Slashdot Mirror


China's Cyber-Warfare Capabilities Overstated

An anonymous reader writes "A new paper argues that China's cyber-warfare capability is actually pretty poor. '[China has] evinced little proficiency with more sophisticated hacking techniques. The viruses and Trojan Horses they have used have been fairly easy to detect and remove before any damage has been done or data stolen. There is no evidence that China's cyber-warriors can penetrate highly secure networks or covertly steal or falsify critical data,' the paper reads (PDF). 'They would be unable to systematically cripple selected command and control, air defense and intelligence networks and databases of advanced adversaries, or to conduct deception operations by secretly manipulating the data in these networks.'"

19 of 140 comments

  1. Yeah by fragfoo · · Score: 2

    That's what they want you to think.

    --
    Sig? Heil
    1. Re:Yeah by ackthpt · · Score: 2

      No, the US wants people to think China is some powerful enemy and that cyberwar is a constant threat. This enables them to pass new, more powerful laws, keeps citizens in constant fear and allows the US to use things like Stuxnet against Iran.

      All the US has to do is shut off a range of IP addresses from Mainland China - that would pretty much stop it. Drastic, yes, but perhaps the day will come. The US Government threatens some IP addresses in Russia, from time to time, so they certainly have dictated to those who route traffic that they had best have some controls and a switch for Washington to flip if and when it wants to. Can't say I'd find the concept hard to believe.

      It's actually all coming from an attempt by Elma Sniddle to hack a C64 ...

      --

      A feeling of having made the same mistake before: Deja Foobar
    2. Re:Yeah by RenderSeven · · Score: 2

      But, actually, they do. Don't know if they're naive or overconfident or just don't give a shit, but when I look at attacks on my firewall on a given day the source IPs all trace back to China. Maybe a couple from Korea or Eastern Europe, but 95% of the stuff I see is from China. Maybe it's haxorz in Iowa using compromised servers in Beijing but... well, no, it's not. It's China attacking from their own IP addresses.

  2. Would you rather? by SniperJoe · · Score: 3, Interesting

    Personally, I'd rather we far overstated China's abilities and designed our systems to counter such a threat.

    Would you rather overestimate their abilities or underestimate them?

    1. Re:Would you rather? by Fluffeh · · Score: 3, Insightful

      I wouldn't be so sure that it is the case. Given my experience with a few large scale projects, the ineptitude of middle managers and a summary of what was provided as a solution for what price, I would worry about how much it would end up costing a government to make systems "impregnable". While I could well be wrong, I wouldn't at all be surprised if the final cost of such an undertaking ended up being simply astronomical.

      If you worry too much about your neighbour getting too much advantage in manufacturing, stop buying ALL their stuff and stop sending your designs to be made there then sold back to your own country. It's not an easy fix, it's not a short term fix, but if a country doesn't have markets for anything and everything they sell, they won't be raking in all that much money - meaning that you can once again sit unfettered on the top of the SuperPower steps.

      --
      Moved to http://soylentnews.org/. You are invited to join us too!
    2. Re:Would you rather? by vux984 · · Score: 2

      Personally, I'd rather we far overstated China's abilities and designed our systems to counter such a threat.

      So, like terrorism, then?

      Do you really want the TSA administering network security as well?

    3. Re:Would you rather? by jd · · Score: 2

      It depends on whether it's done for action or voter consumption. For the former, I'd far prefer it to be overestimated and dealt with. However, I despair of DHS or DoD actually being capable of countering anything more threatening than house flies.

      For voter consumption, I'd far prefer there to be no estimate at all. The use of estimates to manipulate the population is very Humphrey Appleby. It is Psych Ops against the population the government is sworn to protect and serve, regardless of which way it is done. Even if it were 100% accurate, it would STILL be a Psych Ops attack against the populace.

      I see nothing wrong with the government supplying useful information (e.g. pressure companies to use OpenBSD or a hardened Linux for appliances and embedded systems, not Windows under any circumstance; don't use randomly-discarded USB thumb drives in nuclear reactors; keep confidential information offline or strongly encrypted). I also don't see anything wrong with the government being required to report large-scale DDoS attacks, so long as attribution of the attacks is provable and verifiable by some independent body (even if not by the public) and where it is either not provable or not verifiable, no attribution is given no matter how politically tempting.

      I also see nothing wrong with the government actually taking cybersecurity seriously and mandating a rolling minimum standard of security for corporations. The main objection to minimum standards is that they are static and thus obsolete. So don't define it statically or in terms of specific technologies or specific threats. It's entirely possible to say that an incident involving any given compromised system will affect X number of people, given a total of Y people, by Z amount. You then mandate that companies cannot permit either X*Z or (X/Y)*Z to exceed certain totals for any given year. Compromises below those totals are fined at a modest rate but enough to create impetus to improve, compromises above those totals are fined to apocalyptic proportions. Let the companies take care of how to go about this.

      You can also specify rolling standards in other ways. Instead of stating the number of bits in an encryption key, specify that operations critical to the security of the infrastructure and economy must be either FIPS-compliant OR use encryption classified as "minimal risk" (no known weaknesses, not subject to brute force attacks with available technology, that sort of thing) within some sensible window of time. Do six months sound reasonable from the time of a security announcement of a potential hazard to the end of testing and full roll-out of replacement systems in mission-critical systems? Too long and you will be attacked. Too short and the consequences of a mistake will be worse than an attack.

