The Great Cyber-Warfare Scam

China-bashing made easy

by , February 20, 2013

The War Party never sleeps: there are always new variations of war propaganda coming ’round the bend. With the coming of the internet, the latest manufactured "threat" to rear its head is "cyber-warfare," which is now being touted by the Obama administration and its media fan club as the Next Big Scary Thing – but what are the facts?

The first fact we need to integrate into our analysis is that "cyber-security" isn’t a science, it’s an industry: that is, the entities issuing alarming reports of this lurking threat are for profit companies mainly if not exclusively concerned with selling a product. And while the "threat landscape," as the jargon phrases it, is potentially very diverse, with a number of countries and non-state actors potential combatants, our cyber-warriors have targeted China as the main danger to our cybernetic security – the Yellow Peril of the Internet Age. They’re stealing our technology, our secrets, and infiltrating our very homes! This is largely baloney, as Jeffrey Carr, founder of Project Grey Goose and Taia Global, a cyber-security firm, and author of Inside Cyber Warfare, points out:

"[I]t’s good business today to blame China. I know from experience that many corporations, government and DOD organizations are more eager to buy cyber threat data that claims to focus on the PRC than any other nation state. When the cyber security industry issues PRC-centric reports like this one without performing any alternative analysis of the collected data, and when the readership of these reports are government and corporate officials without the depth of knowledge to critically analyze what they’re reading (i.e., when they trust the report’s authors to do the thinking for them), we wind up being in the position that we’re in today – easily fooled into looking in one direction when we have an entire threat landscape left unattended. We got into that position because InfoSec vendors have been left alone to define the threat landscape based upon their product offerings. In other words, vendors only tell customers to worry about the threats that their products can protect them from and they only tell them to worry about the actors that they can identify (or think that they can identify). This has resulted in a security awareness clusterfuck of epic proportions."

The "cyber-threat" from China has been much in the news lately, and any number of self-proclaimed "experts" with a financial stake in hyping this latest bogeyman have been pointing an accusing finger at Beijing whenever some government agency or big corporation discovers cyber-vandals in its domain. The latest is a report issued by a private cyber-security firm, Mandiant, which claims these attacks are occurring under the auspices of the People’s Liberation Army (PLA). It is, of course, just a coincidence that this accusation limns a recent National Intelligence Estimate, which – according to the New York Times, itself supposedly victimized by Chinese hackers – "makes a strong case that many of these hacking groups are either run by army officers or are contractors working for commands like [PLA] Unit 61398."

Yet, as Carr discusses here, the Mandiant report has several analytic flaws. To begin with, the "mission area," i.e. the nature and alleged goal of these intrusions, is supposed to identify China as the culprit because the latest APT (cyber-security jargon for "advanced persistent threat") "steals intellectual property from English-speaking organizations," and that these thefts coincide with the technical requirements of China’s current Five-Year Plan.

This kind of "logic" ought to make your BS-detector go haywire, recalling Carr’s warning that there’s a bad case of perception bias at work here: that’s because other nations, and non-state actors such as criminal gangs, also launch cyber-attacks on English-speaking organizations, which in many instances parallel the interests contained in China’s Five-Year Plan. Russia, France, Israel, and a number of other countries have advanced cyber-warfare capabilities, and haven’t hesitated to use them for purposes of industrial espionage, among other reasons: Eastern European gangsters are also players in this game. Yet there is no mention of these alternatives in the Mandiant report: according to them, it’s all about China.

Mandiant claims that because the rash of recent intrusions have involved operations requiring hundreds of operators, that only a nation-state with "military-grade operations" could possibly have carried them out. Yet more than 30 nations are currently running "military-grade" operations, as Carr informs us: why pick on China?

Well, says Mandiant, because the intrusions they analyzed used a Shanghai phone number to register an email account, for one. Yet this proves exactly nothing. Okay then, what about the fact that "two of four network ‘home’ Shanghai blocs are assigned to the Pudong New Area," where the PLA’s Unit 61398 is located? This also proves exactly nothing: the Pudong New Area has over 5 million inhabitants. It is smack dab in the center of China’s booming commercial and hi-tech metropolis. Ask yourself how many IP addresses originate from this area. Oh, but one of the "PLA" hackers’ "self-identified location is the Pudong New Area." Really? So what? Aside from the demographic information supplied above, one has to wonder if these people really believe everything they see on the Internet is true. C’mon, guys!

