US: Chinese Military is Hacking on "Unprecedented" Scale

[Kleves]

From: http://www.nytimes.com/2013/05/07/world/asia/us-accuses-chinas-military-in-cyberattacks.html?pagewanted=2&_r=1&nl=todaysheadlines&emc=edit_th_20130507&

WASHINGTON — The Obama administration on Monday explicitly accused China's military of mounting attacks on American government computer systems and defense contractors, saying one motive could be to map "military capabilities that could be exploited during a crisis."

While some recent estimates have more than 90 percent of cyberespionage in the United States originating in China, the accusations relayed in the Pentagon's annual report to Congress on Chinese military capabilities were remarkable in their directness. Until now the administration avoided directly accusing both the Chinese government and the People's Liberation Army of using cyberweapons against the United States in a deliberate, government-developed strategy to steal intellectual property and gain strategic advantage.

"In 2012, numerous computer systems around the world, including those owned by the U.S. government, continued to be targeted for intrusions, some of which appear to be attributable directly to the Chinese government and military," the nearly 100-page report said.

The report, released Monday, described China's primary goal as stealing industrial technology, but said many intrusions also seemed aimed at obtaining insights into American policy makers' thinking. It warned that the same information-gathering could easily be used for "building a picture of U.S. network defense networks, logistics, and related military capabilities that could be exploited during a crisis."

It was unclear why the administration chose the Pentagon report to make assertions that it has long declined to make at the White House. A White House official declined to say at what level the report was cleared. A senior defense official said "this was a thoroughly coordinated report," but did not elaborate.

On Tuesday,  a spokeswoman for the Chinese Ministry of Foreign Affairs,  Hua Chunying, criticized the report.

''China has repeatedly said that we resolutely oppose all forms of hacker attacks,'' she said. ''We're willing to carry out an even-tempered and constructive dialogue with the U.S. on the issue of Internet security. But we are firmly opposed to any groundless accusations and speculations, since they will only damage the cooperation efforts and atmosphere between the two sides to strengthen dialogue and cooperation.''

Missing from the Pentagon report was any acknowledgment of the similar abilities being developed in the United States, where billions of dollars are spent each year on cyberdefense and constructing increasingly sophisticated cyberweapons. Recently the director of the National Security Agency, Gen. Keith Alexander, who is also commander of the military's fast-growing Cyber Command, told Congress that he was creating more than a dozen offensive cyberunits, designed to mount attacks, when necessary, at foreign computer networks.

When the United States mounted its cyberattacks on Iran's nuclear facilities early in President Obama's first term, Mr. Obama expressed concern to aides that China and other states might use the American operations to justify their own intrusions.

But the Pentagon report describes something far more sophisticated: A China that has now leapt into the first ranks of offensive cybertechnologies. It is investing in electronic warfare capabilities in an effort to blind American satellites and other space assets, and hopes to use electronic and traditional weapons systems to gradually push the United States military presence into the mid-Pacific nearly 2,000 miles from China's coast.

The report argues that China's first aircraft carrier, the Liaoning, commissioned last September, is the first of several carriers the country plans to deploy over the next 15 years. It said the carrier would not reach "operational effectiveness" for three or four years, but is already set to operate in the East and South China Seas, the site of China's territorial disputes with several neighbors, including Japan, Indonesia, the Philippines and Vietnam. The report notes a new carrier base under construction in Yuchi.

The report also detailed China's progress in developing its stealth aircraft, first tested in January 2011.

Three months ago the Obama administration would not officially confirm reports in The New York Times, based in large part on a detailed study by the computer security firm Mandiant, that identified P.L.A. Unit 61398 near Shanghai as the likely source of many of the biggest thefts of data from American companies and some government institutions.

Until Monday, the strongest critique of China came from Thomas E. Donilon, the president's national security adviser, who said in a speech at the Asia Society in March  that American companies were increasingly concerned about "cyberintrusions emanating from China on an unprecedented scale," and that "the international community cannot tolerate such activity from any country." He stopped short of blaming the Chinese government for the espionage.

