Slashdot Mirror


China Criticizes US For Making Weapon Plans Steal-able, Alleges Attacks From US

Etherwalk writes "Huang Chengqing, China's top internet security official, alleged that cyberattacks on China from people in the U.S. are as serious as those from China on the U.S. 'We have mountains of data, if we wanted to accuse the U.S., but it's not helpful in solving the problem.' Huang, however, does not necessarily attribute them to the U.S. government just because they came from U.S. soil, and he thinks Washington should extend the same courtesy. 'They advocated cases that they never let us know about. Some cases can be addressed if they had talked to us, why not let us know? It is not a constructive train of thought to solve problems.' In response to the recent theft of U.S. military designs, he replied with an observation whose obviousness is worthy of Captain Hammer: 'Even following the general principle of secret-keeping, it should not have been linked to the Internet.'" A few experts think China's more cooperative attitude has come about precisely because the U.S. government has gone public with hacking allegations.

38 of 209 comments

  1. Oh FFS by Anonymous Coward · · Score: 4, Insightful

    "This is what I was wearing when China stole my weapons schematics. Tell me I asked for it."

    Fuck off with your victim blaming, China. Pricks.

    1. Re:Oh FFS by nhat11 · · Score: 2

      Still doesn't justify stealing it.

    2. Re:Oh FFS by skywire · · Score: 4, Insightful

      They didn't steal it; they copied it.

      --
      Those who would give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety.
    3. Re:Oh FFS by hawguy · · Score: 2

      Still doesn't justify stealing it.

      Entire divisions of intelligence agencies are devoted to stealing secrets from other countries (including "friendly" countries and allies). If the data was readily available, they wouldn't be doing their jobs if they ignored it.

      Or are you advocating disbanding all foreign intelligence agencies because no one should be "stealing" any data that's not been made public through official channels?

    4. Re:Oh FFS by naoursla · · Score: 3, Insightful

      You have lots of room to complain. If you take away the expectation to complain it gives criminals an excuse to commit the crime.

      If you saw a Ferrari parked somewhere with a bunch of cash in the front seat, would YOU feel okay stealing it or the car? I would hope not. Stealing is wrong regardless of how easy it is. Why do you give others a pass for something you wouldn't do?

    5. Re:Oh FFS by LordLimecat · · Score: 4, Insightful

      The world is complex enough that multiple people can be at fault. If the Ferrari gets broken into, you are at fault for being naive and foolish, and the thief is at fault for being a leech on society.

      Who gets the blame? Both of them. Is the thief the bigger part of the problem? Sure he is, and the largest portion of the blame goes to him. But you still are responsible insofar as your foolishness left you wide open to being victimized and creating an opportunity for a crime that any reasonable individual could have predicted.

    6. Re:Oh FFS by NatasRevol · · Score: 2

      You can complain all you want.

      It's still fucking stupid to park the car there.

      Someone is going to steal the car. Right or wrong has nothing to do with it.

      --
      There are two types of people in the world: Those who crave closure
    7. Re:Oh FFS by hawguy · · Score: 2

      Depends on the neighborhood...

      The data was stolen through the internet -- the worst neighborhood imaginable.

  2. Re:um? by SJHillman · · Score: 5, Funny

    At least we're not Britain. I mean, seriously, what kind of permissions is 007 for a spy?

  3. Can't fault China on this one by Xest · · Score: 4, Insightful

    Whilst I'm not saying China doesn't do any state sponsored hacking I've pointed out before that China has the largest online population of any nation and has about 1/6th of the world's population. Statistically if you get non-state sponsored hackers in every nation it makes sense that you're going to see more from China than anywhere else.

    It's quite possible that it's nothing to do with the US "going public" and everything to do with the fact that a large number of hack attacks from China against the US is pretty much a statistical certainty regardless of state actors being behind it or not.

    I think all governments do state sponsored hacking, I certainly think China does, to what extent is unclear but I do think at least the claims against China are probably overhyped.

    Which may not inherently be a bad thing anyway though I guess if it gets Western firms to take security a bit more seriously so maybe there's a silver lining regardless.

    1. Re:Can't fault China on this one by c · · Score: 4, Insightful

      Statistically if you get non-state sponsored hackers in every nation it makes sense that you're going to see more from China than anywhere else.

      Yeah, but China has a firewall. Surely you're not suggesting that non-state sponsored Chinese hackers have figured out how to get around the national firewall?

      Heh... actually, that wouldn't be a bad official response. Puts the Chinese in the position of either accepting responsibility for hacking, or admitting that their state firewall is actually pretty porous.

      --
      Log in or piss off.
    2. Re:Can't fault China on this one by ranton · · Score: 5, Insightful

      Heh... actually, that wouldn't be a bad official response. Puts the Chinese in the position of either accepting responsibility for hacking, or admitting that their state firewall is actually pretty porous.

