Is China's Military Behind Cyberattacks on U.S.?
IRA FLATOW, HOST:
This is SCIENCE FRIDAY, I'm Ira Flatow. The Internet is the new battleground.
PRESIDENT BARACK OBAMA: We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.
FLATOW: In his State of the Union address, President Obama said we need to focus more on cybersecurity. That point was driven home this week by a report released by Mandiant, an American security firm, which claims a unit of the Chinese military has been carrying out extensive cyberespionage against the U.S. since 2006.
And it goes beyond stealing corporate secrets. The report says agencies that control critical infrastructure, everything from power grids to hydro, have been targeted by Chinese hackers. Is China engaged in cyberwarfare against the U.S.? And if it is, why are we so surprised? Doesn't the U.S. do it, don't - doesn't everybody do it?
In this brave new world of cybersecurity, how can we protect our most valuable networks and systems. Our number is 1-800-989-8255 if you'd like to get in on the conversation. You can also tweet us @scifri, @-S-C-I-F-R-I, go to our website at sciencefriday.com.
Jon Lindsay is a research fellow at the University of California Institute on Global Conflict and Cooperation, that's at U.C. San Diego. He joins us. Welcome to the program.
JON LINDSAY: Thanks, good to be here.
FLATOW: Is the president overstating the threat?
LINDSAY: Well, there's definitely a lot of malicious cyberactivity that's happening. The question is whether this really raises to the level of a national security threat, whether because it is a massive transfer of wealth through espionage or if there are risks to our critical infrastructure on the level of, you know, large-scale military attack. And there are big debates on both of those questions.
FLATOW: But he is right about all the attacks that are occurring.
LINDSAY: Absolutely. We can certainly observe a lot of activity, especially from China there is a lot of hacking activity. But again the question is how do you relate activity to actual strategic effect. And that is a more tenuous question.
FLATOW: Let's talk about this new report. What kinds of things did we learn from it?
LINDSAY: So this new report is fascinating for - you know, we've had several very interesting reports over the last several years of hacking, which almost certainly originated in China, but that was always based on looking at the motive, the kinds of targets that were hit, maybe a history of attacking, things like this. This is the first report in the public domain, which makes a very, very strong case for not only China, not only the Chinese military but this particular unit.
So, you know, I think that attribution case in this was pretty good.
FLATOW: So you think that the real news is that it's in the public domain because most people in the business know this already?
LINDSAY: Yeah, I think that's true. I mean, when you look at the kinds of information that they provided, no piece of information on its own was a smoking gun, right. So I mean you have Internet addresses from China, you have servers that are in China, you have telephone numbers used to verify Gmail accounts that are in China. You have some, you know, Chinese language in some of the code and idiosyncratic behavior and whatnot.
So, you know, any of these by themselves don't work, but when you see how you put them all together, that's how you see how the fusion of all that intelligence can help to make the attribution case. So I think this just helps to highlight the kind of information that people in the forensics business have been tracking for a while.
FLATOW: And in the report, what type of organizations are being targeted?
LINDSAY: In the report, you know, they lay out a very wide range. I mean, it's everything from the energy industry to the chemical industry to information technology was one of the big ones. I mean, you name it. And what's very interesting is that there's a pretty good, you know, correlation between that and the strategic emerging industries that China is interested in developing.
So again, this is, you know, the kinds of targets are the kinds of things that, you know, China would be interested in.
FLATOW: Something like our infrastructure, like our electrical grid, things like that?
LINDSAY: Sure, but again, you know, you have to ask what is the reason that they're looking at these things. I mean, is - are they interested in finding out information about how it works so maybe they can improve their own operations or, you know, economic espionage? Or is this, you know, the toehold for the great cyber-Pearl Harbor?
And this is where it's - you know, I find that proposition a little bit harder to believe.
FLATOW: Is it more than you think for stealing company secrets or strategies for negotiating with the companies that they deal with all the time?
LINDSAY: Yes, I mean, there's a great deal of theft in all of these things, and you can definitely think of lots of things. There'd be research and development on products and processes that could be valuable, negotiating plans and strategies, mergers and acquisitions could be incredibly valuable, a lot of stuff.
But then all this information then gets, you know, sucked into the Chinese intelligence apparatus. The first question is: Well, are they actually getting that information? You know, we know that there's an incredible amount of junk information on networks and on the Internet in general. So finding that needle in the haystack when you've got the haystacks growing really quickly is very, very difficult.
Then they have to identify that that is useful information. Then they have to be able to get that to a customer that can use it. And there's a great deal of Chinese bureaucracy in the Chinese state between, you know, the PLA Third Department and the actual state-owned enterprises that might be able to use it.
Then they would have to recognize it. So, you know, I guess my bottom line is you can steal text, but you can't steal the context that makes that text really, really valuable. So we see a tremendous amount of information being sucked out that would be potentially useful, but to actually call that a transfer of wealth requires that the Chinese are actually able to do something with it, and that's something that we really do not know anything about.
And the Mandiant report did not give us any new information on that front.
FLATOW: But China can't be the only country that's doing this. Don't we all do it?
