Chinese Hacking of the US

Chinese hacking of American computer networks is old news. For years we've known about their attacks against U.S. government and corporate targets. We've seen detailed reports of how they hacked The New York Times. Google has detected them going after Gmail accounts of dissidents. They've built sophisticated worldwide eavesdropping networks. These hacks target both military secrets and corporate intellectual property. They're perpetrated by a combination of state, state-sponsored and state-tolerated hackers. It's been going on for years.

On Monday, the Justice Department indicted five Chinese hackers in absentia, all associated with the Chinese military, for stealing corporate secrets from U.S. energy, metals and manufacturing companies. It's entirely for show; the odds that the Chinese are going to send these people to the U.S. to stand trial is zero. But it does move what had been mostly a technical security problem into the world of diplomacy and foreign policy. By doing this, the U.S. government is taking a very public stand and saying "enough."

The problem with that stand is that we've been doing much the same thing to China. Documents revealed by the whistleblower Edward Snowden show that the NSA has penetrated Chinese government and commercial networks, and is exfiltrating -- that's NSA talk for stealing -- an enormous amount of secret data. We've hacked the networking hardware of one of their own companies, Huawei. We've intercepted networking equipment being sent there and installed monitoring devices. We've been listening in on their private communications channels.

The only difference between the U.S. and China's actions is that the U.S. doesn't engage in direct industrial espionage. That is, we don't steal secrets from Chinese companies and pass them directly to U.S. competitors. But we do engage in economic espionage; we steal secrets from Chinese companies for an advantage in government trade negotiations, which directly benefits U.S. competitors. We might think this difference is important, but other countries are not as as impressed with our nuance.

Already the Chinese are retaliating against the U.S. actions with rhetoric of their own. I don't know the Chinese expression for 'pot calling the kettle black,' but it certainly fits in this case.

Again, none of this is new. The U.S. and the Chinese have been conducting electronic espionage on each other throughout the Cold War, and there's no reason to think it's going to change anytime soon. What's different now is the ease with which the two countries can do this safely and remotely, over the Internet, as well as the massive amount of information that can be stolen with a few computer commands.

On the Internet today, it is much easier to attack systems and break into them than it is to defend those systems against attack, so the advantage is to the attacker. This is true for a combination of reasons: the ability of an attacker to concentrate his attack, the nature of vulnerabilities in computer systems, poor software quality and the enormous complexity of computer systems.

The computer security industry is used to coping with criminal attacks. In general, such attacks are untargeted. Criminals might have broken into Target's network last year and stolen 40 million credit and debit card numbers, but they would have been happy with any retailer's large credit card database. If Target's security had been better than its competitors, the criminals would have gone elsewhere. In this way, security is relative.

The Chinese attacks are different. For whatever reason, the government hackers wanted certain information inside the networks of Alcoa World Alumina, Westinghouse Electric, Allegheny Technologies, U.S. Steel, United Steelworkers Union and SolarWorld. It wouldn't have mattered how those companies' security compared with other companies; all that mattered was whether it was better than the ability of the attackers.

This is a fundamentally different security model -- often called APT or Advanced Persistent Threat -- and one that is much more difficult to defend against.

In a sense, American corporations are collateral damage in this battle of espionage between the U.S. and China. Taking the battle from the technical sphere into the foreign policy sphere might be a good idea, but it will work only if we have some moral high ground from which to demand that others not spy on us. As long as we run the largest surveillance network in the world and hack computer networks in foreign countries, we're going to have trouble convincing others not to attempt the same on us.

This essay previously appeared on Time.com.

Posted on June 2, 2014 at 6:37 AM • 63 Comments

Comments

Bob S.June 2, 2014 7:20 AM

Re: "the U.S. doesn't engage in direct industrial espionage".

Are you sure about that?

Anyway:

Clearly the USA has lost the high moral ground, forever. It's a grievous loss and we should all be hopping mad about it. Instead, we continue to hide behind arrogance and fake Exceptionalsim.

Also, I suspect a good many corporate execs who gave in to the patriotism pitch by allowing government intervention into their products and services are worried, sorry or fired now. (Of course some are laughing on the beach of their condo in the islands, too.)

And yet, I think this is just the beginning. Too many people are profiting from the craziness and even more simply don't care.

gggggJune 2, 2014 7:31 AM

"On the Internet today, it is much easier to attack systems and break into them than it is to defend those systems against attack, so the advantage is to the attacker. This is true for a combination of reasons: ..."

The foremost reason is that the NSA has worked long and hard to reach this state.

jbmartin6June 2, 2014 8:33 AM

Perhaps the only reason the US isn't engaging in industrial espionage is that, according to recent remarks by our Vice President, China doesn't innovate and thus has nothing worth stealing.

Just an AustralianJune 2, 2014 8:42 AM

Maybe this is trying to make up to the corporations for peeing in their pond?

Joe KJune 2, 2014 9:15 AM

...the U.S. government is taking a very public stand and saying 'enough.' The problem with that stand is that we've been doing much the same thing to China.

...and the rest of the world, or so I've heard.
Petrobras (Brazil) is just one example mentioned in recent news.

