Last week’s opening ceremonies were full of Russian stereotypes – ballet, nutcrackers, revolution, really bad techno. But one image that was far from a cliché was the cozy relationship between Russian President Vladamir Putin and his Chinese counterpart, Xi Jinping. Over at Concurrent Opinions, law professor and China expert Margaret K. Lewis, mused about what appears to be a deepening friendship and what this could mean for China. Will Xi be wearing a tracksuit anytime soon? Read Lewis’ post here.
Posts tagged: Russia
World leaders met this week in Washington, DC to discuss the danger of nuclear war. But as the world becomes increasingly reliant on the internet and increasingly connected through it, another threat is beginning to loom large – cyberwar. When noted technology giant Google is susceptible to cyber-attacks, that does not bode well for the rest of us. How safe is the U.S. from a large-scale cyber-attack? Today Chinese hackers attack Google’s servers, but what about tomorrow? Will the next attack be on something more critical, like a U.S. power grid?
To understand the complex issues underlying the world of hacking and cyber-espionage, and how it relates to U.S.-China relations, China Law & Policy sat down with a noted expert on both China and cyber-security, Dr. Adam Segal, the Ira A. Lipman Senior Fellow at the Council on Foreign Relations. In this exclusive interview, Dr. Segal discusses the nature of the attacks on Google, the involvement of the Chinese government in the hacking world and the danger China poses to the U.S.’ cyber-security. But as Dr. Segal makes clear, it is not a one-sided affair; the U.S. also plays a very active role in hacking and cyber-espionage, making it difficult to challenge China when something like the Google incident arises. Dr. Segal also explores the need for international cooperation on these issues and the role that international law can play in containing the threat. Unfortunately, as he points out, the world community is far from reaching any sort of agreement, leaving all nations susceptible.
Click here to listen to the interview with Dr. Adam Segal (read below for transcript)
EL: Can you just give our listeners a little bit of background on the hacking which lead to Google’s announcement in January that it was looking to leave China? How widespread and sophisticated was the attack and what was the theft that Google referenced in its press release if you know at all?
AS: Google announced that it was going to be shutting down its business in China. And what they said drove them to that decision was a hacking incident which seems to have two main components. The first was, as you said, a kind of attack on Google’s intellectual property, its corporate knowledge and corporate property. And the second was attacks on the G-mail accounts of human rights dissents. Google said it traced those attacks back to China; it didn’t implicate the Chinese government. Others, like the New York Times have traced it back to Shanghai Jiaotong University and a computer training institute but the source of it still remains a bit of a mystery.
There is some debate about how sophisticated the attacks actually were. They were referred to as the Aurora attacks. Google has consistently said that they were extremely sophisticated but a number of other security analysts have said that in fact they were fairly basic, that much of the code used has been floating around for a long time. What the IPR that the Chinese got or were trying to get is unclear, Google hasn’t specifically said. Some people seem to believe that it was basically that it was the data and databases that Google collects on its own users. So basically the kind of core knowledge that Google extracts from what Google users do, how they do it, when they do it, which would be one of the most important kind of assets that Google has.
EL: In tracing back, or Google saying that the attacks were traced back to China, why is that difficult to ascertain? To what degree…Can you put a percentage on how accurate you can trace back an attack?
AS: The problem is that you can continually trace back the attacks to certain computers or to certain networks or IP addresses, but often once you get there, some more poking around leads you to another computer behind that. And the other thing is the hackers themselves can spoof the address that they are using. I think there becomes a fairly high degree of certainty about where the attack might have come within a national network. In some cases, even down to specific IP addresses. But even then you don’t know who the hacker was that was involved and you don’t know the hackers relationship to any state organization or anybody else for that matter.
EL: And in terms of China specifically, the cyber-hacking, how prevalent is cyber-hacking from China compared to other countries like Russia or even the United States? Is China being singled out here?
