
Richard Clarke: China's Cyberassault On America - tptacek
http://online.wsj.com/article/SB10001424052702304259304576373391101828876.html?mod=googlenews_wsj
======
gamble
I've always wondered what the US would do if China started flying sigint
surveillance planes along the edge of US territorial airspace. Or if Americans
discovered that the Chinese had interception equipment in critical telecom
switching stations throughout the world that allowed them to divert America's
commercial and governmental communications to Chinese supercomputers for
decryption.

There are a lot of things that America does to other countries that would be
taken as acts of war if they were done to America.

~~~
DanielBMarkham
_There are a lot of things that America does to other countries that would be
taken as acts of war if they were done to America._

I have to call bullshit on this, sorry.

The Russians did this sort of thing all the time during the cold war: parking
nuclear submarines off the East Coast, flying bomber runs along the border,
reconnaissance -- the list goes on and on. On both sides. There was never an
"act of war" Even the Cuban Missile Crisis (which did not have mutants, by the
way) ended peacefully.

Look, I think it's great to point out there are two sides of every story. But
this type of statement goes beyond a simple plea for "take a look at the other
side, guys" and heads into propaganda territory, i.e. everything is mostly the
same. So I had to call you on it. Let's not go there.

Why? Because this is a good topic. It calls into question the intersection of
governments, technology, and rule of law. The whole point of the article is
destroyed if you just say it's all the same. It's not.

Every bad thing in the world can't be erased by an over-application of
equivocation. That kind of thing is for spinners. We head down this road next
you'll be telling me that China owns vast hunks of ocean and various islands
that everybody else says they don't.

~~~
smackay
Nations unfortunately engage in a lot of belligerant actions that can easily
spiral out of control. The long term risk with the USA conducting operations
in international waters around China - which they are perfectly entitled to do
so - is that areas of contested territory such as the Spratly islands in the
South China Sea could easily become flashpoints for needless conflict.

~~~
thematt
It is a flashpoint irrespective of whether we're there. That area has been
contested for years. It's not belligerence on our part to attempt to maintain
order.

------
yaix
Interesting paper, but not a smart approach. Well, a very ...uhm American
approach to the problem. Unilateral.

Better would be to think about an internationally accepted (within the UN
framework) mechanism to deal with these attacks. Define what is permissible
and what is "over the line". Then define required actions and accepted
sanctions when an attack occures.

Governments will always blame it on some "hackers". But a mechanism could
define how a government MUST procede when a grave attack is carried out from
within its territory. Maybe it MUST accept that law enforcement of the target
nation has the right to check equipment used in the offending nation.

Overall, such an international mechanism should be set up to make it more
difficult to sneakily carry our those attacks and hide behind some "hackers"
accusation.

However, I doubt that the US would be willing to submit to such a mechanism.
Because I believe they would be sitting more often on the offending site than
on the target site. Until now, the US has not even submitted to the
International Court of Justice (ICJ) and similar important mechanisms to stop
and procecute attrocities against humanity committed during war. The US knows
very well why they don't submit to such a court, of course. Same would most
likely be the case for any international mechanism against government cyber
crimes.

~~~
xiaoma
That's a terrible idea. The US and China both have UN veto votes.

~~~
yaix
No, they have Security Council veto votes. This has nothing to do with the
UNSC.

However, it would only be useful if nations like the US and China could be
made to participate, so negotiating this would not be easy. At the end
however, it would be beneficial for all participants.

Now, why would it be a bad idea? Any argument, or "just because"?

------
learc83
A while back my gmail account was hacked by someone with a chinese IP. It made
me wonder.

What if they goal of all this is to build a giant database of identities and
known passwords. Say the chinese govt has 50 million online identities each
associated with an email address, and known passwords for each.

If they do decide to launch a massive cyber attack, it doesn't matter what
security we have in place; they could just log in.

They wouldn't need to find backdoors, they could log in as customers to every
major bank and start moving things around. It wouldn't matter if the banks
caught it, the only way to stop it would be to shut down all transaction--
which would cause the panic the attackers are looking for.

They could do this with any public website, and with enough computing power
and bandwidth, do it fast enough to really cause a problem.

Just imagine if they had 0.1% of all public logins and passwords.

