China has issued a new call for international “rules and cooperation” on Internet espionage issues, while insisting that accusations of Chinese government involvement in recent hacking attacks were part of an international smear campaign.

The remarks, by Foreign Minister Yang Jiechi, were China’s highest-level response yet to intensifying reports that the Chinese military may be engaging in cyberespionage.

“Anyone who tries to fabricate or piece together a sensational story to serve a political motive will not be able to blacken the name of others nor whitewash themselves,” he said.

Speaking to the news media on the sidelines of the annual session of the National People’s Congress on Saturday, Mr. Yang said that the reports were “built on shaky ground” and that cyberspace should not be turned into a battlefield.

For the full article, see here.

The post In wake of cyberattacks, China seeks new rules appeared first on The Citizen Lab.

Citizen Lab’s Greg Wiseman and University of New Mexico’s Jeffrey Knockel presented findings from this TOM-Skype project on 8 March 2013 at Boston University’s Freedom in Online Communications Day (BFOC).

See more about the “Chat Program Censorship and Surveillance in China: Tracking TOM-Skype and Sina UC” presentation in Boston here.

The post TOM-Skype surveillance research in Bloomberg Business Week appeared first on The Citizen Lab.

Last week, after the Washington Post reported that numerous Washington institutions in and outside government have experienced hacking attributed to China, the Post’s excellent political writer Ezra Klein had this unfortunate foray into commentary on Chinese elite politics:

The Chinese look at Washington, and they think there must be some document somewhere, some flowchart saved on a computer in the basement of some think-tank, that lays it all out. Because in China, there would be. In China, someone would be in charge. There would be a plan somewhere. It would probably last for many years. It would be at least partially followed. But that’s not how it works in Washington.

Coming at these events from a Washington perspective has led to some conceptual and factual assumptions that are emblematic of wider misperceptions of the US relationship with China.

Problem number one: who exactly are “the Chinese” in this paragraph? The charitable interpretation of this usage is that “the Chinese” here means “the Chinese government”, but I doubt a sophisticated commentator such as Klein would so comfortably refer simply to what “the Americans” think.

The less charitable interpretation is that Klein is using an old-fashioned, essentialising term as a crutch for lack of more detailed knowledge of the splits, divides and diversities of the fifth of the human population living in the People’s Republic of China. “The Chinese” appears as a collective noun in this short piece seven times. (A similar “silly Chinese!” piece in Foreign Policy resorts to this usage five times.)

For the full article, see here.

The post Chinese cyberwar and the US ‘myth of scheming’ appeared first on The Citizen Lab.

BFOC 2013 will be held at Boston University on Friday, March 8, 2013 from 9:00 AM to 5:00 PM. The main purpose of BFOC is to encourage collaboration between local researchers and practitioners in technology, law, and policy that are working in this area.

Gill will give a talk titled, “Characterizing Web Censorship Worldwide”. Wiseman will present with Jeffrey Knockel from University of New Mexico on “Chat Program Censorship and Surveillance in China: Tracking TOM-Skype and Sina UC”.

For more information on the event, see here.

The post Citizen Lab at the Boston Freedom in Online Communications Day (BFOC) appeared first on The Citizen Lab.

“There’s no cyberwar without a real war,” argues cryptographer Bruce Schneier. Yet some sort of cyberconflict with China is afoot. After the U.S. Air Force asked, I considered what a cyberwar, with some real shooting, might look like between the United States and China. In it, I thought cyber-arms would blind, cripple and confuse, but missiles, bombs and torpedoes would do the killing. That will likely change.

News of cyber-attack is omnipresent. But in answering the question of what makes a cyber-attack an act of war, remember that in computer science such attacks are no more than attempts to subvert the function of a system. Compromising a system to steal data, rob property or blow up an oil refinery are all attacks, but only the last of them would likely be considered an act of war or terrorism. We have a lexical problem.

As for rules of engagement, that’s for lawyers interpreting the laws of armed conflict to consider. I see no clear universal redlines. As long as they work, countries and plenty of others will launch cyber-attacks that blur the differentiation between power of persuasion and hard coercive force in combinations of diplomacy, trade, covert action and military intervention. A friend suggested a term for placement of cyber-action across the spectrum of international affairs: shoft (mostly soft, but with some hard elements). Most soft U.S. cyberpower is in Silicon Valley. But there is a growing area of cyber-action with physical ramifications in other places — see Stuxnet and Shamoon.

For the full article, see here.

The post Hacking isn’t cyberwar, for now appeared first on The Citizen Lab.

Two decades after computer security began generating billions by selling expertise and software designed to protect unwanted network intrusions, experts say those networks are more vulnerable than ever. Florida-based Internet security firm Cymru said in a report released today, shared exclusively with The Verge, that analysts there uncovered a massive overseas hacking operation that is making off with a terabyte of data per day. Some of the victims include military and academic facilities and a large search engine. The report doesn’t identify who might be behind the attacks, but Cymru director Steve Santorelli conceded that, given the amount of resources behind the attacks, it is obvious the group is state-sponsored. “This is Internet theft on an industrial level,” said Santorelli, a former detective with Scotland Yard.

