China-bashing made easy
The War Party never sleeps: there are always new variations of war propaganda coming ’round the bend. With the coming of the internet, the latest manufactured “threat” to rear its head is “cyber-warfare,” which is now being touted by the Obama administration and its media fan club as the Next Big Scary Thing – but what are the facts?
The first fact we need to integrate into our analysis is that “cyber-security” isn’t a science, it’s an industry: that is, the entities issuing alarming reports of this lurking threat are for profit companies mainly if not exclusively concerned with selling a product. And while the “threat landscape,” as the jargon phrases it, is potentially very diverse, with a number of countries and non-state actors potential combatants, our cyber-warriors have targeted China as the main danger to our cybernetic security – the Yellow Peril of the Internet Age. They’re stealing our technology, our secrets, and infiltrating our very homes! This is largely baloney, as Jeffrey Carr, founder of Project Grey Goose and Taia Global, a cyber-security firm, and author of Inside Cyber Warfare, points out:
“[I]t’s good business today to blame China. I know from experience that many corporations, government and DOD organizations are more eager to buy cyber threat data that claims to focus on the PRC than any other nation state. When the cyber security industry issues PRC-centric reports like this one without performing any alternative analysis of the collected data, and when the readership of these reports are government and corporate officials without the depth of knowledge to critically analyze what they’re reading (i.e., when they trust the report’s authors to do the thinking for them), we wind up being in the position that we’re in today – easily fooled into looking in one direction when we have an entire threat landscape left unattended. We got into that position because InfoSec vendors have been left alone to define the threat landscape based upon their product offerings. In other words, vendors only tell customers to worry about the threats that their products can protect them from and they only tell them to worry about the actors that they can identify (or think that they can identify). This has resulted in a security awareness clusterfuck of epic proportions.”
The “cyber-threat” from China has been much in the news lately, and any number of self-proclaimed “experts” with a financial stake in hyping this latest bogeyman have been pointing an accusing finger at Beijing whenever some government agency or big corporation discovers cyber-vandals in its domain. The latest is a report issued by a private cyber-security firm, Mandiant, which claims these attacks are occurring under the auspices of the People’s Liberation Army (PLA). It is, of course, just a coincidence that this accusation limns a recent National Intelligence Estimate, which – according to the New York Times, itself supposedly victimized by Chinese hackers – “makes a strong case that many of these hacking groups are either run by army officers or are contractors working for commands like [PLA] Unit 61398.”
Yet, as Carr discusses here, the Mandiant report has several analytic flaws. To begin with, the “mission area,” i.e. the nature and alleged goal of these intrusions, is supposed to identify China as the culprit because the latest APT (cyber-security jargon for “advanced persistent threat”) “steals intellectual property from English-speaking organizations,” and that these thefts coincide with the technical requirements of China’s current Five-Year Plan.
This kind of “logic” ought to make your BS-detector go haywire, recalling Carr’s warning that there’s a bad case of perception bias at work here: that’s because other nations, and non-state actors such as criminal gangs, also launch cyber-attacks on English-speaking organizations, which in many instances parallel the interests contained in China’s Five-Year Plan. Russia, France, Israel, and a number of other countries have advanced cyber-warfare capabilities, and haven’t hesitated to use them for purposes of industrial espionage, among other reasons: Eastern European gangsters are also players in this game. Yet there is no mention of these alternatives in the Mandiant report: according to them, it’s all about China.
Mandiant claims that because the rash of recent intrusions have involved operations requiring hundreds of operators, that only a nation-state with “military-grade operations” could possibly have carried them out. Yet more than 30 nations are currently running “military-grade” operations, as Carr informs us: why pick on China?