Already the Chinese are retaliating against the U.S. actions with rhetoric of their own. I don't know the Chinese expression for 'pot calling the kettle black,' but it certainly fits in this case.

But, um, not in Brazil's. Just for example.

The only difference between the U.S. and China's actions is that the U.S. doesn't engage in direct industrial espionage.

I seem to recall a smart feller once saying, somewhere, that
Absence of Evidence is not Evidence of Absence.

Epistemology is pretty awesome.

That is, we don't steal secrets from Chinese companies...

Is that use of "we", like, editorial policy at Reader's Digest or
something?

...and pass them directly to U.S. competitors.

Well, for *some* value of the term "directly", no doubt that is
true.

And if you listen closely, you might hear the doleful sounds of very
small violins, playing for Exxon-Mobil.

BardiJune 2, 2014 9:45 AM

"That is, we don't steal secrets from Chinese companies and pass them directly to U.S. competitors."

What makes you so certain?

Released documents from Snowden would indicate otherwise.

hahJune 2, 2014 10:03 AM

Yeah, whatever moral high ground the U.S. might have been able to claim in this domain has been pissed away over the past ten years by their overzealous spy organizations. They not only built mass-surveillance infrastructure and started using it against *everybody*, but they've been doing the same sort of targeted attacks against the Chinese and everyone else.

The right hand of the U.S. govt can't complain about the Chinese hacking them without looking like hypocritical assholes, because of what their left hand has been off doing with minimal/no effective oversight.

aboniksJune 2, 2014 10:22 AM

Moral high ground isn't going to keep your networks safe, even if you're actually standing on it.

Perpetuating the public fantasy that our houses would be more secure if we were not burglars is dangerously irresponsible. The golden rule does not apply to security.

Bob S.June 2, 2014 10:39 AM

We have given up our standing as beacon of liberty and freedom for the entire world by abandoning the high ground for the gutter of thieves, liars and crooks.

It means we cannot judge others morality, conduct and ethics or credibly hold them accountable for lapses.

Without integrity and honor, we have nothing, including "security".

Without the golden rule, there are no rules. Not a good way to live for anyone or any country.

We have given up too much for the excuse of security.

aboniksJune 2, 2014 10:57 AM

That sounds nice, Bob, but it's got nothing to do with reality.

Being morally upright, while generally a laudable practice, doesn't keep you any more safe than being despicable and underhanded does.

People breaking into your network aren't doing it because you're a big meanie, they're doing it because you have something they want. Framing a security debate in moral terms encourages people to think that they are "safer" simply because they aren't actively malicious.

It's crap, and it's counterproductive.

"Oleg Pliss" didn't just hijack the equipment of "bad people".

MikeAJune 2, 2014 11:05 AM

@aboniks

Actually, if I were a burglar, targeting another burglar's house is not so daft. Which house has a better ROI, the one with one big-screen TV and a couple laptops, or the one with a dozen of each? Which homeowner is less likely to file a police report? Of course, on the other side of the coin, which is more likely to have decent locks, and a gun in the nightstand? Knowing these things we can take steps to mitigate the risk. The claim that lying down with dogs is uncorrelated with the incidence of fleas is not supported by the evidence.

Any thief is going to do better in a town with a "bent" locksmith, too.

DaveJune 2, 2014 11:11 AM

@aboniks How about the idea that our houses would be more secure if we were not lazy burglars who compromised housing standards to make our thieving ways easier, apparently not caring that we were weakening our own walls as well?

And you may scoff at being able to claim the moral high ground, but it's been a cornerstone of our foreign policy since at least the Monroe Doctrine. Our electronic security isn't the only thing the NSA's shenanigans have weakened.

Hearts and MindsJune 2, 2014 11:30 AM

@aboniks

Maintaining moral high ground is not about giving up your weapon. It's about how you use your weapon.

It seems you vastly underestimate the ongoing psychological advantage one achieves over their competitors by maintaining the moral high ground.

Mr. PragmaJune 2, 2014 11:32 AM

Bob S. (June 2, 2014 10:39 AM)

That sounds touching and as if you had understood something important.

Unfortunately though that's not the case.

The usa *never* held the moral high grounds. And your statement is actually a striking illustration of us-american ignorance, arrogance, and self-delusion.

You didn't hold the moral high grounds - it just pleased you do believe that image that you had painted yourself in the first place and you had a chance to do so (you also pleased to consider yourself a "beacon of freedom" etc blabla) because your leaders did not make the reality shockingly clear. Well, now they do. So, quite often behind us-american "self-criticism" is little more than lamenting and arrogance, yes, arrogance; the arrogance to consider oneself (de nature? by God's blessing?) the leading nation, the freedom and democracy beacon, blabla - short: exceptionalism, which again is just a bent and irrational perspective to excuse ones hybris and bullying.

Or to say it more in your words: You had to give up your ignorant, arrogant, and self-delusional belief to be a beacon of liberty and freedom for the entire world because your government, agencies, and corporations did not any longer let you have a chance to ignore the simple fact that they always were a gutter of thieves, liars and crooks.

