“Yes, the Chinese Army is spying on you,” read Bloomberg Businessweek’s February 18 cover. Nowadays, it seems everyone is being hacked left, right and center, from the New York Times and the Wall Street Journal to Twitter and Evernote. And in every case, often before there’s even any substantial evidence, there’s a whisper in the air – China! The highly sophisticated multi-year hacking campaign uncovered by Kaspersky Lab was dubbed “Red October” (tongue-in-cheek coming from a company founded by a former KGB member?), and is thought by a number of analysts to have originated in China. But Mandiant, with a flair for publicity, pulled no punches in their February 19 report linking the infamous “APT1” to Chinese PLA “Unit 61398.”

It seems that China aka “Red October” aka “APT1” aka “the Borg” are hell-bent on an aggressive attack on all levels of our government and economy. It’s only a matter of time before they gain control over all our critical infrastructure systems. Once they’ve gained control over all our nuclear power plants we’ll die a horrible death as they cause massive concurrent nuclear meltdowns quicker than you can say “Why did I open this PDF attachm-AAAAGGGHH I’m melting!!!” Then those PLA hackers will ogle at pictures of your now departed loved ones stolen from your hard drive, salute a portrait of Mao Zedong, take a shot of Moutai, and dig in to their bowl of cadmium-tainted rice. Is this how it all ends?!

Phew, take a breath. Have a look at this video of a cat. Better? Good.

The prevalence of hacking shouldn’t be understated. New zero-day exploits in Java or Adobe Acrobat are being discovered with such regularity at the moment one could almost turn it into a depressing drinking game. To a certain extent Obama’s new executive order on cyber security should be encouraged, because there does need to be wider awareness of just how woeful most information security systems are. Even former Cold War Warrior, Zbigniew Brzezinski, has come out urging for a new binding international treaty dictating the rules of engagement in a cyber war.

However, the issue in question is the scale of attacks being carried out by the Chinese People’s Liberation Army. Are there cyber attacks originating in China? Certainly. Are there attacks being carried out by the PLA? Definitely. Are all attacks originating in China being carried out by the PLA and part of a centrally-directed wide-ranging multi-year attack spanning government, multiple private sector industries, media organizations, personal emails and everything in between? Highly unlikely.

There is a real risk of taking a large number of unrelated attacks that either originated or passed through China in some form and seeing a link that doesn’t in fact exist between them at all. And in doing so, creating an inflated or entirely non-existent threat. Is there a large-scale highly organized multi-year campaign attacking all aspects of American government and business or are there a series of non-related attacks with different objectives that taken as a whole look like an attack of unprecedented scale?

For one, the PLA is not the only government organization capable of launching offensive cyber attacks. The other likely source of state-directed attacks is the Ministry of State Security (MSS), China’s largest foreign intelligence agency, but one that is heavily involved in domestic intelligence as well. There is also the Ministry of Industry and Information Technology, responsible for the Great Firewall, which is another potential originator of attacks. The Ministry of Public Security, the agency responsible for all the police forces in China, also has significant cyber capabilities. And the PLA’s own cyber capabilities are themselves spread across a range of geographic locations under different leadership with different directives. This fragmented nature is documented by the many different groups attributed to attacks such as Aurora, Nitro, Sykipot, NightDragon, FlowerLady, etc.

It’s important to remember that the differing arms of the Chinese government are hardly a cohesive unit, let alone those within the same branch. Imagine for a second the idyllic flat structure of Valve, with no bosses and no one to tell you what to do. Beautiful, isn’t it? Now imagine the polar opposite: a mind-numbing ancient Soviet-style bureaucracy with endemic corruption at all levels, rampant factionalism, and where the ability to get things done rests largely on one’s personal connections. This is a country where the former Minister for Railways was running his agency as effectively a personal fiefdom, embezzling billions of renminbi and famously keeping 18 different mistresses.

China’s government is highly fragmented and factional, with ministries regularly competing for dominance over different sectors. Even when the government harshly imposes its will, as it did when it ordered the state banks to sharply limit the rate of lending after the 2009-2010 stimulus package, it can be foiled, as the banks did by continuing to lend through off-balance-sheet financial products such as wealth management products (WMPs).

A good parallel for understanding the bureaucratic milieu behind state-sponsored hacking is the multitude of actors responsible for Chinese actions in the South China Sea. International Crisis Group released a report about the “nine dragons stirring up the sea.” Their report documents how agencies jockeying with each other for greater funding, and local governments pushing their economic interests, have been instrumental in ramping up tensions in the South China Sea. When one thinks about the wealth of interest groups across government departments and state-owned enterprises, would it be surprising if hacking were equally fragmented and driven by self-interested independent actors operating under the rubric of the state?

Let us not forget the possibility of non-state actors in China as well. China has a huge black PR industry; is it possible it also has a significant corporate espionage industry? China has a large number of compromised servers that can be used by other actors, and huge numbers of computers there run pirated copies of operating systems and other software, leaving them exposed to unpatched vulnerabilities. Other actors could also set up operations in China. For example, South Korea recently suffered a large-scale attack with strong links to China that it believes to be the work of North Koreans operating there.

I’m not necessarily disputing all of Mandiant’s findings, but I am warning against treating all attacks with links to China as part of a carefully planned campaign. China is not a monolith, and they are not “The Borg” either. Generalizations like “APT1” play into a familiar binary narrative of us versus them, and it is very easy to attribute unrelated attacks to an ambiguous term like “APT1” (we don’t want to be declaring war on a vague term like “terror” or “drugs” again).

This should make us consider the incentives for big information security firms to play up the “China threat.” There is a significant monetary incentive for big information security firms to characterize these attacks as centrally directed and emanating from a nation-state: attacks from a nation-state provoke a national response, a national response likely means new laws and requirements for companies to maintain certain levels of security protection, and that means more money for information security firms.

Bloomberg notes that filings from lobby groups on cybersecurity increased by 85 percent in 2012, and that companies “want to be protected from privacy lawsuits if they share information on customers, and from negligence suits for failing to act on warnings.” Generalizations about a Chinese monolithic “Borg” hacking everything in our economy could ultimately have serious implications for our privacy rights as companies seek amnesty from sharing user data.

Maybe as you consider whether the “Chinese Army is spying on you,” you should also consider whether we are witnessing the birth of the information security industrial complex and another nail in the coffin of user privacy.

[Image courtesy Leo Reynolds]