      I doubt they care very much that their firewall can be compromised by people skilled enough to hack into government and corporate computers. The main point of the firewall is to assert control over the general population.

      --
      -- All that is necessary for the triumph of evil is that good men do nothing. -- Edmund Burke
    3. Re:Can't fault China on this one by Zontar_Thing_From_Ve · · Score: 2

      Heh... actually, that wouldn't be a bad official response. Puts the Chinese in the position of either accepting responsibility for hacking, or admitting that their state firewall is actually pretty porous.

      Not really. They can do any of the following, including perhaps more than one of these.
      1) The Beavis and Butthead defense - "Those were some other kids, sir" meaning non-Chinese people leaving a trail pointing back to China to deflect blame to there.
      2) The Bart Simpson defense (denial) - "I didn't do it. Nobody saw me do it. You can't prove anything."
      3) "Evil Chinese hackers did do it and yes, they got around our precious firewall. But we won't admit it to our own citizens. That's for external knowledge only."
      4) "The Chinese military did it, but unfortunately they operate without our oversight." I guarantee you that no government person in the US or China wants that to be true. The Chinese military is a bit of a loose cannon and the fear on the US side is that the civilian government in China may not be as much in control of them as they would like. The Chinese government probably fears that they don't control them as much as they are supposed to either. The problem is that according to the Chinese constitution, the PLA (People's Liberation Army) swears allegiance not to China or the government but to the Chinese Communist Party. That's a really important distinction. The government is a subset of the CCP so in theory it could be possible that the government's interests could run counter to the CCP's interests if the CCP was under the control of some non-government whack job.

    4. Re:Can't fault China on this one by dunkindave · · Score: 2

      China has implemented the Great Firewall of China, both to monitor and control their citizens, as well as to limit the ingress points into China (three major ones if my memory is right) so they can more easily monitor and cut the lines if attacked. Compare that to the United States which has so many major lines running into/out of the country that it would be nearly impossible to block an attack from outside (not that inside versus outside is truly a big difference). Since these attacks are coming from behind the firewall, and little or nothing is being done to stop them, it is easy to conclude that the government is choosing to allow them to happen. Compare this to the news stories of Chinese citizens being arrested, tried and executed for hacking internal Chinese companies.

      Now consider the philosophy difference between the Chinese and Americans, where the Chinese people are raised to believe they have a duty to perform actions to help their country. The government doesn't have to tell people to hack into systems in other countries to collect useful information (which they also do), they just have to make it known that the information is desirable, then not block the attempts by the "non-government" hackers (see my first paragraph). If a citizen later has come into possession of valuable information which they choose to share with the government, then they are just being a good citizen. We call it hacking, China calls it patriotism.

      So why does China now respond? Because they are walking a tightrope. They are seeing how far they can push things before it has an unacceptable consequence. That is also why I think we chose to speak up this time, because to always remain silent just lets China continue doing their antics with no real consequences. So why this time and not others? Because if you keep telling the attacker what you saw, and by implication what you didn't, you give him valuable information that can make him more effective and more stealthy.

      It may not be the classic form of war, but it follows a lot of the same rules. And because of the difference of philosophies, it is a somewhat asymmetric war.

  4. Re:Blah blah blah by hawguy · · Score: 2

    Whatever, it's not like it's going to start WW3... moving on.

    If the Chinese use the data appropriately, it can stop WW3 from ever starting by giving them the chance to disable our defenses through software without firing a single shot. They just need to get a Chinese Jeff Goldblum to upload a virus to our mother ship with his Chinese made Macbook.

  5. Re:um? by Anonymous Coward · · Score: 2, Funny

    As long as the low-order bit is set, he has execute permission.

    What's the problem?

  6. Re:um? by camperdave · · Score: 4, Funny

    At least we're not Britain. I mean, seriously, what kind of permissions is 007 for a spy?

    Plausible deniability?

    --
    When our name is on the back of your car, we're behind you all the way!
  7. I don't get this. by wcrowe · · Score: 3, Interesting

    I always thought it was a rule from Espionage 101 that you don't let the other side know when your side has been compromised. You use it as an opportunity to start sending out false information, and to learn their tactics and precisely who is involved. I don't understand why we are telling everyone in the world that the Chinese have stolen our information. It just makes us look inept in all sorts of ways.

    --
    Proverbs 21:19
    1. Re:I don't get this. by SuricouRaven · · Score: 4, Insightful

      To harm China diplomatically and economically. If they get a reputation for underhanded spy games then businesses will be more reluctant to do business there for fear of having their designs shamelessly copied and research stolen, and nations will be less willing to allow free trade if it is known that China seeks to favor domestic industry by impeding the operations of overseas competition.

    2. Re:I don't get this. by Maxo-Texas · · Score: 4, Insightful

      The problem with this position is that they have HAD a bad reputation for stealing IP for over 20 years now. And it hasn't changed anything.