The New York Times has been pushing the Yellow Cyber-Peril theme ever since their computer system was hacked, but the question of who exactly was responsible for that intrusion is by no means proved. In a Times piece on the subject – with the rather whiney headline "Hackers in China Attacked The Times for Last 4 Months" – we again come across Mandiant pointing to the Chinese military as the culprit, but their case against the PLA falls apart under the most cursory inspection. For example, Mandiant’s "analysis" is based in part on the observation that these alleged Chinese

"Hacker teams regularly began work, for the most part, at 8 a.m. Beijing time. Usually they continued for a standard work day, but sometimes the hacking persisted until midnight. Occasionally, the attacks stopped for two-week periods, Mandiant said, though the reason was not clear."

Bull hockey. There are a number of other countries in the same time zone that have active hacker communities. The idea that the timing of these attacks somehow pinpoints "Chinese hackers" associated with the PLA is laughable. As Carr puts it:

"The hackers could have been from anywhere in the world. The time zone that Mandiant imagines as a Beijing workday could easily apply to a workday in Bangkok, Singapore, Taiwan, Tibet, Seoul, and even Tallinn – all of whom have active hacker populations."

Mandiant – hired by the Times to investigate the intrusion, and currently in negotiations with the New York Times Company over a possible ongoing business relationship – cites the fact that the intrusions supposed originated at some of the “same universities used by the Chinese military to attack U.S. military contractors in the past.” Yet there are many universities located in the Jinan area Mandiant homes in on, and geolocation in this instance, as Carr says, "means absolutely nothing." He also raises an important point: if the Chinese military was behind the Times hack, then why would they launch these attacks from a location previously identified with the PLA? That’s seems rather too obvious, especially in view of the lengths to which hackers go to cover their tracks. Wouldn’t China’s Ministry of State Security, their official intelligence agency, be assigned that task? Yet their facilities are located in Beijing, over 200 miles away from Jinan.

Most people are ignorant of the technical details utilized by commercial enterprises like Mandiant to gin up an alleged "threat." One supposedly scary tool used by the "Chinese" hackers is a Remote Access Tool, and we are told that the specific methods used in the past by alleged Chinese hackers are matched to the Times intrusion. This is just plain wrong, however, as Carr explains:

"The article mentioned the hackers use of a Remote Access Tool (RAT). One such widely used tool is called GhostRAT. The fact that it was used in an attack against the Dalai Lama in 2008 (GhostNet) doesn’t mean that all of the later attacks which used this tool originated with the same group. In fact, even the GhostNet researchers refrained from attributing this attack to China’s government.

"Another tool whose use is often blamed on Chinese hackers is the ‘xKungFoo script.’ Like GhostRAT, the xKungFoo script is widely available for anyone to use so even if it was originally created by a Chinese hacker, it doesn’t mean that it is used by Chinese hackers in all instances. I personally know Russian, English, and Indian hackers who write and speak Chinese."

This is simple logic: you don’t have to be a cyberwarfare "expert" to realize there are many possibilities when it comes to identifying the people behind the methods. If you’ve already decided who is the perpetrator, however, then Mandiant’s accusations directed at Beijing fit neatly into the available "evidence." That’s how confirmation bias works.

The major piece of "evidence" supposedly pointing to the Chinese government is the timing of the intrusion: just as research for a Times story on the financial dealings of a top Chinese government official, Wen JaiBo, was "nearing completion." According to the Times, the hackers gained access to email accounts belonging to Shanghai bureau chief David Barboza, author of the Wen expose, as well as Jim Yardley, bureau chief covering South Asia. Yet the Wen connection is contradicted in the very next paragraph of the Times‘s own account, which says:

"’Computer security experts found no evidence that sensitive e-mails or files from the reporting of our articles about the Wen family were accessed, downloaded or copied,’ said Jill Abramson, executive editor of The Times."

So what’s the connection to the Wen story? In addition, Yardley had nothing to do with the Wen story, and yet his email was also breached, along with the passwords of 53 employees who are not in the Times newsroom. So what does this add up to? A big fat zero, as far as evidence of China’s involvement is concerned. China is merely the go-to cyber-villain of the moment, and this is certainly true where Mandiant is concerned.