The United States is under siege. Cymru’s report follows on the heels of similarly damning research issued last week by security firm Mandiant, a document that could be read as an indictment of the entire cyber-security sector. Mandiant detailed how a group of cyber commandos employed by China has electronically raided the computer networks of hundreds of American companies over several years to pilfer precious trade secrets. In a story about the Mandiant findings, The New York Times reported that Washington now believes China also has the ability to use the internet to sabotage water supplies, shut down power stations and hobble our financial system.

For the full article, see here.

The post State-sponsored hackers steal more than a terabyte of data per day, says new report appeared first on The Citizen Lab.

The political leader of exiled Tibetans is calling on Canada’s ambassador for religious freedom to investigate religious repression and suicide in his homeland, squeezing the week-old post into a tricky diplomatic position.

Lobsang Sangay, the head of the Central Tibetan Administration (also known as the Tibetan Government in Exile), made his plea while visiting Ottawa this week to seek support for Tibetan autonomy. He argued that growing business connections between Canada and China should not silence Canada’s concern for human rights in Tibet.

His challenge could prove an acid test for the Conservative government’s new Office of Religious Freedom: Any attempt to send such an envoy to China would be bound to cause offence.

Mr. Sangay’s visit comes amid a series of self-immolations in Tibet, where 106 people have set themselves on fire in the past three years to protest Chinese rule, the latest on Monday.

Mr. Sangay wants the Harper government to send its newly created ambassador for religious freedom, Andrew Bennett, to investigate.

“I would really like to see, and request, that the ambassador of religious freedom visit Tibet. Because religious freedom is very much at the core of self-immolation – as well as other issues – in Tibet,” Mr. Sangay said. “And now, the office is established, there’s an ambassador. If he could go to Tibet and investigate the situation, that would be a welcome gesture.”

For the full article, see

The post Call to help Tibetans puts pressure on Canada’s new religion envoy appeared first on The Citizen Lab.

Read the article, “China cybervictim claims a red herring: analysts”.

The post Senior Researcher Sarah McKune quoted in AFP piece appeared first on The Citizen Lab.

The release of the Mandiant report on “Advanced Persistent Threat 1″ (APT1) marked a watershed in US-China relations on cybersecurity. We are glad the security company released the report: it is good that we are now discussing specific allegations backed with specific items of evidence instead of vague accusations about “Chinese hackers” and pro forma denials by the Chinese government.

The evidence convinces me that the cyber-espionage documented by the Mandiant report came from the physical location of Pudong, Shanghai, and that the IP address blocks allocated to China Unicom and China Telecom are indeed the source of many of the break-ins documented. It is also pretty clear that there is an organized unit operating there, and it is unlikely it could operate without at least the tacit approval of the Chinese government. I am not yet convinced of the specific attribution to PLA unit 61398. I reserve judgment because China, like the US, has a military-industrial complex and people move across its boundaries in ways that are not so simple.

Indeed, Mandiant’s principals ought to know all about that. Kevin Mandia, the founder and CEO, served as a computer security officer in the 7th Communications Group at the Pentagon, and later as a Special Agent in the Air Force Office of Special Investigations (AFOSI). Richard Bejtlich, the Chief Security Officer of Mandiant, began his career as a military intelligence officer at Air Force CERT, then went on to work at the Air Force Information Warfare Center and Air Intelligence Agency before going private. Travis Reese, the Chief Operating Officer of Mandiant, worked at ManTech International Corporation where he “built one of the fastest growing and highly-regarded business units in the classified government contractor sector.” Mandiant’s offices are in the Washington, DC area. So Mandiant is as close to the US military as UglyGorilla and his colleagues probably are to the Chinese military. While nominally private sector actors, we do not know for sure the extent to which they are agents of some US government actors (“agents” in the sense of principal-agent theory or contractors, not in the sense of James Bond-style “secret agent”).

For the full article, see here.

The post China, the US and cybersecurity: Is Mandiant promoting a Cold War mentality? appeared first on The Citizen Lab.

Mandiant’s APT1 report is the latest infosec company document to accuse the Chinese government of running cyber espionage operations. In fact, according to Mandiant, if a company experiences an APT attack, then it is a victim of the Chinese government because in Mandiant-speak, APT equals China.

“We tend to perceive what we expect to perceive”
- Richard J. Heuer, “The Psychology of Intelligence Analysis

The fact that Mandiant refuses to acknowledge that other nation states engage in cyber espionage when the facts show otherwise demonstrates what Heuer calls an “expectation bias”, but it’s much worse than that.

Mandiant’s alleged proof is summarized in Table 12 (pp. 59-60): “Matching characteristics between APT1 and Unit 61398″. Mandiant’s entire premise that APT1 is PLA Unit 61398 rests on the connections made in that table and that no other conclusion is possible:

“Combining our direct observations with carefully researched and correlated findings; we believe the facts dictate only two possibilities: Either a secret, resourced organization full of mainland Chinese speakers with direct access to Shanghai-based telecommunications infrastructure is engaged in a multi-year, enterprise scale computer espionage campaign right outside of Unit 61398’s gates, performing tasks similar to Unit 61398’s known mission or APT1 is Unit 61398.” (APT1, p. 60)

For the full article, see here.

The post Mandiant APT1 report has critical analytic flaws appeared first on The Citizen Lab.