Is the Chinese Government Really Behind Cyberattacks?

Ever since reports emerged about Chinese cyber-attacks on several companies, including Google, the media has been full of stories accusing none other than the Chinese government (or its agents) of the dirty deed. For those of us inside the computer security industry, there's nothing new about suspecting the Chinese government of malicious hacking. What's missing in this case, however, is evidence, and until that proof materializes, I refuse to point the finger at Beijing.

I'll readily admit that the Chinese government has a dubious track record when it comes to malicious hacking. The first public allegation of Chinese military hacking was back in 2005 with the Titan Rain project. Today, we have many well-documented cases of hacking originating from China (just use an Internet search engine to be overwhelmed). There are plenty of public whitepapers about Chinese government hacking programs. Among the most recent respected papers are Northrop Grumman's "Capability of the People's Republic of China to Conduct Cyber Warfare and Computer Network Exploitation," and the 2009 "U.S.-China Economic and Security Review" report to Congress.

Moreover, I'm personally familiar with many cases where government and military secrets have been hacked and sent to Chinese-originated IP addresses. It's the world I have lived in for the past two to three years. Chinese hacking of government and military information is rampant.

But, I've yet to see a shred of evidence that the Chinese government is involved in any of these incidents!

Let me be clear here that I am speaking on behalf of myself, not my employer or any company I've consulted for. Also, let me say that I haven't had access to classified data on the issue.

Additionally, I'm not defending China for actions such as blocking free access to information (with the notable and understandable exceptions of child pornography, classified information, etc.). I can't understand any society tolerating filtered search queries. Moreover, I certainly believe that the Chinese government is capable of sophisticated hacking. I even believe it's likely that the Chinese government would engage in that sort of activity.

But again: What I don't see is any evidence, and without publicly disclosed evidence linking the Chinese government to the crime, I don't see how anyone can justify throwing strong accusations at said government.

Admittedly, I have lots of friends who have better access to classified data, and they assure me that we do have the evidence to pin the rap on China. But to be honest, I'm not really sure if I believe them. If we did have the evidence, why wouldn't we share it? What possible reason would a person, company, or government agency have for not publicly disclosing irrefutable evidence of Chinese government hacking in the face of their strong protestations to the contrary?

I've heard lots of interesting defenses, ranging from "we wouldn't want to make the Chinese government mad" (which is strange considering nothing would make me madder than unsubstantiated accusations on the world stage), to "nation state hackers never, ever, leave hacking trails" (I've never known any government or hacker to do anything perfectly) to "revealing the evidence would reveal our intelligence methods and sources." I can't believe that not one bit of evidence can be revealed to answer the Chinese government's protestations of false accusations.

Most of my friends assume I'm lost in some naïve "innocent until proven guilty" mentality. They say that absolute proof of Chinese government hacking will never come out, that the best we can do is present overwhelming circumstantial evidence that the Chinese government has committed the crime. To be honest, I've never been overly impressed with cases decided on purely circumstantial evidence. I'm certainly not ready to use it to pass judgment on an entire country.

Suppose for a moment that the Chinese hacking is completely (or even mostly) perpetrated by private Chinese citizens. Certainly this is just as plausible a scenario, and we have proof of this one in the form of originating IP addresses and other published evidence. By not acting more forcefully to decrease cybercrime, is the Chinese government somehow responsible for it? I ask here because I truly do not know. I know of other countries that seem to knowingly encourage cyber-hacking through neglectful lawmaking. But I've not heard of China being placed in the same category.

Is the Chinese government overly neglectful in cybercrime law or enforcement? Or, as I suspect, is the Chinese government just not doing a super job at it, like my own government? I mean, we passed the CAN-SPAM Act in 2003, yet since then, spam has escalated to the point that it constitutes more e-mail traffic than does legitimate email. We also certainly have dozens of state and federal laws against cybercrime, yet millions of our citizens fall victim to exploits and malicious hacking each year. We prosecute almost no one (for a variety of reasons).

The bottom line here for me is, until I see irrefutable evidence that the Chinese government has knowingly been involved in sponsoring foreign cyber-hacking, I can't help but presume the government is innocent of this particular wrongdoing. Too many falsely accused people, companies, and even countries have been found innocent of the early charges in a fully functioning, open justice system for me to think otherwise.

And if someone has evidence, why not release it to end the debate? Until then, I'm going to suspect that China has the same problem as all the other countries around the world in controlling malicious hacking by its citizens. 再见 (Zai jian, "good-bye" in Mandarin)
