China’s Cyberattacks — At What Cost?

A ChinaFile Conversation

James Fallows: Here are some initial reactions on the latest hacking news.

  • We call this the “latest” news because I don’t think anyone, in China or outside, is actually surprised. In my own experience in China, which is limited compared with many of yours, I’ve seen the omnipresence and intrusiveness of surveillance change. Back in the mid-1980s, there were still significant remnants of the Mao-totalitarian surveillance state. Few enough foreigners that you were always noticed; fairly ham-handed hotel and telephone bugging systems; even the excitement of sometimes being tailed. Then over the past decade, it seemed to me as if the system was generally too busy and decentralized to pay attention, unless you were doing something particularly attention-worthy. The big question about China in the late Hu Jintao and early Xi Jinping years is whether the overall liberalization of the past thirty-five years has gone into reverse—or is merely in a temporary slowdown. It’s the same question raised by this episode.
  • Many people outside China marvel at the suaveness and far-seeing strategy of its diplomatic and “soft-power” efforts. I more often marvel at the reverse. The treatment of the New York Times is a classic example. Arguably no handful of foreigners has more influence on how China is seen around the world than the NYT’s China team. And if not just them, then also the Wall Street Journal, the BBC, CNN, the commanding heights of the Western news system. A really suave Chinese system would engulf these people with love-bombing, a charm offensive, whatever you want to call it. But on the contrary, the more influential the foreign news source, the more likely they are to be reminded of the harshest aspects of the mixture of control and chaos in the Chinese state.
  • It’s a reminder of a darker reality for foreigners in these news organizations. They (we) may be annoyed, watched-over, and so on. But the people truly in jeopardy are the Chinese citizens who cooperate and provide information. In the particular case of Wen Jiabao, it appears that the formidable David Barboza was working strictly from official Chinese documents. More power to him. But the general moral complications of asymmetric risks remain, and are important.
  • General Theory Part 1: Every government, everywhere, is strongly tempted to go after leakers when some difficult/embarrassing story comes out. There are no “special Chinese characteristics” about that impulse.
  • General Theory Part 2: This effort usually backfires on the particular regime that attempts it.
  • Corollary 2A: When an entire regime relies on an information-control strategy, it is getting on the wrong side of a variety of modern fundamental forces. If China were a small country (like Cuba), or if it could still be feasibly cut off from foreign contact and information flow (like North Korea), or if information flow therein still relied on samizdat or even fax (like the end-stage Soviet Union), a strategy of maintaining legitimacy by not letting people know might work. Obviously none of those situations prevails in China.
  • General Theory Part 3: I hope that everyone participating in this exchange, or reading this exchange, practices good “password hygiene.” In particular, if you use Gmail please turn on its “two-step verification” system. It is a slight nuisance, but it makes it significantly harder for anyone to take over your account remotely. If you don’t use Gmail, try to find a system that allows similar two-step protection. (Though it’s not clear whether that would have helped in these attacks.)
  • General Theory Part 4: China’s Foreign Ministry spokesperson yesterday came within an inch of saying that foreign criticism of these hacking attacks “hurt the feelings of the Chinese people.” I still have hope that we’ll hear that phrase, perhaps in a Global Times editorial these next few days. Here is what Hong Lei of the Foreign Ministry actually said: "To arbitrarily assert and to conclude without hard evidence that China participated in such hacking attacks is totally irresponsible. China is also a victim of hacking attacks. Chinese laws clearly forbid hacking attacks, and we hope relevant parties takes a responsible attitude on this issue."
  • General Theory Part 5: Go back to point 3.

Over to you, fellow panelists.

Comments

I agree with much of James’s analysis. I might part company with him, though, on the question of whether a “strategy of maintaining legitimacy by not letting people know” can work. It’s tempting to think that a group of stolid Communist Party bureaucrats in late middle age with identically-dyed hair have the same grasp of the internet that your mother has of the remote control for the TV. But the proof of the pudding is in the eating: the Party has shown itself to be remarkably sophisticated in its ability to control what Chinese people know and think even in these wired times.

Take the Great Firewall, for example – China’s blocking of foreign web sites that might provide information the government doesn’t want its citizens to know about. Sure, it can be evaded if you know what you’re doing, but how many Chinese citizens actually do take the trouble to evade it? For a long time, many people relied on VPNs (virtual private networks) to access blocked sites, but China’s web police have now figured out how to block those in many cases.

And suppose you as a Chinese citizen do find information that would jeopardize the Party’s legitimacy – what do you do with it? On-line information does not spread itself; it needs humans to pick it up and spread it. That human information-spreader, if in China, can be identified and caught by the authorities pretty easily. His email and text messages are monitored for tell-tale keywords; he cannot publish an article or give a speech about what he knows; he can’t organize a meeting to discuss it.