Btw. I'm particularly amused by the beloved americanism (read: idiocy) "for the entire world" - and that from the people, many of whom have difficulties to point at their own country on a globe, let alone all those countries where they marauded, wanton killed and regime changed, etc.
You'd better pray to your God that "the whole world" doesn't pay the usa back in kind ...

Kent BorgJune 2, 2014 11:34 AM

The NSA considers vulnerabilities as assets to be collected, not bugs to be fixed.

A little like if the Energy Department engineered blackouts.

We need computers and communication, yet the National Security Agency's low-road only undermines their security. The high-road would be to help secure these systems.

-kb

aboniksJune 2, 2014 11:35 AM

@Dave

I'm not scoffing at it all, I'm recognizing that it's not relevant to the subject at hand, namely network espionage.

You can use moral standing as a real-world shield against meat-based aggression, but it only works because there's an audience that can be convinced that you are worth defending or allying with. It's useful for keeping real objects like troops and bombs from moving around the world and killing your people, or people you have an interest in protecting. You can even use it to protect your economy, although that a harder sell.

It does nothing to help you stop an adversary from perpetrating a largely invisible, apparently victimles, blood-free attack on a hard drive where the only casualty is a piece of proprietary data that has been duplicated. There's no invasion to show on the news. No smoking gun or bleeding child to carry out into the forum and use as a rallying cry for the audience.

Even if the US *had* moral high ground on the issue of network intrusion and corporate espionage, it wouldn't stop anyone from targeting us.

Better network security would. Framing this in terms of morality may have some propaganda value at home, but no one at a governmental level in any country is going to take it seriously. They'll just have their technicians keep right on cracking.

aboniksJune 2, 2014 11:38 AM

Or rather, I should say, better network security wouldn't keep us from being targeted, but it would be a damn sight more effective at keeping our data under lock and key than "just being better people" will.

aboniksJune 2, 2014 11:59 AM

@ Hearts and Minds

"Maintaining moral high ground is not about giving up your weapon. It's about how you use your weapon."

Unfortunately this isn't a field of endeavor in which "the best offense" is of any practical defensive value. We're not selling tanks and tractors to jigoists, we're trying to keep people from copying data.

The best defense in this case is literally a better defense, not a bigger stick or a stick swung with more skill.

BPJune 2, 2014 12:08 PM

We'll hear howls from the US when China indicts and arrests a US businessman from a US corporation while he or she is in China. This is going to inevitably happen and some poor soul is going to get hurt. It's not going to be pretty. Hypocrisy always has blowback.

JacobJune 2, 2014 12:13 PM

@abonics "The best defense in this case is literally a better defense, not a bigger stick or a stick swung with more skill."

I'd say yes, we need a bigger stick and to skillfully use it to hit our congressmen comes election time. Only then they will rein in the offensive and well-funded hippo in the room.

Joe KJune 2, 2014 12:21 PM

@DB

We'll hear howls from the US when China indicts and arrests a US businessman from a US corporation while he or she is in China.
LOL, if only.

And I bet it would be hard to hear much howling
over all the applause.

aboniksJune 2, 2014 12:37 PM

@ Jakob

I won't deny that some political changes at home would be welcome, starting with the ~50% of the disengaged public getting up and voting from an informed position.

Honestly though, domestic (and international) political change isn't a silver bullet here. This is a much more fundamental issue than who is nominally in charge of signing the checks in our little corner of the world.

When we put sensitive data on public facing networks, we are by default sharing them with anyone who has the technical means to access them. Putting a shorter leash on NSA and Co. will undoubtedly help keep the existing and future technologies from being sabotaged and broken before they hit the shelves, and result in more secure systems, but that only narrows the field of opponents who will have the capacity to get to our secrets.

Many people have grasped the metaphor that the weakest link in the chain is the problem, which is good. Unfortunately there's still a security mythos that leads them to believe that the "best" solution is making stronger chains, when in fact it much more effective not to put your secret on the chain at all.

Coyne TibbetsJune 2, 2014 12:51 PM

@Bardi: "'That is, we don't steal secrets from Chinese companies and pass them directly to U.S. competitors.'

"What makes you so certain?"


The statement is just more of their doublespeak. They qualified it with the word "directly," which makes the statement strictly true if they pass their stolen industrial secrets via an intermediary of some kind.

So, of course, that's what they're doing.

David HendersonJune 2, 2014 1:22 PM

@ Bob S

American exceptionalism seems to be ingrained in Anglo-American culture since medieval times. Looking further back, its part of our Judeo-Christian heritage.

I'm rereading "The Cousins Wars" by Kevin Phillips on the similarity between British civil wars(Cromwell etc), the American Revolution and the American civil war. This book splits the Anglo-American community into two components: one generally aristocratic and driven by imperial motives, the other generally democratic and driven by manifest destiny.

I leave it to others to decide which component the current NSA information grabbing operations belong.

aboniksJune 2, 2014 1:40 PM

@David Henderson

Exceptionalism is universally human. Widen your scope and you'll see it in every culture as far back as you care to go. It's just an extension of pack dynamics and Othering..."us vs them" requires that "we" are perceived as behaviourally unique (usually superior). It's just another myth humans tell each other around the campfire.

