The announcement of recent cyber attacks against Google and some 30 or so other companies recalled to mind a monograph from the Rand Corporation on the future of Cyberwarfare.
The initial news release earlier this week stated “Google has decided to stop censoring search results in China, after discovering that someone based in that country had attempted to hack into the e-mail accounts of human rights activists.” [1] The implications were that the Chinese government was behind the attacks. Google felt it was important to announce the attack to alert the activist community.
“The sophistication of the attack was remarkable and was something that researchers have seen before in attacks on the defense industry, but never in the commercial sector. “Cyber criminals are good … but they cut corners. They don’t spend a lot of time tweaking things and making sure that every aspect of the attack is obfuscated,” [2]
Wired.com described the attack, summarized below:
- The initial piece of code was shell code encrypted three times and that activated the exploit.
- Then it executed downloads from an external machine that dropped the first piece of binary on the host. That download was also encrypted.
- The encrypted binary packed itself into a couple of executables that were also encrypted.
- One of the malicious programs opened a remote backdoor to the computer, establishing an encrypted covert channel that masqueraded as an SSL connection to avoid detection. This allowed the attackers ongoing access to the computer and to use it as a “beachhead” into other parts of the network.
- Once the hackers were in systems, they siphoned off data to command-and-control servers in Illinois, Texas and Taiwan.
Yet the question of why pull out of China remains unanswered:
- Stopping censoring search results will put Google in breach of Chinese law which effectively takes them out of that market. It’s interesting that Google would take this course and be willing to face these consequences. No doubt there were other less drastic courses of action.
- The attack was initiated from servers in the US and Taiwan. How will shutting down service in China help prevent such attacks?
Chapter 5 of the Rand Corporation’s monograph, A Strategy of Response, might help frame Google’s actions. The chapter starts with a quote from Robert Gates “Future administrations will have to consider new declaratory policies about what level of cyberattack might be considered an act of war, and what type of military response is appropriate.” The Chapter goes on to ask the following questions:
- Should the Target Reveal the Cyberattack?
- When Should Attribution Be Announced?
- Should Cyberretaliation Be Obvious?
- Is Retaliation Better Late Than Never?
- Retaliating Against State-Tolerated Freelance Hackers
- What About Retaliating Against CNE?
- Should Deterrence Be Extended to Friends?
- Should a Deterrence Policy Be Explicit?
- Can Insouciance Defeat the Attacker’s Strategy?
- Confrontation Without Retaliation
- The Attacker’s Perspective.
- Signaling to a Close.
So, if the recent attacks were a battle in a much larger cyber war then it looks like the answers to the first three questions, in this instance, are yes. If this was indeed a state-sponsored attack, then one must conclude that the US Government has chosen to put Google on the front line and keep itself out of the fray. Coupled with China’s muted remarks about Google’s decisions suggests both sides are being cautious.
Leave a Reply