Well, says Mandiant, because the intrusions they analyzed used a Shanghai phone number to register an email account, for one. Yet this proves exactly nothing. Okay then, what about the fact that “two of four network ‘home’ Shanghai blocs are assigned to the Pudong New Area,” where the PLA’s Unit 61398 is located? This also proves exactly nothing: the Pudong New Area has over 5 million inhabitants. It is smack dab in the center of China’s booming commercial and hi-tech metropolis. Ask yourself how many IP addresses originate from this area. Oh, but one of the “PLA” hackers’ “self-identified location is the Pudong New Area.” Really? So what? Aside from the demographic information supplied above, one has to wonder if these people really believe everything they see on the Internet is true. C’mon, guys!
The New York Times has been pushing the Yellow Cyber-Peril theme ever since their computer system was hacked, but the question of who exactly was responsible for that intrusion is by no means proved. In a Times piece on the subject – with the rather whiney headline “Hackers in China Attacked The Times for Last 4 Months” – we again come across Mandiant pointing to the Chinese military as the culprit, but their case against the PLA falls apart under the most cursory inspection. For example, Mandiant’s “analysis” is based in part on the observation that these alleged Chinese
“Hacker teams regularly began work, for the most part, at 8 a.m. Beijing time. Usually they continued for a standard work day, but sometimes the hacking persisted until midnight. Occasionally, the attacks stopped for two-week periods, Mandiant said, though the reason was not clear.”
Bull hockey. There are a number of other countries in the same time zone that have active hacker communities. The idea that the timing of these attacks somehow pinpoints “Chinese hackers” associated with the PLA is laughable. As Carr puts it:
“The hackers could have been from anywhere in the world. The time zone that Mandiant imagines as a Beijing workday could easily apply to a workday in Bangkok, Singapore, Taiwan, Tibet, Seoul, and even Tallinn – all of whom have active hacker populations.”
Mandiant – hired by the Times to investigate the intrusion, and currently in negotiations with the New York Times Company over a possible ongoing business relationship – cites the fact that the intrusions supposed originated at some of the “same universities used by the Chinese military to attack U.S. military contractors in the past.” Yet there are many universities located in the Jinan area Mandiant homes in on, and geolocation in this instance, as Carr says, “means absolutely nothing.” He also raises an important point: if the Chinese military was behind the Times hack, then why would they launch these attacks from a location previously identified with the PLA? That’s seems rather too obvious, especially in view of the lengths to which hackers go to cover their tracks. Wouldn’t China’s Ministry of State Security, their official intelligence agency, be assigned that task? Yet their facilities are located in Beijing, over 200 miles away from Jinan.
Most people are ignorant of the technical details utilized by commercial enterprises like Mandiant to gin up an alleged “threat.” One supposedly scary tool used by the “Chinese” hackers is a Remote Access Tool, and we are told that the specific methods used in the past by alleged Chinese hackers are matched to the Times intrusion. This is just plain wrong, however, as Carr explains:
“The article mentioned the hackers use of a Remote Access Tool (RAT). One such widely used tool is called GhostRAT. The fact that it was used in an attack against the Dalai Lama in 2008 (GhostNet) doesn’t mean that all of the later attacks which used this tool originated with the same group. In fact, even the GhostNet researchers refrained from attributing this attack to China’s government.
“Another tool whose use is often blamed on Chinese hackers is the ‘xKungFoo script.’ Like GhostRAT, the xKungFoo script is widely available for anyone to use so even if it was originally created by a Chinese hacker, it doesn’t mean that it is used by Chinese hackers in all instances. I personally know Russian, English, and Indian hackers who write and speak Chinese.”
This is simple logic: you don’t have to be a cyberwarfare “expert” to realize there are many possibilities when it comes to identifying the people behind the methods. If you’ve already decided who is the perpetrator, however, then Mandiant’s accusations directed at Beijing fit neatly into the available “evidence.” That’s how confirmation bias works.
The major piece of “evidence” supposedly pointing to the Chinese government is the timing of the intrusion: just as research for a Times story on the financial dealings of a top Chinese government official, Wen JaiBo, was “nearing completion.” According to the Times, the hackers gained access to email accounts belonging to Shanghai bureau chief David Barboza, author of the Wen expose, as well as Jim Yardley, bureau chief covering South Asia. Yet the Wen connection is contradicted in the very next paragraph of the Times‘s own account, which says:
“’Computer security experts found no evidence that sensitive e-mails or files from the reporting of our articles about the Wen family were accessed, downloaded or copied,’ said Jill Abramson, executive editor of The Times.”
