At the Shangri-La Dialogue in Singapore in June of this year, Defense Secretary Chuck Hagel voiced concern about “the growing threat of cyber intrusions, some of which appear to be tied to the Chinese government and military.” Indeed, earlier this year the long-suspected role of the People’s Liberation Army in cyber espionage was confirmed by Mandiant, a U.S. security firm. Now intrusions seem to be targeted at defense and aerospace industries using the same tactics. Similarly, those Chinese hackers who breached the New York Times computer network last year appear to be mounting intrusions with updated malware. Asked about its connection to the attack against the Times, the Ministry of National Defense replied, accusing “the Chinese military of launching cyberattacks without solid proof is unprofessional and baseless.”
The issue is whether such accusations of Chinese cyber intrusions, which Beijing considers unsubstantiated, are disingenuous because of charges the United States also has conducted cyber activities of its own, such as Stuxnet. President Barack Obama recently dampened European indignation over revelations alleging U.S. spying, based on leaks by Edward Snowden, saying “all nations . . . collect intelligence on each other.” Given that espionage has existed as long as the nation-state, are U.S. and Chinese cyber intrusions really all that different? The Coordinator for Cyber Issues at the State Department has indicated that there is a distinction when cyber intrusions access information for commercial purposes, adding “that’s something that the [United States] doesn’t do.”
What the U.S. has undertaken in this area started when President Barrack Obama ordered the Stuxnet attack on Iran under the program code-named Olympic Games. This advanced and persistent threat was discovered in June 2010 infecting nuclear plants by exploiting previously unidentified zero-day Microsoft vulnerabilities. Stuxnet interferes with the frequency of converter drives to control the speed of and damage the system. It likely put 25 percent of the centrifuges at Natanz out of action in the second half of 2009. The Iranian Minister of Defense Ahmad Vahidi claimed the incident was computer terrorism by dominant powers. This cutting-edge Stuxnet malware was subsequently connected in some fashion with three discoveries:
—The Flame virus infiltrated thousands of computers in Iran and adjacent areas in May 2012 by copying keyboard entries, sifting through emails and text messages, capturing screen shots, and recording microphone sounds. In addition, infected computers scanned and queried Bluetooth devices to create social profiles. This virus takes up 20 megabytes, making it 20 times larger than Stuxnet, and occupies a command and control network with 50 to 80 domains registered around the world for both built-in and downloadable modules. Flame also shares portions of its code with Stuxnet, for instance, exploiting vulnerabilities in the same printing routine.
—The Gauss virus, so-called because of a name in its code, was found in 2012 on some 2,500 computers, largely in Lebanon. It acquired logins for email as well as instant messaging, social accounts and financial transactions. Targeting banking customers posed the likelihood of cyber espionage by Americans against the Syrian regime and Hezbollah. The Kaspersky Lab, which discovered Gauss, reported it appeared to be written by programmers who created Flame because both viruses used C++ language and shared code and other features.
—The Duqu virus, so named for files used by its key logger to store collected data such as DQx.tmp, was detected in 2011 to be mining data from Hungarian and Iranian computers. Commonalities in the drivers suggest the Duqu and Stuxnet programs were created by the same platform. However, given that cybercriminals often sell platforms that create malware, similarities in code base do not necessarily indicate they came from the same operation.
Stuxnet may well have received American backing, as indicated in newly disclosed budget documents obtained by The Washington Post from Edward Snowden. The virus adhered to international humanitarian law by following principles of distinction and proportionality because it attacked specific gas centrifuges used to highly enrich uranium, operating at a speed unique to machines operated at Natanz. Although it may have been used for civilian programs, it could be reasonably assumed that the facility also had military purposes and therefore posed a legitimate target. Although Stuxnet caused physical damage, the International Group of Experts that developed the Tallinn Manual was divided on whether the damage constituted an armed attack. If the scale and effects of Stuxnet does not meet the qualification for use of force, the cyber operation is not considered unlawful under Rule 10 of the Tallinn Manual. In the other three cases related to Stuxnet, the malware does not seem intended to disrupt or destroy critical cyber systems, assets, and functions, and thus should be regarded as acts of digital espionage at most. State responsibility for acts of cyber espionage is not considered a matter of international law unless particular aspects violate specific international legal prohibitions.
According to the Verizon Data Breach Investigations Report, 96 percent of national and industrial espionage cases were attributed to China. Security firms have issued reports on cyber activities that incriminate the Chinese including the following:
—In 2010, the computer security software firm McAfee investigated Operation Aurora, which resulted in intrusions on Google and more than 30 other U.S. companies by an advanced persistent threat. Aurora used social engineering to lure employees to a Website link that loaded malicious code via an unknown, zero-day Internet Explorer 6.0 vulnerability, which eventually exfiltrated data to servers in Taiwan. While Google claimed the attack originated in China, the most irrefutable evidence found by the information security firm SecureWorks was a snippet of source code used in the backdoor Trojan planted by the exploit called Hydraq, which matched a sample mentioned in a Chinese-language paper on mathematical algorithms.
—In February 2011, cyber intrusions dubbed Night Dragon were revealed to have begun in November 2009 against oil, energy, and petrochemical industries as well as company executives in Greece, Kazakhstan, Taiwan, and the United States. Intrusions targeted sensitive competitive proprietary activities and project-financing information on oil and gas field bids and operations. McAfee discovered circumstantial evidence attributable to China, including a hosting service in Shandong Province, data exfiltration from Beijing-based IP addresses during the Beijing workday, and use of hacking and remote administration tools of Chinese origin.