      People still do business with them. People still ship designs and formulas to them to produce.

      What will reduce IP Theft is higher Chinese labor costs which make local manufacturing a better solution than offshoring. And we've probably got another 8 years before Chinese wages + fuel transportation costs == local labor costs.

      --
      She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
    3. Re:I don't get this. by erice · · Score: 2

      I always thought it was a rule from Espionage 101 that you don't let the other side know when your side has been compromised. You use it as an opportunity to start sending out false information, and to learn their tactics and precisely who is involved.

      I think this has already happened. They traced the attacks to a specific building in Shanghai operated by the Chinese military and learned a great deal about the operations taking place there.

      I don't understand why we are telling everyone in the world that the Chinese have stolen our information. It just makes us look inept in all sorts of ways.

      Probably because all the useful counter-espionage plays have been done. Now the biggest payoff is from using the information for political leverage.

    4. Re:I don't get this. by rahvin112 · · Score: 2

      The problem with this position is that they have HAD a bad reputation for stealing IP for over 20 years now. And it hasn't changed anything.

      Hasn't changed anything? Are you insane? One small example is Russia won't sell the Chinese ANY advanced weapons. After the Chinese copied some older model Soviet weapons the Russians refused to sell them ANY advanced weapon systems. This little detail has crippled Chinese weapon advancement for more than a decade, and only recently after realizing they can't create the same 50 years of Russian innovation on their own they are only now at the point of a new arms deal with the Russians with guarantees that the designs will not be copied. Even with firm contractual guarantees the Russians are still not sure they want to execute the contract because they don't trust them. I'd wager the contract is about 50/50 that it will ever happen.

      Wholesale theft of IP has harmed China in almost as many ways as it has helped them and they have started to realize the damage they've done.

  8. VPN by MotoRyan · · Score: 2

    Also, how do we know that the IP address from the US is not just a VPN endpoint?

  9. Re:Economic collapse. by elsuperjefe · · Score: 2

    I don't think China's holdings have that kind of power. If they sell prices would fall, rates would rise. I suspect these events might entice additional demand from other investors causing prices to rise and rates to drop. Also, the U.S. economy is currently growing, not collapsing so there is currently nothing to exacerbate. I would hold off on the bomb shelter for now.

  10. Re:um? by blane.bramble · · Score: 5, Funny

    Sounds like perfect ones to me - read, write and execute everyone except himself and his group.

  11. Re:um? by Nerdfest · · Score: 2

    Well, he does have execute permission for *everyone*.

  12. Re:Blah blah blah by SuricouRaven · · Score: 3, Interesting

    I do hope that means a second space race. If China seriously looked like they were about to set the first man on Mars, or establish a long-term moon base, I think America would have to devote billions of dollars to doing it first just to defend their national ego. Again.

  13. Re:Blah blah blah by interval1066 · · Score: 2

    But it does put us in the midst of a second cold war

    Not even. China can get all butt-hurt if they want, but they'll NEVER put themselves in a position where they can't trade with the US, that would be suicide. China is acting all butt-hurt when we all know they have far more to gain by spying on us than we have to gain by spying on them, economically. We gain by spying on their military strategy, foreign policy, and disposition of forces.

    --
    Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
  14. Then sic the RIAA on them by Anonymous Coward · · Score: 5, Funny

    According to the RIAA, that's worse.

    1. Re:Then sic the RIAA on them by K. S. Kyosuke · · Score: 2

      I am sure that the Russian Internet Armament Acquisition agency would disagree.

      --
      Ezekiel 23:20
  15. Re:"sophisticated weapon design" by Nidi62 · · Score: 2

    Some elaborate conspiracy to appear incompetent while fooling the Chinese hackers is a little harder to believe.

    If there is anything that government as a rule is good at, it is incompetency.

    --
    The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
  16. Re:China is America by Maxo-Texas · · Score: 2

    And by the same virtue the Democratic Party is the Republican Party and the Republican Party is the Democratic Party in America.

    Both serve the corporations.

    If it's any help- I think it's too late to do anything about it.

    --
    She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
  17. Outsourced R&D by Scot Seese · · Score: 5, Insightful

    WalMart has outsourced the production of plastic flower pots and patio furniture to China for decades - the Chinese are simply reversing the process! By letting U.S. taxpayers fund the billions of dollars per year we pour into military R&D, they save massive amounts of money and man hours, and are guaranteed the best designs that 17 year old Chinese Red-Bull & Cheetos-fuelled hax0rs can steal.

    Take a copy-catted F22 Raptor, paint a Chinese air force insignia on it, and * VOILA! * Fifth generation air superiority fighter MINUS the 20 years of research and testing.
    What you say? Their copy is only 85% as good as ours because they made shortcuts in the radar, or avionics, or missile systems? That's OK, our congress will keep paring down the final platform order until our air force ends up only getting 200 F22s, while the Chinese will manufacture 1,150 of theirs.

