Five years ago it was hard to get anyone to believe that the Chinese were collecting large quantities of data from businesses and government entities in the U.S. There was little evidence attributing the attacks and the thefts of data to them. Now everyone seems to be in the game of attributing cyber events to people in China. Attribution has become more effective, but also more dangerous. I was reminded of this when I read Josh Chin's article, Cyber Sleuths Track Hacker to China’s Military, in the Wall Street Journal (23 September 2015).
We now have a few companies actively tracking Chinese hackers back to China, in the case Chin discusses, to "People’s Liberation Army Unit 78020, a military intelligence arm based in China’s southwest, and a hacker collective known as Naikon that security researchers say has successfully penetrated key computer networks in countries competing with China for control over the South China Sea." This is certainly good news for people like me who believed the Chinese were stealing us blind while the Chinese denied it and our government seldom named China as the source of attacks. Now we assume it is the Chinese even before the investigations are complete.
The reason this is dangerous is that we have private companies running intelligence operations to collect information about one of our adversaries, including its military. That is not really their business, and it is something they need to think hard about before doing it. Since Mandiant, now part of FireEye, published its series of reports, other companies have taken the data in them and duplicated its examination of the hacking going on in Chinese military units. Mandiant gets confirmation and some additional information, but not much else. Once these reports are published, we have proof of what the Chinese are doing, but we have also published details that guarantee those units will not be doing business the same way they were before they were found out. One thing we can all agree on is that the Chinese are not stupid. They read a lot and they adapt quickly.
Mandiant was the first, but a number of others have followed. We now have at least five U.S. companies, and a few overseas that I know of, doing the same thing. These efforts are not government sanctioned, controlled, or managed. The danger here is that the Chinese elements they are tracking are run by the Chinese government. We cannot continue to trample each other trying to trace things back into a network that is not under our control. In a way, Xi Jinping is having his wish come true: the U.S. has its private businesses tracing these attacks back into China at a time when Chinese businesses are doing the same thing. Neither of us has an interest in allowing state-owned businesses or private concerns to romp around in the computer networks of other countries (not that they are accused of, or admit to, any such thing). Spying is a government's business, and getting too far away from government sponsorship is more than a little dangerous for all of us. We would not want businesses to cross that line.
It isn't always obvious, but hacker groups are not benign. Some of them are mixed up in politics, some in crime, and a few in government intelligence collection. Some will attack an attacker, and a few will be destructive. We don't always know the motivation for a collection effort conducted from a Chinese network, though the Chinese certainly do. Without a little government oversight, these kinds of operations stand to interfere with the ongoing operations of several governments, not just our own. Maybe it is time to get these companies together to discuss what the ground rules should be for conducting attribution inquiries. There may not be a need for laws, but there is certainly a need for an understanding of the consequences if this isn't controlled.