—In August 2011, McAfee revealed an international hacking campaign called Operation Shady RAT. Not only were the governments of Canada, India, Taiwan and Vietnam infiltrated, but so were companies dealing in construction, steel, energy, technology, telecommunications, media, sports, economics and real estate. Access to one command and control server operated by the intruders disclosed standard procedures for targeted intrusions. While the servers were eventually located in Beijing and Shanghai, state media denied that China was behind the campaign and condemned the suggestions to the contrary as irresponsible.
—In June 2013, the Kaspersky Lab revealed that the NetTraveler cyber espionage campaign was aimed at more than 350 high-profile targets, which included governments, oil companies, defense contractors, activists and universities in 40 nations. NetTraveler exploited two publicly known vulnerabilities found in Microsoft Office on machines that are not patched to the latest Microsoft updates. Kaspersky describes NetTraveler as a malicious data exfiltration tool used by a medium-sized threat actor from China, which is comprised of roughly 50 individuals who are mostly native speakers of Chinese.
Despite its connections to these intrusions, Cui Tiankai, the Chinese ambassador to the United States, claimed that thus far no one has presented “evidence that could stand up in court, to prove that there is really somebody in China, Chinese nationals, that are doing these things.” He further commented that “Cyberattacks can come from anywhere in the world. Even if you locate a computer, you cannot say that computer belongs to the government of that particular country.”
This rationale is defendable as proof of origin is complicated by the routing of attack traffic and exfiltration of information through compromised servers in a third country. Finding servers in nations or malware that contain national language characters does not necessarily provide sufficient evidence to confirm any government endorsed or commissioned a given attack. For example, China may have been responsible for attacks on South Korean banks and television networks in March 2013 based on Chinese words and other clues in the malware. However such indicators are commonly used by cyber attack designers for disinformation and were even found in Stuxnet.
Regardless of the source, the cost to the United States in intellectual property (product plans, research results, and customer lists) and confidential business information (trade secrets, exploration data, and negotiating strategies) amounts to billions of dollars. Corporate losses are multiplied if Beijing provides state-owned enterprises with data and information extracted by cyber espionage to improve their competitive edge, cut research and development timelines and reduce cost. Chinese espionage aimed at the U.S. government and defense sector threatens military operations and readiness. The Pentagon made allegations against China for the first time in its latest annual report to Congress, alluding to the use of “computer network exploitation capability to support intelligence collection against the U.S. diplomatic, economic, and defense industrial base sectors that support U.S. national defense programs.”
In remarks made at the Brookings Institution in June 2013, General Martin Dempsey, Chairman of the Joint Chiefs of Staff, conceded that efforts to gain access to intelligence and information are acceptable government practices. However, the larger problem is the nature of intrusions. Moreover, Dempsey said the Chinese “niche in cyber has been theft of intellectual property” and “their view is that there are no rules of the road in cyber, there are no laws they’re breaking.”
Because no standards of conduct exist, Washington asked Beijing to meet in order to establish rules of the road. The first round of talks by the U.S.–China Cybersecurity Working Group was held in July 2013 and the second is scheduled for this autumn. Any success will depend on advancing concrete rules, to include the norm of state responsibility under which states are held responsible for attacks originating from their territory. Similar efforts to establish an open exchange are implicit in the bilateral dialogue on U.S.–Russian Cooperation on Information and Communications Technology Security. The two nations have created a new working group to assess emerging threats and moved forward on confidence-building measures to share threat indicators, communicate incidents and manage crisis situations.
Any rules must contend with the immensity of diplomatic efforts necessary for cyber investigations when compromised servers are in multiple nations. Beside investigations initiated by states, gathering evidence to introduce in court from intermediary states is challenging. The Budapest Convention on Cybercrime outlined the widest possible means of cooperation to investigate crimes involving “computer systems and data, or for the collection of evidence in electronic form of a criminal offence.” The Convention provided arrangements to stem cross border crimes while recognizing divergent interpretations of national sovereignty. Only 35 nations, largely in Europe, in addition to Canada, Japan, South Africa, and the United States have acceded to the treaty, although many others are in various stages of ratifying it. By signing the treaty, China, Iran and Russia would mandate international cooperation in investigating future cybercrimes.
To protect trade secrets and proprietary information while talks on rules proceed, the first priority is to have defenses in place. Prudent measures emphasize the continual deployment of solutions to protect multiple threat points including network, endpoint, web, and email security. The Critical Security Controls, now led by the independent Council on CyberSecurity, offer technical measures that can monitor networks and systems, detect attack attempts, identify compromised machines, and interrupt infiltration. One chief information security officer advised going beyond defense-in-depth with various partners, to apply multiple solutions on each layer for defense-in-breadth. The Critical Security Controls identify commercial tools to detect, track, control, prevent and correct weaknesses or misuse at threat points. Indeed, such measures could even be used by Chinese companies that have been hacked, immobilized, or sabotaged by their domestic competitors.
This behavior to gain economic advantage is indicative of the U.S. position on how Chinese cyber intrusions are different. Recent revelations and cases do confirm U.S. conduct of computer network exploitation to obtain intelligence data, but no apparent evidence counters Pentagon insistence that the United States does not engage in economic espionage.
Scott Jasper is a lecturer at the US Naval Postgraduate School in Monterey, California, and the editor of Conflict and Cooperation in the Global Commons.