China: Internet Freedom Is Culturally Relative

February 2, 2010 by ADMIN

Share |

By Anthony M. Freed, Director of Business Development, InfosecIsland.com

We have had a few weeks to absorb the implications of wide spread Chinese supported attacks against Google and thirty or so other organizations.

The US Secretary of State made one of the most affirmative statements on Internet freedom yet articulated by a government.

Various policy analysts have chimed in as well. Some thoughts on what they have said:

George Kurtz, CTO of McAfee, and his team were involved in the analysis of just what happened during these attacks which he dubs “Aurora”.

He revealed in his blog on January 14th that the primary mechanism was a Trojan horse that exploited a new vulnerability in Internet Explorer. What is interesting to note is Kurtz’s surprise at the dramatic turn the threatscape has taken.

All I can say is wow. The world has changed. Everyone’s threat model now needs to be adapted to the new reality of these advanced persistent threats.

In addition to worrying about Eastern European cybercriminals trying to siphon off credit card databases, you have to focus on protecting all of your core intellectual property, private nonfinancial customer information and anything else of intangible value.

There have been many instances of Chinese hacking of US research and defense organizations. To date the US State Department has remained aloof.

Hiliary Clinton’s Remarks on Internet Freedom are worth noting because they are the first time a US Secretary of State has so explicitly endorsed Internet freedom and access to information.

Full text and video is available here.

The same networks that help organize movements for freedom also enable al-Qaida to spew hatred and incite violence against the innocent.

And technologies with the potential to open up access to government and promote transparency can also be hijacked by governments to crush dissent and deny human rights.

In the last year, we’ve seen a spike in threats to the free flow of information. China, Tunisia, and Uzbekistan have stepped up their censorship of the internet.

In Vietnam, access to popular social networking sites has suddenly disappeared. And last Friday in Egypt, 30 bloggers and activists were detained.

The most important thing Mrs. Clinton said in my opinion:

On their own, new technologies do not take sides in the struggle for freedom and progress, but the United States does.

We stand for a single internet where all of humanity has equal access to knowledge and ideas. And we recognize that the world’s information infrastructure will become what we and others make of it.

Them’s fight’n words and the Chinese reacted in kind. Xinhua, the official news agency of the Chinese government, published a Commentary: Don’t impose double standards on “Internet freedom” .

My favorite quote:

As is widely recognized, freedom is always relative, and such is also the case with Internet freedom.

That says it all and the lines are drawn.

Evgeny Morozov, the Yahoo! Fellow at Georgetown University characterized Ms. Clinton’s remarks as laced with cold war rhetoric.

He predicted correctly that China would reciprocate with criticism of US restrictions on Internet communications.

While Evgeny may denigrate Cold War thinking (keep in mind that he grew up on the wrong side of the Iron Curtain: Belarus) there is something to be said for recognizing China is indeed engaged in regional hegemony and global jockeying for power and control that is reminiscent of the Cold War.

Never lose sight of China’s nuclear arsenal, standing army, and caustic rhetoric.

Marcus Ranum got a little heated in his contribution to the discussion. Aside from inferring that all of the rest of people I am quoting here are clueless he had this to offer:

My prediction for you: The Chinese Government will offer to block access to Google. I.e.: “Want to pull out of China? Here, let us help you.” Google will shut up, and the whole thing will blow over.

He might just be right there as Google has yet to carry through on their threat to stop censoring search results at Google.cn.

Bruce Schneier, cryptographer, author, and critic of the TSA, singled out a different aspect of the story. He criticizes the existance of so-called back doors that Google and other Internet services have built in so that they can comply with government demands for information.

China’s hackers subverted the access system Google put in place to comply with U.S. intercept orders.

Why does anyone think criminals won’t be able to use the same system to steal bank account and credit card information, use it to launch other attacks or turn it into a massive spam-sending network?

Why does anyone think that only authorized law enforcement can mine collected Internet data or eavesdrop on phone and IM conversations?

Schneier may have jumped to conclusions based on too little information. Read this refutation by John Mark Walker here.

L. Gordon Crovitz, the Information Age columnist at the Wall Street Journal invoked the ‘Shores of Tripoli” when he called for Washington to fix the cyber security problem.

If you have not heard the story of how Thomas Jefferson finally beat the Barbary Pirates as a shining example of how law enforcement can be effective you have missed out.

I first heard the story applied to Internet security in 2004 when Steve Forbes recited it at a dinner he sponsored in California.

It is telling that we have to go back 200 years in history to find a good example of the US effectively dealing with brigands.

Crovitz calls for a government crackdown, claiming:

Just as the traders of the 18th century could not protect open sea lanes by themselves, technology companies, even ones as powerful as Google, today cannot keep digital sea lanes open on their own. Washington has started to talk about the seriousness of the problem. Now it needs a plan to fix it.