AS: I think China is being singled out in a sense. I mean given that it was a high profile attack on a company like Google, but also given the state of U.S.-China relations right now, that it fed into a worsening tenor in the bilateral relationship. But in raw numbers, for criminal activity, clearly Russia is very high up there and we saw the political uses of cyber-hacking in the case of the Georgian war and Estonia and some other high profile political cases. And there is a large amount of hacking that comes from the United States and that’s actually one of the big complaints on the Chinese side – is that the Chinese are being scapegoated and they themselves are often victims of attacks and many of those attacks come from servers in the United States. When you look at the number of bad ISP – Internet Service Providers – that are hosting botnets and other kind of zombies that are attacking, there are a large number of them that are in the United States. So, China is also a victim.
EL: Just focusing on just China and the hacking there, can you explain maybe a little bit more what the hacker community is like in China. Is it an organized community? And what motivates the hackers – do they do this just for fun or are they ever “hired” for their skills? And also how do they determine targets – how was Google determined? Was that just something for fun or for profit?
AS: I think the community itself is incredibly hard to characterize. It’s very diverse, it’s, I think, very decentralized. The community represents kind of the similar community that there is in the United States and Russia. There are what they called script-kiddies – people, teenagers who are doing it for fun or to show off or to see what they can actually accomplish. There are criminals – people that are just hacking for financial gains. There are what are called patriotic hackers – people that hack websites out of a kind of nationalistic feeling. Then there are hackers that are probably employed by the Chinese government, probably by the military and the security agencies that are used to attack specific targets for political reasons. And then there are hackers in the military that are thinking about how cyber would be used in an actual military conflict.
Of course, the important question is the relationship about all of these people and I don’t think we really have a very good idea. Clearly, there is some blurring of boundaries of patriotic hackers and criminal hackers. The system itself seems to be in many ways a kind of mirror of the system that has made China such a power in the global manufacturing which is that there are kind of contracts and subcontracts and subcontracts of what people do. Somebody might be in charge of writing a very low-level code and that code is then packaged up and used by people above them, who may then might contract for a specific project or may sell it on the open market. Certain things are just put out there on hacker websites and you can just download them and buy them just for your own thing.
Why Google was targeted. If, as Google says that they were part of an attack that seems to have included at least 30 other technology companies, there does seem to be a push from Chinese intelligence community, from its espionage community, to try and get advanced technology from foreign companies. So we have seen for at least five years, if not longer, pretty concentrated, focused attacks on defense contractors and other U.S. technology providers. And then, once you add the attack on the dissidents as well, then that also seems to be one of the interests of the attacks. But who was, who within the Chinese government organized it or put it in a larger strategy, I think that we really have no idea.
EL: I guess that raises kind of the other issue that has been floating around there with the Google incident and cyber-hacking in general, is to what degree is the Chinese government involved in some of these incidences? I know Northrop Grumman issued a report last year to the US-China Economic and Security Commission analyzing the link between, hacking for military purposes, but this general hacking of corporations, could it be that the Chinese government is behind it? And also, when you make this distinction of political hackers, would that be motivated by the Chinese government or is it just a by-product of the nationalism that seems very active in China right now?
AS: I don’t think we know. I think the most we can say is on the espionage side, it just matches, or it pushes in the same direction of a general concern we know that China has about technological dependence and wanting to gain as much technology from the West as possible. That strategy I think has been in place for fifteen, twenty years. That includes perfectly harmless, normal technology policy about how China is going to increase its own technological capabilities, goes from that to espionage and theft. You would expect that that would include the normal type of espionage or bribing, stealing, theft of secrets from corporations, to now including cyber-espionage and attacks and those things. So I would say that the government has a role in the sense that it has set this general direction of the policy and these concerns about technology and China’s desire for it.
Clearly the intelligence agencies probably have a sense of specific technology that they are concerned about and want to know more about. So the hacking of the F-35 and the F-22 and those kind of things, those are clearly probably driven by government agencies who are looking at a potential conflict with the United States and want to know what those capabilities are.
But once you get to the level of Google – is there a government official that says, well if we hack Google, then we can give that information to Baidu [the popular Chinese search engine] and we can have a competitor, I don’t think we can know. That clearly is a possibility but at this point, it may just be criminal. It may be a criminal that turns around and says to Baidu – we can sell this to you.