But government officials said the overall issue of cyberintrusions would move to the center of the United States-China relationship, and it was raised on recent trips to Beijing by Treasury Secretary Jacob J. Lew and the chairman of the Joint Chiefs of Staff, Gen. Martin E. Dempsey.

To bolster its case, the report argues that cyberweapons have become integral to Chinese military strategy. It cites two major public works of military doctrine, "Science of Strategy" and "Science of Campaigns," saying they identify "information warfare (I.W.) as integral to achieving information superiority and an effective means for countering a stronger foe." But it notes that neither document "identifies the specific criteria for employing a computer network attack against an adversary," though they "advocate developing capabilities to compete in this medium."

It is a critique the Chinese could easily level at the United States, where the Pentagon has declined to describe the conditions under which it would use offensive cyberweapons. The Iran operation was considered a covert action, run by intelligence agencies, though many techniques used to manipulate Iran's computer controllers would be common to a military program.

The Pentagon report also explicitly states that China's investments in the United States aim to bolster its own military technology. "China continues to leverage foreign investments, commercial joint ventures, academic exchanges, the experience of repatriated Chinese students and researchers, and state-sponsored industrial and technical espionage to increase the level of technologies and expertise available to support military research, development and acquisition."

But the report does not address how the Obama administration should deal with that problem in an economically interconnected world where the United States encourages those investments, and its own in China, to create jobs and deepen the relationship between the world's No. 1 and No. 2 economies. Some experts have argued that the threat from China has been exaggerated. They point out that the Chinese government — unlike, say, Iran or North Korea — has such deep investments in the United States that it cannot afford to mount a crippling cyberstrike on the country.

The report estimates that China's defense budget is $135 billion to $215 billion, a large range attributable in part to the opaqueness of Chinese budgeting. While the figure is huge in Asia, the top estimate would still be less than a third of what the United States spends every year.

Some of the report's most interesting elements examine the debate inside China over whether this is a moment for the country to bide its time, focusing on internal challenges, or to directly challenge the United States and other powers in the Pacific.

But it said that "proponents of a more active and assertive Chinese role on the world stage" — a group whose members it did not name — "have suggested that China would be better served by a firm stance in the face of U.S. or other regional pressure."

Aren't these attacks pretty much an act of war? Oh well, probably a good time to gut the Pentagon's budget in favor of transferring wealth to old folks.

Anyway, let's just write off the debt to China and call it even.

[Darth Wagtaros]

Shocking.

[Malthus]

The US must mobilize its strategic reserve of nerds.

[Phillip V]

We need to increase funding and recruiting for America's cyber defense.

[CountDeMoney]

Nobody really cares.

[Brazen]

And where do you think 90% of cyberespionage against Chinese sites originates?

[The Minsky Moment]

And where do you think 90% of cyberespionage against Chinese sites originates?

Taiwan?

[The Minsky Moment]

Aren't these attacks pretty much an act of war?

Decades of cold war precendent says no.

[Brazen]

We need to increase funding and recruiting for America's cyber defense.

The problem is an unwillingness to mandate industry to maintain government-grade cyberdefence.

There's a lot of money in being an "ethical hacker" these days.

[CountDeMoney]

The problem is an unwillingness to mandate industry to maintain government-grade cyberdefence.

Yup.  That doesn't increase shareholder value.

There's a lot of money in being an "ethical hacker" these days.

Not here in the private sector. Too many suits in Legal say it's a no-no.

[Brazen]

There's a lot of money in being an "ethical hacker" these days.

Not here in the private sector. Too many suits in Legal say it's a no-no.

Nearly every successful cyber specialist has been bought up by Big Defence anyhow.

I always ensure I squeeze, "So are you working on cyber weapons too?" into all my interviews 

[Syt]

There's a lot of money in being an "ethical hacker" these days.

http://www.guardian.co.uk/technology/2013/mar/18/us-hacker-andrew-auernheimer-at-t

Andrew Auernheimer, the online activist convicted of federal crimes for obtaining email addresses of iPad users from AT&T's website, was sentenced to nearly three and a half years in prison on Monday

At a district court in Newark, New Jersey, Auernheimer, 27, was also ordered to pay over $73,000 in damages to AT&T and to serve three years supervised probation after his release.

