April 1st, 2015

New Chinese Cyberattacks: What’s to Be Done?

Chinafile conversation featuring Steve Dickinson, Jason Q. Ng, Isaac Mao and Collin Anderson. Source: Chinafile 1/4/2015


Starting last week, hackers foiled a handful of software providers that promote freedom of information by helping web surfers in China reach the open Internet. The attacks that drastically slowed the anti-censorship services of San Francisco-based GitHub and China-based GreatFire.org emanated from computers around the world. Unbeknownst to their owners, attacking computers apparently were infected by code triggered by using the advertising or analytics tools of Baidu, China’s largest search engine—a company whose shares are traded on the NASDAQ exchange. Baidu has said it has found no security breaches and is working with other organizations to get to the bottom of the attacks. Have the latest cyberattacks, as some coverage has suggested, “weaponized” the computers of unsuspecting global netizens? What should governments, businesses, and individuals do about this apparent spread of China’s official command-and-control vision of the Internet beyond its borders? —The Editors

Responses

Wednesday, April 1, 2015 – 6:01am

The Chinese have already weaponized the Internet. They assume that everyone else has done the same thing. China does not see the Internet as a benign force. They see the Internet as a weapon aimed at their heart. It is therefore completely natural that they will respond to what they see as threats directed at China that originate on the Internet.

One method they will use for protection is to create a Chinese sovereign Internet. Within China, the Internet will be entirely in the control of the Chinese authorities. This is a Balkanization of the Internet. The Chinese authorities understand this and welcome the result.

The problem for the Chinese is then what to do about attacks against China that come from outside of the borders of China. They have a two-prong policy. First, the Great Firewall will block access to China. This is the primary strategy. Second, where the Great Firewall is not effective, China will strike back, using the open Internet as a weapon. This is exactly what is happening in the current GitHub denial of service attack.

Officials of the Chinese government and their academic advisors believe that their actions are completely justified. Every country has a right to self-defense and China is simply exercising that basic right. For this reason, cross-border discussions asking the Chinese to stop this practice will fail. That is, this kind of attack is not an example of malicious hacking. From the Chinese point of view, it is legitimate self-defense.

So what can be done? There are three basic strategies:

  1. Submit to the will of the Chinese and remove all content that the Chinese see as a threat to their interests.
  2. Understand the threat and install countermeasures specifically designed to deal with the threat from China and other countries with a similar basic approach.
  3. Attack back, understanding that cyber-war is still war and that any counter-attack may result in unanticipated consequences: more extreme damage, blowback, collateral damage, and the like.

Since no one in the U.S. has made any effort to understand the Chinese position, no one is publicly taking any steps that are likely to have any practical impact. I therefore expect that capitulation will be the most common response. Capitulation is fine when you are small and weak. Capitulation is humiliating when you pretend otherwise.


Wednesday, April 1, 2015 – 11:08am

Steve Dickinson identifies two of the more commonly suggested—albeit unlikely to pass—responses to the recent DDoS on GitHub and GreatFire and to similar future cyberattacks that are suspected to come from China:

  1. Remove content that Chinese officials deem objectionable—and based on the recently formed Cyberspace Administration of China’s (CAC) own articles, they clearly find GreatFire’s work objectionable.
  2. Attack back, be it with sanctions or a “proportional” cyber response—as the U.S. military is thought to have done to North Korea’s Internet after the Sony Pictures Entertainment hack.

While vigilante groups like Anonymous might respond, the latter is doubtful partly because it’s notoriously hard to attribute DDoS attacks beyond a shadow of a doubt, but mostly because China is not North Korea. The former is unlikely because GitHub, and particularly GreatFire, have publicly stood on the side of open Internet and all the expectations that come with it: freedom of expression, access to information, and transparency in code (which serves as de facto law on the Internet). In 2013, GitHub was blocked in China allegedly either due to hosting a browser plugin that allowed you to “hack” the Railway Ministry’s ticketing website or because it hosted circumvention software and sensitive news; whatever the case might have been, user outrage in China’s programming community forced officials to relent and re-open access to GitHub.

This Chinese capitulation gave credence to the developing notion of “collateral freedom” which many of GreatFire’s services are built on: in short, host censored content on general online services like GitHub, content delivery networks, or Google Docs, and leverage the many “legitimate” users of these sites in a high-stakes dare—shut down the entire service and face criticism by businesses and people who just want to see cat videos, or leave the sensitive material up.

What’s interesting to me is that both collateral freedom and this latest cyberattack on GitHub rely on the same thing: leveraging the many passive, apolitical users of the Internet. In the GitHub attack’s case, it is random Internet surfers around the world who happen to view a webpage with Baidu’s analytics code installed on it that instigate the flood of requests to GitHub’s servers. For GreatFire, it is the mass of users who through their typical usage of an online service implicitly express support for it. In both cases, surfing the web has become “weaponized,” with all the unintended consequences that come with that.

We can all agree that the first type is an unhealthy act if we want to ensure the Internet remains a robust, innovative, and secure space. However, though I fully support GreatFire’s implementation of collateral freedom, the ethical question of whether the potential collateral damage—sites shut down, servers disrupted, innocent users denied access to online services because governments decide the threats outweigh the benefits of allowing the host of objectionable materials to stay online—that comes from a collateral freedom counter-“attack” is worth considering, even if only to develop yet stronger arguments in favor of it. Over the past week, there were no doubt some inconvenienced Chinese and non-Chinese GitHub users who didn’t necessarily believe in GreatFire’s mission 100%. They did not enlist to provide strength to GreatFire’s work or offer to potentially sacrifice their connectivity to GreatFire’s cause, and yet GreatFire was able to harness their web traffic for power. There are unintended consequences when merely surfing the web becomes a weapon—be it for an open Internet or not.

Finally, while some may argue that this latest attack on GitHub and recent disruptions to Google services in China show possible signs of cracks in collateral freedom, I want to touch on Dickinson’s third possible response: install countermeasures to mitigate future threats from China. There have been past incidents where Chinese Internet traffic was misdirected by the Great Firewall to hapless, unknowing foreign websites. A post by Craig Hockenberry, who experienced a similar DDoS, ends on a chilling note: as a last resort to prevent his server from being flooded, he blocked all Chinese users from accessing his site. While it’s arguable whether that would have helped GitHub in this case since the malicious attack utilized a global base to recruit its botnet, blocking Internet traffic coming from Chinese IP addresses has been mentioned as an option in the toolkit to prevent such attacks. This is an alarming thought. The Great Firewall is effective enough as it is; those on the side of an open Internet shouldn’t be doing the GFW’s job for it.

Last note: I hope Baidu is livid that this attack went down under their name. Let’s hope they and other Chinese tech companies made it clear to the folks at CAC (if they were indeed the ones who ordered it) that this sort of thing can’t ever happen again.


Wednesday, April 1, 2015 – 2:50pm

For years I’ve had a “dog-chasing-its-tail” theory about China’s never-ending loop of politics-related censorship: eventually, the censors will end up biting themselves.

The GitHub-GreatFire.org (Baidu) hacking case gives us a chance to test this theory. We’re now seeing how vulnerable China’s Internet is—both technically and politically.

I’d go so far as to predict current Chinese Internet policy will spur future surprises, disasters far beyond simple DDoS attacks from the outside, and will more likely result in attacks from the inside.

One more thing, from a personal vantage point: my current project, the smart headphones startup Aivvy, is fully hosted on GitHub. We’ve worked non-stop on it for thousands of working hours. If GitHub doesn’t recover from this latest denial of service attack, should we seek compensation from Baidu? This would surely be more convenient than requesting redress from the Chinese government. I’d love to see some legal opinions on this matter of public interest.


Wednesday, April 1, 2015 – 10:32pm

China’s exploitation of international demand for Internet services offered by companies such as Baidu echoes similar programs by American and British intelligence agencies disclosed by Edward Snowden (such as QUANTUMINSERT). There are fundamental parallels at play in these two cases—around the principles of Internet networking, computer security and economics; however, differing reactions suggest two very different visions for the development of the Internet, one of which offers little space to the general public to protect themselves or to articulate their own interests.

Just as Western intelligence actors can leverage their control of key points of international Internet traffic, China exercises such controls through licensing monopolies to highly-supervised domestic companies, such as China Telecom and China Unicom. This power position, complemented by regulatory policies and network infrastructure, constitutes the “Great Firewall,” and is the means by which authorities curtail the free flow of information from abroad.

The attacks on GreatFire and GitHub, sites that helped Chinese netizens to reach the open Internet, are the latest evidence of the opacity of the global web. It is not necessarily transparent to web users where they are retrieving content from, who has the ability to modify or monitor that traffic for malign purposes, and what additional resources are loaded onto their computers by websites they visit. In the case of the attacks on GreatFire and GitHub, a website analytics tool loaded from Chinese services without visitors’ awareness, providing no functionality for them, was intercepted by the Great Firewall to invisibly press their computers into malicious service. The visitor’s web browser began to participate in the unsophisticated attack against GreatFire in blind trust, which caused tens of thousands of dollars of damages to the organization. The source of this new web traffic went largely unattributed, with each infected computer generating a series of requests every few minutes, which, en masse, overwhelmed the targets, GreatFire and GitHub. The flood of traffic continued over the course of a week until GitHub took measures to break the attack, causing alerts to display on the unwitting participants’ browsers.

Herein rests a new conflict between private entities and the governmental organizations that can unilaterally intercept or manipulate Internet traffic for the purpose of espionage or imposing information controls. The repurposing of the Great Firewall to control traffic both outside and inside China further contributes to China’s attempts to fragment the global Internet. This time, rather than removing content deemed objectionable by the Party from the reach of web users sitting inside China, Chinese Internet authorities have taken steps to undermine international confidence in the integrity of Chinese Internet services and demonstrated the limits of the country’s commitment to cybersecurity. Unlike with censorship, where a web user can employ a virtual private network to leap the Great Firewall, there is little a member of the general public can do to prevent their home computer from being enlisted in a denial of service attack.

Even if web users avoid obviously Chinese sites such as Baidu altogether, international web sites could be using Chinese advertising and analytics tools in order better to reach and measure their growing target audience inside China. A website visitor would not necessarily know that his browser had interacted with a Chinese site and its services. Individuals are now caught in the middle of a contest between the private sector and governments, and amongst governments.

After the Snowden revelations, companies such as Google and Yahoo! reacted to a loss in international confidence in their services by raising the level of encryption used to protect their customers. Moreover, the companies challenged the American government in the public sphere and in courts over the legality of the government’s activities. Chinese companies have not taken, and may not be able to take without repercussions, similar steps to protect users against abuse by local government agencies. If they can, they are unlikely to do so without outside pressure from stockholders or regulators challenging their public reputation, market share, and financial security. Ambitious companies such as Baidu will have to contemplate whether Chinese Internet policy makes them subject to further abuse, therefore undermining the international reputation of their services and limiting their ability to expand globally. Until then, governments, advocates for a free Internet, and regular web users must challenge the cybersecurity commitments of China and call into question the attractiveness of doing business with Chinese Internet companies operating under such self-defeating conditions.
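The failure mode the conversation above turns on is a third-party script rewritten in transit and then executed by visitors’ browsers in blind trust. Subresource Integrity (SRI) is the standard web defense for exactly that case: the embedding site publishes a digest of the script bytes it audited, and a supporting browser refuses to run any copy that differs. The following is an added example, not code from ChinaFile or any of the participants; the script bytes and the tag names are constructed for illustration.

```python
"""Subresource Integrity (SRI) pinning for a third-party script (constructed example)."""
import base64
import hashlib
import hmac

SRI_ALGOS = ("sha256", "sha384", "sha512")  # the only algorithms SRI permits

# Constructed sample: the analytics script as audited by the site owner, and a
# copy that an in-path party has altered before it reached the visitor.
AUDITED_SCRIPT = b"(function(){ /* page-view beacon, audited 2015-03 */ })();"
TAMPERED_SCRIPT = AUDITED_SCRIPT + b"\n/* bytes that were not in the audited copy */"


def sri_digest(script_bytes: bytes, algo: str = "sha384") -> str:
    """Return the integrity metadata ('sha384-<base64 digest>') for a script body."""
    if algo not in SRI_ALGOS:
        raise ValueError(f"SRI only permits {SRI_ALGOS}, got {algo!r}")
    digest = hashlib.new(algo, script_bytes).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def sri_matches(script_bytes: bytes, integrity: str) -> bool:
    """Model the browser's decision: execute the fetched bytes only if they match
    at least one recognised digest in the (space-separated) integrity attribute."""
    for token in integrity.split():
        algo, _, _expected = token.partition("-")
        if algo not in SRI_ALGOS:
            continue  # browsers ignore tokens with unknown algorithms
        if hmac.compare_digest(sri_digest(script_bytes, algo), token):
            return True
    return False


def script_tag(src: str, script_bytes: bytes) -> str:
    """Emit the <script> tag a site operator would publish for an audited copy.
    crossorigin="anonymous" is required for SRI to apply to a cross-origin script."""
    return (f'<script src="{src}" integrity="{sri_digest(script_bytes)}" '
            'crossorigin="anonymous"></script>')


if __name__ == "__main__":
    pinned = sri_digest(AUDITED_SCRIPT)
    print(script_tag("https://analytics.example/beacon.js", AUDITED_SCRIPT))  # hypothetical URL
    print("audited copy runs:  ", sri_matches(AUDITED_SCRIPT, pinned))   # True
    print("rewritten copy runs:", sri_matches(TAMPERED_SCRIPT, pinned))  # False
```

SRI only helps when the page and the script are both served over HTTPS and the operator has actually audited the pinned bytes; it does nothing against a script that is malicious at its origin.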