
New Chinese Cyberattacks: What’s to Be Done? - vincvinc
http://www.chinafile.com/conversation/new-chinese-cyberattacks-whats-be-done
======
fredkbloggs
The first step is to recognize that this is not a technical issue but a
political/diplomatic/military one. The second requirement for anything useful
to happen is for Western governments to find some balls and start standing up
to China in general. With those two changes in place, the groundwork is laid
for a meaningful engagement on this specific issue. The likelihood of either
happening is nil, so expect China to continue on its current trajectory.
Eventually it will come down to whether Western corporations are willing to
allow their governments to disconnect China from the rest of the world. Some
will demand it, tired of incessant attacks; others will lobby fiercely against
it, greedy for what they see as a profitable place to do business. Like so
many issues in the West today, it will come down to one group of corporate
lobbyists against another, both pushing for deeply suboptimal outcomes
relative to what a sane world would have imposed years earlier.

------
task_queue
We could dramatize what's been going on for decades as something new and
urgent and then pass tomes of legislation handing trillions to the DHS and
intelligence agencies.

~~~
jqm
Oh just THINK of the contracting opportunities!

------
rst
Much of this commentary was written while the attack was still in progress; it
presumes that Github would be forced to fold, and goes on to assess tye
consequences. This has been... overtaken by events.

------
pnathan
A few thoughts dredged up:

\- Coldly, the US citizens and companies _broadly_ views the internet as a way
to make cash, and generally will pursue that.

\- Free speech concerns and the decentralized power of the internet are of
interest to "damn fool idealists", as Kenobi might say. Not your major
business powers. Google's play is very revealing here...

\- China is extremely interested in their own sovereignty and control of the
China-sphere, with soft power exercised elsewhere.

The obvious easy way forward is for companies to capitulate to Beijing and let
the cash flow. This is likely the most common occurrence today. Some companies
will take the higher road, particularly the more idealistic ones with fat cash
bags.

The argument that the State department should be involved is probably the
correct one, but one wonders exactly what leverage can be applied, since China
has spent decades building local apps and infrastructure.

I would be extremely interested in tokenadult's take on this, as he is very
familiar with China.

------
theophrastus
The Chinese view is that an attempt to subvert their control, which typically
amounts to some form of censorship, makes you a viable target. They are
following: best defense is an offense. (It's interesting to compare this to
the legal 'attacks' from European demands on google "freedom to be forgotten"
and restraints on freedom of speech surrounding holocaust denial) One
suggestion is to daily and publicly publish, in a simple format, trans-
national internet attacks and to link those to imposed trade tariffs.
Following outrage and denials, this might result in either complete
Balkanization or a retreat to more defensive measures (e.g. the great internet
wall of china)

------
xnull6guest
New Everyone Cyberattacks: What's to Be Done?

Four things, each with their own time horizon and in parallel.

1\. Norms for cyber warfare and international cyber activity to be developed.
(The US may not be able to lead this post-Snowden, but they should try and
should be involved.)

2\. Cooperation on international standards, development and funding in
cyberspace to improve and prove the security of networks, protocols, hardware
and software.

3\. Deescalation of cyber capabilities and activities. These exercises can be
expressed in many ways such as 'cyber-free days' where nations show their good
intentions by withholding operations in good faith.

4\. International investment, development, data sharing and standardization of
forensics capabilities to squeeze the attribution problem. This may be done in
lockstep with protocol development.

But at its root there are three reasons nations hack one another:
intelligence, intellectual property, sabotage.

Whatever deterrents and legal frameworks are in place will need to be as or
more compelling than the motivations for cyberactivity. Whatever can be done
to limit what can be gained by intelligence, sabotage and IP theft will in
turn limit cyber activity. So a fifth item would be to reexamine and double
down on the international peace keeping frameworks that discourage the listed
above.

~~~
cm2187
Not only the US may not lead this but Snowden has shown that they are one of
the primary actors weaponizing the internet. Who else would want to "disarm"
in these conditions?

I'm not saying states should hack each others but complaining about China is a
pretty spectacular "do as I say, not as I do".

~~~
xnull6guest
Right. At the top of my post I correct the title to say everyone hacks
everyone.

This is a tragedy of the commons type situation. Nobody wants to disarm.
However there is historical precedent for cooperation and disarmament under
these conditions - even with nuclear arms races.

This is what I'm suggesting - what things do we need to do to deescalate an
international cyber arms race.

------
JohnTHaller
Stop using Baidu for one.

~~~
FreakyT
One of the key effects of China's firewall has been to ensure that China has
its own plethora of native internet services -- yet the latest attacks will
probably ensure that no one _outside_ of China uses those services. It seems
like the perpetrators of the attack are hurting Chinese businesses more than
anything else.

~~~
virmundi
Yes and the same can be said for the NSA and US networking tech.
(Un)Fortunately, people will continue using what works. If Baidu has a
benefit, then people will use it. Perhaps it can strengthen it to say no to
the Chinese government in these types of attacks.

~~~
JohnTHaller
Outside of China, using Google Adsense or Analytics won't make your website
visitors the unwitting participants in cyberwarfare. Using Baidu ads or
analytics, your website visitors can and will be used by China to attack a
website of their choosing.

------
higherpurpose
Decentralize the web. Much harder to DDoS it this way and also harder to
censor it.

~~~
skymt
I'm curious what you mean by "decentralize" here, because the web to me is the
prime example of a successful decentralized system.

~~~
swsieber
Moreso than decentralized web I think he means decentralized site. Most sites
are served by just a few servers. I think bittorrent is working on this with a
project called Maelstrom: [http://blog.bittorrent.com/2014/12/10/project-
maelstrom-the-...](http://blog.bittorrent.com/2014/12/10/project-maelstrom-
the-internet-we-build-next/)

~~~
skymt
This is a cool problem, and while others have worked on it before (e.g.
Freenet), Maelstrom could be a significant step forward in usability by using
the look and feel of a normal browser.

But these systems deal with static content. Distributed hash tables are a
well-studied solution. Providing the same advantages of magic, trust-free,
peer-to-peer replication to a dynamic (interactive and frequently-modified)
site like Github is a much cooler and harder problem, and I'm not aware of
anyone trying to solve it. Intuitively it feels impossible to create such a
site without a distinct set of trusted nodes doing the work.