Indeed, in one case the suppression of information succeeded so spectacularly that it backfired. On June 4th, 2007, an advertisement appeared in the Chengdu Evening News that said, “Salute to the mothers of the strong victims of 64.” It’s very unlikely that the clerk who accepted the advertisement would never have deliberately put himself or herself in jeopardy by letting this advertisement be published. What’s much more likely is that the government’s attempt to efface the memory of June 4th was so successful that the clerk had no idea of the significance of those two digits.

The question Jim Fallows raises that most intrigues me is the paradox between how much China has changed, and how little China has changed.

This paradox has become abundantly evident in the the hacking attacks just revealed by The New York Times. Although these are hardly the first cases of large scale intrusions that have also been discovered and attributed to the Chinese by other American organizations, we see in these attacks an up-dated expression of the old Leninist (and perhaps also Confucian) urge to control with new technology and strategy. As part of the evolutionary process, propaganda has morphed into PR and a very manipulative push to win soft power. That such efforts are more reminiscent of a large luxury goods company seeking to brand itself with a mass advertising campaign that is bought and paid for is one of the great ironies of the Chinese Communist Party's progress into modernity. Utterly missing is any recognition of the real source of soft power, namely, that the best forms of such beguiling traits come from a more natural evolutionary process, whereby a country spontaneously develops winsome cultural and political traits that make people naturally want to live there by means of what Jim calls “love-bombing, a charm offensive, whatever you want to call it.” China so desperately wants to be “loved,” and so lacks confidence that its current system is capable of winning such affections, that it hopes it can contrive soft power power by controlling what people say and think, and then paying for a massive ad and media campaign to go along with it. They just don't want to leave anything to chance.

This means that Chinese officials have been unwilling to relinquish any of their earlier pretension at controlling the field through the surveillance and monitoring of everything and everyone they can. And so it is quite logical that they are now availing themselves of all the world’s latest technology not only to create “The Great Firewall,” but now more recently to indulge in mass hacking into the communcations sytems of organizations—especially media outlets and government—that are not willing to play along with the Party’s sense of urgency about its image-maintenance campaign. In a certain sense, even while China has opened up in arresting new ways, by fortifying its control mechanisms and ability to intrude into people's lives in new and troubling ways, it has also been closing down. And, as it has regained “wealth and power” and its global pretensions have grown, it is now also tempted to apply these same new and very effective methods of electronic control to outside people and institutions. Here, we are truly seeing one of the more mutant forms of globalization.

 

Fascinating comments in from Jon Lindsay, Research Fellow at the University of California Institute on Global Conflict and Cooperation (IGCC), and a member of the Project on the Study of Innovation and Technology in China. He focuses on the impact of the information revolution on international relations, with a focus on cybersecurity, the political economy of information security in China, and unconventional warfare. His comments:

1. I never cease to be amazed, although not surprised, at the brazen insecurity of the Communist Party. In the middle of a leadership transition wracked by scandal, and angry that the New York Times was disclosing publicly available data about Wen Jiabao's family finances, someone thought it was a good idea to go rummaging through the networks of the U.S. paper of record, presumably looking for human sources in China to go after.

2.Chinese tradecraft, true to form, was pretty sloppy. (The reason we know about all the Chinese exploits over the past decade is that we have become very good at detecting all the clues their hackers leave around.) The hacking in this case appears to have started after the NYT received verbal warning about consequences from a Chinese official, then proceeded using signatures and command and control servers which had been used in prior attacks against China watchers and defense contractors. So much for the attribution problem.

3. If your tradecraft is sloppy and you're going after the NYT, then you have to figure you're going to get outed, and in a big way. Don't pick fights with someone who buys ink by the barrel and all that. Either there are some incompetent rogue actors in the People’s Liberation Army, possible but unlikely, or the hubris of the Communist Party and the PLA 3rd Department (which is responsible for monitoring the telecommunications of foreign armies and producing finished intelligence based on the military information collected) is great enough to think they would get away with it, or in the logic of the Party, the value of the information they sought outweighed the risk of compromise. This latter option really tells you something about the paranoia in the Party.

4. One reason that Chinese tradecraft has not improved over the years and that the cost calculation may underweight consequences is that there haven't been any consequences for China. The first U.S. response was to focus on better defenses, then better information sharing between government and firms. Defense is hard for a number of reasons, and it has had some effect in causing the Chinese to up their game a bit and also to develop a lot of knowledge in the infosec community about Chinese techniques. The second was for U.S. officials to explicitly name and shame China. But there hasn't been any other real sanction tied to Chinese hacking. We say we don't like it. They say it isn't happening. The band plays on.