LINDSAY: I - that's a great point. You know, there was a - the U.S. government released a report a year and a half, two years ago that also named Russia as a major player in cyberespionage for economic purposes. But clearly the U.S. is very involved. You think of Stuxnet, Flame, Duqu, Gala, a lot of these kinds of things that were designed for, you know, more political- and military-type espionage.
This is certainly a new modality of information collection, and, you know, all countries with advanced intelligence organizations and military are in on the game.
FLATOW: Let me go to the phones, 1-800-989-8255. Let's go to Terry(ph) in Robbins, Tennessee. Hi Terry.
TERRY: Hello, Ira. Thank you.
FLATOW: Hey there, you're welcome.
TERRY: My question is the - well first of all, it's all of the above as far as the uses, but isn't all that outsourcing that we did of sending all of our computer manufacturing and everything to China really showing up to be real cheap now, that we're going to have to deal with all the repercussions?
FLATOW: Are you saying that - and this is an interesting point. If we're buying all oru hardware from China, could there not be stuff, Trojan horses and things inside the hardware they're sending us?
LINDSAY: Yeah, that's a really important concern. You know, we talk about the security of supply chains and the fact that, you know, China is the factory and the workshop of the world, especially on IT. You know, there could be a lot of back doors. And in fact this is a concern that prompted Australia to ban Huawei, which is the major telecommunications company, they build servers and routers, Internet infrastructure, they banned them from bidding on their high-speed backbone project.
There also was a House report on Huawei, which recommended against dealing with either Huawei or ZTE for exactly these kinds of reasons. You know, but that kind of shows you that, you know, that concern can have a huge business impact for these corporations. So do they necessarily have an interest in getting involved?
Plus, again, you know, I won't get into the technical details, but if you start thinking about, you know, if you put a bug in there, then actually being able to use it at a time and place of your choosing is going to be a really difficult proposition because supply chains are incredibly, incredibly complex. So being able to activate that logic bomb, if you will, and understanding where it is and understanding all of the other complex factors that go into its embeddedness in human and technical systems is a really, really hard thing.
So, you know, it's a genuine concern, but again it's a technical possibility is probably a lot greater than its actual probability.
FLATOW: Is there a high-tech fix to any of this snooping around?
LINDSAY: To snooping around? No, I don't think there's a high-tech fix because, you know, if you -you know, the Mandiant report and, you know, plenty of other reports from MacAfee or Symantec which kind of walk you through similar information show you that the weaknesses are less technical and more in exploiting just human gullibility or, you know, people who let their guard down.
Some of these phishing emails are incredibly sophisticated, right. I mean, if it comes from your boss, and it's talking about a project that you're working on, you're going to be very likely to open that file. Well, you've just installed a root kit onto your server, and now they can start moving laterally and, you know, compromising other pieces of the network.
FLATOW: So that's how they can do it? You had something called spear phishing, which is even higher level than regular - P-H-I-S-H, phishing.
LINDSAY: Yeah, so the term speak phishing means that, you know, they have identified you and your interests and your relationships. So for example, you know, you might get an email from one of your colleagues at NPR that says hey Ira, this is about the story that we're running next week. And you're like OK, that's interesting. You would open that up, bam you get hit.
So they made it very, very believable because they did the intelligence work on your background, which is now very easy to do because we have Twitter and Facebook, and people put all kinds of personal information that they can basically, you know, fake a contact.
FLATOW: Yeah, that's why I don't open my NPR mail anymore.
FLATOW: So is there - what do you see of the future here? Where is this headed?
LINDSAY: Well, I think that there's going to continue to be a lot of noise and friction in cyberspace. This isn't going to get fixed, but I think it's just going to be sort of the general level of background radiation that we will get used to. You know, when militaries go to war, there will be a cyber component, but people don't go to war because of cyberspace, you know, they just use it as one tool amongst many.
So, you know, it's going to be a complex world, but I don't think it's necessarily going to be a more dangerous world.
FLATOW: If you unplug for total security, can you have total security? Let's say you want to just unplug from the Internet and stay in-house.
LINDSAY: Yeah, absolutely. I mean, you know, the only reason that people can hack your computer is because you're connected to the network. So if you don't connect to anything, you can't do anything. But then it's not very useful. And this gets to the fundamental tradeoff in a lot of the policy that we're considering.
If we get really scared about the threat, and we start imposing, you know, technology standards and, you know, all kinds of things that would impact the productivity of our information networks, then you're going to see kind of the great gifts of the information economy start to be whittled away.
So right now we just don't have a good sense of how fast the threat is increasing relative to the productivity benefits of computers. And everything that I've looked at says that, you know, for every dollar that we make because of computers in the workplace, you know, we're definitely not losing a dollar, in fact we're losing, you know, far less than that.
FLATOW: All right, I've got to go, Jon.
FLATOW: Thank you very much, Jon Lindsay of U.C. San Diego. We'll be right back after this break. Stay with us. I'm Ira Flatow; this is SCIENCE FRIDAY from NPR. Transcript provided by NPR, Copyright NPR.