The whole concept of "American Exceptionalism" is a self-referential blind alley.

NobodySpecialJune 2, 2014 2:52 PM

Clive will probably remember the details but the US govt was convicted in a french court for intercepting details of a radar contract with Brazil (IIRC) and giving a US company the edge in negotiations.

ChristianJune 2, 2014 3:08 PM

Keeping the moral highground for the US is not important for defense.

Its for the offense. For a country that went into Iraq 2003 based on false proofs and killing 30k+ humans morale highground is important.

Russia would never have gotten away with killing 30k+ people.

Or murdering some thousand people drone strikes in Pakistan.

MauroSJune 2, 2014 3:16 PM

"The only difference between the U.S. and China's actions is that the U.S. doesn't engage in direct industrial espionage."

How can you be sure? How to prove a negative?

Given the level of "integration" between the NSA and some companies, especially telecoms and software companies, I think it's remarkable NOT to assume that NSA would be "repaying the favors" or at least "placate their rage" with industrial espionage.

Anon10June 2, 2014 6:58 PM

The part about moral high ground is naive. If the US abolished the NSA, there's no reason to think foreign hacking of US systems would stop or even slow down. Major foreign powers, like China and Russia, act in what they perceive their real economic and national security interests to be. Thinking the country responsible for Tiananmen Square is interested some civil libertarian notion of moral high ground is delusional.

As to industrial espionage, is there really much to be gained for the US? In what technologies, is the US not a world leader?

Bob S.June 2, 2014 9:22 PM

After 9-11 the USA had the high ground to pursue bin Laden and then of course promptly threw that away with Iraq, etc.

I think it's naive to say Americans and the world expect or accept the US government becoming some lawless, corrupt, immoral, unethical banana republic so as to make us stronger in the fight against computer hackers. We defeated Hitler without becoming Nazis, we can fight cyber thieves without becoming a criminal state. The rule of law must be upheld!

I think it's naive to think thieves, liars and crooks know how to make us more secure than honest people and ethical government. I think it's naive to think the people of this country accept being treated like enemies, adversaries and common criminals in the name of security.

I say some Americans think Exceptionalism means the USA is excepted and exempted from the rule of law and common morality. That's wrong. I think the NSA and it's counterparts have gone rogue in violation of long standing law as well as the spirit and intent of the Constitution, and it does NOT make us safe or safer. I think the President, Congress and the Supreme Court won't stop them, either. I think the world no longer has any respect for us because it's plain the NSA et al have lost all credibility on the world stage.

I think we as Americans have given up too much for the false hope and promise of perfect security.

As for the USA leading technology, that's ridiculous. We gave all that away years ago in the name of free trade. Try to buy a hammer made in the USA, or a TV.

I think the ugly support for unethical conduct and lawlessness mentioned here today is a sad sign of our decline.

Those who glorify and wallow on the low road: Shame on you.

You know who you are.

DBJune 2, 2014 10:06 PM

Well said, Bob S. Those are the people who will cause total ruin of our country. I only really fear that American world military and cultural dominance may bring the whole world down into the gutter with it, instead of the opposite like we should be doing and lifting people out of the gutter.

DBJune 2, 2014 10:13 PM

As a follow up, a few people have expressed the idea that being moral doesn't protect you... well... yeah.. no duh... obviously that's true. You don't have morals to protect yourself from thieves, you have morals because IT IS THE RIGHT THING TO DO.... and also you have a bit of ACTUAL DEFENSE to protect yourself at the same time!

So stop destroying security in the name of making invasive unethical surveillance easier. That's retarded. Get some actual real security research going, and implement it already. That's actual defense. And at the same time, hold ourselves up to a high moral standard, as a separate, but more or less should-be-unrelated point.

FigureitoutJune 2, 2014 10:53 PM

aboniks
--You completely skipped over the main point of Dave's post. That...which has been tossed and turned on this blog and elsewhere over the years...of gov't agencies deliberately weaking Algorithms, Hardware, Protocols, Laws, and in turn the People. GSM, AES (TDES is apparently still in use at ATMs), x86, Javascript, EMAIL, Windows, and on and on and on. I (meaning anyone who studies just a little and downloads some software) can launch easy attacks that are frickin' scripted and can own a lot of people at any given time. Those people are called "script kiddies" and they can own some important systems very easily today, like a joke. A rogue gov't that goes against even its own people is going to cause a "revolution" of sorts, or just mere collapse due to economic depletion and a waste of talent (which I believe is more likely, and the signs are there).

Chris AbbottJune 2, 2014 11:11 PM

@BP

That's frighteningly possible. At this point, everybody should be doing whatever they can to de-escalate this pissing contest. It can only get worse otherwise.

SkepticalJune 3, 2014 1:49 AM

The only difference between the U.S. and China's actions is that the U.S. doesn't engage in direct industrial espionage. That is, we don't steal secrets from Chinese companies and pass them directly to U.S. competitors. But we do engage in economic espionage; we steal secrets from Chinese companies for an advantage in government trade negotiations, which directly benefits U.S. competitors. We might think this difference is important, but other countries are not as as impressed with our nuance.