If he digs into it a bit Mr. Crovitz will find that the government has far less ability to keep the Internet sea lanes open than those who own and operate the networks.

Brahma Chellaney, Professor of Strategic Studies at the Indian Centre for Policy Research gives us the perspective of someone who is a little closer to China.

His blog contains a post “A new war, a new frontier”.

In peacetime, China is intimidating India through intermittent cyber warfare, even as it steps up military pressure along the Himalayan frontier.

In a conflict, China could cripple major Indian systems through a wave of cyber attacks.

With cyber intrusions against Indian government, defence and commercial targets ramping up since 2007, the protection of sensitive computer networks must become a national-security priority.

That holds true not just for India. Every country has to realize that the protection of sensitive computer networks must become a national security priority.

Wow, the world has changed this week.

Myth Busting

The attacks against Google emanating from China and the subsequent speech by the US Secretary of State on Internet Freedom have exposed cyber security issues to a wider audience in recent weeks. P

erhaps predictably some old ideas are creeping up that should be slapped down quickly.

Myth number 1: The US Engages in Cyberwarfare

First let’s address Jack Goldsmith’s comments in the Washington Post. His thesis is that Hilary Clinton is being hypocritical when she calls for a halt on cyber attacks, particularly from China.

He is actually parroting China’s response! Now, the US is not completely blameless.

The NSA does indeed spy on US citizens via Internet taps at ATT data centers, a practice set up by the Bush administration and tacitly condoned by the Obama administration.

But Goldsmith attributes way too much to the US in its cyber capabilities. I do not deny that I have encountered the desire to have cyber attack capabilities within the Defense Department.

I have not seen evidence that the US has such ability. Anecdotes abound but they tend to lead to single sources or outright hoaxes.

I find it interesting that Goldsmith is one of the participants in the committee that produced “Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities,” a document that goes over all the arguments against having cyber attack capabilities then supports it.

It is inevitable that the US builds up its cyber warfighting abilities. But to compare the US’s capabilities to China is out of proportion.

Myth number 2: The Internet Needs to be Controlled

We learn from “The Curious Capitalist”, Barbara Kiviat, at Time that an executive at Microsoft presented a worn out theory at Davos.

The argument goes like this: the Internet was never meant to be “to be a worldwide system of mass communication”.

It grew into the scary place it is today because there were no controls imposed.

Craig Mundie, Microsoft’s chief research and technology officer goes on to propose the imposition of authentication.

He draws an analogy to automobile use: If you want to drive a car, you have to have a license (not to mention an inspection, insurance, etc).

The idea of assigning one identity to each individual is the basis of all states of course.

How can you control people if you do not know who they are? (Or where they are, or what their health is, or how much income they have, etc.).

This idea applied to the Internet as a whole is ridiculous but it does not stop the likes of Mr. Mundie proposing it.

It takes many forms; the most organized is the Trusted Computing Group and their technology solution which has led to hundreds of millions of extra chips being installed in laptops and hand held devices.

Not, mind you, innovative devices like iPhones, iPads, and book readers; once again demonstrating that no matter how smart you are you cannot impose controls on something you do not control.

Microsoft, by the way, is one of the founding members of the Trusted Computing Group, Apple is not.

The danger of these myths is that policy and spending will be misappropriated if they persist.

Reality has a way of imposing itself regardless of theories. It is best to have a firm grip on reality before setting national policy or investing in technology.

* * *

Stay Informed With ISR News Alerts:

* * *

Announcing the birth of Cyber Defense Weekly, a newsletter created to give participants in this new category a comprehensive summary of the week’s news, product announcements, and escalations in cyber threats.

Simply provide your email address here to become a subscriber.

Comments and input are welcome as always on this critical new category.

Richard Stiennon, security expert and industry analyst, is known for shaking up the industry and providing actionable guidance to vendors and end users. Richard is a security consultant for Focus.com, as well as providing research for the Gerson Lehrman Group. He recently re-launched the security blog ThreatChaos.com and is the founder of IT-Harvest, an independent analyst firm that researches the 1,200 IT security vendors. He was Chief Marketing Officer for Fortinet, Inc. the leading UTM vendor. Prior to that he was VP Threat Research at Webroot Software. Before Webroot, Mr. Stiennon was VP Research at Gartner Inc. where he covered security topics including firewalls, intrusion detection, intrusion prevention, security consulting, and managed security services for the Security and Privacy group. He is a holder of Gartner’s Thought Leadership award and was named “One of the 50 most powerful people in Networking” by NetworkWorld Magazine.

The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com

These icons link to social bookmarking sites where readers can share and discover new web pages.