New Chinese Cyberattacks: What’s to Be Done?

Starting last week, hackers foiled a handful of software providers that promote freedom of information by helping web surfers in China reach the open Internet. The attacks that drastically slowed the anti-censorship services of San Francisco-based GitHub and China-focused GreatFire emanated from computers around the world. Unbeknownst to their owners, the attacking computers apparently were infected by code triggered by using the advertising or analytics tools of Baidu, China’s largest search engine—a company whose shares are traded on the NASDAQ exchange. Baidu has said it has found no security breaches and is working with other organizations to get to the bottom of the attacks. Have the latest cyberattacks, as some coverage has suggested, “weaponized” the computers of unsuspecting global netizens? What should governments, businesses, and individuals do about this apparent spread of China’s official command-and-control vision of the Internet beyond its borders? —The Editors


The Chinese have already weaponized the Internet. They assume that everyone else has done the same thing. China does not see the Internet as a benign force. They see the Internet as a weapon aimed at their heart. It is therefore completely natural that they will respond to what they see as threats directed at China that originate on the Internet.

One method they will use for protection is to create a Chinese sovereign Internet. Within China, the Internet will be entirely in the control of the Chinese authorities. This is a Balkanization of the Internet. The Chinese authorities understand this and welcome the result.

The problem for the Chinese is then what to do about attacks against China that come from outside of the borders of China. They have a two-prong policy. First, the Great Firewall will block access to China. This is the primary strategy. Second, where the Great Firewall is not effective, China will strike back, using the open Internet as a weapon. This is exactly what is happening in the current GitHub denial of service attack.

Officials of the Chinese government and their academic advisors believe that their actions are completely justified. Every country has a right to self-defense and China is simply exercising that basic right. For this reason, cross-border discussions asking the Chinese to stop this practice will fail. That is, this kind of attack is not an example of malicious hacking. From the Chinese point of view, it is legitimate self-defense.

So what can be done? There are three basic strategies:

  1. Submit to the will of the Chinese and remove all content that the Chinese see as a threat to their interests.
  2. Understand the threat and install countermeasures specifically designed to deal with the threat from China and other countries with a similar basic approach.
  3. Attack back, understanding that cyber-war is still war and that any counter-attack may result in unanticipated consequences: more extreme damage, blowback, collateral damage, and the like.

Since no one in the U.S. has made any effort to understand the Chinese position, no one is publicly taking any steps that are likely to have any practical impact. I therefore expect that capitulation will be the most common response. Capitulation is fine when you are small and weak. Capitulation is humiliating when you pretend otherwise.

Steve Dickinson identifies two of the more commonly suggested—albeit unlikely to pass—responses to the recent DDoS on GitHub and GreatFire and to similar future cyberattacks that are suspected to come from China:

  1. Remove content that Chinese officials deem objectionable—and based on the recently formed Cyberspace Administration of China’s (CAC) own articles, they clearly find GreatFire's work objectionable.
  2. Attack back, be it with sanctions or a “proportional” cyber response—as the U.S. military is thought to have done to North Korea’s Internet after the Sony Pictures Entertainment hack.

While vigilante groups like Anonymous might respond, the latter is doubtful partly because it’s notoriously hard to attribute DDoS attacks beyond a shadow of a doubt, but mostly because China is not North Korea. The former is unlikely because GitHub, and particularly GreatFire, have publicly stood on the side of open Internet and all the expectations that come with it: freedom of expression, access to information, and transparency in code (which serves as de facto law on the Internet). In 2013, GitHub was blocked in China allegedly either due to hosting a browser plugin that allowed you to “hack” the Railway Ministry’s ticketing website or because it hosted circumvention software and sensitive news; whatever the case might have been, user outrage in China's programming community forced officials to relent and re-open access to GitHub.

This Chinese capitulation gave credence to the developing notion of “collateral freedom” which many of GreatFire’s services are built on: in short, host censored content on general online services like GitHub, content delivery networks, or Google Docs, and leverage the many “legitimate” users of these sites in a high-stakes dare—shut down the entire service and face criticism by businesses and people who just want to see cat videos, or leave the sensitive material up.

What’s interesting to me is that both collateral freedom and this latest cyberattack on GitHub both rely on the same thing: leveraging the many passive, apolitical users of the Internet. In the GitHub attack's case, it is random Internet surfers around the world who happen to view a webpage with Baidu’s analytics code installed on it that instigate the flood of requests to GitHub’s servers. For GreatFire, it is the mass of users who through their typical usage of an online service implicitly express support for it. In both cases, surfing the web has become “weaponized,” with all the unintended consequences that come with that.

We can all agree that the first type is an unhealthy act if we want to ensure the Internet remains a robust, innovative, and secure space. However, though I fully support GreatFire’s implementation of collateral freedom, the ethical question of whether the potential collateral damage—sites shut down, servers disrupted, innocent users denied access to online services because governments decide the threats outweigh the benefits of allowing the host of objectionable materials to stay online—that comes from a collateral freedom counter-“attack” is worth considering, even if only to develop yet stronger arguments in favor of it. Over the past week, there were no doubt some inconvenienced Chinese and non-Chinese GitHub users who didn’t necessarily believe in GreatFire’s mission 100%. They did not enlist to provide strength to GreatFire’s work or offer to potentially sacrifice their connectivity to GreatFire’s cause, and yet GreatFire was able to harness their web traffic for power. There are unintended consequences when merely surfing the web becomes a weapon—be it for an open Internet or not.

Finally, while some may argue that this latest attack on GitHub and recent disruptions to Google services in China show possible signs of cracks in collateral freedom, I want to touch on Dickinson’s third possible response: install countermeasures to mitigate future threats from China. There have been past incidents where Chinese Internet traffic was misdirected by the Great Firewall to hapless, unknowing foreign websites. A post by Craig Hockenberry, who experienced a similar DDoS, ends on a chilling note: as a last resort to prevent his server from being flooded, he blocked all Chinese users from accessing his site. While it’s arguable whether that would have helped GitHub in this case since the malicious attack utilized a global base to recruit its botnet, blocking Internet traffic coming from Chinese IP addresses has been mentioned as an option in the toolkit to prevent such attacks. This is an alarming thought. The Great Firewall is effective enough as it is; those on the side of an open Internet shouldn’t be doing the GFW’s job for it.

Last note: I hope Baidu is livid that this attack went down under their name. Let’s hope they and other Chinese tech companies made it clear to the folks at CAC (if they were indeed the ones who ordered it) that this sort of thing can’t ever happen again.

For years I’ve had a “dog-chasing-its-tail” theory about China’s never-ending loop of politics-related censorship: eventually, the censors will end up biting themselves.

The (Baidu) hacking case gives us a chance to test this theory. We’re now seeing how vulnerable China's Internet is—both technically and politically.

I'd go so far as to predict current Chinese Internet policy will spur future surprises, disasters far beyond simple DDoS attacks from the outside, and will more likely result in attacks from the inside.

One more thing, from a personal vantage point: my current project, the smart headphones startup Aivvy, is fully hosted on GitHub. We’ve worked non-stop on it for thousands of working hours. If GitHub doesn’t recover from this latest denial of service attack, should we seek compensation from Baidu? This would surely be more convenient than requesting redress from the Chinese government. I'd love to see some legal opinions on this matter of public interest.

China’s exploitation of international demand for Internet services offered by companies such as Baidu echoes similar programs by American and British intelligence agencies disclosed by Edward Snowden (such as QUANTUMINSERT). There are fundamental parallels at play in these two cases—around the principles of Internet networking, computer security and economics; however, differing reactions suggest two very different visions for the development of the Internet, one of which offers little space to the general public to protect themselves or to articulate their own interests.

Just as Western intelligence actors can leverage their control of key points of international Internet traffic, China exercises such controls through licensing monopolies to highly-supervised domestic companies, such as China Telecom and China Unicom. This power position, complemented by regulatory policies and network infrastructure, constitutes the “Great Firewall,” and is the means by which authorities curtail the free flow of information from abroad.

The attacks on GreatFire and GitHub, sites that helped Chinese netizens to reach the open Internet, are the latest evidence of the opacity of the global web. It is not necessarily transparent to web users where they are retrieving content from, who has the ability to modify or monitor that traffic for malign purposes, and what additional resources are loaded on to their computers by websites they visit. In the case of the attacks on GreatFire and GitHub, a website analytics tool loaded from Chinese services without visitors’ awareness, providing no functionality for them, was intercepted by the Great Firewall to invisibly press their computers into malicious service. The visitor’s web browser began to participate in the unsophisticated attack against GreatFire in blind trust, which caused tens of thousands of dollars of damages to the organization. The source of this new web traffic went largely unattributed, with each infected computer generating a series of requests every few minutes, which, en masse, overwhelmed the targets, GreatFire and GitHub. The flood of traffic continued over the course of a week until GitHub took measures to break the attack, causing alerts to display on the unwitting participants’ browsers.

Herein rests a new conflict between private entities and the governmental organizations that can unilaterally intercept or manipulate Internet traffic for the purpose of espionage or imposing information controls. The repurposing of the Great Firewall to control traffic both outside and inside China further contributes to China’s attempts to fragment the global Internet. This time, rather than removing content deemed objectionable by the Party from the reach of web users sitting inside China, Chinese Internet authorities have taken steps to undermine international confidence in the integrity of Chinese Internet services and demonstrated the limits of the country’s commitment to cybersecurity. Unlike with censorship, where a web user can employ a virtual private network to leap the Great Firewall, there is little a member of the general public can do to prevent their home computer from being enlisted in a denial of service attack.

Even if web users avoid obviously Chinese sites such as Baidu altogether, international web sites could be using Chinese advertising and analytics tools in order better to reach and measure their growing target audience inside China. A website visitor would not necessarily know that his browser had interacted with a Chinese site and its services. Individuals are now caught in the middle of a contest between the private sector and governments, and amongst governments.

After the Snowden revelations, companies such as Google and Yahoo! reacted to a loss in international confidence in their services by raising the level of encryption used to protect their customers. Moreover, the companies challenged the American government in the public sphere and in courts over the legality of the government’s activities. Chinese companies have not taken, and may not be able to take without repercussions, similar steps to protect users against abuse by local government agencies. If they can, they are unlikely to do so without outside pressure from stockholders or regulators challenging their public reputation, market share, and financial security. Ambitious companies such as Baidu will have to contemplate whether Chinese Internet policy makes them subject to further abuse, therefore undermining the international reputation of their services and limiting their ability to expand globally. Until then, governments, advocates for a free Internet, and regular web users must challenge the cybersecurity commitments of China and call into question the attractiveness of doing business with Chinese Internet companies operating under such self-defeating conditions.
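As an added illustration, not part of the original discussion and not GitHub's or GreatFire's own defenses, here is detection logic a site operator could run over access logs to spot the traffic shape Collin describes: many unrelated client addresses each re-requesting one path on a steady cadence of a few minutes. The log format, thresholds and the sample log lines are constructed assumptions.

```python
"""Flag a browser-driven request flood in web-server access logs.

Signal: a single client that polls one path every N minutes is unremarkable,
but dozens or thousands of unrelated addresses doing so against the same path
is the footprint of injected client-side code. Log lines here are constructed.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed Common Log Format with a numeric timezone offset.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, path, timestamp) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("path"), datetime.strptime(m.group("ts"), TS_FMT)


def periodic_clients(lines, min_hits=4, min_period=30.0, max_period=600.0, max_cv=0.25):
    """Map path -> set of client IPs that re-request it on a steady cadence.

    A client is 'periodic' when its inter-request gaps for a path have a mean
    within [min_period, max_period] seconds and a low coefficient of variation
    (jittered timers look regular; human browsing does not).
    """
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            ip, path, ts = rec
            hits[(ip, path)].append(ts)

    periodic = defaultdict(set)
    for (ip, path), stamps in hits.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if not (min_period <= mean <= max_period):
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            periodic[path].add(ip)
    return periodic


def flooded_paths(lines, min_clients=3, **kw):
    """Paths targeted by at least min_clients distinct periodic clients."""
    per_path = periodic_clients(lines, **kw)
    return {p: sorted(ips) for p, ips in per_path.items() if len(ips) >= min_clients}


def make_line(ip, path, when):
    """Format one constructed access-log line."""
    return f'{ip} - - [{when.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512'


def sample_log():
    """Constructed sample: four flood participants, one visitor, one monitor."""
    base = datetime(2015, 3, 27, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    # Four unrelated addresses re-request /target/ every ~2 minutes (+/- 1 s jitter).
    for i, ip in enumerate(["198.51.100.10", "203.0.113.7", "192.0.2.55", "198.51.100.99"]):
        for k in range(5):
            lines.append(make_line(ip, "/target/", base + timedelta(seconds=120 * k + 3 * i + (k % 2))))
    # An ordinary visitor: irregular gaps, not periodic.
    for off in (0, 17, 95, 410, 2200):
        lines.append(make_line("203.0.113.200", "/", base + timedelta(seconds=off)))
    # A lone uptime monitor is periodic but alone, so its path is not flagged.
    for k in range(5):
        lines.append(make_line("192.0.2.1", "/status", base + timedelta(seconds=60 * k)))
    return lines


if __name__ == "__main__":
    for path, ips in flooded_paths(sample_log()).items():
        print(f"{path}: {len(ips)} periodic clients, e.g. {ips[:3]}")
```

Thresholds would be tuned per site; on real logs the interesting output is the count of distinct periodic clients per path over time, which rises sharply when injected code starts running in visitors' browsers.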

I find that the discussion of this matter avoids the real issues and is also unfair. For example, it makes little sense to make accusations against Baidu. This was a DDoS attack that simply made use of Baidu. They were just the tool for the PRC Government. The government did it, not Baidu. This kind of “let’s blame Baidu” talk just illustrates to me why a solution other than capitulation will not be reached. An assault on Baidu would be an example of what I call “collateral damage.”

That could happen, but would do nothing to resolve the fundamental problem. The fundamental issue was: there was an attack by the Chinese government against a U.S. company located within U.S. territory. It is not a business issue. It is a criminal law/military issue. If the U.S. authorities look away, the Chinese government then sees it has a green light to act in this way in the future. This is what is called “capitulation.” I don’t even know the basis of the capitulation: fear, greed, bigger plans in the works?

Some analysts have suggested that the Chinese Great Firewall and the attacks on their opponents outside of China are “self-defeating.” I wonder in what way the Chinese attacks are self-defeating? To argue this point, you would have to clearly state the goal of the P.R.C. government and then determine whether or not the goal has been achieved. I do not see anyone doing that. They just assume the goal is some version of the U.S. goal, which is to make the most money possible on the Internet. This is not the goal of the Chinese government in any way. What the Chinese government wants is absolute control of a national intranet. Perhaps what they are doing is not the best way to achieve this goal. But then, what is the best way? I do not see any of the analysts suggesting that they can help the P.R.C. authorities make an even tighter, more thoroughly controlled national intranet. So in this sense, the “self-defeating” analysis has no meaning at all for the Chinese government authorities.

I have always found the discussions from the Internet freedom activists on these issues to be difficult to understand. The “it's self-defeating” argument is one of those arguments. If the Great Firewall and the hacking attacks are self-defeating, why do the Chinese continue to do it? Do people really think the P.R.C. authorities do not know what is going on? They certainly do know what is going on and their actions are well thought out and intentional.

Take the current situation: we now all know if you poke China, you should expect to get poked back. What is so hard to understand about that? If your own government does not protect you, then you are on your own. What is so hard to understand about that? That is the current reality, and that is exactly the message the Chinese authorities intend to convey.

With respect to this specific event, GitHub is critical to the open source movement as a source repository. The people that use GitHub are the kind of people who support Internet freedom in China because they support Internet/software freedom everywhere. However, GitHub is NOT important to commercial software and Internet multi-nationals. So no one important cares what happens to them. Again, what is so hard to understand about that? They are on their own in a very dangerous place.

I note the recent book entitled The Real Cyber War. The authors characterize quite properly the position of the U.S. as an attempt to maximize economic return from the Internet. The “freedom” thing is a sham. I agree with this. However, it is a mistake to assume that the Chinese have the same “make-the-big-money” goals. They do not. They want power and control, not money. This fundamental difference in point of view makes the discussions of the issue mostly incoherent. Assuming the Chinese side has the same goals as the U.S. side is a standard mistake in dealing with countries like China.

Having said the above, the bottom line is that when any U.S. citizen is attacked by a foreign power on U.S. soil, this is a very significant matter and should be treated that way. But it is a criminal/military/International relations matter, not a commercial matter and not an Internet governance matter. Treating it differently is just an evasion which then amounts to capitulation.

These events symbolize that tensions concerning aggression, attribution, and responsibility in cyberspace are rapidly coming to a head. As Collin indicated, important questions must be asked about public-private interactions in the online sphere, which challenge many of the long-held tenets of state practice.

From the Chinese point of view, the Great Firewall is a critical piece of national security infrastructure that protects against relentless attempts by “foreign hostile powers” to undermine the stability of the regime. The avowed mission of GreatFire to unblock censored websites is, in that sense, seen as an act of sabotage that impinges on China’s sovereign right of self-determination.

From the Western point of view, the U.S. not-for-profit organization, which not only monitors censorship trends on the Chinese Internet, but also seeks to unblock censored information, is a courageous defender of the online rights and liberties of China’s citizens, as well as of the integrity of the global Internet. From this angle, China’s tactics are self-defeating, undermining trust in Chinese businesses and regulators, and risking the Balkanization of the web.

Both positions are self-serving. Western observers gladly forget that long-term damage to strategic interests through a single-minded pursuit of immediate security is not the preserve of the Chinese. One might argue that the Snowden revelations did as much to endanger network integrity as any attack from the Chinese side. If the argument is about human rights, the continued pursuit of what has been called extrajudicial murder by the U.S. provides easy ammunition to allege hypocrisy. The Chinese side often overlooks the fact that its astonishing economic success owes more than a little to the willingness of other states to accommodate China in the global trading system, often at significant domestic cost.

But perhaps more importantly, the only thing these arguments can lead to is a prolonged, unproductive shouting match. We are already seeing an escalation of threats in cyberspace, including the sanctions targeting foreign hackers President Obama announced a few days ago. If this status quo is undesirable, a deal is necessary. This deal can either be made relatively quickly, or, after a prolonged period of strife and recriminations that merely allow for more harm to be inflicted, without shifting the goalposts. In other words: it is time for a bit of realpolitik.

The ingredients of an agreement are relatively simple: defining the nature of online threats to security, defining the role of various parties, including governments, corporations and individual citizens, and defining protocols for the attribution of cyberattacks. However, such a deal would be very difficult to sell internally on either side: it is a characteristic of many governments, and particularly security services, to want others to be bound to rules that they themselves can disregard. Crucially, mutual trust is non-existent at the moment.

One inconvenient truth that the Western side must face is that China may have a better bargaining position. Its chief objective is clearly spelled out in its Internet sovereignty approach: to ensure that everything that might affect the Chinese Internet is under the control of Beijing. While it may not yet have technological parity, it does not, for instance, care about whether or not the Internet balkanizes. China has no overall goal for the global Internet. Rather, it seeks to govern the international aspects of cyberspace on the basis of 19th Century diplomatic principles. Instead of trying to develop a highly complex and new multi-stakeholder model for cybergovernance, it simply assumes a statist model. This defensive posture means that its objectives are much more closely matched to its abilities than the transformative views espoused in the global Internet governance community. Furthermore, it has been able to buttress this position by leveraging its huge domestic market, and requiring that global multinationals play by the government’s rules or do not play at all.

This creates a complex brief for Western politicians and diplomats, who must juggle the ideological integrity of the open Internet agenda, the technological integrity of the Internet, the commercial interests of companies that not only are active on the Chinese market but also produce much of their equipment there, and the political pressure of not being seen to bend to authoritarian demands. It seems scarcely possible that all these interests can be pursued without trade-offs. Consequently, diplomatic and political capital will need to be spent more judiciously, and Western governments perhaps need to start asking themselves which price they are willing to pay to forestall further escalation. It is likely, for instance, that the price of a non-Balkanized Internet will be concessions to China’s demands for more governmental participation in global governance systems. This is not necessarily a bad thing. If a resulting deal is characterized by well-understood self-restraint and increasing trust and openness on all sides, it might actually enable a balance among the various participants.

The matter is much complicated, however, by the fact that we are not discussing a typical state-to-state issue, but one involving various types of private actors. Of course, one can point to online giants whose power in the information space rivals that of national governments. But much more than in the real world, it is possible for a very small number of individuals to inflict significant damage through the network. In other words, cyberspace greatly magnifies risk. A key question that must therefore be resolved is the legitimacy of violent acts. Historically, violence has been monopolized by the state, while civilians have done rather poorly. Under the laws of war, civilians taking up arms in wartime could be shot. Regardless of which side one is on, as Jason indicates, both GreatFire and the GitHub attackers have used similar techniques of leveraging the activities of common online civilians in an aggressive manner. That comes across as rather medieval, and could escalate into continuous wrangling by anyone who can muster enough mercenary forces (and whether those mercenaries are actually aware of what is happening, is optional).

Great response, Steve. However, I'm not sure there are many people seriously blaming Baidu for this. As you mention, barring new information coming to light, Baidu appears to also be a victim in this attack. Collin astutely points out the challenges these types of alleged incidents cause Chinese companies like Baidu as they seek to expand globally. (As I've written previously: "If Chinese Internet companies want to achieve Google- or Microsoft-like global status, they’ll need not only to produce outstanding products, but will need help from their government to quash the perception they are mere pawns for the Communist Party’s overarching goals.")

I'd also push back on your take of GitHub's relative insignificance as well as your argument that this is not an Internet governance matter—the breach of trust exhibited here (again, if the allegations are true), and in the recent CNNIC digital certificates kerfuffle, undermines China's vision for the Internet as expressed in the rejected Wuzhen Declaration. If China's goals are to enlist fellow nations in supporting the statements in the Wuzhen Declaration, then incidents like this attack are very much self-defeating.

But I agree this attack probably won't elicit a serious response from U.S. authorities because GitHub is not seen as essential infrastructure the same way as, for instance, the power grid is. However, I wouldn't go so far as to call this a "capitulation." As you suggest, Chinese officials may very well have chosen to attack GitHub to make a statement about its capabilities and in that sense, if that were the goal, then this incident was not self-defeating at all. However, I'd also like to point to a recent publication, Jon R. Lindsay's excellent paper "The Impact of China on Cybersecurity: Fiction and Friction," which argues that these sorts of attacks and the ensuing non-escalation are to be expected—and in fact may indicate a stable equilibrium where nation states recognize that so long as "dense interconnection and economic interdependence remain mutually beneficial. . . they will be able to tolerate the irritants that they will inevitably inflict on one another." It's a very realpolitik take, and while living in such a world of constant friction isn't ideal, he is quite optimistic that such constraints mean the likelihood of full-out cyberwar between the U.S. and China is unlikely to pass:

Cyberattackers intentionally keep the costs they inflict below the assessed threshold of even limited military retaliation by opponents, occupying a region where military threats of punishment would be utterly noncredible. The aggressor’s freedom of action is further constrained by the need to maintain stealth and plausible deniability for ongoing operations. Actors that are deterred by threats of military punishment, on the one hand, and threats of counterintelligence detection or loss of connection, on the other, are encouraged to and more limited ways to inflict costs. The complexity of modern computer network infrastructure, in particular, offers many inexpensive ways to inflict minor costs. One implication is that cyberspace creates more scope for nontraditional security concerns (e.g., harassment of human rights organizations and vulnerable user communities) that powerful actors usually ignore in their focus on protecting high-value economic and military assets. [. . .]

The United States and China should discuss the interaction of cybersecurity and traditional military force in depth and take steps to limit misunderstandings about the other’s intentions. They might even learn to interpret chronic cyber friction as a sign that more truly dangerous threats have been constrained. Contrary to conventional wisdom, the emergence of complex cyberthreats may be a positive development in the tragic history of international politics: the bad news about cybersecurity is good news for global security.

While Baidu was a victim rather than a participant in the GitHub attack, the abuse of Baidu’s platform by Chinese hackers certainly hurts Baidu’s international reputation.

So far, Baidu and other Chinese companies have gained more than they have lost from the Chinese government’s Internet policies. These policies have made the Chinese Internet market untenable for companies like Google and others that are unwilling to comply with censorship and user surveillance requirements. But with Chinese companies being used—wittingly or not—to launch global attacks, that could change.

Unfortunately the current political environment gives Chinese companies little room for maneuver.

The GitHub incident happened around the same time as a Chinese government-owned company called the China Internet Network Information Center (CNNIC) appeared to have actively facilitated another type of attack against encrypted web traffic to Google and other organizations. As a result, Google and Mozilla have removed CNNIC from their list of trusted organizations that issue digital “certificates” used to authenticate encrypted web traffic.

Chinese pro-government hackers are not their only state-sponsored adversary, certainly. They've been doing battle directly and openly with the NSA.

In the post-Snowden environment, there is a growing gap between the interests of global Internet companies and the interests of their home governments. U.S. companies have the freedom to make this explicit: Microsoft has called the NSA an “advanced persistent threat” to its business. Companies like Cisco have been losing business around the world thanks to the Snowden revelations. The best way to regain user trust is to vocally oppose government surveillance and espionage practices that lack sufficient oversight and due process and therefore hurt their business, and to do everything possible to harden their own security systems against being hijacked through dishonest technical means. Which is exactly what many U.S. companies have been doing. Baidu may be able to quietly bolster its security, but otherwise it cannot vocally “draw a clear line” (to borrow an old cultural revolution phrase) between its corporate interests and the Chinese government’s interests.

I’ve argued for many years that the Chinese system of Internet controls is unlikely to crumble unless and until Chinese businesses become willing and able to push back against that system with sufficient force. However I doubt that will happen without sufficiently empowered allies within China’s bureaucracy—and at higher levels. The current environment does not inspire great hope in the short to medium term.

I am told that Baidu’s developers regularly use GitHub. The platform is important for many Chinese Internet entrepreneurs, including our friend Isaac Mao. Just as many Americans have grown cynical about their government’s “internet freedom” policies after Snowden revealed NSA surveillance behaviors that directly undermine that policy, there are plenty of entrepreneurs, developers and other Internet users in China who rely on GitHub, and who even use tools to get around the Great Firewall, but who do not trust the U.S. government and might be cynical about the real motives behind the US government’s “internet freedom” policies. Yet at the same time they feel strong frustration with their own government’s censorship policies as well as covert cyber-attacks directed at international services and products from GitHub to Google.

Thanks to censorship—ironically, carried out by companies at the behest of the government—this frustration is largely invisible and therefore unable to develop traction. As the citizen media community Global Voices recently reported, news and critical discussion of these recent cyber-attacks made against US-based platforms via Chinese organizations is being censored from Chinese microblogs and other Internet platforms.