So what’s the connection to the Wen story? In addition, Yardley had nothing to do with the Wen story, and yet his email was also breached, along with the passwords of 53 employees who are not in the Times newsroom. So what does this add up to? A big fat zero, as far as evidence of China’s involvement is concerned. China is merely the go-to cyber-villain of the moment, and this is certainly true where Mandiant is concerned.
The same kind of dicey “evidence” is being used to accuse Iran – you saw this coming, didn’t you? Again, the tech-ignorant New York Times is in the lead, with a story echoing the claims of US officials that Tehran was behind the recent cyber-attacks launched against several American banks. You can almost hear the spooky music in the first two paragraphs of the piece, by Nicole Perlroth and Quentin Hardy, which gives an account of how the hackers slowed down and disabled banking sites, and then goes on to say:
“There was something disturbingly different about the wave of online attacks on American banks in recent weeks. Security researchers say that instead of exploiting individual computers, the attackers engineered networks of computers in data centers, transforming the online equivalent of a few yapping Chihuahuas into a pack of fire-breathing Godzillas.”
Godzilla’s on the loose! And it’s an Iranian Godzilla! Yikes!
“The skill required to carry out attacks on this scale has convinced United States government officials and security researchers that they are the work of Iran, most likely in retaliation for economic sanctions and online attacks by the United States.
“’There is no doubt within the U.S. government that Iran is behind these attacks,’ said James A. Lewis, a former official in the State and Commerce Departments and a computer security expert at the Center for Strategic and International Studies in Washington.”
The skill required to carry out these attacks was minimal. As Roel Schouwenberg, senior researcher at Kaspersky Labs, put it:
“We can confirm that the attacks being reported are happening; however, the malware being used, known as ItsOKNoProblemBro, is far from sophisticated. It’s really rather simple. It’s also only one part of the puzzle but it seems to be effective, which is all that matters to the attackers. Going strictly by the publicly known technical details, we don’t see enough evidence that would categorize this operation as something only a nation-state sponsored actor could pull off.”
More “evidence” offered in support of the “Iran-did-it” theory is that these attacks did not garner any information: no data systems were breached. It was, in short, pure cyber-malice directed at American banks. If this is supposed to somehow prove the Iranians are the culprits, then it is weak tea indeed: because there are any number of groups who hate American bankers, including, I would venture, the vast majority of the American people. These DDOS attacks seem more like the sort of thing we might expect from a group like “Anonymous” than from a state actor such as Iran.
Of course, the paucity of evidence didn’t stop Sen. Joe Lieberman from declaring:
“I don’t believe these were just hackers who were skilled enough to cause disruption of the websites. I think this was done by Iran … and I believe it was a response to the increasingly strong economic sanctions that the United States and our European allies have put on Iranian financial institutions.”
As is the case with Iran’s alleged nuclear weapons program, which our own spooks have said does not presently exist, the technical details are obscure to most of us, and therefore this realm is given over to “experts,” both real and imagined. To Sen. Lieberman and all too many in the media, it’s just a matter of picking and choosing your “experts,” and making the “facts” fit your preconceived notions.
Aside from ginning up conflict with the War Party’s chosen targets, the whole cyber-war scare-mongering campaign, whether the alleged “threat” is said to be emanating from China, Iran, or wherever, is also very convenient for proponents of Internet regulation who want to install back doors on every web site, and every software system, so the feds can “trace” these alleged “cyber-terrorists.” It is, in short, a scam, part and parcel of a political campaign to rein in the wild and wooly – and largely unregulated – Internet, and make it more amenable to the interests of our wise rulers.
