Friday, August 5, 2011

Why is the West silent on 5-year cyberwar launched by China?

http://www.itworld.com/security/190077/why-west-silent-5-year-cyberwar-launched-china


No threat, no outrage, no reprisals after revelation of attacks on 70 organizations in 14 countries

By Kevin Fogarty

August 04, 2011, 12:16 PM

There were no big surprises in the reaction of the countries or organizations named as targets of a series of persistent, aggressive, often successful online attacks during the past five years – a campaign described in detail by a report from security vendor McAfee, which became public yesterday.

Most of the victims – 49 U.S.-based corporations and a series of U.S. government agencies as well as companies and government sites in 13 other countries – were well aware of the attack, and more aware of their source than the unnamed "state actor" McAfee admitted to in the report.

“All the signs point to China,” Vanity Fair quotes James A. Lewis, director and senior fellow of the Technology and Public Policy Program at the Center for Strategic and International Studies, as saying.

A U.S. Air Force spokesperson said only that the Department of Defense "reported to Congress in 2010 that China is actively pursuing cyber capabilities with a focus on the exfiltration of information, some of which could be of strategic or military utility," according to a story in Reuters.

Which is pretty much what everyone else has been saying for about the same five years or so, during which large-scale data breaches, successful spear-phishing campaigns and long-term, large-scale penetration attempts have been reported against many U.S. military and government facilities.

Other countries are in even worse shape:

"I'm not surprised because that's what China does, they are gradually dominating the cyberworld," according to India-based IT analyst Vijay Mukhi, who talked to Reuters about the vulnerability of South Asian governments. "I would call it child's play (for a hacker to get access to Indian government data) ... I would say we're in the stone age."

No one is really doing much about either defense or prevention, though.

The White House is encouraging federal agencies to tighten their security, according to a White House spokesman quoted in Reuters today.

The chief executive of the International Cyber Security Protection Alliance (ICSPA) – sort of a law-enforcement version of NATO charged with helping member countries track and fight online attacks – said the McAfee report makes the threat of cyberwarfare irrefutable, apparently to those few people computer-savvy enough to spell "Internet" correctly without knowing that connecting "Internet" and "security" makes a cliched oxymoron more popular and more accurate even than pairing "military" and "intelligence."

Despite its mission to reinforce cybercrime units internationally, ICSPA boss John Lyons put the onus of self-protection on potential victims themselves:

"Businesses that have mainstream exposure to the Internet and that are dependent upon technology for their survival must now surely take the threat seriously," Lyons told Reuters.

Companies that have been breached need to get over their reluctance to admit the attacks and cooperate with each other and with law enforcement to help close gaps that could affect other companies as well, Lyons said.

Absolutely right; everyone involved in IT security has been saying exactly the same thing for 20 years. So far the only change in that reluctance is that companies hacked by non-state groups like Anonymous or LulzSec are now willing to admit it after the hacktivists post irrefutable evidence of the attacks.

If someone else doesn't publicize an attack, most companies still avoid mentioning them for fear of copycat attacks and damage to their reputations or stock prices.

Which is largely irrelevant to the main point that a superpower is waging active, open cyberwar against much of the rest of the world to further its own political ends and the commercial fortunes of companies based there.

Individual corporations – however large – are not equipped to respond to those kinds of attacks. They can ramp up technical defenses but, as we saw with the censorship fight between Google and China this spring, corporations are vulnerable to other sorts of pressure – both commercial and temporal.

What would a mid-sized U.S. company do if, for example, a couple of its locally based executives and their families were arrested in Tehran after the home office complained (or simply admitted publicly) that it had been hacked by a group that appeared to be the newly-invigorated cyber-defense force of the Iranian paramilitary?

State-sponsored digital attack and espionage efforts are not the kind of thing for which any company is equipped to respond.

Despite theories that giant global corporations could punish unfriendly governments by closing facilities, shedding jobs and refusing to do the business impoverished countries need to survive – a corporation-as-puppetmaster trope common in cyberpunk novels such as those by Bruce Sterling and William Gibson that popularized the concept of "cyberspace" – national governments have far more power to punish corporations than vice versa.

Earlier this year, when conflict over censorship prompted Google to threaten to pull out of China, the Chinese government was clearly worried it would lose a major player in the global economy. It wasn't worried enough to change its policies or plan to replace Google by heavily promoting a homegrown search service it could control more effectively, but it was clearly a little concerned.

Google gave in.

It was a more serious threat when Egypt arrested a mid-level Google executive for participating in the online arguments and discussions that eventually led to the overthrow of the government there in February.

Egypt is not Somalia, whose whole piratical expeditionary force could be overwhelmed by a couple of coast guard cutters or Navy missile cruisers.

Egypt is far more powerful, militarily and in its ability to enforce laws within its own borders, than most (if any) corporations could manage.

And China – identified by enough DoD and third-party investigations as the source of a long series of dramatic penetrations of U.S. facilities during the past few years – is a much larger step in the international hierarchy above Egypt than Egypt is above Somalia.

Which is probably why neither U.S. nor British government spokespeople said anything of substance about reprisals, defense, additional security measures or any of the other kinds of responses we've come to expect following either major or minor outrages from foreign countries.