5. What should be done? Well, maybe nothing. The NYT is providing far better publicity on this than any U.S. demarche. If part of the issue is alarm over the subversion of the internet and the open democratic conversation it enables, personified by a free and open press, then what better way to advocate for those values than for the press itself to enhance transparency by blowing this operation wide out into the open? As long as name and shame is our policy, then it doesn't get any better than this.

6. Of course, if U.S. policy is in part to advocate for human rights in China by enabling dissidents to communicate and subvert Chinese censorship--i.e., to do something to protect the very sorts of people who the Chinese hackers appear to have been looking for--then we have very little interest in international rules to restrict hacking. Presumably you don't hear about U.S. hacking in China because the National Security Agency’s tradecraft is a lot more solid (and it's lost in the noise of the tremendous insecurity and noise in domestic Chinese networks), as well as because the target set in our case is more focused on national security rather than economics. Furthermore, the activist hacking from the U.S. that isn't directly promoted by the U.S. government is hard to expose because if it is detected, as it must be often, then to publicize it the Chinese would have to publicly talk about internet controls which don't officially exist.

7. I wonder if the human rights angle of this story may actually end up being far more important if viewed by policymakers as an attack on American soil of core American democratic values. It would be one thing to steal New York Times secrets or even to impede an investigation, but to look for sources, presumably with intent to punish, is another thing. This, after all, is what got Clinton so animated after Google was hacked in 2009-2010 in search of dissidents.

8. Going back to the NYT response, it is very interesting that they relied heavily upon a private infosec company for the investigation. There's an interesting sequence of paragraphs that implies that the NYT asked the FBI for help, but they couldn't provide much, so the NYT hired Mandiant, who did a handy job of identifying the perps and bounding the damage into a honeypot, like any good CI investigation. Thanks for nothing, G-Men, we're going to Dick Tracy. The first thing this illustrates is how much of the cybersecurity problem is in the private sector in terms of expertise as well as targets. The second thing it suggests is perhaps the private sector is best equipped to handle this problem. Companies are taking security more seriously and private companies now exist to help them do so.

9. China definitely comes out the loser in this affair, I think. They lose a lot of credibility in their various attempts internationally to shift internet governance to the United Nations and away from informal business networks. A lot of people are going to look at this story and howl about how terribly insecure this shows the internet is and the government should do more to regulate cybersecurity, but I think we will also be able to look at this and point to the broader effectiveness of open market-based networks.

My favorite take: The Onion is generously offering its employees' passwords and personal information to the Chinese government! “China boasts the world’s biggest population, fastest-growing economy, and is the recipient of more foreign direct investment than any other country on the globe. The Onion aims to be on the right side of history, and towards that end, China is also welcome to our employees’ social security numbers, home addresses, and medical and voting histories if ever they would like to see them.”

This conversation seems to have engaged cyberattacks on both the domestic and international fronts. Let me pick up on the latter thread and offer just a few thoughts. I think that the cyberattacks are less about controlling China's image as Orville suggests (although I agree with him that China is committed to doing so) than they are about theft: theft of other people's ideas, conversations, inventions, intellectual property, etc. Cyberhacking is in many respects a more personally-directed enterprise than it might seem when you hear that this NGO or media organization or company was hacked. Cyberhackers are people who are stealing, cheating, and reading other people's personal mail. It is a personal enteprise that very directly attacks people.

Thus when asked the question, "at what cost cyberattacks?" my reaction is rather different from that of my friends and colleagues above. For China, I tend to think in terms of reputational costs and credibility costs. China's eminent foreign affairs official Cui Tiankai--who is rumored to be that country's next ambassador to the United States--has spoken of a trust deficit between the United States and China. On the Chinese side, this often boils down to claims that even as the United States talks the game of engagement, it is trying to contain China. For the United States, however, there is likely no greater source of distrust than cyberhacking. U.S. companies, U.S. media outlets, NGOS, and the U.S. government have all been targeted by Chinese cyberhackers, and in a number of instances, the hackers have been traced back to "university computers used by the Chinese military," as in the New York Times case. It seems unlikely that the same people who have been hacked by Chinese entitites are going to be strong advocates for "trusting" China. So, another cost to China, in addition to its reputation and credibility, is the loss of potential allies. 

