
Afterbytes - Ranum on Google Considering Leaving China


Title: Google Considering Leaving China
Date: January 12, 2010

In the wake of the attacks on Google and other companies, Google has indicated that it may no longer cooperate with Chinese censorship rules and that it may consider pulling out of China altogether. When Google opened operations in China in 2006, it operated under an agreement with the Chinese government that it would remove banned subject matter from search results.

Sources: Google, Citing Attack, Threatens to Exit China, Update: Google may pull out of China because of cyberattacks, Google's response to being attacked by China

Paired with this fascinating piece by Gerald Posner.

The ongoing story of the Chinese "cyberwar" just keeps popping up in the news, again and again, like a zombie that takes repeated blows with a shovel and just won't stop moving. Am I talking about it too much? Perhaps, but it's one of those nodal point issues that I think tells us an incredible amount about what's going on in information security at the government and major corporation level. What do I mean? It's becoming a litmus test, for me, as to who has a clue and who doesn't. But if you want to be a paranoid skeptic, ask yourself "why are people with clues acting as if they have none?"

First, to the Google part of the story.

About a year ago, China's internet-using population surpassed the US' (this is based on estimates, of course). Google is currently valued on the stock market with a market capitalization of $182 billion, based on its marketing reach and technology strategy, its profits coming mostly from the US. So, when someone says "Google is thinking of pulling out of China" they're talking nonsense - even if they're a Google executive. Simply because no company that is an internet business is going to abandon a market that is going to be larger than the one most of their income comes from, today. Right now, Google.cn has a "measly" $300 million in annual revenues. Google pulling out of China is as likely as WAL-MART closing all its stores west of Nashville; i.e.: it's just not going to happen. Threatening to pull out of China is like threatening to poke one of your own eyes out.

So, what's really going on? It's an excuse to renegotiate. Think about it this way: Google already needs to have an infrastructure capable of resisting all the hackers, script kiddies, spammers, and cybercriminals in the world. Whether the attackers are from China or Chicago, it really doesn't matter - if Google's infrastructure can't keep them out, it's an expensive problem. They already have to have flooding and denial-of-service protections in place, or we'd already be hearing about it. What they're really doing is using alleged Chinese government non-cooperation as an excuse to push back on having agreed to support Chinese censorship and to filter banned topics out of its results for Chinese users. In other words, Google decided to "be a little bit evil" because of all the potential money China represented, and maybe they just haven't been seeing the cash come into the till, so they're using a trumped-up excuse to try to haul the Chinese government back to the negotiating table.

My prediction for you: The Chinese Government will offer to block access to Google. I.e.: "Want to pull out of China? Here, let us help you." Google will shut up, and the whole thing will blow over.

Have the executive team at Google lost their minds, or did someone put them up to it? Arguing in favor of the "they have lost their minds" theory, we have the fact that a search engine company is now trying to make telephones, because the world really needs another smart phone to forget about. On the other side - the paranoid side - maybe someone put them up to it.

Those attacks, which Google said took place last week, were directed at some 34 companies or entities, most of them in Silicon Valley, California, according to people with knowledge of Google’s investigation into the matter.

Presumably, these attacks were against companies whose infrastructure is, in whole or in part, running on Google's services. Otherwise, why would Google be investigating? I would expect that Google's reaction would be to fix stuff and get back to work. My suspicion is that Google's becoming the inadvertent poster child for the US Government's "Chinese cyberwar" hype campaign which has been going on for the last year. First, we heard the drum banging about all the attacks on federal agencies. Then it was the "they stole the joint strike fighter plans!" and now it's going to be "and they're messing with Google!"

Now, to Posner's article. Posner's a pretty good journalist, in my opinion. I enjoyed his research and reasoning in his book about the Kennedy assassination, and I've read other articles by him, as well, and been generally impressed by how clueful he is. That's why I enjoyed his article on the Chinese cyberattacks. He's careful to say "the FBI says..." and I don't see a lot of places where he appears to be taking it at face value; his reporting of the story is very nuanced. He does a good job with it.

A classified FBI report indicates that China has secretly developed an army of 180,000 cyberspies that “poses the largest single threat to the United States for cyberterrorism and has the potential to destroy vital infrastructure, interrupt banking and commerce, and compromise sensitive military and defense databases."