      In the case of systems where encryption is too difficult - for example, in automotive systems which currently use Ethernet for cabling between modules and which are starting to support wireless systems control - then specify things in terms of authentication and authority, under the same relative measure. (E.g. a car should be X% certain, given known cyberthreats at the time of last maintenance, that it is the authorized user who is turning off the ignition or slamming on the brakes, where X is some well-published value that vendors and cybersecurity experts jointly agree is acceptable in terms of cost per unit mitigation.) If a car isn't maintained for a year, then the vendor should be liable for any excessive exposure to risk known about at that time but not for risks discovered after then. Because there's no specific threat stated, only the permissible relative risk, no update is needed.

      (We expect the same in other industries. We care if an airline took reasonable precautions in last maintenance to ensure everything was OK, we care that the regulations ensure that critical components are tested thoroughly enough, but do we care that much as to whether the regulations specified BY NAME every nut and bolt? Should we, or should we be entit

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    4. Re:Would you rather? by Johnny+Mnemonic · · Score: 2

      Neither. We have limited resources to defend our interests. If we overspend on an exaggerated cyber threat from China, we must needs reduce the resources allocated to something else. If we short a program that defends us from a threat that was actually understated vs. China's ability, we have made ourselves susceptible.

      --
      $tar -xvf .sig.tar
  3. No Evidence by jeff4747 · · Score: 4, Insightful

    There is no evidence that China's cyber-warriors can penetrate highly secure networks or covertly steal or falsify critical data.

    Because governments love to publicize when someone breaks into their highly secure networks. Every day, the spokespeople for various government agencies get to work and say to themselves, "Boy, I really wish I could announce that our networks have been hacked! That would really make my day!!" The leaders of said agencies go to sleep every night wishing that they could spend tomorrow being grilled by a legislative body over their Swiss-cheese network defenses. But alas, tomorrow just brings another boring day of budget meetings.

    Or just maybe they don't talk about it.

  4. There is plenty of proof by strobe74 · · Score: 2

    Look at their stealth bomber and their stealth fighter.. look familiar? You might think to yourself "hmm.. their stealth bomber looks nearly identical to ours.. and hey!! so does their stealth fighter!" And they just magic'd them out of nowhere. No decades of research.. no skunk-works or Area 51 for testing.. just POOF.. a few years after we come up with them and BAM.. China has nearly identical copies. Just a coincidence, I'm sure.

    1. Re:There is plenty of proof by Thruen · · Score: 2

      Actually... This article seems to suggest the Chinese aren't hacking to steal our secrets. I'd find it amusing if they were just repeatedly making silly half-hearted attempts at breaking into our systems just to throw us off the trail of the real problem: people who've lost faith in their country. Well, that and greed. Probably mostly greed. Still, not the TECHNO-warriors of China.... that does sound better.

    2. Re:There is plenty of proof by bmo · · Score: 4, Insightful

      So you're going to fault them for taking shortcuts instead of reinventing the wheel?

      That's nuts. Nobody reinvents wheels if they can get clues/technology/etc, from elsewhere. Absolutely nobody. Only idiots make stuff from scratch without referring to other technology and practices.

      Come the fuck on, the industrial revolution was started in the US along the Blackstone River with "stolen" British ideas. Samuel Slater was no dummy.

      What a load of crap, sir.

      --
      BMO

    3. Re:There is plenty of proof by Anonymous Coward · · Score: 2, Funny

      That's because it's invisible, duh!

    4. Re:There is plenty of proof by strobe74 · · Score: 2

      No, I'm just refuting the statement that they're not hacking anything. It's clear they've been through a fair amount of the R&D info from most of our defense contractors already. If there's any blame to be handed out it's that our defense contractors don't take security as seriously as they should.

  5. Beware teh Chinese by sneakyimp · · Score: 2

    Does the summary strike anyone else as a bit xenophobic? Or perhaps a bit skewed toward occidental cultures?

  6. Re:Stop using term cyber by SharkLaser · · Score: 2

    Online sex.. hm, no please.
    Electronic sex.. hm, it could be kinky, but no thanks.
    Internet sex.. well that's just boring.

    Now cybersex. That's something, and it's kinky too!

  7. This sounds a lot like... by bmo · · Score: 3, Insightful

    ..whistling past the graveyard. It sounds a /lot/ like what US automobile manufacturers said about the Japanese in the 60s and 70s. And then the Japanese whipped Ford, Chrysler, and GM's collective asses.

    Go ahead, dismiss your opponent as incompetent. Down that road lies complacency and defeat.

    --
    BMO

  8. Apologist much? by FyberOptic · · Score: 2

    What difference does it make whether the attacks are detectable? DDoS for example is detectable, but that doesn't make it any less potent of a weapon. As someone who has dealt with blocking Chinese break-in attempts for years, and at one point blacklisted IP blocks from the entire region, I can tell you that China is a scourge on the internet at best, and a damaging force against major targets at worst. There's more than enough evidence of that.

  9. The really good hackers by Hentes · · Score: 5, Insightful

    are the ones that don't get caught. Americans only detect the lousy attempts.