Many are looking at the distinction conceptually as an ethical question. This approach misses the point, and I think it explains the slightly mystified tone some have in wondering why the distinction matters.

That is, they ask whether there is any moral difference between spying for national economic advantage in a treaty negotiation, and spying for (arguably) national economic advantage in the course of commercial competition.

They look at the ethically relevant conceptual similarities, and then stare in disbelief at those who claim that the distinction is important. And, in turn, the latter are simply puzzled as to why the former group "doesn't get it."

The ethical question is important. It is worthy of time, thought, and discussion. But it's actually not the question that reveals why the distinction is important, and it completely misses the reasons for which the US, and other nations, are attaching much greater importance to it.
_________________________________________________________________

So let's ask the question from a different vantage.

How important is the distinction to the development of global free trade?

The answer is contingent on empirical factors: it depends on the magnitude of commercial espionage being conducted and the magnitude and direction of the effect trade treaty espionage.

In other words, the importance of the distinction rests not on conceptual differences but on empirical differences in the effects of trade treaty espionage and commercial espionage.

Trade Treaty Espionage

I actually don't think espionage during trade treaty negotiations makes a substantial difference relative to other factors, usually. The relative economic interests for example, surely a much larger factor, can be derived easily from open source intelligence and will inform the positions of all parties involved.

Indeed, much of the criticism of free trade policy is that free trade agreements are heavily biased in favor of powerful countries with leverage. These arguments have little trouble adducing evidence showing the significance of leverage that has nothing to do with espionage.

Commercial Espionage

Until several years ago, I would have said that this is of insufficient magnitude to matter much (though the lack of appropriate IP protections internationally was, and is, a major problem).

However, a combination of the easy scale-up of network intrusion operations, the enormous number of trade secrets that sit on network exposed devices, and hugely increased incentive to steal those secrets, has (perhaps predictably) resulted in a current magnitude, and a sharp direction of increase, that the impact on global free trade can be highly significant.

I don't think any reader here needs to be persuaded of the truth of the last paragraph, but by way of additional background and support, let me quickly mention two useful references, one lengthy and one that can be read quickly.

This 100 page, well sourced, report chronicles the magnitude of the losses from IP theft generally, and the secondary effects of such losses (the policy proposals however are sometimes very unpersuasive). The report estimates the losses in 2012 to be around 320 billion US dollars (about the equivalent of US exports to Asia that year, and cites estimates below and above that figure). Although the report goes beyond commercial espionage, the incentives for commercial espionage and the size of its effects are closely linked to the other IP issues the report discusses.

This Financial Times article published just prior to Snowden does fair work of describing the increasing importance of the issue, the dangers that it creates, and the clear need for the US to escalate its response.

_____________________________________________________________

So looking at the distinction between the two activities in terms of their respective effects on important policies, we can see why the distinction matters so much, and why consensus has developed that the US has no choice but to escalate its response.

This has little to do with US and PRC national security espionage; neither country expects the other to stop doing so. Instead this has to do with defining and defending certain norms of behavior that can allow free trade in an information-centric global economy to flourish.

That said, one can usefully link concern about PRC national security espionage with concern about Chinese commercial espionage.

As Ross Anderson expounded upon last week, and as Nick P in particular has explained carefully and often with useful source material, the nature of networks and the tighter linking of networked systems means that security of commercial systems can have implications for the security of military systems. The division between the two, once tenable, has become more difficult to control.

Both of those points flow perfectly into Bruce Schneier's argument that it is very unlikely, and increasingly unlikely, that we can provide security for some parties and some systems, and not for others.

I have to say that I'm not fully persuaded that a security differential cannot be maintained, even if in certain cases it may be difficult to impossible. I would really like to see the argument elaborated upon.
_______________________________________________________________

The takeaway is this:

The distinction is very important from the perspective of policy and global trade due to the current empirical differences in how trade treaty espionage and commercial espionage affect free trade and IP generally.

This is the case even if we find the two types of actions to be highly similar, and the distinction unimportant, from an ethical vantage.

Put differently: the distinction is mere nuance, perhaps, if the question is "is one act more ethically defensible than the other"; great importance if the question is "which one, as practiced, is the more pressing policy issue".

While the media will focus on the "which one is worse" angle, because that's the most relatable angle, which will attract the widest audiences and which also allows everyone to have an opinion, that angle misses the real problems being faced and the real forces that are shaping the actions of the US and the PRC.

This also provides an opportunity for those who are more interested in a practical, responsible, balanced approach to improving information policy and security than they are in playing the "which country is worse" game, or the "let's demonize the government" game, or the "us against them" game.

Commercial espionage is an issue on which opinions of those across the political spectrum converge; it is an issue favorable to those who advocate better information security policies; and it is an issue that links, in interesting and as yet unexploited ways, to consumer privacy and individual control of personally identifying information.

Joe KJune 3, 2014 3:35 AM

So, the US issues impotent indictments of 5 Chinese dudes: Huang
Zhenyu, Wen Xinyu, Sun Kailiang, Gu Chunhui, and Wang Dong.

For whose consumption is this limp-ass spectacle intended?

Could it be intended for international consumption? In an
international context, doesn't this just make the US a laughingstock?