When I read that, I literally laughed so hard I was braying like a donkey. I wonder if that was Posner's initial reaction, too. 180,000 cyberspies? That's, what, about the size of the US contingent at the Normandy landings - are they planning to launch human wave attacks? Guys, the whole idea of "cyberwar" is that it's (theoretically) a force multiplier - a small number of guys can do disproportional damage. The Chinese do not have 180,000 cyberspies - I can guarantee you that. How do I know? Because the Chinese are not stupid.

Why is the FBI up to these tricks - deliberately giving classified reports to journalists? Talking about "WMD-Like" capabilities? Will someone, please, tell the FBI to shut up about the "WMD" - we, The People, fell for that one kind of recently, and we're still a little bit sore about it.

Here's the meat, and here's what matters:

According to the bureau’s classified information, the Chinese hackers are adept at implanting malicious computer code, and in 2009 companies in diverse industries such as oil and gas, banking, aerospace, and telecommunications encountered costly and at times debilitating problems with Chinese-implanted “malware.” The FBI analyst would not name the affected companies.

I've been saying for years that over-reliance on outsourcing code is a threat to national security. The real threat is not malware, the real threat is submarine code - submarine code running on critical computers managed by organizations that by definition are not competent to find trapdoors because, otherwise, they wouldn't have outsourced it.

Even the Pentagon was breached in 2007 and again in early 2009, despite what it considered foolproof Titan Rain security patches. The 2009 intrusion was particularly worrisome since the Chinese managed to get inside the Pentagon's $300 billion Joint Strike Fighter project—the Defense Department's costliest weapons program ever.

How many of you who are reading this are information security practitioners with more than 10 years in the field? 15? If you've been doing this for more than a decade, you'll probably remember that The Pentagon has been hacked every year, several times, since - well - since it hooked to the Internet. It has been hacked by everyone from script-kiddies to professionals, regular as clockwork. At least the old mantra (which used to be: "Pentagon hacked again, DoD sources say 'but no classified materials were accessed'") has finally accepted that, of course, important data leaks when you get hacked. That is, after all, why people hack in the first place.

Read the rest of Posner's article. It's fascinating. Meanwhile, here's my theory of what's happening: The Chinese internet population is about the same size as the US Internet population. Let's assume that, maybe, there are about the same number of expert hackers and script kiddies. In China, if you're caught hacking your government's machines, you might be executed - killed dead. In China, if you're caught hacking the US government's machines - nobody cares. So what I think we're seeing is a thundering herd of Chinese script kiddies. If I were an intelligence officer working for the Chinese Government, I'd find it all quite amusing, since it would divert American efforts from actually doing anything useful about security, and would allow the FBI to keep running around getting more and more upset. Meanwhile, I'd own a few system administrators at a few big beltway bandits; guys who can walk out of buildings with a 2TB USB drive in their backpacks. Because that's how the real spies do it - Aldrich Ames, Robert Hanssen, Kim Philby, John Walker, Michael Walker, Jonathan Pollard, Katrina Leung, etc., etc. It's not the thundering herds of script kiddies that bring home the big bacon: it's the insiders. The KGB knew that. The Mossad knows that. The Chinese Ministry of State Security knows that.

Even the FBI knows it. After all, their operation was penetrated by Katrina Leung, who started an affair with an FBI agent to get documents from him. It's not the thundering herds of script kiddies we need to worry about, really, it isn't. And that, once again, is why I keep writing about this topic. I'm desperately afraid that our focus on security is being manipulated for budget-enlargement purposes, while serious problems are being ignored. The clear and present danger is not the human wave of 180,000 hackers - it's the coder who's writing the next version of the code for the Predator Drone, or a communications satellite, or a data dictionary for a logistics system.

Telling people to worry about insider threats is always an unpopular position, because it's saying "don't trust people!" But, unfortunately, not everyone can be trusted, especially when there's money or national identity at stake. So, if you're a security practitioner that's dealing with critical infrastructure, important code or important data, once you've done the security basics to keep out the human waves of script kiddies, start asking yourself how you can detect inappropriate activity that might represent "low and slow" penetrations. That's the real deep water.