~~~
nkassis
Same thing happened to me last year. Freaked me out, I know that that password
was the same for a few sites (I know I know but I keep a few levels of
passwords) So they had to obtain it from one of those. I never received a
message from anywhere telling me that my info had been leaked which means some
sites I vist I can't trust. I have no way of knowing which.

------
siculars
Ya, that sounds about right. The sad truth is that defending our cyber space,
or cyber space in general, is a Sisyphean task. No one can do it, least of all
the government. There are just too many vectors of attack and too many targets
and, frankly, not enough people who know anything about cyber-security. Even
people who do know about security are routinely hacked, see Google, RSA,
Lockheed, et al.

The only rational way to combat catastrophic cyber warfare is to disuade our
enemies from engaging in it. Some say it has worked for us before, MAD[0]
(note section on criticism, which obviously plays here). As mentioned in the
WSJ[1] a few weeks ago:

"One idea gaining momentum at the Pentagon is the notion of "equivalence." If
a cyber attack produces the death, damage, destruction or high-level
disruption that a traditional military attack would cause, then it would be a
candidate for a "use of force" consideration, which could merit retaliation."

This notion that a cyber attack could result in a real military response must
be delivered to the highest levels of decision making throughout the world. We
can only hope that the message is received.

Obviously, we must do all we can on defense but no defense will be foolproof.
It is just not possible. Stating our intentions in the event of a devastating
cyber attack is the only real option we have.

Everything short of national catastrophe should be dealt with in other ways.
Industrial espionage is a major consideration but that should be taken to
arbitrage at forums like the WTO. I'm all for free trade and everything it has
to offer as long as there is an even playing field. At the risk of conflating
issues I will simply say that China's ongoing espionage is an extension of
unfair trading practices that work to create an uneven playing field between
them and everyone else.

[0]<http://en.wikipedia.org/wiki/Mutual_assured_destruction>

[1][http://online.wsj.com/article/SB1000142405270230456310457635...](http://online.wsj.com/article/SB10001424052702304563104576355623135782718.html)

~~~
Volpe
The pentagons posturing on using force in retaliation to cyber attacks, would
be a hard sell [to the public] to ever actually perform one of these
retaliations... Especially with such a prominent target as China.

Rather than an arms race in cyber-warfare, is it possible to work out why
these attacks are occurring? A militarily non-aggressive nation (outside of
its own borders) continuously attacking external targets for no reason, feels
like we are missing some of the story.

~~~
siculars
I'm pretty sure the US public would require retaliation in the event of, say,
a prolonged regional blackout, a breached dam, a meltdown at a nuclear
facility or any other number of real world insanity caused by a cyber attack.

"for no reason" I'm sure there are reasons. LulzSec does it for the "lulz".
China has their own reasons, whatever they are they are and we can sit and
discuss them but there needs to be red lines. Figuring those reasons out does
not mean we should not have a well known military posture in certain
eventualities.

------
Zakharov
"Cyber warfare" has far more in common with international espionage than
actual warfare. China and the US have been constantly spying on each other for
65 years, maybe longer. Rarely do such actions constitute grounds for a war.

The big differences now is that the espionage extends to a significant number
of non-government actors, and that there's a greater degree of plausible
deniability to any attacks. Still, the Chinese are capable of physically
blowing up a lot of American infrastructure (and vice versa), and the Chinese
may be capable of disguising a physical attack as a terrorist attack.

Cyber-warfare is another vector allowing states to attack each other, but it's
still less powerful than conventional warfare, and not that much more powerful
than conventional espionage.

------
Zakharov
From the article: "The targeting of specific U.S. officials is not something
that a mere hacker gang could do."

This is patently false. Anyone could target a U.S. official, and many could
even succeed. Nevertheless, the other arguments the article presents are
sufficient to support its conclusion.

~~~
tlb
I assume he means that a large number of officials were individually targeted,
requiring large numbers of hackers working in tandem.

------
cageface
Perhaps this kind of thing is going to eventually fundamentally change the way
we build software? In most of the common development stacks is an afterthought
if it's addressed at all. If even security "experts" are getting hacked
something is deeply wrong.

~~~
percept
This is the most important comment here, IMO.

What should we be doing about this, now, individually, collectively?