The mystification of science, and the culture of “expertise,” has greatly aided the War Party in their propaganda efforts. Instead of making up stories about babies being bayoneted in their cribs – although there is still some of that – we are given mind-numbingly technical explanations that point to purported acts of “cyber-terrorism” carried out by China, Iran, or the villain-of-the-moment. Except that the supposed “evidence” turns out to based on non-credible assumptions and faulty technical analysis.
Remember, we’ve been through this sort of thing before: all the “intelligence” supposedly pointed to the irrefutable “fact” that Iraq possessed “weapons of mass destruction,” which it was about to launch against its neighbors. That turned out to be a lie. Much of this baloney came wrapped up in impressive-sounding technical jargon, and was validated by the media’s chosen “experts.”
Has anybody learned anything from that experience? I’m thinking in particular of the members of the Fourth Estate, otherwise known as “journalists.” The answer, unfortunately, seems to be no.
ABOUT THE AUTHOR
Justin Raimondo is the editorial director of Antiwar.com, and a senior fellow at the Randolph Bourne Institute. He is a contributing editor at The American Conservative, and writes a monthly column for Chronicles. He is the author of Reclaiming the American Right: The Lost Legacy of the Conservative Movement [Center for Libertarian Studies, 1993; Intercollegiate Studies Institute, 2000], and An Enemy of the State: The Life of Murray N. Rothbard [Prometheus Books, 2000].
Cyberwarfare: US uses Hacking Allegations to Escalate Threats against China
Theme: US NATO War Agenda
The Obama administration is utilizing unsubstantiated charges of Chinese government cyber-attacks to escalate its threats against China. The past two days have seen allegations of hacking into US corporate and government web sites, hyped by the US media without any examination of their validity, employed to disorient the American public and justify an expansion of the Obama administration’s drive to isolate China and prepare for an eventual military attack.
The accusations of hacking against China will also be used to justify increased domestic surveillance of computer and Internet communications, as well as an expanded use of cyber warfare methods internationally.
The New York Times, functioning once again as a conduit for the Pentagon and the CIA, has taken the lead in the latest provocation against Beijing. On Tuesday it published a bellicose front-page article headlined “China’s Army Seen as Tied to Hacking Against US,” and carrying the ominous subhead “Power Grid is a Target.”
The article drips with cynicism and hypocrisy. It is well known that the United States is the world’s most ruthless practitioner of cyber warfare. The article itself acknowledged that the US worked with Israel to disrupt the Iranian nuclear program by introducing the Stuxnet virus into Iran’s computer systems. That bit of sabotage—itself an illegal act of aggression—was accompanied by a series of assassinations of Iranian scientists carried out by Israel with Washington’s support.
The sprawling front-page article, which continued on an entire inside page of the newspaper, was based on a 60-page report released that day by a private computer security firm with close ties to the Times, as well as to the US military and intelligence agencies. The report by Mandiant—founded by a retired Air Force officer and based in Alexandria, Virginia—provides no real evidence to substantiate its claim that a unit of China’s People’s Liberation Army based in Shanghai is directing hacking attacks on US corporations, organizations and government institutions.
In its report, Mandiant claims to have tracked 141 cyber attacks by the same Chinese hacker group since 2006, 115 of which targeted US corporations. On the basis of Internet footprints, including Internet provider addresses, Mandiant concludes that 90 percent of the hacking attacks come from the same neighborhood in Shanghai. It then notes that the headquarters of Unit 61398 of the People’s Liberation Army is located in that neighborhood. From this coincidence, Mandiant draws the entirely unwarranted inference that the cyber-attacks are coming from the PLA building.
As the Times admits in its article, “The firm was not able to place the hackers inside the 12-story [PLA Unit 61398 headquarters] building…” The newspaper goes on to report that “Mandiant also discovered an internal China Telecom memo discussing the state-owned telecom company’s decision to install high-speed fiber-optic lines for Unit 61398’s headquarters.” One can only assume that Mandiant “discovered” this memo by carrying out its own hacking of Chinese computers.
