Is a cold net.war going on between the US and China?

19 March 2008

Every once in a while a news article about attempts to crack US military and government systems coming out of China or the Middle East hits the wires; rumors of groups of systems crackers belonging to the Air Force/United Nations/Department of Homeland Security/Microsoft/the Illuminati regularly make their rounds at hacker conventions. Military data nets are increasingly becoming targets of crackers from abroad, who are safe from prosecution and extradition because it's so difficult to start legal proceedings against someone you don't even know, let alone grab by the scruff of the neck (police dramas and MLATs to the contrary). It's not just the military that's coming under packet fire either: government think tanks and defense contractors are also feeling the burn of intruders clawing at their firewalls and sticking their fingers into their e-mail servers. There's just one thing: this has been going on for the better part of twenty years, if not longer. I don't think that it's slowed down any, and it's not about to stop.

Cracking machines that belong to high profile organizations like NASA has been a rite of passage for crackers since the early 1990s, if not earlier. The data nets of the Federal Bureau of Investigation have been cracked from time to time, verifiably dating as far back as the mid-1980s. Hell, Gary McKinnon proved what the government's known since Cliff Stoll bopped them over the head with it - their security sucks.

As if this wasn't enough, there's a non-zero probability that, even though the attacks are coming from Chinese nets, it might not be China that's behind them. A major component of warfare in the modern day is posturing and propaganda - power believed is power claimed. Just because a group of crackers posted to a website someplace that the Chinese government funded their infiltration of someone's data network does not mean that they were telling the truth. Just because the Chinese government has declared that they're training and deploying cadres of net.warriors does not mean that a) they are actually ready to do so, or b) they were telling the truth, either. Just because a network was taken down by a flood of network traffic does not necessarily mean that a DDoS attack was behind it; it could just as well have been a cracked file server loaded up with movies and warez and posted to a busy IRC channel.
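The "flood or flash crowd?" question is one you can actually put to the server's own logs before anyone starts assigning blame. The following is an added example, not code from the original post: it profiles access-log lines and separates "thousands of strangers all fetching the same big file, successfully" (a warez crowd) from "junk requests from everywhere, mostly failing" (an application-layer flood). The log lines, the log format regex, the field names and the thresholds in classify() are all assumptions constructed for the example; the sample addresses are from documentation ranges.

```python
import re
from collections import Counter

# Assumed log format: combined format without the referer field.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<ua>[^"]*)"$'
)

# Constructed sample: six different clients, five of them pulling one large file.
FLASH_CROWD_LOG = """\
203.0.113.10 - - [19/Mar/2008:10:00:01 +0000] "GET /pub/clip.avi HTTP/1.1" 200 73400320 "Mozilla/5.0 (Windows)"
203.0.113.11 - - [19/Mar/2008:10:00:02 +0000] "GET /pub/clip.avi HTTP/1.1" 200 73400320 "Wget/1.10"
198.51.100.7 - - [19/Mar/2008:10:00:02 +0000] "GET /pub/clip.avi HTTP/1.1" 206 10485760 "Mozilla/5.0 (X11; Linux)"
198.51.100.8 - - [19/Mar/2008:10:00:03 +0000] "GET /pub/ HTTP/1.1" 200 2048 "Mozilla/5.0 (Macintosh)"
192.0.2.44 - - [19/Mar/2008:10:00:03 +0000] "GET /pub/clip.avi HTTP/1.1" 200 73400320 "curl/7.18"
192.0.2.45 - - [19/Mar/2008:10:00:04 +0000] "GET /pub/clip.avi HTTP/1.1" 200 73400320 "Mozilla/5.0 (Windows)"
"""

# Constructed sample: random paths, no user agent, errors and half-open requests from many sources.
FLOOD_LOG = """\
203.0.113.50 - - [19/Mar/2008:11:00:00 +0000] "GET /a8f3 HTTP/1.0" 404 169 "-"
203.0.113.51 - - [19/Mar/2008:11:00:00 +0000] "GET /ztq1 HTTP/1.0" 404 169 "-"
198.51.100.90 - - [19/Mar/2008:11:00:00 +0000] "-" 408 0 "-"
198.51.100.91 - - [19/Mar/2008:11:00:01 +0000] "GET /index.html HTTP/1.1" 200 4096 "Mozilla/5.0 (Windows)"
192.0.2.200 - - [19/Mar/2008:11:00:01 +0000] "GET /k93m HTTP/1.0" 404 169 "-"
192.0.2.201 - - [19/Mar/2008:11:00:01 +0000] "POST /cgi-bin/x HTTP/1.0" 400 0 "-"
"""


def parse_line(line):
    """Return a dict for one access-log line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m.group("req").split()
    size = m.group("bytes")
    return {
        "src": m.group("src"),
        "path": req[1] if len(req) >= 2 else "",   # "" for malformed/empty request lines
        "status": int(m.group("status")),
        "bytes": 0 if size == "-" else int(size),
        "ua": m.group("ua"),
    }


def profile(lines):
    """Summarise traffic as shares that separate 'everyone wants one file' from 'junk from everywhere'."""
    recs = [r for r in (parse_line(l) for l in lines) if r]
    n = len(recs)
    if n == 0:
        return {"requests": 0}
    paths = Counter(r["path"] for r in recs)
    top_path, top_count = paths.most_common(1)[0]
    served = sum(1 for r in recs if r["status"] in (200, 206) and r["bytes"] > 0)
    junk = sum(1 for r in recs if r["status"] >= 400 or r["ua"] == "-" or r["path"] == "")
    return {
        "requests": n,
        "sources": len({r["src"] for r in recs}),
        "distinct_paths": len(paths),
        "top_path": top_path,
        "top_path_share": top_count / n,
        "served_share": served / n,
        "junk_share": junk / n,
    }


def classify(stats):
    """Heuristic verdict (thresholds are assumptions, tune them to your own baseline).
    'flash crowd': most requests are successful fetches concentrated on a few URLs.
    'flood': most requests are junk (errors, no user agent, malformed) spread over many URLs.
    Anything else is 'inconclusive'. A transport-level SYN flood never reaches the access log,
    so this only ever speaks to application-layer traffic."""
    if stats["requests"] == 0:
        return "inconclusive"
    if stats["served_share"] >= 0.8 and stats["top_path_share"] >= 0.5:
        return "flash crowd"
    if stats["junk_share"] >= 0.6:
        return "flood"
    return "inconclusive"


if __name__ == "__main__":
    for name, log in (("crowd", FLASH_CROWD_LOG), ("flood", FLOOD_LOG)):
        print(name, classify(profile(log.splitlines())))
```

Note what the verdict does not tell you: the source addresses in either sample say nothing about who is responsible, since a crowd pointed at your server by an IRC post and a botnet rented by someone are both "traffic from everywhere". The point is only that the shape of the requests is evidence you already hold, while "it came from China" is not.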

Moreover, an infiltration attempt coming from behind the Great Firewall of China doesn't mean that China was to blame - bouncing through someone else's machine to cover your tracks is a tactic so old that it's had children, grandchildren, and an affair with Captain Jack Harkness.

My point is this: when everyone cries that the sky is falling, useful OSINT gets buried under an avalanche of press releases and rehashes of the same news article. Yes, bad stuff is going on that involves government and military networks. Yes, there are cadres of systems crackers out there - this is nothing new. Yes, there are real attacks going on - what happened in Estonia is proof of that (as are verified reports of SCADA exploits in the wild). However, throwing blame around is not necessarily the best thing to do - it can create false leads and waste the time of the people trying to stop attacks and figure out what's really going on. It also makes buying snake oil products to cover one's ass an attractive option, which not only does the buyer a great disservice but makes the infosec community as a whole look bad. Arguably, the one thing worse than having no security at all is thinking that you're secure when in fact your threat model is completely wrong and your countermeasures do nothing against the attacks currently extant on the Net.

Also, remember this: Never underestimate the power of one person with too much free time on their hands.