------
n1ck4n
The Aurora attacks were followed by systematic penetrations of one industry
after another. In the so-called Night Dragon series, attackers apparently in
China went after major oil and gas companies, not only in the U.S. but
throughout the world \---

One more "for" argument: in Asia, China's been accused by Phillippines and
Vietnam, as well as Japan of aggressively invading their territorial waters,
islands. Those areas are likely rich of oil. Actions such as sending war boats
to damage fishing boats are a sign of China's ambition to seek more oil, oil
and oil...

Relevant link: <http://news.yahoo.com/s/ap/20110614/ap_on_re_as/as_china_us>

~~~
nl
Why make an unsubstantiated link between the hacking incidents and the South
China Sea conflicts? The South China Sea has been a source of territorial
conflicts though-out history.

In modern times there have been brief shooting conflict between China &
Vietnam in 1974, and 1988 [1], and there have been numerous incidents since.

[1]
[http://en.wikipedia.org/wiki/South_China_Sea#Territorial_cla...](http://en.wikipedia.org/wiki/South_China_Sea#Territorial_claims)

~~~
n1ck4n
If you look at Paracel Islands, yeah, maybe China's close to it. But if you
look at Spratly islands, which are very much territories of either Vietnam,
Indonesia or the Phillipines. And China is to claim it?
<http://en.wikipedia.org/wiki/File:South_China_Sea.jpg>

Plus, the attacks happened around Spratly islands, 2 days _right after_
Shangri-la Dialogue, with the participation of top military bosses, including
Robert Gates, where China promised to use peace talks to resolve the problem.

My 2 cents here:

1\. China has always been a world of its own, it acts by its rules and what it
promises is just what is says, what it does is another thing.

2\. China has become BIG, and worse, it IS aggressive. We'd better be prepared
for a coming war, be it cyber or economical or traditional.

We might be under a much bigger threat than what the media could convey, like
that picture by David Gothard [http://si.wsj.net/public/resources/images/ED-
AN742_clarke_D_...](http://si.wsj.net/public/resources/images/ED-
AN742_clarke_D_20110614180051.jpg)

~~~
Volpe
War mongering ethnocentric bullshit.

China are aggressive in what they believe is 'their' territory, and nothing
else. They have no (modern) history of invading or even being involved in
other conflicts around the world. Most [large] countries could not boast a
similar history.

On the UN security council they veto most aggressive action the US/England/EU
press. If further pressed they generally abstain from the vote. Other than
territorial disputes where do you get the idea they are 'aggressive' ?

China is out to protect it's interests just like every other nation. The worry
is, they are big, and CAN protect their interests. The western super powers
are not used to being challenged like this.

~~~
n1ck4n
Yeah, even Napoleon Bonaparte once said: "China? There lies a lion, let her
sleep, for once she's awake, she will shake the world"

Another point is, I can't remember who (pretty famous analyst) said this, but
something like: "There's nothing wrong with China's getting richer and
stronger. The only problem is China was once depressed by other countries like
Japan, England... And like a child, when he grows up, he will take _revenge_ "

So China is not just-like-every-other-nation like you said

------
aresant
I wonder what America's Cyberassault on China looks like?

------
krakensden
What useful `cybersecurity' legislation could you possibly pass? The only
thing I can think of is "do not connect x, y, and z systems to the internet,"
but that still leaves plenty of ground.

------
dvfer
Both governments are on the same team...total Control........

------
tatsuke95
I don't know about anyone else, but I felt this article had the vibe of:

"Guys! The internet is dangerous! We NEED a way to turn it on and off! It's
for YOUR safety!"

~~~
tatsuke95
Well, I won't be surprised when the powers-that-be put forward a plan for a
"method" to cut us off from the rest of the internet. And it will be accepted,
because they'll have convinced the public there are too many harmful cyber
attackers out there. National Security, don'tcha know.

~~~
learc83
Cutting us off from the rest of the world doesn't work, b/c it would be easy
to deploy a botnet inside the US.

~~~
tatsuke95
It's also tremendously easy to detonate a bomb on American soil a kill a lot
of people. Yet they're still strip searching small children and hammering us
with radiation at the airport.

I don't think they care much about logic....

------
danssig
This is just scare mongering nonsense. WSJ just keeps getting better and
better.

