taken several steps to defend its own cyberspace,
established cyber war military units, and
laced U.S. infrastructure with logic bombs.
While developing cyber strategy, China also made use of private hackers closely aligned with the state’s interests. The U.S.-China Economic and Security Review Commission estimates that there are up to 250 groups of hackers in China that are sophisticated enough to pose a threat to U.S. interests in cyberspace. We saw something of their early capabilities in 1999, when the United States led a NATO air campaign to stop the slaughter in Kosovo by Serbian forces. The U.S. had all but perfected its smart weapons and used them to eliminate the Serbians’ Soviet-era military apparatus without losing a single American life (one U.S. warplane went down due to mechanical failure). Unfortunately, smart weapons can’t make up for bad intelligence. Six bombs dropped from U.S. aircraft hit the precise coordinates provided to the mission planners by the CIA. The target was supposed to be the Yugoslav Federal Directorate for Supply and Procurement, a planning agency of the Serbian military. The coordinates, however, were about 900 feet off from the Directorate and exactly on top of the Chinese embassy.
The Chinese held protests outside U.S. embassies and consulates, issued condemnatory statements within the UN and other bodies, and demanded compensation for the victims and their families. After the embassy bombing, U.S. and NATO websites were targeted with denial of service attacks. Government agencies had their in-boxes stuffed with spam messages protesting the bombing. Some NATO webpages were forced down, while others were defaced. The attacks did little damage to U.S. military or government operations. The effort amounted to little more than what we call “hacktivism” today, a fairly mild form of online protest. It was, however, a first use of cyberspace by China to protest. Chinese hacktivists did it again in 2001, when a U.S. “spy plane” allegedly entered Chinese airspace and was forced by Chinese fighter jets to land in China. However, while these Chinese citizen hackers were launching their primitive denial of service and spam attacks, China’s intelligence-industry partnership was also busy.
The Chinese government went after two underpinnings of the U.S. computer industry’s dominance of networking technology, Microsoft and Cisco. By threatening to ban Chinese government procurement from Microsoft, Beijing persuaded Bill Gates to provide China with a copy of its secret operating system code. Microsoft had refused to show that same code to its largest U.S. commercial customers. Then China copied the Cisco network router found on almost all U.S. networks and at most Internet service providers. Cisco had a manufacturing plant for the routers in China. Chinese companies then sold counterfeit Cisco routers at cut-rate discounts around the world. The buyers allegedly included the Pentagon and other federal government entities. Counterfeit routers started showing up on the market in 2004. Three years later, the FBI and the Justice Department indicted two brothers who owned a company called Syren Technology for selling the counterfeit routers to a customer list that included the Marine Corps, the Air Force, and multiple defense contractors. A fifty-page report authored by the FBI and circulated within the technology industry concluded that the routers could be used by foreign intelligence agencies to take down networks and “weaken cryptographic systems.” Meanwhile, another Chinese company, Huawei, was selling similar routers throughout Europe and Asia. The major difference was that, unlike the counterfeits, these routers did not say Cisco on the front. Their label said Huawei.
With intimate knowledge of the flaws in Microsoft and Cisco software and hardware, China’s hackers could stop most networks from operating. But wouldn’t the Chinese be vulnerable, too? They would be, if they used the same Microsoft and Cisco products we do. As part of the deal with Microsoft, the Chinese modified the version sold in their country to introduce a secure component using their own encryption. Hedging their bets, they also developed their own operating system, called Kylin, modeled on the stable open source system known as FreeBSD. Kylin was approved by the People’s Liberation Army for use on their systems. China allegedly also developed its own secure microprocessor for use on servers and Huawei routers. The Chinese government is trying to install “Green Dam Youth Escort” software on all of its computers, allegedly to screen for child pornography and other prohibited material. If they get it to work, and proliferate it on all their systems, Green Dam could also scan for malware installed by enemy states.