The same kind of dicey "evidence" is being used to accuse Iran – you saw this coming, didn’t you? Again, the tech-ignorant New York Times is in the lead, with a story echoing the claims of US officials that Tehran was behind the recent cyber-attacks launched against several American banks. You can almost hear the spooky music in the first two paragraphs of the piece, by Nicole Perlroth and Quentin Hardy, which gives an account of how the hackers slowed down and disabled banking sites, and then goes on to say:

"There was something disturbingly different about the wave of online attacks on American banks in recent weeks. Security researchers say that instead of exploiting individual computers, the attackers engineered networks of computers in data centers, transforming the online equivalent of a few yapping Chihuahuas into a pack of fire-breathing Godzillas."

Godzilla’s on the loose! And it’s an Iranian Godzilla! Yikes!

"The skill required to carry out attacks on this scale has convinced United States government officials and security researchers that they are the work of Iran, most likely in retaliation for economic sanctions and online attacks by the United States.

"’There is no doubt within the U.S. government that Iran is behind these attacks,’ said James A. Lewis, a former official in the State and Commerce Departments and a computer security expert at the Center for Strategic and International Studies in Washington."

The skill required to carry out these attacks was minimal. As Roel Schouwenberg, senior researcher at Kaspersky Labs, put it:

"We can confirm that the attacks being reported are happening; however, the malware being used, known as ItsOKNoProblemBro, is far from sophisticated. It’s really rather simple. It’s also only one part of the puzzle but it seems to be effective, which is all that matters to the attackers. Going strictly by the publicly known technical details, we don’t see enough evidence that would categorize this operation as something only a nation-state sponsored actor could pull off."

More "evidence" offered in support of the "Iran-did-it" theory is that these attacks did not garner any information: no data systems were breached. It was, in short, pure cyber-malice directed at American banks. If this is supposed to somehow prove the Iranians are the culprits, then it is weak tea indeed: because there are any number of groups who hate American bankers, including, I would venture, the vast majority of the American people. These DDOS attacks seem more like the sort of thing we might expect from a group like "Anonymous" than from a state actor such as Iran.

Of course, the paucity of evidence didn’t stop Sen. Joe Lieberman from declaring:

"I don’t believe these were just hackers who were skilled enough to cause disruption of the websites. I think this was done by Iran … and I believe it was a response to the increasingly strong economic sanctions that the United States and our European allies have put on Iranian financial institutions."

As is the case with Iran’s alleged nuclear weapons program, which our own spooks have said does not presently exist, the technical details are obscure to most of us, and therefore this realm is given over to "experts," both real and imagined. To Sen. Lieberman and all too many in the media, it’s just a matter of picking and choosing your "experts," and making the "facts" fit your preconceived notions.

Aside from ginning up conflict with the War Party’s chosen targets, the whole cyber-war scare-mongering campaign, whether the alleged "threat" is said to be emanating from China, Iran, or wherever, is also very convenient for proponents of Internet regulation who want to install back doors on every web site, and every software system, so the feds can "trace" these alleged "cyber-terrorists." It is, in short, a scam, part and parcel of a political campaign to rein in the wild and wooly – and largely unregulated – Internet, and make it more amenable to the interests of our wise rulers.

The mystification of science, and the culture of "expertise," has greatly aided the War Party in their propaganda efforts. Instead of making up stories about babies being bayoneted in their cribs – although there is still some of that – we are given mind-numbingly technical explanations that point to purported acts of "cyber-terrorism" carried out by China, Iran, or the villain-of-the-moment. Except that the supposed "evidence" turns out to based on non-credible assumptions and faulty technical analysis.

Remember, we’ve been through this sort of thing before: all the "intelligence" supposedly pointed to the irrefutable "fact" that Iraq possessed "weapons of mass destruction," which it was about to launch against its neighbors. That turned out to be a lie. Much of this baloney came wrapped up in impressive-sounding technical jargon, and was validated by the media’s chosen "experts."

Has anybody learned anything from that experience? I’m thinking in particular of the members of the Fourth Estate, otherwise known as "journalists." The answer, unfortunately, seems to be no.

NOTES IN THE MARGIN

I’m on Twitter quite a bit these days: you can follow me here.

Here is the link for buying the second edition of my 1993 book, Reclaiming the American Right: The Lost Legacy of the Conservative Movement, with an Introduction by Prof. George W. Carey, a Forward by Patrick J. Buchanan, and critical essays by Scott Richert and David Gordon (ISI Books, 2008).

Buy my biography of the great libertarian thinker, An Enemy of the State: The Life of Murray N. Rothbard (Prometheus Books,2000), here.

Read more by Justin Raimondo