gain access."
Even so, they were inside the New York Times for months (part of that time, admittedly, they were being tracked and analyzed by Mandiant).
Bottom line: attacks will happen, attacks will succeed, and reliable (or more likely, probable) attribution will emerge only in the days and weeks after detection (detection itself might be a matter of years) through the grinding application of forensics, the correlation of information in massive databases, and the anxious parsing of leads for reliability in an effort to filter out dangerous disinformation.
Absolute cyber-safety, through defense or deterrence against an antagonist, is a chimera. The best hope for the Internet might be "peaceful coexistence" - the move toward cooperation instead of confrontation that characterized the US-USSR relationship when it became apparent that "mutually assured destruction" was leading to a proliferation of dangerous and destabilizing asymmetric workarounds instead of "security through terror".
Or, as the Chinese spokesperson put it in Demick's article:
"Cyberspace needs rules and cooperation, not war. China is willing to have constructive dialogue and cooperation with the global community, including the United States," Foreign Ministry spokeswoman Hua Chunying said at a briefing Tuesday. 
It looks like the Obama administration, by carefully and convincingly placing the cyber-theft issue on the table, might be working toward some kind of modus vivendi that leads to a joint reduction of Internet threats - dare I say, win-win solution? - with the PRC.
It remains to be seen if this initiative can withstand the pressures of the US military, security, and technology industries for a profitable threat narrative - and the Obama administration's own inclination toward zero-sum China-bashing.