In addition to Green Dam, there is the system that U.S. wags call the Great Firewall of China. Not really a firewall, the government-run system screens traffic on ISPs for subversive material, such as the Universal Declaration of Human Rights. The system engages in something called “Domain Name System hijacking,” sending you to a Chinese government clone of a real site when you are in China and try to go, for example, to the webpage of a Christian evangelical organization. It also has the ability to disconnect all Chinese networks from the rest of the global Internet, something that would be handy to have if you thought the U.S. was about to launch a cyber war attack on you. James Mulvenon, one of the leading American experts on China’s cyber war capabilities, says that taken together, Green Dam, the Great Firewall, and other systems represent “a substantial investment by Chinese authorities in enhanced blocking, filtering, and monitoring” of their own cyberspace.
By 2003, China had announced the creation of cyber warfare units. Housed at the naval base on Hainan Island are the Third Technical Department of the PLA and the Lingshui Signals Intelligence Facility. According to the Pentagon, these units are responsible for offense and defense in cyberspace, and have designed cyber weapons that have never been seen before and that no defenses have been designed to stop. In one publication, the Chinese listed ten examples of such weapons and techniques:
planting information mines
conducting information reconnaissance
changing network data
releasing information bombs
dumping information garbage
disseminating propaganda
applying information deception
releasing clone (sic) information
organizing information defense
establishing network spy stations
China did establish two “network spy stations,” not far from the U.S., in Cuba. With the permission of the Castro government, the Chinese military created a facility to monitor U.S. Internet traffic and another to monitor DoD communications. At about the same time China announced the creation of its cyber warfare units, the U.S. experienced one of the worst episodes of cyber espionage to date. Known as Titan Rain, the U.S. code name given to the case, the incident involved the extraction of between 10 and 20 terabytes of data off the Pentagon’s unclassified network. The hackers also targeted the defense contractor Lockheed Martin, other military sites, and, for reasons that remain hard to fathom, the World Bank. Vulnerabilities in Pentagon and other targeted networks were systematically identified and then exploited to extract information through servers in South Korea and Hong Kong. Investigators were able to trace the flow from these intermediate servers back to a final server in Guangdong, China. U.S. Air Force Major General William Lord directly and publicly attributed the attacks not to Chinese hacktivists, but to the Chinese government.
By 2007, the Chinese government seemed to be involved in a widespread series of penetrations of U.S. and European networks, successfully copying and exporting huge volumes of data. The Director of the British domestic intelligence service MI5, Jonathan Evans, wrote letters to 300 leading companies in the U.K., advising them that their networks had probably been penetrated by the Chinese government. Evans’s counterpart in Germany, Hans Remberg, also accused the Beijing government, this time of hacking into the computer of Angela Merkel, the German Chancellor.
The computer espionage also went after a high-ranking American, hacking into the computer of Secretary of Defense Robert Gates. Later, Chinese operatives copied information off of U.S. Secretary of Commerce Carlos Gutierrez’s laptop when he visited Beijing, then attempted to use that information to gain access to Commerce Department computers. Commenting on the Chinese, Gates’s Deputy Undersecretary, Robert Lawless, admitted that they have “a very sophisticated capability to attack and degrade our computer systems…to shut down our critical systems. They see it as a major component of their asymmetrical warfare capability.”
In 2009, Canadian researchers uncovered a highly sophisticated computer program they dubbed GhostNet. It had taken over an estimated 1,300 computers at several countries’ embassies around the world. The program had the capability to remotely turn on a computer’s camera and microphone without alerting the user and to export the images and sound silently back to servers in China. A top target of the program were offices related to nongovernmental organizations working on Tibetan issues. The operation ran for twenty-two months until discovered. The same year, U.S. intelligence leaked to the media that Chinese hackers had penetrated the U.S. power grid and left behind tools that could be used to bring the grid down.