So what to do from here? The bold play by the New York Times to detail its case and out the Chinese suggests that we may have reached an inflection point. More companies, as well as the U.S. government may become more assertive about revealing the fact that they have been hacked and reporting precisely who has done the hacking. The U.S. Department of Justice has also indicated that it may soon begin to go after hackers and state-owned enterprises that benefit from stolen property.  My colleague Adam Segal spends a lot of time working on how the United States and China might better cooperate on cybersecurity--and of course there are fruitful areas in terms of rooting out domestic economic cyber crimes, which both countries face.  Other issues, such as what constitutes appropriate boundaries for internet freedom will remain contentious issues to be hammered out in international forums--with plenty of countries aligned along all parts of the freedom spectrum. In the near term, however, it might be a positive step  toward building the trust that both the United States and China so desperately seek if a group of Chinese scholars, businesspeople, and officials--perhaps along with their American colleagues--could stand together to denounce these cyberattacks as not worthy of the strong, confident, and successful country China is becoming. 

 

It is interesting for me to join in this conversation from Orville's phrase: “paradox between how much China has changed, and how little China has changed.”

The cyberattack on the New York Times, the Wall Street Journal and Bloomberg News immediately reminds their readers about the investigative reports these media have done on Chinese leaders. That might indeed be what triggered these attacks.  Seeing this issue from "control the China Image abroad,” or China’s “soft power seeking" perspective is very useful for us to understand this issue, and therefore raising the question of "at what cost?” 

But I would also like to focus on another phrase in James opening post, “Entire regime relies on an information-control strategy.”

In this light, for the Chinese Party-State, foreign media, including those from the U.S., EU, Japan, and those from India or other parts of the world such as Al Jazeera in Qataror media from Taiwan and Hong Kong, are all in a general category of having an adversarial relationship with such an “information-control strategy.” This status quo of foreign media explains why these journalists, and sometimes the agencies themselves are often under Chinese cyberattack.  The attacks are partially aiming to monitor and intimidate journalists reporting on China, and probably more importantly, aiming to intimidate potential Chinese “sources” to cooperate with these “external hostile forces.”

Today’s Hong Kong media published stories about how Hong Kong journalists routinely come under cyberattack by Chinese security agencies in their China reporting work. In confidential interviews, I also have learned that certain Chinese military units have been using the list of foreign media and foreign human rights NGOs as regular cyberattack training targets, not just to prevent or to punish one specific report about Chinese high politics.

So to me, little has changed in terms of this statement: China’s “entire regime relies on an information-control strategy.” What has remarkably changed is the implementation of such control, which now extends to sophisticated high technology and has gone way beyond of borders of the People's Republic of China.

 

Within about twelve hours of The New York Times story, The Wall Street Journal also ran a long piece discussing its hacking:

In the most recent incident, the Journal was notified by the FBI of a potential breach in the middle of last year, when the FBI came across data that apparently had come from the computer network in the Journal's Beijing bureau, people familiar with the incident said.

The Journal hired consultants to investigate the matter and uncovered a major breach in which hacking groups—it wasn't clear whether they were working together—entered the company's networks, in part through computers in the Beijing office, people familiar with the situation said. The hackers then infiltrated the paper's global computer system, the people said.

Per James Fallows’ points about practicing good security hygiene, it is interesting that the Journal appears to have had no idea they were under attack until the FBI let them know. We may never know how the “FBI came across data that apparently had come from the computer network in the Journal’s Beijing bureau,” but that is a curious revelation. 

Given the minimal direct costs to the hackers and the small chance that this kind of behavior can be diplomatically changed any time soon, companies that are likely targets, and especially leading western media firms that cover China, need to invest much more in their IT security. 

We learned from the New York Times and Wall Street Journal admissions that Bloomberg was attacked but nothing was compromised, which is not surprising given its importance to global financial markets, customer base, and remarkably healthy financial position that allows it to invest heavily in protecting its networks. The New York Times was attacked and compromised but since they had asked AT&T to watch for unusual activity they knew almost immediately they were under attack, though not the full extent of the intrusions. The Wall Street Journal had no idea it was going on until the FBI called. Given the perilous financial state of most Western media firms, network security budgets are unlikely to be as large as needed in the current environment, to the benefit of hackers and cyberspies. 

Not to take away from the seriousness of these hackings, but I do think it is worth pointing out that the timing of the New York Times and Wall Street Journal revelations have led some in the business (and not just competitors) to point out that the Pulitzer Prize submission deadline just passed, 2012 was an amazing year for China journalism, The New York Times, The Wall Street Journal and Bloomberg all had Pulitzer-worthy coverage in 2012, and so perhaps one point of differentiation for the prize committee might have been “our stories were so impactful that the Chinese government decided to hack us.” If these revelations do sway the Pulitzer Committee, China will again have shot itself in the foot.