On the dissident side, I think it is probably very similar also. I think in some cases the security agencies may have….are targeting specific individuals who are using those capabilities. In other cases criminal hackers go after people and then turn around and say to the intelligence agencies – we’ve got this person so either do something for us or pay us for the information.
EL: In the press it has often been the Chinese government attached to this cyber-hacking, but does the Chinese government ever see this cyber-hacking as a threat to its own rule either from domestic hackers or from hackers in the U.S.? Are the government agencies ever a victim of the cyber-hacking and cyber-espionage either domestically or from abroad?
AS: Yeah, I would think all of the time. I think, from the international perspective the Chinese basically assume that the United States is engaged in cyber-espionage all of the time. And that given our capabilities, in particular the capabilities that exist in the NSA – the National Security Agency – that they are….we are probably getting more from them then they are getting from us, in the Chinese perspective, and that we are constantly hacking them. So they point to that as well as to the discussions in the United States about creating a cyber-command in the military and discussions about controlling the commons and all these other things as kind of a representation of American hypocrisy. We are talking about militarizing cyber-space while they are being hacked. So I think yes, that’s clearly and issue from outside of China.
On the domestic front I think yes, that Chinese government agencies and corporations are being hacked. There’s been a number of prominent cases of Chinese hackers spreading malware to try and steal identity numbers and virtual money from these multiple player games. Very prominent hackers have been arrested and eventually imprisoned. So I think that is part of the threat.
The other threat is of course is that, dealing with these patriotic hackers is a double-edged sword for the Chinese government. There is a fear that while they are focusing externally, U.S. corporations or U.S. government websites, in the case of the Olympics on French websites and things like that. But if their ire is turned inward then those people could hack Chinese government websites. I think the Chinese government is very concerned and you can see that in discussions about their own cyber-security but also trying to develop new types of software. The problem is that the Chinese is hyper-reliant in Microsoft, something like 90% of Chinese government offices use Windows. A lot of that is pirated which means that it is not updated regularly for security patches. So there is a lot of vulnerability.
EL: You make this distinction between patriotic hacking, criminal hacking, commercial hacking, but under Chinese law itself, is hacking in general illegal?
AS: It is. There are laws on the books against hacking, criminal hacking, privacy laws. Those were strengthened in
December 2008 and then again in February of this year I think. The Chinese announced that they were going again to try to strengthen anti-hacking laws, in particular the kind of punishment for hackers. Also on-line privacy issues and some tort issues about privacy and defamation. Like I said, there are prominent cases of hackers who have been arrested and fined. This guy who wrote this malware called Panda malware I think it was, and was sentenced to I think 3 years and fined $18,000. So there are domestic laws against it.
EL: And do you think the domestic laws are sufficient in dealing with this? And also how do Chinese laws compare to laws in the United States against hacking?
AS: I think they’re comparable. I think the issue is with all laws in China has to do with implementation. Clearly the issue for the United States or other countries, investigating hacking requires more cooperation from the Chinese about, who’s behind the attacks and actually following up on prosecution. But I think within China, I suspect the issue is not the law per se but expertise….all the things we have in the United States about how do you prosecute cyber-crimes – expertise at the local level, resources, enough people staffing these kinds of issues. From the Chinese perspective also, the U.S. hasn’t been all that helpful either. I have heard a number of cases where the Chinese have turned around to the FBI and said –we think this hacking is coming from the United States. And the United States has not been all that responsive from what I’ve heard.
EL: I guess cyber-hacking, it’s definitely a crime more without borders. So how do you see international law or treaties coming into play here to battle the threat of cyber-espionage?
AS: I don’t think there’s much to be done about espionage. There’s no international treaties against espionage. We engage in it, they engage in it, our allies engage in it. I think that is likely to happen. I think espionage we have to figure out how we are going to defend ourselves against. The problem with espionage of course though is that it is hard to differentiate espionage from what could become vandalism or an attack. So I think what we want to kind of agree on with the Chinese is that we know espionage is going to go on, but things like probing electricity grids, that should not be occurring or other kind of critical infrastructure. We should be working on how do we declare those off limits.