In November, he was found guilty of one count of identify fraud and one of conspiracy to access a computer without authorisation.

Three years ago, Auernheimer, whose online name is "weev", found a security breach in AT&T's website, allowing him and his company, Goatse Security, to access thousands of email addresses of iPad users. He gave them to a Gawker journalist in what he said was an effort to expose the company's security flaws.

Gawker posted redacted material online, writing that the material "exposed the most exclusive email list on the planet", including the addresses of Michael Bloomberg, the New York mayor, and then-White House chief of staff Rahm Emanuel. An FBI investigation followed.

Auernheimer's prosecution, under the Computer Fraud and Abuse Act, was being closely watched by critics of the US government's harsh line on hackers.

His sentence on Monday comes after a massive outcry following the suicide of free information activist Aaron Swartz in January. Swartz's was facing multiple charges and a prosecution that his supporters said was excessive.

Last week, federal prosecutors charged Matthew Keys, the deputy social media editor for Reuters, with helping the hacker group Anonymous attack the website of his former employer.

Keys and Swartz were also charged under the Computer Fraud and Abuse Ac, which many have said is too broad. Critics of the prosecutions say they are being bought by over-zealous prosecutors using outdated and flawed statutes. One lawmaker has tabled an amendment to the CFAA called "Aaron's law" aimed at stopping such prosecutions.

A lawyer for the Electronic Frontier Foundation, a digital rights group, described Auernheimer's sentence as "excessive" and said they would support his appeal.

Hanni Fakhouri, a staff attorney with the EFF, said: "It's excessive to say the least. The prosecution was excessive because he did not hack into anything. He obtained information from a public information website. It would be like me going into the Guardian website and copying information and emailing it to someone else."

Fakhouri said the law was misinterpreted and said: "We hope on appeal to get the sentence thrown out.

"We don't believe authorised access was exceeded. By virtue of the fact that the information was publicly available and they were not breaking into anything, there wasn't anything to indicate he did not have authorised access."

In an interview with the Guardian in January, Auernheimer said: "When you publish something, you don't have the right to whine and moan and cry: 'He's breaking and entering. That's what AT&T and the federal government are claiming. It's a dishonest and seditious claim."

He said the idea that what he did amounted to a felony was "ludicrous".

In a pre-sentence memo, Auernheimer's lawyers said he should only receive six months probation because AT&T's security was to lax that no special skill was needed to collect ipad customer's email addresses. It also highlighted comments made by one AT&T investigator who said that he "circumvented no security".

US attorney Paul Fishman described Auenheimer's reasoning that he was trying to expose security flaws in AT&T's website as a "fiction." Fishman said in a statement: "Andrew Auernheimer knew he was breaking the law when he and his partner hacked into AT&T's servers and stole personal information from unsuspecting iPad users.

"When it became clear that he was in trouble, he concocted the fiction that he was trying to make the internet more secure, and that all he did was walk in through an unlocked door. The jury didn't buy it, and neither did the court in imposing sentence upon him today."

David Velazquex, the FBI acting special agent in charge of the investigation, said Auernheimer's "self-serving cyber attack" was carried out to promote his business. He said his conviction and sentence signified the "continued and growing efforts of the US attorney's office and the FBI in investigating and prosecuting computer hacking and intellectual property crimes."

Auernheimer's co-defendant, Daniel Spitler, 27, of San Francisco, California, previously pleaded guilty to the same charges and is awaiting sentencing.

[AnchorClanker]

Aren't these attacks pretty much an act of war?

Decades of cold war precendent says no.

Yep.  Scanning, logging, bugging and stealing are not acts of war... however, if they actually *attack* a network, that would be considered an act of war.  So long as they are just fooling around, it's just considered espionage as opposed to a deliberate attack.

[AnchorClanker]

The US must mobilize its strategic reserve of nerds.

They're trying - see CYBERCOM.  Problem - most people with those skills aren't interested in being subject to the UCMJ.  News at 11.

[garbon]

There's a lot of money in being an "ethical hacker" these days.

http://www.guardian.co.uk/technology/2013/mar/18/us-hacker-andrew-auernheimer-at-t

Don't fuck with powerful people.