The extent of Chinese government hacking against U.S., European, and Japanese industries and research facilities is without precedent in the history of espionage. Exabytes of data have been copied from universities, industrial labs, and government facilities. The secrets behind everything from pharmaceutical formulas to bioengineering designs, to nanotechnology, to weapons systems, to everyday industrial products have been taken by the People’s Liberation Army and by private hacking groups and given to China, Inc.
In the latest incident to become public, Google revealed its discovery of a highly sophisticated campaign targeting both the company’s intellectual property and the e-mail accounts of leaders in the Chinese dissident movement.
The hackers used advanced “spear-phishing” techniques to dupe senior Google executives into visiting websites where malware would automatically be downloaded onto their computers to give the hackers root access. While most phishing scams cast a wide net and try to catch a few people who are gullible enough to fall for Nigerian scammer e-mails, spear-phishing specifically targets an individual, figures out who their acquaintances are on Facebook or LinkedIn, and then tailors a message to look like it is from someone they would trust. If you were a senior research scientist at Google, you might have received an e-mail containing a link to a website that looked like it was from a colleague. The message might have said, “Hey, Chuck, I think this story will interest you…” and then provided a link to a fairly innocuous site. When the target clicked on the link and visited the site, the hackers used a zero-day flaw in Internet Explorer, one that was not publicly known and had yet to be patched, to download the malware silently and in such a fashion that no antivirus software or other measures would detect it. The malware created a back door to the computer so the hackers could maintain their access, and the hackers used that first compromised computer to work their way across the corporate network until they reached the servers containing the source code, the crown jewel of a software company.
When Google’s scientists figured out what was going on in mid-December, they traced back the hacking to a server in Taiwan, where they found copies of their proprietary information and those of at least twenty other companies, including Adobe, Dow Chemical, and the defense contractor Northrop Grumman. From there, they traced the attacks back to Mainland China, and then went to the FBI, making their public announcement of the hacking and plans to exit the Chinese market in mid-January.
Some will suggest that war with China is, in any event, unlikely. China’s dependence on U.S. markets for its manufactured goods and the trillions the country has invested in U.S. Treasury bills mean that China would have a lot to lose in a war. One Pentagon official who spoke on the condition of anonymity isn’t so sure. He points out that the economic meltdown in the U.S. has had a secondary effect in China that has put millions of Chinese factory workers out on the streets. The Chinese government has not shown the kind of concern that we expect in the West and is not apparently worried about any weakening of its grip on the Chinese people. The lesson the Pentagon official takes away is that China can take economic lumps and may well do so if the gains from warfare are perceived as high enough.
What might such gains be? The trite answer one often hears is that China may find itself forced to stop Taiwan from implementing a declaration of independence. When serious analysts weigh the prospects of open conflict with China, however, they see it playing out over the open waters of the South China Sea. The Spratly Islands are not exactly a tourist destination. They are not exactly islands. If all were piled up together, the reefs, sandbars, and rocks in the South China Sea would amount to less than two square miles of land. That two square miles of land is spread out over more than 150,000 square miles of ocean. It’s not the islands that China, Vietnam, Taiwan, Malaysia, the Philippines, and Brunei are feuding over, but what is under them and around them. The reefs have some of the largest remaining stocks of fish in the world, a resource not to be discounted among the growing and hungry nations that lay claim to the waters. The islands also skirt the critical trade route that links the Indian Ocean to the Pacific nations, through which a large majority of the world’s oil flows out of the Middle East. Then there are the Spratlys’ oil and gas. Undeveloped fields estimated to hold more natural gas than Kuwait, currently home to the fourth-largest reserves in the world, could fuel the economies of any of the countries for decades to come. Oil fields in the islands are already well developed, often with platforms established by several nations drawing out of the same reservoir.
If China decides to flex its newly developed military muscle, it may very well be in an attempt to wrest these islands from its neighbors, a scenario explored as a tabletop exercise later in the book. If China does seize the islands, the U.S. could, though reluctantly, be drawn into a response. The U.S. has established security guarantees with both the Philippines and Taiwan. Chevron has helped Vietnam develop the offshore oil fields that that nation claims.