On the criminal front there is a…the Council on Europe has this convention on cyber-crime. I can’t remember how many countries have signed it now, it’s about I think 20 or 40, I can’t remember exactly. But part of the problem is that most of the major players haven’t signed it; the U.S. has signed it, Japan has signed it but Russia hasn’t signed it. Which goes a long way in defining consistent standards across national borders about what a cyber-crime is, how do you punish hacking, create a deterrent. The problem with Russia, China things that we see as freedom of speech they see as a cyber-crime so that has been a problem in the case of Russia. But the Chinese seem to be at least studying the Council on Europe convention which often kind of the first sign that the Chinese are moving toward international standards. So I think that is a way to move forward. And within Asia itself, ASEAN has had a couple of discussion about creating a similar kind of convention on cyber-crime in the region.
And then the other issue is this international convention on arms control, on cyber-war. The United States has entered into discussions with the Russians about it. That I think is very difficult and I think unlikely to be very useful because in the kind of traditional terms of arms control verification, inspection, those are all impossible with cyber-weapons. So, that I think is useful just for talking for talking’s sake but will not result in any kind of concrete agreements.
EL: Just to follow-up on the convention on cyber-crime, you said that one of the problems is definition of terms. Is that the only thing that would hold back a country like China or Russia from signing on to this kind of convention? Or are there other factors?
AS: I think that’s a big one but I do think also that right now at least China and Russia find it politically and strategically useful to kind of have this arms-length relationship with hackers. As we talked about earlier, this ties the government’s willingness to directly use or indirectly use hackers for their own political purposes makes it….right now that’s a reason for them not to crackdown too hard on criminal hacking. So that is I think another reason why it has been hard to create a common ground.
EL: Do you think that there is any space for having maybe a bi-lateral agreement between U.S. and China or a tri-lateral agreement between U.S., China and Russia about issues of cyber-espionage like not probing electricity grids or things like that? Or do you think it would have to be global?
AS: Well I think any convention would have to be global. But I think there is a benefit for having these bi-lateral discussions only if because this area is newly emerging and policymakers I don’t think are particularly cognizant of all the risks and problems involved in any of these issues. So just having a discussion with the Russians and the Chinese and others about what the potential rules of the road might I think are probably pretty useful.
EL: Absent any kind of global agreement, how best should the U.S. government and U.S. corporations deal with this issue of their own? How can they better prevent it from happening? Or can they?
AS: That’s what we are struggling with now. The United States finally has the cyber-czar in place, Harry Schmidt. I think one of the big things that is still occurring in the United States is kind of a debate about what the best metaphor for this is, how do you think about this cyber-issue. You have those like, the op-ed in the Washington Post several weeks ago by the former head of NSA, McConnell, about basically cyber-war and we’re losing it and his response was very much a militarization of cyber-space. In fact he calls for something like the re-engineering of the internet so we can basically see where any attack is coming from.
And then you have Schmidt at a conference a couple of weeks ago saying – I don’t believe in cyber-war, I don’t think cyber-war is the right metaphor. And you have those people talking about resilience and more of a public health model for how you respond to these things – you have to defend, you have to respond, you have to quarantine.
So I think we have this broad outline, we have this debate to settle in the States. But the way we are moving is probably closer to the public health, well actually probably both tracks at the same time. From the defense side I think you are beginning to see more traction on private-public cooperation, about definitions of standards – what does secure actually mean and how should it be implemented, more spending on R&D for cyber-security, more training of people and that’s a major issue is about getting people trained, more public awareness. These are all domestic issues.
EL: And just a final question. Since President Hu Jintao is in the United States, in Washington today, do you think in his side talks with President Obama, the issue of cyber-hacking and cyber-espionage will be coming up? How important do you think the Administration views this issues especially in light of the fact that Secretary of State Clinton has openly talked about it?
AS: I suspect it wasn’t brought up in these meetings if only because over the last two and a half weeks it has been a clear effort on both sides to try to get the relationship back on track. Clearly the Administration’s major strategic concern right now is Iran and then with the currency being the second concern. So those are the two issues, from what I’ve heard, were discussed in the meeting. I suspect there were no reasons to bring up the cyber-issues because there are no solutions or discussion that is helpful to both sides at this point. So other than just poking them in the eye with it, I don’t see why they would bring it up. So I suspect it was not discussed.