The country that hacks the entire world's communications. Known for
supporting fascist coups, and deploying a fleet of flying robot
assassins worldwide. And Lockheed, the company that builds that
fleet. Cue violins.

No, it's not intended for international consumption.

And, BTW, saying that the US has now "lost the moral high ground" is
kind of like saying Richard Nixon "lost the moral high ground" when he
black-bagged the opposition party headquarters.

Very strange choice of words.

So the toothless indictment must be for domestic consumption only,
stoking jingoistic fervor among the hopelessly ignorant, amping up
not-so-thinly veiled racism among the bigoted, that sort of thing.
"Pay no attention to your utterly dysfunctional, predatory government
that's waged a ceaseless war against your labor unions for a century,
left you unemployed, and let the bank take your house! Lookit, these
five Chinese dudes pwned Lockheed! Hate the Chinese, not us!"

But there's no need to put words in US officials' mouths. They can
speak for themselves:

http://www.csmonitor.com/World/Security-Watch/Cyber-Conflict-Monitor/2014/0519/US-indicts-five-in-China-s-secret-Unit-61398-for-cyber-spying-on-US-firms-video

“This 21st century burglary has to stop,” David Hickton,
US attorney for the Western District of Pennsylvania, said Monday in a
statement. “This prosecution vindicates hard-working men and women in
western Pennsylvania and around the world who play by the rules and
deserve a fair shot and a level playing field.”

ROFLMAO. "Vindicates", really? More like, "insults the intelligence
of".

Hard to believe that shit works at all anymore. But that must be what
the militarised police force is for. The beatings will continue until
morale improves!

tJune 3, 2014 4:34 AM

@jbmartin6

Perhaps the only reason the US isn't engaging in industrial espionage is that, according to recent remarks by our Vice President, China doesn't innovate and thus has nothing worth stealing.

This may be true. But saying it is so arrogant that it becomes counter-productive.

And other non-US countries can be quite innovative with a lot of things worth stealing. If you look back in the last 40 or 50 years, an amazing amount of stuff emerged in Europe but were mostly developed in the US. You may like to call it "fair competition". Or use any other name...

So, saying that the U.S. doesn't engage in direct industrial espionage is a joke. Of course, European countries also do the same but their agencies cannot compete with the NSA in terms of fundings. So, in the end, the US and China are probably the two largest secret stealers today.

PhilJune 3, 2014 7:48 AM

Any informed person knows that the U.S.A. has lost the moral high ground, at least since the cold war when, among it's many reprehensible actions, supported brutal dictators, commited atrocities in the name of democracy and freedom (read : national interests) . The only high ground it has is with it's own mostly ignorant population over world affairs.

Clive RobinsonJune 3, 2014 8:04 AM

I can tell from many of the comments on this page that people do not know the history of the US when it comes to stealing IP.

Basicaly right upto the 1990s the US have been at it one way or another.

One commentator made the immortal comment that "The first true US invention patented was for condensed milk, everything prior to that was stolen".

One method used of busting patents held by non US entities untill fairly recently was the "submarine patent" another which was used to break the patent on liquid crystals and is still valid is to get a judge to rule that the terms in the patent being struck down "are to broad".

As any knowledgable patent lawyer will tell you the US has no moral high ground when talking about IP misapropriation.

The current shenanigans involving the USTR over the TPP where congressmen are complaining that the USTR is making themjump through hoops to get appropriate security clearances, then only talking to them after the USTR has made agreements with corps and trade bodies who don't have clearances...

Further as with the kerfufull in Australia it's become clear that the USTR has made it a condition that other countries representatives must keep the negotiations of the TPP secret from their own elected politicos and corps and trade bodies. Further Canada is very unhappy as is New Zeland over the antics of the USTR. And there are claims that some private discussions have become known inexplicably to USTR and the finger is getting pointed at the NSA.

This would not be the first time the NSA had been caught spying on other trade delegation members including bugging an aircraft of a Japanese trade delegation some years ago.

A number of years ago I was involved with an international contract worth a considerable sum. Amongst other nations biding for the work was the USA and France, and it quickly became clear that they were tripping over each other to put other nations under surveillance, like some story from MAD magazines Spy-v-Spy.

dgmJune 3, 2014 8:14 AM

I have to agree with aboniks above. The moral high ground is not going to keep our networks safe. Using the moral high ground is less effective even than security by obscurity.

The moral high ground is nice place to be philosophically. And it can be quite effective for recruiting and for defusing ill will. But it isn't at all relevant to using the Internet for espionage, especially industrial espionage.

SkepticalJune 3, 2014 10:54 AM


To Moderator: Just a heads up that a comment of mine was snagged in the spam filter.

@Clive: Your comments re lax US IP protection are applicable largely to the 18th and 19th centuries (the two comments that are applicable to more recent years: "submarine patents" don't enable IP misappropriation, and overly broad claims in a patent are obviously problematic). While the US patent system has many problems, inadequate protection of IP isn't one of them and has not been for a very long time.

Clive RobinsonJune 3, 2014 11:59 AM

@ Skeptical,

There was nothing lax about the US patent system, and the abuses to which it was put, they were doing to Europe and other parts of the world, exactly what the US is now accusing China of.