Alternatively, we might be deterred from intervening against China in the Pacific Rim if the costs of doing so would be significant damage or disruption at home. According to Defense Secretary Robert Gates, cyber attacks “could threaten the United States’ primary means to project its power and help its allies in the Pacific.” Is that enough to deter the U.S. from a confrontation with China? If the possibility of China crippling our force projection capability is not enough to deter us, maybe the realization of our domestic vulnerabilities to cyber attack would be. The alleged emplacement of logic bombs in our electric grid may have been done in such a way that we would notice. One former government official told us that he suspects the Chinese wanted us to know that if we intervened in a Chinese conflict with Taiwan, the U.S. power grid would likely collapse. “They want to deter the United States from getting involved militarily within their sphere of influence.”
The problem is, however, that deterrence only works if the other side is listening. U.S. leaders may not have heard, or fully understood, what Beijing was trying to say. The U.S. has done little or nothing to fix the vulnerabilities in its power grid or in other civilian networks.
A SCORE OF OTHERS
I focused on China because its cyber war development has been, oddly, somewhat transparent. U.S. intelligence officials do not, however, rate China as the biggest threat to the U.S. in cyberspace. “The Russians are definitely better, almost as good as we are,” said one. There seems to be a consensus that China gets more attention because, intentionally or otherwise, it has often left a trail of bread crumbs that can be followed back to Tiananmen Square.
The Russian nongovernmental hackers, including large cyber criminal enterprises, are a real force in cyberspace, as was demonstrated in the attacks on Estonia and Georgia discussed in chapter 1. The hacktivists and criminals are generally thought to be sanctioned by what used to be called the Sixteenth Directorate, a part of the infamous Soviet intelligence apparatus known as the KGB. Later it was called FAPSI. Few American intelligence officers could ever remember what FAPSI stood for (it’s the Russian acronym for Federal Commission for Government Communications and Information); they just knew it was “Moscow’s NSA.”
Like America’s NSA, FAPSI started out doing code making and breaking, radio intercept, bugging, and wiretapping. As soon as the Internet appeared, however, FAPSI was on to it, taking over the largest ISP in Russia and later requiring all Russian ISPs to install monitoring systems that only FAPSI could access. Of course, during the rise of the Internet, the Soviet Union ended, and so, theoretically, did the KGB and FAPSI. In fact, the organizations merely put new names on their headquarters. After several changes, in 2003 FAPSI became the Service of Special Communications and Information. Not all of their placarded buildings are in Moscow. In the southern city of Voronezh, FAPSI, as many Russians still call it, runs what might be the largest (and certainly one of the best) hacker schools in the world. By now, of course, they are probably calling themselves cyber warriors.
Other nations known to have skilled cyber war units are Israel and France. U.S. intelligence officials have suggested that there are twenty to thirty militaries with respectable cyber war capability, including those of Taiwan, Iran, Australia, South Korea, India, Pakistan, and several NATO states. “The vast majority of the industrialized countries in the world today have cyber-attack capabilities,” said former Director of National Intelligence Admiral Mike McConnell.
WHEN CYBER WARRIORS ATTACK
You may by now believe that there are cyber warriors, but in addition to jamming Internet sites what can they do, really? Obviously, we have not had a full-scale cyber war yet, but we have a good idea what it would look like if we were on the receiving end. Imagine a day in the near future. You are the Assistant to the President for Homeland Security and you get a call from the White House Situation Room as you are packing up to leave the office for the day, at eight p.m. NSA has issued a “CRITIC” message, a rare alert that something important has just happened. The one-line message says only: “large scale movement of several different zero day malware programs moving on Internet in the US, affecting critical infrastructure.” The Situation Room’s Senior Duty Officer suggests that you come down and help him figure out what is going on.
Cyber War: The Next Threat to National Security and What to Do About It Page 7