Circumstantial evidence alone should not condemn Beijing of sponsoring hacking of U.S. companies

Ever since reports emerged about Chinese cyber attacks on several companies, including Google, the media has been full of stories accusing none other than the Chinese government (or its agents) of the dirty deed. For those of us inside the computer security industry, there’s nothing new about suspecting the Chinese government of malicious hacking. What’s missing in this case, however, is evidence; until that proof materializes, I refuse to point the finger at Beijing.

I’ll readily admit that the Chinese government has a dubious track record when it comes to malicious hacking. The first public allegation of Chinese military hacking was back in 2005 with the Titan Rain project. Today, we have many well-documented cases of hacking originating from China (just use an Internet search engine to be overwhelmed). There are plenty of public whitepapers about Chinese government hacking programs. Among the most recent respected papers are Northrop Grumman’s “Capability of the People’s Republic of China to Conduct Cyber Warfare and Computer Network Exploitation,” and the 2009 “U.S.-China Economic and Security Review” report to Congress.

Moreover, I’m personally familiar with many cases where government and military secrets have been hacked and sent to Chinese-originated IP addresses. It’s the world I have lived in for the past two-plus years. Chinese hacking of government and military information is rampant. But I’ve yet to see a shred of evidence that the Chinese government is involved in any of these incidents.

Let me be clear here that I am speaking on behalf of myself, not my employer or any company I’ve consulted. Also, let me say that I haven’t had access to classified data on the issue.
Additionally, I’m not defending China for such actions as blocking free access to any information (with the notable and understandable exceptions of child pornography, classified information, etc.). I can’t understand any society tolerating filtered search queries. Moreover, I certainly believe that the Chinese government is capable of sophisticated hacking. I even believe it’s likely that the Chinese government would engage in that sort of activity.

But again: What I don’t see is any evidence, and without publicly disclosed evidence linking the Chinese government to the crime, I don’t see how anyone can justify throwing strong accusations at said government.

Admittedly, I have lots of friends who have better access to classified data, and they assure me that we do have the evidence to pin the rap on China. But to be honest, I’m not sure if I believe them. If we did have the evidence, why wouldn’t we share it? What possible reason would a person, company, or government agency have for not publicly disclosing irrefutable evidence of Chinese government hacking in the face of their strong protestations to the contrary?

I’ve heard lots of interesting defenses, ranging from “we wouldn’t want to make the Chinese government mad” (which is strange considering nothing would make me madder than unsubstantiated accusations on the world stage) to “nation state hackers never, ever, leave hacking trails” (I’ve never known any government or hacker to do anything perfectly) to “revealing the evidence would reveal our intelligence methods and sources.” I can’t believe that not one bit of evidence can be revealed to answer the Chinese government’s protestations of false accusations.

Most of my friends assume I’m lost in some naïve “innocent until proven guilty” mentality. They say that absolute proof of Chinese government hacking will never come out, that the best we can do is present overwhelming circumstantial evidence that the Chinese government has committed the crime.
To be honest, I’ve never been overly impressed with cases decided by purely circumstantial evidence. I’m certainly not ready to use it to pass judgment on an entire country.

Suppose for a moment that the Chinese hacking is completely (or even mostly) perpetrated by private Chinese citizens. Certainly this is just as plausible a scenario, and we have proof of this one in the form of originating IP addresses and other published evidence. By not acting more strongly to decrease cyber crime, is the Chinese government somehow responsible for it? I ask here because I truly do not know. I know of other countries that seem to knowingly encourage cyber hacking through neglectful laws. But I’ve not heard of China put into the same category. Is the Chinese government overly neglectful in cyber crime law or enforcement? Or, as I suspect, is the Chinese government just not doing a super job at it, like my own government? I mean, we passed the CAN-SPAM Act in 2003, yet since then, spam has escalated to the point that it constitutes more email traffic than does legitimate email. We also certainly have dozens of state and federal laws against cyber crime, yet millions of our citizens fall victim to exploits and malicious hacking each year. We prosecute almost no one (for a variety of reasons).

For me, the bottom line here is, until I see irrefutable evidence that the Chinese government has been knowingly involved in sponsoring foreign cyber hacking, I can’t help but presume the government is innocent of this particular wrongdoing. Too many falsely accused people, companies, and even countries have been found innocent of the early charges in a fully functioning, open justice system for me to think otherwise.

And if someone has evidence, why not release it to end the debate? Until then, I’m going to suspect that China has the same problem as all the other countries around the world in controlling malicious hacking by its citizens.
再见 (Zai jian, or “good-bye” in Mandarin.)

This story, “Chinese government is innocent of cyber attacks until proven guilty,” was originally published at InfoWorld.com.