Schneier on Security

joequant • March 14, 2013 10:35 AM

It’s a bit more complicated than nationalism. One thing that makes it complicated is that multinational corporations are major “non-state actors” that have interests that are separate from those of various nation-states. Most Chinese state-owned enterprises are have strong business relationships with Western multinationals which means that both Chinese SOE’s and Western multinationals have interests that are separate from those of their governments.

Also, it’s not surprising to me that we have entered a period of nationalism since there isn’t any other obvious ideology. Something important about the Cold War was that it wasn’t about nationalism. It was “capitalism versus communism” so it was quite possible for a patriotic Russian, German, Korean, or Chinese to work in American interests because they really weren’t fighting for the United States but rather fighting for democracy. If it was a battle between communism and capitalism, then it doesn’t take a genius to figure out what side most multinational corporations would support. But today, the battle is between various forms of capitalism (China has a state sponsored capitalist system, but it’s still basically a capitalist system) and so there’s no obvious side for an MNC to support.

This is also one of the consequences of the US war in Iraq or Afghanistan. In 1995, it was possible for some who was patriotically Chinese to support US foreign policy on the idea that American democracy was the best possible system, and to put it crudely that Americans could run China better than the current Chinese government could. I don’t think that after Iraq or Afghanistan that many people in either China or the US think that a US-run China would work better than the current government, and given that to be the case, there’s no general ideology that the US can use to justify its actions other than national self-interest.

joequant • March 14, 2013 10:48 AM

I really don’t think that the major SOE’s are benefiting from massive IP theft. Ironically in the field of software it’s usually the reverse. Western software companies face massive consumer pirating, but the odd things is that most large state-owned enterprises and government agencies have paid up software licenses. This is because SOE’s are usually cash-rich so they find it easier to just pay for the licenses, and in exchange they get support and the really important pieces of IP in the form of know-how.

One thing that makes commercial secrets different from military secrets is that there isn’t a single commercial secret that a for-profit company wouldn’t be willing to hand over if given the right amount of money. So the aim of preserving a commercial secret is to merely implement rules that maximizes the amount of money that someone (like the Chinese government) finds it necessary to pay.

The other thing is that the entire US educational and technology system depends on cheap Chinese and Indian graduate students. Most of the Politburo have relatives in the US and kids in Harvard and Yale, and Obama’s brother lives in Shenzhen and has a Chinese wife. So nationalism is important but there are also interconnections that make this more than a simple us versus them.

joequant • March 14, 2013 11:14 AM

One other weird thing is that I suspect that Beijing would actually prefer if the US stay a major military power which is perhaps why China keeps funding the US military.

If the US just decided to leave East Asia tomorrow, then within a year, both Japan and South Korea would likely go nuclear and Taiwan would be trying to declare independence, and Beijing would be stuck with trying to figure out what it’s new role was, which would be a major distraction from domestic issues. Also, if the US just called it quits then the Middle East goes up in smoke which then cuts the supply of oil that China depends on.

Yes, the US is annoying, but people are used to it, and it’s been ages since any US administration really did anything like a human rights lecture.

One thing that is interesting is that the US has put the focus on corporate IP which is the issue that China probably cares the least about. The initial story was when someone broke into the New York Times, and I doubt whoever did this was trying to steal the software. So its quite interesting that the initial trigger for this was likely a domestic security operation which is something that the US government interestingly has not objected to. The problem is that if the US objects very loudly for China doing a domestic security operation overseas, then the US can’t do the same thing, even if the target is not China, but say Yemen or Pakistan.

joequant • March 14, 2013 7:27 PM

The thing about analogies is that they prove nothing. Yes, it may be a bad thing if the CDC ignores an influenza outbreak, but we are talking about computer security and not about an influenza outbreak.

And based on the information that has been provided, the NYT computer security was crappy. One curious thing is that getting hacked by the Chinese government is like getting your pockets picked in NYC. Anyone that does anything remotely related to China is going to get a phishing attachment and the attitude that most people that do anything China related toward the NYT is like someone falling for a Nigerian scam. On the one hand, you feel sympathetic for the victim, but on the other hand, you are thinking “what idiots.”

One thing about Chinese hacking is that it’s so common in Washington that it’s not news. It’s news to the NY Times, but they are in NY. The idea that the PLA is behind the NYT hacking is pretty laughable, and from my vantage point it looks like the NYT just doesn’t want to admit to itself how crappy their security was, and claiming that you were hacked by an uber-hacker rather than by an amateur is part of that.