Even more important than China's powerful military and arsenal of ICBMs is the huge chunk of the Western economy China owns as our second-largest trading partner and largest creditor.

The U.S. could protest cyberattacks by sending a couple of aircraft-carrier groups to the China Sea for a little gunboat diplomacy, but it would be pretty embarrassing if China were to just repossess the whole fleet as partial repayment of the $1.2 trillion the U.S. owes it.

We'd end up having to pay off the whole debt just to get the boats back—plus whatever huge fee there would be for the towing and daily storage at the aircraft-carrier impound lot, and that's a lot of money to spend for a bit of saber-rattling that would be futile in the real world and irrelevant in the virtual one.

It would be much more diplomatic, much more effective and much less expensive to respond digitally by building digital defenses able to keep cyberspies out, or at least identify the information they shouldn't be allowed to take and keep that in.

There have certainly been enough attempts to build a force able to do that. In 2009 the newly sworn-in Obama Administration swore to build a swank new facility and powerful new cybersecurity military force.

Unfortunately, the U.S. military – the federal agent most prepared for large-scale, sophisticated cyber defense and counterattack – isn't remotely prepared for any serious effort at cyberwar, according to a Government Accountability Administration report released last week.

Its efforts in cybersecurity have been so uncoordinated between services, inconsistent in their execution and uncertain in their goals that the DoD admitted earlier this week it essentially has no coherent or effective plan to defend the U.S. against cyberattack.

And, despite threats spoken in harsh voices from under large hats at the Pentagon that attacks made entirely in cyberspace could be made kinetic if foreign hackers ticked them off badly enough, the DoD has done little but agree with the GAO report that it needs to get its staff together on the whole cyberwar thing, and will do so any day now.

So it's not surprising there hasn't been much response to the shameful record revealed in McAfee's report this week.

Part of the reason is that the revelations didn't surprise anyone.

Most of the reason is that, despite knowing in detail about the continued risk as well as the nature, source and method of the attacks, none of the Western "state actors" on the receiving end of five years' worth of sustained and consistent attacks has done a damn thing to stop them.


Governments, IOC and UN hit by massive cyber attack


http://www.bbc.co.uk/news/technology-14387559

By Daniel Emery Technology reporter, BBC News
Image caption: The report says the cyber attacks had been going on since 2006

IT security firm McAfee claims to have uncovered one of the largest ever series of cyber attacks.

It lists 72 different organisations that were targeted over five years, including the International Olympic Committee, the UN and security firms.

McAfee will not say who it thinks is responsible, but there is speculation that China may be behind the attacks.

Beijing has always denied any state involvement in cyber-attacks, calling such accusations "groundless".

Speaking to BBC News, McAfee's chief European technology officer, Raj Samani, said the attacks were still going on.

"This is a whole different level to the Night Dragon attacks that occurred earlier this year. Those were attacks on a specific sector. This one is very, very broad."

Dubbed Operation Shady RAT - after the remote access tool that security experts and hackers use to remotely access computer networks - the five-year investigation examined information from a number of different organisations which thought they may have been hit.

"From the logs we were able to see where the traffic flow was coming from," said Mr Samani.

"In some cases, we were permitted to delve a bit deeper and see what, if anything, had been taken, and in many cases we found evidence that intellectual property (IP) had been stolen.

"The United Nations, the Indian government, the International Olympic Committee, the steel industry, defence firms, even computer security companies were hit," he added.

China speculation

McAfee said it did not know what was happening to the stolen data, but it could be used to improve existing products or help beat a competitor, representing a major economic threat.

"This was what we call a spear-phish attack, as opposed to a trawl, where they were targeting specific individuals within an organisation," said Mr Samani.

"An email would be sent to an individual with the right level of access within the system; attached to the message was a piece of malware which would then execute and open a channel to a remote website giving them access.

"Once they had access to an organisation, they either did what we would call a 'smash-and-grab' operation, where they would try and grab as much information before they got caught, or they sometimes embedded themselves in the network and [tried to] spread across different systems within an organisation."

Mr Samani said his firm would "not make any guesses on where this has come from", but China is seen by many in the industry as a prime suspect.

Jim Lewis, a cyber expert with the Centre for Strategic and International Studies, was quoted by the Reuters news agency as saying it was "very likely China was behind the campaign because some of the targets had information that would be of particular interest to Beijing".
Image caption: Experts warned that commercial espionage was a bigger threat to business than Lulzsec and Anonymous.

"Everything points to China. It could be the Russians, but there is more that points to China than Russia," Lewis said.

However, Graham Cluley, a computer-security expert with Sophos, is not so sure. He said: "Every time one of these reports come out, people always point the finger at China."

He told BBC News: "We cannot prove it's China. That doesn't mean we should be naive. Every country in the world is probably using the internet to spy.

"After all, it's easy and cost-effective - but there's many different countries and organisations it could be."

Mr Cluley said firms were often distracted by the very public actions of LulzSec and Anonymous, groups of online activists who have hacked a number of high-profile websites in recent months.

"Sometimes it's not about stealing your money or publicly leaking your data. It's about quietly stealing your information, which can have a very high political, military or financial value.

"In short, don't let your defences down," he added.