Chinese spokesmen have denied any involvement by the government or the military in hacking attacks and dismissed the Mandiant report as lacking any proof of its charges. The Chinese Ministry of Defense released a statement Wednesday pointing out that Internet provider addresses do not provide a reliable indication of the origin of hacking attacks, since hackers routinely usurp IP addresses. A Foreign Ministry spokesman pointed out that China is constantly being targeted by hackers, most of which originate in the US.
The Chinese position was echoed by Dell Secureworks cyber-security expert Joe Stewart, who told the Christian Science Monitor: “We still don’t have any hard proof that [the hacker group] is coming out of that [PLA Unit 61398’s] building, other than a lot of weird coincidence pointing in that direction. To me, it’s not hard evidence.”
The Obama administration followed up the Times article, which sparked a wave of frenzied media reports of Chinese cyber-attacks, by announcing on Wednesday that it would step up diplomatic pressure and consider more punitive laws to counter what it described as a wave of trade secret theft by China and other countries. The Associated Press reported that the administration was discussing “fines, penalties and tougher trade restrictions” directed against China.
The latest propaganda attack points to an escalation of the US offensive against China that went by the name “pivot to Asia” in Obama’s first term. That policy included whipping up territorial disputes in the East China and South China seas between China and a series of countries in East Asia, including Japan, Vietnam and the Philippines.
It has also included the establishment of closer military ties and new US installations in a number of countries, including India and Australia, to militarily encircle China.
The Times concluded its article by reporting that “The mounting evidence of state sponsorship… and the growing threat to American infrastructure are leading officials to conclude that a far stronger response is necessary.” It cited Rep. Mike Rogers, the Republican chairman of the House Intelligence Committee, as saying that Washington must “create a high price” to force the Chinese to back down.
In an editorial published Wednesday, the Times noted that the administration has decided to give US Internet providers and anti-virus vendors information on the signatures of Chinese hacker groups, leading to a denial of access to US networks for these groups. It also reported that President Obama last week signed an executive order authorizing increased sharing of information on cyber threats between the government and private companies that oversee critical infrastructure, such as the electrical grid.
The Wall Street Journal in its editorial called for “targeted sanctions” against Chinese individuals and institutions.
The background to this new salvo of anti-China propaganda underscores that it is part of an aggressive expansion of US military capabilities, both conventional and cyber-based. Obama raised the issue of cyber war in his February 12 State of the Union address, accusing US “enemies” of seeking to “sabotage our power grid, our financial institutions, our air traffic control systems,” and insisting that action be taken against such attacks.
In the same speech, he defended his drone assassination program, which is based on the claim that the president has the unlimited and unilateral power to order the murder of anyone anywhere in the world, including US citizens.
Last October, Obama signed an executive order expanding military authority to carry out cyber-attacks and redefine as “defensive” actions that would previously have been considered acts of aggression—such as the cutting off of computer networks. Around the same time, Defense Secretary Leon Panetta gave a bellicose speech in which he warned of a “cyber Pearl Harbor.” Panetta told Time magazine: “The three potential adversaries out there that are developing the greatest capabilities are Russia, China and Iran.”
At the end of January, the New York Times accused Chinese authorities of hacking into its news operations, a charge that was quickly seconded by the Washington Post and the Wall Street Journal. That same week, the Washington Post reported that the US military had approved a five-fold increase of personnel in its Cyber Command. Days later, the Times reported on its front page that the Obama administration had concluded that the president had the power to authorize pre-emptive cyber war attacks.
This bellicose posture toward China and expansion of cyber warfare methods goes hand in hand with growing threats to democratic rights at home. The cyber war plans include options for military action within the US. The Times reported earlier this month that the military “would become involved in cases of a major cyber-attack within the United States” under certain vaguely defined conditions.
Efforts to increase government control of the Internet and surveillance of Internet communications are being stepped up. Just last week, Rep. Rogers of Michigan and Democratic Senator Dutch Ruppersberger of California reintroduced the Cyber Intelligence Sharing and Protection Act (CISPA). The bill died in the Senate last year in the midst of protests over provisions allowing the government to spy on emails and other Internet-based communications.