The simple fact is the US plundered as and where it felt it could, be it ideas or physical resources, now it feels it's got to the point where it is becoming obvious the only way is down, it's drawn up the draw bridge and trying to turn it's blatant hostile theiving activities into what it thinks is a moral high ground....

What is obvious to those in science and industry is that such fervant nationalistic activities are not relevant to the way the rest of the world now functions. It's only the bought and payed for politicos banging the drum to mislead the gulable that the legislation created by corps and their lobyists --that the politico has not even bothered to read befor sponsoring it-- is good for the gulable, not the plutocrats paying for it.

DON'T believe for one moment that slapping rouge on a pigs face and a tutu round it's ass is ever going to make it look like a lady.

David Dyer-BennetJune 3, 2014 2:59 PM

I'm glad the gummint has taken this into the realm of diplomacy / international relations. It's especially brave given that our own hands aren't completely clean. To me, the important point is that *this stuff is wrong*; escalating that discussion is all to the good, even if part of what it shows is that our own government has done things that are wrong (shock! horror!). Part of stopping them is getting widespread agreement that these things are wrong.

(Shouldn't be done short of war, or short of a real not secret warrant procured based on reasonable suspicion, anyway.)

name.withheld.for.obvious.reasonsJune 3, 2014 3:08 PM

In the last week there have been a number of behavioral changes in domestic network performance and activity. First, DNSSEC and IPv6 changes across platforms--at the same time changes to network mapping strategies and methods (clients connecting to services) that expose the client to more accurate (beyond the MAC address) profiles.

The level of paranoia is escalting the response to public networks and indirectly affecting the citizenry. If you remember last week I posted a tidbit that NSA is turning the "Surveillance System" inward--well it seems to include an outward component. So, if you're a federal employee and think that any risky (and more importantly, the appearnce of risky) behavior will follow you beyond the office--it seems to be in effect prior to any "lawful" instrument. This is pre-law, a tool to act as a pre-crime response to "potential" crimes. What's next, pre-thought thught control--let's just cut to the chase and give everyone a labotomy.

SkepticalJune 3, 2014 6:05 PM


To Moderator: Thanks for posting the comment that was caught in the spam filter.

@Clive: The simple fact is the US plundered as and where it felt it could, be it ideas or physical resources, now it feels it's got to the point where it is becoming obvious the only way is down, it's drawn up the draw bridge and trying to turn it's blatant hostile theiving activities into what it thinks is a moral high ground....

The US is asking the PRC to stop stealing things from companies in order to enrich companies owned and run by the PRC.

It's not something that the US does, so they're not asking the PRC to play by different rules.

I'm not sure what you think is terribly unreasonable about the US request.

What is obvious to those in science and industry is that such fervant nationalistic activities are not relevant to the way the rest of the world now functions.

What are you on about? Asking China to stop stealing private property to enrich companies owned by the Chinese Government is a "fervent nationalistic" activity?

It's only the bought and payed for politicos banging the drum to mislead the gulable that the legislation created by corps and their lobyists --that the politico has not even bothered to read befor sponsoring it-- is good for the gulable, not the plutocrats paying for it.

What legislation are you talking about?

Gerard van VoorenJune 3, 2014 6:27 PM

@ Skeptical

"It's not something that the US does, so they're not asking the PRC to play by different rules."

Brilliant line. So you are saying that anything what the US does is something that other countries can do as well (...and get away with it).

That's an interesting vision.

OMFGJune 3, 2014 7:15 PM

with all respect Mr Schneier, I believe the whole storie is a load of bullshit, to lead us down the road of they need more control of the internet to keep us safe.

I also want to point out that the US has sold the Chinese and Japan I ton of our tech patents. Then lets add on, that every single mother board on every single computer and every electronic device is made in China.(backdoors anyone) This isn't 1970, The Chinese can make any thing we can and for a lot less money.

That Phone in your pocket was made in China, you watch a made in China TV, MADE IN USA is History.
There would be no point what so ever for them to hack the Steel workers Union .Unless they were trying to confirm its 1/50 the size it once was because China makes all that stuff also.
Mr Schneier is a security expert, we all know physical access is huge on the list, and the people that are supposed to be keeping us safe,couldn't even keep there own data safe and got there data taken by a walmart pen drive.

Last comment if anyone is buying that the government can name the people behind such an attack, thats a joke. They might have an IP address ,there is no way in hell they got 5 names of Chinese hackers in China. They are just trying to make us think they are that good. They couldn't and still have not stopped wikileaks . The Chinese know how to use Tor and all the toys they are not fools.

Its simpleJune 3, 2014 7:21 PM

It them same old trick they been using for years, DONT LOOK AT WHAT WERE DOING LOOK OVER THERE. And all Americans will say we need all this illegal spying to be safe from Chinese hackers. Forgetting that the Chinese can probably remote flash your bios since they made it.

lolJune 3, 2014 8:12 PM

"In the last week there have been a number of behavioral changes in domestic network performance " I guess people have been sleeping many years,

I have been using the same domain for latency tests about 15-20 years at one time it was 19MS not that long ago its now over 100ms. A bit ago there were huge jumps in latency at my home.

