Saturday, September 19, 2009

Computer Attacks From China Leave Many Questions



Computer Attacks From China Leave Many Questions


No aspect of China’s defense industry and strategy is more of a mystery than its cyberwarfare capability.

Beijing’s wide-ranging probes of U.S. military computer networks remain highly classified, and experts disagree over the motives — is it mere curiosity or preparation for something more ominous?

One of the most famous attacks on U.S. government computers took place in 2004, when a systematic assault on U.S. computers was traced back to Guangdong province in southern China. Attacks focused on U.S. military and commercial arms industry computer networks.

Behind Titan Rain

The attack, now dubbed Titan Rain, was an attempt to collect information from computer files. However, who was responsible for the attacks is unclear.

Confounding U.S. understanding is a generation gap in research circles that deal with China. Many older China analysts are unfamiliar with computer hacker terminology such as data condoms, Golden Shield, Botnets, the Panda Burning Incense virus and Titan Rain, prompting some to dismiss the issue’s magnitude.

Given complex computer systems are vital to the U.S. military for everything from education and acquisitions, to reconnaissance and intelligence, to logistics and operations, securing these massive networks against mounting probes and attacks is vital.

The issue was underscored in April, when hackers over the course of two weeks attacked Estonia’s state Web sites in the wake of a dispute with Russia. Moscow denied involvement, but NATO dispatched specialists to the Baltic country. President George W. Bush said the attacks served as a “lesson” for the United States.

“The key mystery for the U.S. is to understand precisely why China has been doing these kinds of cyber probes of U.S. networks,” said China specialist Michael Pillsbury, lauding congressional testimony earlier this year by Marine Corps Gen. James Cartwright, then the chief of the U.S. Strategic Command. Cartwright was recently confirmed by the Senate to become the vice chief of the Joint Staff.

In the report to Congress by the U.S.-China Economic and Security Review Commission in June, Cartwright warns that China is using “cyber reconnaissance” to probe U.S. computer networks for information and identifying weaknesses.

“China is actively engaging in cyber reconnaissance by probing the computer networks of U.S. government agencies as well as private companies. The data collected from these computer reconnaissance campaigns can be used for myriad purposes, including identifying weak points in the networks, understanding how leaders in the United States think, discovering the communication patterns of American government agencies and private companies, and attaining valuable information stored throughout the networks,” the report states.

“I think that we should start to consider that regret factors associated with a cyber attack could, in fact, be in the magnitude of a weapon of mass destruction.”

The problem, according to Pillsbury, is the “strident” split within the U.S. government over China’s strategic goals.

Curious or Threatening?

“If China’s probes of U.S. networks are actually designed to prepare a cyber strike, then our national strategy toward China seems naive and will need to be replaced,” he said.

“If the Chinese are just curious and just probing the U.S. in order to protect themselves and merely to threaten Taiwan not to go independent, then our current strategy since 1979 of aiding China’s prosperity and stability make a lot of sense and should be continued by the next president. So the devil is in the details of these Chinese probes.”

“A potential first strike using cyberwarfare would be damaging, but it probably would not cripple the United States’ defense capacity,” said Larry Wortzel, commissioner of the U.S.-China Economic and Security Review Commission. “Moreover, if the U.S. could attribute such an attack to China, and it probably could, it need not restrict itself to retaliating in kind.”

James Lewis, director of the Technology and Public Policy Program at the Center for Strategic and International Studies, Washington, has written extensively on cyberwarfare.

“China [and Russia] are increasingly unrestrained in their use of cyber attacks,” Lewis said. “They probably assume that since the tracks are largely untraceable, they don’t run much risk. Eventually, there will be some incident that gets them into trouble. I don’t have a sense that China’s leaders are either aware of the risks they are running with cyber attacks or that they’ve calculated the risks correctly.”

Part of the problem might have to do with doctrine.

The Pentagon’s 2007 annual report to Congress on China’s military power admits there is “no evidence of a formal Chinese computer network operations (CNO) doctrine.”

“China’s CNO concepts include computer network attack, computer network defense and computer network exploitation,” the report says. “The PLA [People’s Liberation Army] sees CNO as critical to achieving ‘electromagnetic dominance’ early in a conflict. Although there is no evidence of a formal Chinese CNO doctrine, PLA theorists have coined the term ‘Integrated Network Electronic Warfare’ to prescribe the use of electronic warfare, CNO and kinetic strikes to disrupt battlefield network information systems.”

The report describes using a cyber attack as a first-strike option:

“The PLA has established information warfare units to develop viruses to attack enemy computer systems and networks, and tactics and measures to protect friendly computer systems and networks. In 2005, the PLA began to incorporate offensive CNO into its exercises, primarily in first strikes against enemy networks.”

Lewis said China’s Ministry of State Security (MSS) has “two bureaus that develop and use cyber capabilities: the General Staff 3rd Department looks at info warfare, and the Beijing Military command [the country’s biggest] practices information warfare.

“MSS and the PLA have research labs around the country [some associated with universities, like the Beijing Institute of Technology] that develop software products,” he said. “There may also be a connection between the Chinese hacker community and the MSS.”

Cyber Doctrine

Despite the difficulty in identifying the source of cyber attacks, Wortzel argues there is clear doctrinal evidence that cyberwarfare is an integral part of China’s war-fighting strategy.

“It is clear from doctrinal material written by PLA officers that cyberwarfare is a major part of the Chinese military’s war-fighting doctrine. The PLA has technical reconnaissance bureaus, special technical warfare units and electronic warfare organizations in its main forces in a number of military regions,” he said.

“The book, ‘A New Discussion on Information Warfare (Xinxi Zhan Xin Lun),’ published by the Academy of Military Science in 2004, makes it clear that cyberwarfare is an integral part of the strategic, operational and tactical levels of war for the PLA.”

China makes an enormous effort to control the Internet inside its borders. China’s domestic communications intelligence program, the Golden Shield, monitors the Internet.

The effort in developing Golden Shield has produced dividends for the intelligence community. Techniques to monitor domestic e-mails and Web sites have created new techniques to spy on foreign computers.

China is well known for being the origin of malicious attacks that deface or disable Web sites that are politically offensive to the Chinese Communist Party, but the perpetrators are hard to identify. A 1998 attack on computer networks in the Pentagon was blamed on the PLA, but later turned out to be committed by bored teenagers in California.

In July, a Chinese human rights Web site, 64tianwang, maintained in the United States by human rights activist Huang Qi, was attacked by Chinese hackers. The Web host managed to keep the site running despite the attacks. The question remains: Was it an attack by individual hackers, or was the attack sponsored by the Chinese government?

In 2002, China was accused of attempting to break into the Dalai Lama’s computer network, managed by the Tibetan Computer Resource Centre. One virus planted in the system was designed to send information back to China. Still, the culprit was not clearly identified.

Lewis argues that China is susceptible to being used as a platform for third-country attacks because its networks are vulnerable, due largely to the widespread use of pirated software and legacy equipment that is old and unsecure.

China is not immune to computer viruses or hacker attacks. Chinese media reports state that 35 million Chinese computers were infected in the first six months of this year.

In February, Chinese Public Security Bureau officials arrested six hackers accused of distributing the Panda Burning Incense virus for profit. The virus attacks the Windows operating software system by turning icons of executable files into cute pandas holding three incense sticks, a form of prayer in Chinese temples.