Flashpoints

Wrong on China Cyber Assaults


Why blaming the Obama administration for US firms’ cyber vulnerabilities misses the point.

Richard Clarke’s inflammatory article for the Wall Street Journal, ‘China's Cyber assault On America,’ overflows with mistakes, logical inconsistencies and a serious lack of understanding of how targeted cyber attacks work at a granular level.

Clarke tries to draw a parallel between the Obama administration’s protection of Libyan dissidents from Gaddafi and his lack of protection for US citizens from cyber attacks from China, when he knows perfectly well that the president's authority over military actions as commander-in-chief is completely different from his authority over US corporations, which is zero.

Later, he argues that ‘cyber criminals don’t hack defence contractors — they go after banks and credit cards.’ In fact, the Zeus and Hilary Kneber hacker crews have been conducting cyber espionage attacks against government and military employees using the same malware that they use in financial crime since at least February 2010. Brian Krebs and I both wrote about it back then and we were both attacked by those same crews because of it. The use of these gangs is believed to be the modus operandi of the Russian and Ukrainian governments. I delve into this process in detail in my book and will expand on it in the second edition. 

The most recent example of these gangs running cyber espionage operations occurred in January 2011 with the White House eCard spear phishing attack. Governments around the world have informal relationships with criminal hackers that allow them a safe harbour to conduct cybercrime as long as they also conduct cyber espionage or other types of cyber ops for their host government as needed. The Russian Federation is known to have been conducting cyber espionage against foreign firms for years, and yet its name is almost never mentioned in conjunction with attacks from which it would clearly benefit. It even uses the same M.O. (spear phishing) and has a prime minister who has stated publicly that he used to run industrial espionage operations when he was with the KGB and wishes that the Kremlin had made better use of his team's efforts back then.

Clarke mentions the Congressional logjam on cyber security legislation, but fails to mention that there are over 60 competing bills. He complains about lack of action by a president who has no power over Congress, no power over the companies that own 90 percent of the US grid, and whose cyber security coordinator, Howard Schmidt, is doing the best he can with lots of responsibility and no authority. Richard Clarke has had a lengthy career with the federal government at the highest levels, so there’s no reason that I can think of for him not to know that ‘responsibility with no authority’ is the biggest reason that NSA, US-CERT, USCYBERCOM, DHS, FBI and the Executive Office of the President (EOP) can advise but not order companies to harden their networks. I consult with corporations whose CEOs have been visited by one or more three-letter agencies who inform them that their corporate networks are beaconing data to a foreign country, and the executives’ responses are mixed. Some take the hint and make radical changes. Others blow it off entirely as a cost of doing business. That’s the nature of our system of government as well as the nature of business, and Clarke surely knows it as well as anyone, which makes me wonder what his motives were for writing this op-ed to begin with.

This isn’t to say that China isn’t vacuuming huge amounts of intellectual property and sensitive data from around the world. Of course it is, but so are many other countries, all of which have the technical capability of crafting a targeted spear phishing email that delivers a malicious payload and gives bad actors entry to an extended corporate network breach, leading to the discovery and exfiltration of valuable data.

Further, if the only evidence pointing to China is the use of a Chinese IP address, then you have no evidence at all. Anyone, regardless of their background, who says that only the People's Republic of China is conducting these types of attacks couldn’t be more wrong and is harming, not helping, the cyber security posture of the United States.

This is an edited version of an entry that also appears on Carr's blog. Carr is also the author of 'Inside Cyber Warfare: Mapping the Cyber Underworld' (O'Reilly Media, 2009).