EL: Thank you very much. This was very interesting and I appreciate your time.
AS: Thank you.
Originally posted on the Huffington Post
China remained noticeably mum on Friday as other member nations of the U.N. Security Council stood before the world and accused Iran of developing a secret nuclear enrichment site. Flanked by Prime Minister Gordon Brown of the U.K. and President Nicolas Sarkozy of France, President Obama promised to take strong action against Iran if the country did not fully disclose its nuclear ambitions and open all sites to international inspectors. Such strong action would include crippling sanctions on all trade to and from Iran. Even Russia appeared willing to consider sanctions if Iran failed to cooperate, breaking with Russia’s long opposition to such action.
China, on the other hand, prefers a different route. Stressing the need for diplomacy and negotiations, China announced that “sanctions and pressure should not be an option” in dealing with Iran. Although not completely ruling out sanctions, China desperately hopes that the upcoming talks with Iran scheduled to begin this Thursday satisfy the U.S. and obviate the need for sanctions.
Why is China so hesitant to support sanctions against a country that is secretly developing nuclear capabilities? History, geo-politics and economic ties are what set China apart from its Security Council brethren in dealing with Iran. But China’s growth as a world power has caused it to become a stakeholder in the current system. With this new-found power, China has begun to realize its actions, or lack of action, does in fact shape the world’s future course and as a result, its own global prospects.
History, History, History
China has long been an outsider to the western world order. Even after mainland China’s return to the U.N. Security Council in 1971, China was still largely considered a pariah state, a Communist country with severe human rights violations. China’s violent crackdown on the 1989 Tiananmen protests rolled back any international good will it was amassing and subjected China to crippling economic sanctions. It has only been in the past few years that China has become a significant voice in the international arena and respected by Western powers.
But for China, its past is far from forgotten. While it has significantly benefited from the current world order, China understands that other countries, either rightly or wrongly, are marginalized because of alleged human rights violations or nuclear development. As a result, China has developed a philosophy of “non-interference” in other country’s domestic affairs and has largely stuck to that attitude in dealing with countries that the U.N. or the U.S. might consider rogue. This is not to say that China condones such behavior; in fact China has been an ardent supporter of various global nuclear non-proliferation efforts and supported sanctions against North Korea for its nuclear development. However, with its sense of history, China will be slow to agree to sanctions against Iran, even if sanctions are in its long-term self-interest.
Iran plays an important role in China’s aspiration to become a regional power. With its rise, China has sought to create political alliances and economic ties with other countries in Asia and reduce the influence of the U.S. in the region. One such effort is the Shanghai Cooperation Organization (SCO). China leads the organization which has created greater economic interdependence among Russia, China and the Central Asian states. Iran, although not a member, currently holds observer status. China, along with Russia, has used the SCO to reduce the U.S. military presence in Central Asia when in July 2005, its members signed an agreement to push the U.S. to set a deadline for troop withdrawal from the region (Library of Congress Report, p. 68).
The SCO is beginning to function as a multilateral alliance system allowing China to exert its influence in a region where western powers are largely absent. To move too quickly in calling for sanctions against Iran, a country within the SCO’s domain, China could jeopardize its current leadership role in the region.
China’s strongest reason to oppose sanctions against Iran lies with its current economic ties to the country. In 2008, 12% of China’s crude oil imports were from Iran; the first five months of 2009 have seen an increase and China is on target to import 15% from Iran (Energy Information Administration Country Analysis Brief) . Furthermore, Chinese oil companies have invested heavily in Iranian oil fields. In December 2007, China’s Sinopec signed a $2 bn contract with Iran to develop the Yadavaran oil fields; in January 2009, CNPC, China’s largest oil and gas company signed a $1.7bn oil contract to develop the Azadegan oil fields. Although these investments are large, many question whether the Chinese companies have in fact moved forward with developing these fields. In the past, Chinese oil companies have signed deals with countries but have waited, even as much as ten years, for geopolitical issues to settle (According to the Brookings Institute, CNPC signed a contract with Iraq in 1997 but did not begin to the develop the oil fields until 2008, after threats of sanctions were over).