Simon: mongering because they just want billions of dollars bigger budgets.

It happens to be true. It’s not a necessarily a bad thing, because part of the job of any politician (and this applies both to Beijing and Washington) is to manage the press and to influence public opinion, and people think emotionally. A lot of public relations is to get people to focus (or not to focus) on something, and those are basically emotional decisions. There are some well known tricks for doing that. One trick is that if you want someone to not think about A, you get them to think about B. If you want to get someone to think about A, you tell a story with high emotional content.

If you look at the recent newspaper articles in the US press, it’s pretty clear that someone has an agenda. The most recent stories are on how important homeland and cybersecurity is, and how much of a waste of money the F-35 is. Reporters are dependent on politicians for information, and politicians have agendas. They aren’t necessarily a bad agenda. If you honestly believe that issue X is important, then “scare mongering” is part of the political toolkit.

One fortunate thing is that no one in Washington is looking for an excuse to have a war with China and no one in Beijing is looking for an excuse to have a war with the United States. This is not like the situation in 2001 when lots of people were just looking for any reason they could for invading Iraq. Also, the agenda of whoever is feeding stories to the Washington Post doesn’t seem to be in conflict with Beijing’s agenda. If the US spends more money on homeland security and less money on the F-35, then I think that Beijing would think that this is just dandy.

If you look at the way that the US government is handling the situation, you see the standard procedure for burying a story (i.e. high profile actions that are intended to do nothing.) I’ve been a little surprised (and somewhat relieved) at how little China-bashing there has been.

joequant • March 15, 2013 9:28 AM

I think that one obvious fact that has been missed is that somehow the Chinese security services and military have ended up with a working relationship with the Chinese hacker underground that just doesn’t exist in the United States. You have communities of Chinese hackers that have ended up being rather nationalistic, and the Chinese government has managed to tap into this youthful enthusiasm and energy. Part of the reason that the Chinese government is at best turning a blind eye to patriotic hacking is the knowledge that if the Chinese government cracks down on hackers, then they’ll turn all of that energy and knowledge against the Party.

One thing that concerns me is that if you start talking about things as if it were a “war” then it’s pretty obvious that the US approach is a bureaucratic top-down approach that just is not going to work. The Chinese military came to power as a result of a guerrilla war, and so that sort of guerrilla thinking is part of Chinese national strategy and it works pretty well in cyberspace. We’ve just seen the consequences of fighting an insurgency with bureaucracy in Iraq and Afghanistan and the results weren’t pretty. Just look at the US approach to cybersecurity. Meetings, budgets, and metrics.

The most important part of winning an insurgency is hearts and minds, and if the US military really wants to get serious about cybersecurity, then it needs to start getting the support (or at least non-opposition) of the Western hacker underground. Maybe dropping charges against Bradley Manning might be a start. China has it’s share of Kevin Mitnick’s and Aaron Swartz’s, and at some point I suspect that the Party offered them a choice. They can either hack the Party and get a long prison term, or if they agree to direct their energies elsewhere, then the government is going to leave them alone. The thing is that the FBI isn’t giving American hackers that sort of choice so waving the flag isn’t an option.

Faced with this sort of choice, pretty soon you are going to have a lot of red hackers, and I can’t help but think that at some point in the last month some group of hackers got a thank you note from the Ministry of State Security for a job well done and the more the NYT rails against hackers, the more of an ego boost that they have.

What I find bizarre is that the Obama administration is trying to get the Chinese government to sign on to a “corporate war against hackers” and I think that the people in Beijing realize what a stupid idea that is. If you don’t keep lots of angry young men busy hacking corporate America, then they are going to start thinking of ways of overthrowing the Chinese government. If you are nice to angry young men eventually they become less angry middle aged men that end up starting high tech companies.

joequant • March 15, 2013 11:50 AM

Clive: The Chinese political system is run as a series of fiefdoms via patronage.

Some of it, but most of it isn’t. The trouble with patronage systems is that they allow the patron to act independently of the Party so the central government will move people around specifically to prevent patronage networks from forming.

It’s better to compare the Chinese system to a birdcage. There are certain things that you are not allowed to do. As long as you don’t cross those lines, you can do what you want. Hacking domestic computer systems is in the list of forbidden things. Hacking foreign systems isn’t. The US government considers hackers evil. As long as they don’t hack Chinese systems, the Chinese government doesn’t.