I did a traceroute, to that same domain and for the first time ever it went east almost to the pond before it hopped back to the west coast where the domain is located. In 15 years I saw two different routes to that domain that made sense, a northern 3 hopper was the 19ms, and a more southern one that was a bit higher at 4-5 hopes. That was with in a few days of the SOPA protest
I worked for a government run place once that had 100's of IT people,if those are the type of people trying to keep our US networks safe we are screwed, unpatched servers ,not updated software, They were using netscape long after it was over, clueless about basics

name.withheld.for.obvious.reasonsJune 3, 2014 9:54 PM

@ ALL: 3 June 2014 1945 PDT
Steven Aftergood, from the Federations of American Scientists, in an unofficial communication today indicated that the FAS website was experiencing a DDoS attack. What appears to be the underlying issue is the site compromise that instructs the visitor to turn on javascript. There will probably be more to follow; the behavior is reminisent of drive-by or watering hole compromises.

ChrisJune 3, 2014 11:07 PM

Hi just since I happen to be a hobby lockpicker I see an intresting point here since its related.

It so happens that American and Chinese made locks are very easy to pick in general.
There are a couple of locks from those countries that are not, however, even the most difficult locks from USA and China come to no comparison to the equals from Europe or Russia.
Just a note that security needs to be rooted in the mindset.

Look for locks made in Sweden or Finland or Russia and you can bet that you will have a problem trying to lockpick them guaranteed and that goes for EVERY lock made even 60 years ago.

Just a offtopic note here that the mindset of security needs to be rooted
You cant build on sand it will fall sooner or later.

//Chris

JacobJune 4, 2014 12:34 AM

@Chris - how would you compare the picking vulnerabilities of the Israeli locks (Mul-T-Lock and Rav-Bariach (aka RB-Doors)) to the Swedish line in general?

JonJune 4, 2014 1:43 AM

Remember, everyone, that when Edward Snowden did much of his data acquisition, he was not working for the NSA. He was working for Booz Allen Hamilton, one of many corporate contractors.

And the NSA did indeed very deliberately share their information with that industry.

So to say they 'do not share directly' is just flat-out lying. That Booz Allen Hamilton may not (or may) be at this time a direct competitor for Chinese business isn't really relevant to the argument. The NSA does share with its contractors, and that's an industry.

Jon

PS - And if you think the non-disclosure agreements are enforced if a little slipup happens to benefit the likes of Lockheed or Northrop Grumman, you are a better man than I, Gunga Din. J.

JonJune 4, 2014 1:49 AM

PPS - We've already heard of 'parallel construction', where a domestic law enforcement agency takes information clandestinely (and unlawfully) collected and then uses that to start suspicion and surveillance, and by those methods collecting enough evidence for 'probable cause', without mentioning where the initial suspicion came from.

Can't imagine that happening in defense contracting, oh noo.... J.

fajensenJune 4, 2014 9:11 AM

I do not agree that possessing the moral high ground and trustworthiness in general is useless for providing security.

If others believe that favours will be returned in kind, then they are more likely to help. If others believe that favours will not be returned and that "doing the right thing" and helping "the authorities" actually might just turn the attention of those authorities against oneself ... well ... then it is easier to just not share any information one might come across about possible threats and security breaches.

This is a done deal already: The hyper-paranoid, security-state is NOT "someone" that one will voluntarily get involved with in any way. The personal risk is too great.

Brandioch ConnerJune 4, 2014 12:39 PM

I have to disagree with you on one point, Bruce.

If Target's security had been better than its competitors, the criminals would have gone elsewhere. In this way, security is relative.
The criminals automate their attacks against any and all systems that they can reach. In general they are not looking for a specific target. Just anything that they can open.

From what I understand, Target was cracked because an HVAC company was cracked.

The HVAC company was cracked because it was vulnerable. Not because it was associated with Target.

Nick PJune 5, 2014 12:54 PM

@ Brandioch Conner, Bruce

Supporting Brandioch's point is that virtually all POS systems are vulnerable to software, peripheral, and physical attacks.* And the clerks watching them are under-paid and easy to distract. And many stores offer little to no authentication of people claiming to be servicemen for various equipment. Target is actually among the most secure of all retailers in terms of effort they put in. Half their surveillance teams work is pro bono for police organizations because Target is better equipped at the job. That this happened to them shows relative security vs competition had no effect on deterrence. It also implies Target's competition, who focus less on security, are probably *extremely* vulnerable.

* Many run forms of DOS with DMA-enabled peripherals and PC's behind an unlocked compartment. This has been consistent in many stores I've seen. Some upgraded to Windows or Linux POS systems, but it wasn't necessarily a security upgrade. ;)

JardaJune 7, 2014 5:18 PM

The US crook agencies not only spy on China but joyfully on countries they call allies. E.g. Europe, where they spy on diplomats and conduct industrial espionage which in some cases costed European companies contracts. The clowns from the justice department and others should rinse their mouths with bleech next time before they decide to speak. It stinks whenever they open their mouths.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.