Similarly, China has looked to Iran for its large quantities of natural gas. In March 2009, the L.A. Times reported that Iran and China signed a $3.2 bn deal for natural gas development. But like the oil contracts, it is unclear if China intends to follow through with this agreement given the current politically-sensitive climate.
More real though is Chinese oil companies’ sale of gasoline to Iran. Although Iran has the second largest crude oil reserves in the world, it has little capacity to refine that oil and make it into usable gasoline. In fact, Iran imports 40% of its gasoline, mostly from European countries but also from China. Because of China’s increasing economic ties with Iran, sanctions that impact all trade with Iran could be particularly damaging to China.
China’s Countervailing Interests
On Sunday, it seemed as though everyone on the political talk shows called for China to join the U.S., France, Britain and Russia in condemning Iran and agreeing to join sanctions if need be. But China has not wavered on its stance of trying diplomacy first. At the same time, it has also not stated that it will oppose sanctions if the October 1 talks fail. And while political pundits, the media and elected officials in the West are currently criticizing China for not throwing its weight behind sanctions, it is China’s current silence on the issue that gives the October 1 talks the best chance of success. Without China’s commitment for or against sanctions, Iran is left guessing what its trading partner will do, and could acquiesce to U.S. demands to show blueprints of the new nuclear site and open its country to inspectors.
But if the October 1 talks fail, expect China to agree to sanctions, but likely not the ones that will be proposed by the U.S., France and Britain. In December 2006 and March 2007, in response to Iran’s nuclear development, the U.N. Security Council unanimously agreed to sanctions. However, through China and Russia’s insistence, these sanctions were substantially watered down and merely limited the sale of nuclear equipment and technologies to Iran and froze the assets of key individuals involved in Iran’s nuclear development.
The Obama Administration has already realized that a total embargo on gasoline shipments is not in the cards. Not only would Chinese companies be negatively impacted, but so would European oil companies that sell gasoline to Iran. Many E.U. countries have already come out against a total embargo.
But other measures, such as eliminating investments in Iran, might have more traction with China and could be something it agrees to in this round of sanctions. China has a lot to lose if Iran becomes a nuclear power or appears to be a nuclear power. First, while 12% of China’s crude oil imports are from Iran, 20% are from Saudi Arabia, a country that has already reprimanded Iran for its nuclear aspirations. Will China jeopardize that relationship by opposing sanctions?
Second, Israel’s response to an unchecked Iran could potentially lead to such instability in the region cutting off not only oil from the Middle East, but also key shipping lanes for China’s oil imports from other countries. China cannot afford to be cut off from any oil shipments since currently it only has 25 days worth of oil reserves.
Third, a nuclear Iran threatens the Central Asian strategic alliances that China has worked hard to create through the SCO. Arguably, the other Central Asian countries might begin to take their cues from Iran, dissipating China’s leadership role in the region.
Fourth, it remains unclear if China’s investments in Iranian gas and oil fields actually exist. If not, then China could easily agree to stop its investments in Iran. Even if China has already begun to develop these oil and gas fields, it is only at the start of these investments and under its contracts with Iran, China does not receive a return on the investment until development is completed. Any of China’s current contracts have a long way to go before completion.
Finally, China does want to become a responsible world player. It has actively sought membership in various international organizations and largely abides by their rules. Last year, during the North Korean missile crisis, China was on board in issuing a harsh reprimand of Kim Jung-Il’s actions.
If the situation with Iran further disintegrates and sanctions become necessary, the Obama Administration should push China to agree to sanctions that include a cut-off of investments in Iran. China might hesitate at first, but for the reasons stated above, they could agree to such measures. Getting China to stop importing crude from Iran could prove harder. Although interestingly enough, Iran’s largest importer of its crude is Japan, a strong U.S. ally, and Japan might actually be the strongest opponent of such measures. Including an embargo on sales of gasoline to Iran would be impossible. But asking China to join sanctions that limit investment in the region, is doable.