"A Lot of Attacks from Western Countries Go through China," Says Bruce Schneier

The attack on Sony Pictures over the film The Interview was perpetrated by North Korea, according to security expert Bruce Schneier.

The former chief technology officer of BT Managed Security Solutions, now CTO at Resilient Systems, had expressed scepticism at the time that the secretive dictatorship had been behind the attack, motivated by the theme of the film: two hapless American agents who were supposed to assassinate the country's leader, Kim Jong-un.

But in a video keynote speech at LinuxCon 2015, Schneier claimed that he had changed his mind. "Many of us, including myself, were skeptical for several months. By now it does seem obvious that it was North Korea, as amazing as that sounds," he said.

The country had demonstrated its sensitivity to the portrayal of its "dear leader" when, a few months prior to the attack on Sony Pictures over the film, a hairdresser in Ealing was visited by two senior diplomats from the North Korean embassy in London and told he couldn't do that because it was "very disrespectful".

"The target [in the Sony Pictures attack] was not critical infrastructure," said Schneier. "If you made a list of what we thought were foreign targets, a movie company wouldn't be in our top-100. Yet it seems that the first destructive attack by a nation-state against the US was against a movie company."

Schneier claimed that the world is in the early stages of a cyber-arms race in which there are few ground rules, and in which the fall-out from an attack could have global repercussions. For example, an attack on one country's banking infrastructure could have devastating economic consequences, not just for that country, but for its trading partners too, and across the wider global financial system.

"Unfortunately, we're in the early years of a cyber arms race. We're seeing a lot of stockpiling of cyber weapons, both by the US and Western countries [and] by China, Russia, and other countries. There's a lot of rhetoric about cyberwar," said Schneier. He added: "What concerns me is that we're all going to be in the blast radius."

The trouble, he continued, is that it is often difficult to discern exactly where an attack is coming from and who is behind it. For example, he said, Iranian authorities only realised that Stuxnet was aimed at their nuclear research facilities following press reports.

"It's easy to 'false-flag'," he said. "It's easy to pretend your attack comes from somewhere else. My belief is [that] a lot of attacks from the Western countries go through China, simply because everyone knows a lot of attacks go through China, and that's a perfect way to hide where you're from."

Lackadaisical security in China has been exploited for two decades by people perpetrating cyber attacks, as well as for lower-grade security issues, such as sending spam. China and South Korea, for example, used to be notorious for the open relays on email servers that spammers exploited to send billions of spam messages, while the operators of those servers didn't seem to care that they were being exploited in this way.

As a result of an internet riddled with insecurities, it's not just easy for an attacker to hide, but equally easy to "false flag", that is, to mount a covert attack intended to make it look as though the attack came from someone else, warned Schneier.

What is worse, though, is that the advantage on the internet is very much with attackers, and that "a sufficiently funded, skilled, motivated adversary will get in... we have to figure out how to deal with that".
