Americas

  • United States

Asia

Oceania

roger_grimes
Columnist

Chinese government is innocent of cyber attacks until proven guilty

Analysis
Feb 12, 20105 mins
Data and Information SecurityGoogleHacking

Circumstantial evidence alone should not condemn Beijing of sponsoring hacking of U.S. companies

Ever since reports emerged about Chinese cyber attacks on several companies, including Google, the media has been full of stories accusing none other than the Chinese government (or its agents) of the dirty deed. For those of us inside the computer security industry, there’s nothing new about suspecting the Chinese government of malicious hacking. What’s missing in this case, however, is evidence; until that proof materializes, I refuse to point the finger at Beijing.

I’ll readily admit that the Chinese government has a dubious track record when it comes to malicious hacking. The first public allegation of Chinese military hacking was back in 2005 with the Titan Rain project. Today, we have many well-documented cases of hacking originating from China (just use an Internet search engine to be overwhelmed). There are plenty of public whitepapers about Chinese government hacking programs. Among the most recent respected papers are Northtrop Grumman’s “Capability of the People’s Republic of China to Conduct Cyber Warfare and Computer Network Exploitation,” and the 2009 “U.S.-China Economic and Security Review” report to Congress.

[ InfoWorld’s Roger Grimes explains how to stop data leaks in an enlightening 30-minute webcast, Data Loss Prevention, which covers the tools and techniques used by experienced security pros. ]

Moreover, I’m personally familiar with many cases where government and military secrets have been hacked and sent to Chinese-originated IP addresses. It’s the world I have lived in for the past two-plus years. Chinese hacking of government and military information is rampant.

But I’ve yet to see a shred of evidence that the Chinese government is involved in any of these incidents.

Let me clear here that I am speaking on behalf of myself, not my employer or any company I’ve consulted. Also, let me say that I haven’t had access to classified data on the issue.

Additionally, I’m not defending China for such actions as blocking free access to any information (with the notable and understandable exceptions of child pornography, classified information, etc.). I can’t understand any society tolerating filtered search queries. Moreover, I certainly believe that the Chinese government is capable of sophisticated hacking. I even believe it’s likely that the Chinese government would engage in that sort of activity.

But again: What I don’t see is any evidence, and without publicly disclosed evidence linking the Chinese government to the crime, I don’t see how anyone can justify throwing strong accusations at said government.

Admittedly, I have lots of friends who have better access to classified data, and they assure me that we do have the evidence to pin the rap on China. But to be honest, I’m not sure if I believe them. If we did have the evidence, why wouldn’t we share it? What possible reason would a person, company, or government agency have for not publicly disclosing irrefutable evidence of Chinese government hacking in the face of their strong protestations to the contrary?

I’ve heard lots of interesting defenses, ranging from “we wouldn’t want to make the Chinese government mad” (which is strange considering nothing would make me madder than unsubstantiated accusations on the world stage) to “nation state hackers never, ever, leave hacking trails” (I’ve never known any government or hacker to do anything perfectly) to “revealing the evidence would reveal our intelligence methods and sources.” I can’t believe that not one bit of evidence can be revealed to answer the Chinese government’s protestations of false accusations.

Most of my friends assume I’m lost in some naïve “innocent until proven guilty” mentality. They say that absolute proof of Chinese government hacking will never come out, that the best we can do is present overwhelming circumstantial evidence that the Chinese government have committed the crime. To be honest, I’ve never been overly impressed with cases decided by purely circumstantial evidence. I’m certainly not ready to use it to pass judgment on an entire country.

Suppose for a moment that the Chinese hacking is completely (or even mostly) perpetrated by private Chinese citizens. Certainly this is just as plausible of a scenario, and we have proof of this one in the form of originating IP addresses and other published evidence. By not acting stronger to decrease cyber crime, is the Chinese government somehow responsible for it? I ask here because I truly do not know. I know of other countries that seem to knowingly encourage cyber hacking through neglectful laws. But I’ve not heard of China put into the same category.

Is the Chinese government overly neglectful in cyber crime law or enforcement? Or, as I suspect, is the Chinese government just not doing a super job at it, like my own government? I mean, we passed the CAN-SPAM Act in 2003, yet since then, spam has escalated to the point that it constitutes more email traffic than does legitimate email. We also certainly have dozens of state and federal laws against cyber crime, yet millions of our citizens fall victim to exploits and malicious hacking each year. We prosecute almost no one (for a variety of reasons).

For me, the bottom line here is, until I see irrefutable evidence that the Chinese government has knowingly involved in sponsoring foreign cyber hacking, I can’t help but presume the government is innocent of this particular wrongdoing. Too many falsely accused people, companies, and even countries have been found innocent of the early charges in a fully functioning, open justice system for me to think otherwise.

And if someone has evidence, why not release it to end the debate? Until then, I’m going to suspect that China has the same problem as all the other countries around the world in controlling malicious hacking by its citizens. 再见 (Zai jian, or “good-bye” in Mandarin.)

This story, “Chinese government is innocent of cyber attacks until proven guilty,” was originally published at InfoWorld.com. Follow the latest developments in security at InfoWorld.com.

roger_grimes
Columnist

Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.

More from this author