    The current US military philosophy is starting to look more and more like WW2 era Germany, with absolute faith placed in a relatively small number of extremely expensive, extremely high quality weapons systems, which ultimately were smothered and overrun by a developing nation (the U.S.) with phenomenal industrial capacity capable of running M4 tanks, jeeps, B17 bombers, and numerous other things off assembly lines faster than the Germans could destroy them.

    The comparative ironies to today's military situation are incredible.

    --
    THIS SPACE INTENTIONALLY LEFT BLANK.
    1. Re:Outsourced R&D by rahvin112 · · Score: 4, Interesting

      Arm chair generals. Although the information they stole is valuable they haven't stolen information that's going to have them building Raptors. China has been trying to copy SU-27 jets for about a decade now, they can't get the engines built right and are at the point of having to go back to a Russia that vowed never to sell to them again to beg them for rights to purchase more advanced systems.

      Even though they have working Russian built engines to compare against they weren't able to duplicate the engines. Any Engineer can tell you why, even with detailed schematics, if you don't understand the design you don't know where the critical sections of the design are or what processes to use during assembly that prevent catastrophic failure later. Most of these highly advanced weapon systems have decades of incremental experience built into the design. Even small differences in manufacturing can render parts unusable and it's experience that teaches you that, not schematics and working samples. Though the design information and working samples accelerate learning they don't do away with it.

    2. Re:Outsourced R&D by dj245 · · Score: 3, Informative

      Can you be more specific? I thought designs and schematics would detail all of these things to make sure someone else knows what to do. It's a bad idea to let critical information get stuck in the heads of your scientists and engineers in case they, you know, die.

      Here's one.

      My company sells gas turbines for generating electricity. These are based on a standard design which is analyzed to death and then built full-scale to make sure it performs. There is one main package (the gas turbine) and then small little modules which resemble small shipping containers (10x10ft, 15x20ft, etc) with equipment inside. The piping and electricals are run between the packages and the little modules.

      Even if you had all the blueprints and design documents, you could easily fall into the trap of thinking that "modular" implies a similarity to LEGOs and you can lay out the modules wherever you want, changing the placement to suit the site conditions. Maybe you want to move Module X from the left side of the machine to the right side of the machine, or move Module Y by 20 feet in order to try to hide a noisy piece of equipment from a residential area.

      On the surface, this sounds quite easy! Just make sure your pipefitters have a little extra pipe, and the electricians have a little extra wiring so they can connect it up. The problem is that the system is completely and tightly integrated-

      The piping has been analyzed in the standard design for friction losses and thermal stress. Move the module without considering this, and maybe the system doesn't get quite the pressure it was expecting. Maybe the pipes crack because of thermal expansion.

      The Hazardous area classification has been studied in the standard design. Pressurized, airtight, explosion-proof electrical junction boxes are expensive, so they don't get used if they aren't needed. You use a regular one instead. Not a problem at all if you aren't in a hazardous area. Move that module 20 feet, however, and maybe you have put it in a dangerous location.

      The entire layout has been planned for maintenance and construction. There is enough room to take everything apart and put it back together again. If you move a module to the wrong spot, maybe you can't remove Part Y from the machine. Or maybe you don't have enough room to put a wrench on equipment Z, so you can't install it in the first place.

      The electricals have been designed as an integrated system too, and optimized to use the smallest wire possible while still being reliable and safe. If you make the length longer, however, maybe the resistance loss is high enough that the signal is unreliable.

      As the GP said, if you are stealing plans for complicated equipment, you basically have to get to know the design as well as the original designer. If you don't, it is very easy to make a small change for reasons of improvement or localization which completely breaks the design. This can happen even if you have every drawing and document ever made for the thing. Inevitably you will have to change something, especially if you are stealing from the US since we use imperial measurements. It can be as simple as using 26mm thick steel plate instead of 1 inch thick steel plate.

      --
      Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
  18. Re:um? by Z00L00K · · Score: 2

    The world is not enough.

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
  19. Re:hacking into US infrastructure is an act of war by gary_7vn · · Score: 2

    What a brilliant idea.

    Or you could put them in camps and gas them.

    People like you are the reason we are fucked.

  20. US Infosec Incompetence summed up in one sentence! by endus · · Score: 4, Funny

    'Even following the general principle of secret-keeping, it should not have been linked to the Internet.'"

    You think so??? Really? This is a novel concept to our American Information Security Industry, please, tell us more! Surely you don't mean that power plants and water treatment facilities and power grids and other sensitive facilities should not be linked to the internet...HOW THE FUCK ARE THE OPERATORS GOING TO GET TO FACEBOOK IF WE DISCONNECT THEM!?!?!?!?