One thing that worries me is that I think the US government is missing the big problem. It’s not that the Chinese government is “stealing precious intellectual property”, it’s that the Chinese government has created an environment that shockingly is more friendly to people with computer and technological skills than the US has. For someone that can speak Chinese and work a computer, there are tons more opportunities in China than in the United States. I mean if the US is outsourcing technology jobs to China and India, then why would someone with computer skills want to immigrate to the US?

joequant • March 15, 2013 10:52 PM

One problem with describing this as a “war” is that in a real war, people die and people kill. People are willing to die and kill over freedom and democracy, and there are some resources (oil) that are important enough that people are willing to sacrifice their lives and the lives of their kids over. Intellectual property is not one of them.

One big change over the last few years is that the United States has seriously lost a lot of its “soft power” and respect all over the world including China. In 1989, the youth of China looked at the US as standing for democracy, and democracy is something that people are willing to stand in front of a tank over. If the main issue now is corporate IP theft, then no one is going to stand in front of a tank over that. Until 2008, even if the US didn’t stand for democracy, it stood for prosperity and a fair and non-corrupt economic system, but even that has blown up. If the US stands for advancing US national interests or helping US corporations do business, that’s fine, but don’t expect anyone in China to stand in front of a tank for you.

So before we talk about a war, you need to explain what the war is about. If it’s not something worth dying for or killing for then it’s not a war.

One other thing is that it’s not surprising that the internet has been carved up because different nations have different interests. The primary interest of the Chinese government is political control, but that leads to some odd compromises.

For example, P2P is very strictly banned in China, but the government allows and even encourages file sharing sites. You can get pirated copies of the latest movies and music on all of the major Chinese search engines and file sharing sites, and the government allows this because they can and do monitor the sites for political content, and they know that if they close those sites, people will go to P2P which is harder to monitor. In addition, letting people download pirated music and movies is part of the “bread and circuses” strategy.

You don’t hear much about this in the West, because the MPAA is not complaining, and the MPAA is not complaining because most of these sites block non-China connections, and require you to register with a Chinese cell phone number. The government likes this because by registering with a cell phone, they can monitor you and know that you are just downloading movies, and the MPAA likes this because this means that the Chinese file sharing sites are off limits to non-Chinese which means that they don’t lose any money that they wouldn’t have had anyway.

One other odd thing about China is that Chinese law is very strict about private sites sharing user information. Under a strictly enforced Chinese law it is illegal for a website to share user information with another site. There is also a strictly enforced Chinese law that prohibits spamming and private collection and sales of database. There are political considerations here. Basically the Chinese government does not want non-government institutions to have databases that the government cannot control.

Also, they want to reduce resistance to people providing personal data. If people think they are going to be spammed they are going to be more likely to hide themselves, whereas if they know that the only people that have access to the information are the police and the Communist Party, they are more likely to provide it. If you are a political dissident, yes you want to hide your tracks, but most people aren’t political dissidents and find telemarketers more annoying than the Ministry of State Security, so they don’t object to giving information to the MSS as long as the spammers don’t get it.

(Something else that’s different from the US is attitudes toward identification cards and national ID numbers. In China, asking someone to show you their identification card or give them your national ID number is like asking them to drop their pants. If you ask someone off the street to see their ID card, they will ask you to show them your police ID, and if you are not a police official or someone that has specific legal authorization to ask for ID (i.e. a bank, a medical doctor, a tax official, or getting a cell phone number), they’ll tell you to get stuffed.)

Part of the political strategy of the Communist Party is “ease” and “convenience” so as it make it difficult for a political dissident to hide. If the Party makes music and movie file sharing easy, then if you start using P2P software, you stick out, at which point you get a invitation to chat with State Security to see what you are up to. Similarly if everyone routinely gives up their cell number to register online and that cell number can be traced an ID card, the few people that don’t get noticed. Paradoxically, that can result in more privacy if you aren’t a political dissident.

Getting back to ideas. Wars are about ideas. However, it’s really difficult to present any current conflict between the US and China as a simple one between freedom (YAAAAHHHH!!!) and oppression (BOOOOOOO!!!!!). That might be a good thing because if it’s just about nations rather than ideas then it starts looking like a conflict between sports teams, and if that’s the case people are going to start having some serious thoughts as to whether it’s worth it before pulling the trigger. Yes, Yankees and Red Sox fans will fight each other online, but no one sane is going to die or kill anyone over baseball.