Why is the West silent on 5-year cyberwar launched by China?
No threat, no outrage, no reprisals after revelation of attacks on 70 organizations in 14 countries
There were no big surprises in the reaction of the countries or organizations named as targets of a series of persistent, aggressive, often successful online attacks during the past five years – a campaign described in detail by a report from security vendor McAfee, which became public yesterday.
Most of the victims – 49 U.S.-based corporations and a series of U.S. government agencies as well as companies and government sites in 13 other countries – were well aware of the attack, and more aware of their source than the unnamed "state actor" McAfee admitted to in the report.
“All the signs point to China,” Vanity Fair quotes James A. Lewis, director and senior fellow of the Technology and Public Policy Program at the Center for Strategic and International Studies as saying.
A U.S. Air Force spokesperson said only that the Department of Defense "reported to Congress in 2010 that China is actively pursuing cyber capabilities with a focus on the exfiltration of information, some of which could be of strategic or military utility," according to a story in Reuters.
Which is pretty much what everyone else has been saying for about the same five years or so, during which large-scale data breaches, successful spear-phishing campaigns and long-term, large-scale penetration attempts have been reported against many U.S. military and government facilities.
Other countries are in even worse shape:
"I'm not surprised because that's what China does, they are gradually dominating the cyberworld," according to India-based IT analyst Vijay Mukhi, who talked to Reuters about the vulnerability of South Asian governments. "I would call it child's play (for a hacker to get access to Indian government data) ... I would say we're in the stone age."
No one is really doing much about either defense or prevention, though.
Megacorps view this stuff the same way they view the rampant theft at retail stores. It's a cost of doing business and it's passed on to competitors. It's only worth fighting to the extend that they can get a competitive advantage over their competitors to improve their margins. Given that the effort required to have a meaningful affect on the "hackers" is quite large and the return on that investment is quite small, it doesn't happen and the cost is just passed on to customers.
The White House is encouraging federal agencies to tighten their security, according to a White house spokesman quoted in Reuters today.
The chief executive of the International Cyber Security Protection Alliance (ICSPA) – sort of a law-enforcement version of NATO charged with helping member countries track and fight online attacks – said the McAfee report makes the threat of cyberwarfare irrefutable, apparently to those few people computer-savvy enough to spell "Internet" correctly without knowing that connecting "Internet" and "security" makes a cliched oxymoron more popular and more accurate even than pairing "military" and "intelligence."
Despite its mission to reinforce cybercrime units internationally, ICSPA boss John Lyons put the onus of self-protection on potential victims themselves:
"Businesses that have mainstream exposure to the Internet and that are dependent upon technology for their survival must now surely take the threat seriously," Lyons told Reuters.
Companies that have been breached need to get over their reluctance to admit the attacks and cooperate with each other and with law enforcement to help close gaps that could affect other companies as well, Lyons said.
Absolutely right; everyone involved in IT security has been saying exactly the same thing for 20 years. So far the only change in that reluctance is that companies hacked by non-state groups like Anonymous or LulzSec are now willing to admit it after the hactivists post irrefutable evidence of the attacks.
If someone else doesn't publicize an attack, most companies still avoid mentioning them for fear of copycat attacks and damage to their reputations or stock prices.
Which is largely irrelevant to the main point that a superpower is waging active, open cyberwar against much of the rest of the world to further its own political ends and the commercial fortunes of companies based there.
Individual corporations – however large – are not equipped to respond to those kinds of attacks. They can ramp up technical defenses but, as we saw with the censorship fight between Google and China this spring, corporations are vulnerable to other sorts of pressure – both commercial and temporal.
What would a mid-sized U.S. company do if, for example, a couple of its locally based executives and their families were arrested in Tehran after the home office complained (or simply admitted publicly) that it had been hacked by a group that appeared to be the newly-invigorated cyber-defense force of the Iranian paramilitary?
State-sponsored digital attack and espionage efforts are not the kind of thing for which any company is equipped to respond.
Despite theories that giant global corporations could punish unfriendly governments by closing facilities, shedding jobs and refusing to do business impoverished countries need to survive – a corporation-as-puppetmaster trope common in cyberpunk novels such as those by Bruce Sterling, William Gibson that popularized the concept of "cyberspace" – national governments have far more power to punish corporations than vice versa.
Earlier this year, when conflict over censorship prompted Google to threaten to pull out of China, the Chinese government was clearly worried it would lose a major player in the global economy. It wasn't worried enough to change its policies or plan to replace Google by heavily promoting a homegrown search service it could control more effectively, but they were clearly a little concerned.
It was a more serious threat when Egypt arrested a mid-level Google executive for participating in the online arguments and discussions that eventually led to the overthrow of the government there in February.
Egypt is not Somalia, whose whole piratical expeditionary force could be overwhelmed by a couple of coast guard cutters or Navy missile cruisers.
Egypt is far too powerful militarily and in its ability to enforce laws within its own borders than most (if any) corporations could manage.
And China – identified by enough DoD and third-party investigations as the source of a long series of dramatic penetrations of U.S. facilities during the past few years – is a much larger step in the international hierarchy above Egypt than Egypt is above Somalia.
Which is probably why neither U.S. nor British government spokespeople said anything of substance about reprisals, defense, additional security measures or any of the other kinds of responses we've come to expect following either major or minor outrages from foreign countries.
The U.S. could protest cyberattacks by sending a couple of aircraft-carrier groups to the China Sea for a little gunboat diplomacy, but it would be pretty embarrassing if China were to just repossess the whole fleet as partial repayment of the $1.2 trillion the U.S. owes it.
We'd end up having to pay off the whole debt just to get the boats back—plus whatever huge fee there would be for the towing and daily storage fee at the aircraft-carrier impound lot, and that's a lot of money to spend for bit of saber-rattling that would be futile in the real world and irrelevant in the virtual one.
It would be much more diplomatic, much more effective and much less expensive to respond digitally by building digital defenses able to keep cyberspies out, or at least identify the information they shouldn't be allowed to take and keep that in.
There have certainly been enough attempts to build a force able to do that. In 2009 the newly sworn-in Obama Administration swore to build a swank new facility and powerful new cybersecurity military force.
Unfortunately, the U.S. military – the federal agent most prepared for large-scale, sophisticated cyber defense and counterattack – isn't remotely prepared for any serious effort at cyberwar, according to a Government Accountability Administration report released last week.
Its efforts in cybersecurity have been so uncoordinated between services, inconsistent in its execution and uncertain in its goals, that the DoD admitted earlier this week it essentially has no coherent or effective plan to defend the U.S. against cyberattack.
And, despite threats spoken in harsh voices from under large hats at the Pentagon that attacks made entirely in cyberspace could be made kinetic if foreign hackers ticked them off badly enough, the DoD has done little but agree with the GAO report that it needs to get its staff together on the whole cyberwar thing, and will do so any day now.
So it's not surprising there hasn't been much response to the shameful record revealed in McAfee's report this week.
Part of the reason is that the revalations didn't surprise anyone.
Most of the reason is that, despite knowing in detail about the continued risk as well as the nature, source and method of the attacks, none of the Western "state actors" on the receiving end of five years worth of sustained and consistent attacks has done a damn thing to stop them.
Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld. Follow Kevin on Twitter at @KevinFogarty. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.