One of the most touted takeaways from Chinese President Xi Jinping’s (習近平) visit to the US last month was an agreement by the two leaders on the contentious issue of cyberattacks — and especially cyberespionage — against US targets. Particular attention has been given to a commitment Xi and US President Barack Obama made to avoid engaging in or knowingly supporting acts of cybertheft for economic gain.
However, while the commitment signals bilateral goodwill, there are a number of reasons to doubt its effectiveness in curbing commercial espionage and the broader problem of intrusive, destructive cyberattacks against a range of US targets by entities tied to the Chinese government:
Absence of clear standards or verification mechanisms: Security experts analyzing the agreement noted its vague wording and lack of definitions for what constitutes acceptable or unacceptable activity, meaning further negotiation would be required to render the agreement effective.
Similarly, no objective metrics were identified for determining whether one side or the other has followed through on its commitments. These challenges, along with the near impossibility of tracing who is responsible for most cyberattacks, are likely to make enforcement difficult.
Omission of politically motivated attacks: More problematic from the perspective of privacy and freedom of expression was the cybertheft agreement’s focus on the economic realm. By framing the pact in this way, Obama and Xi ignored the increasingly aggressive, sophisticated and widespread cyberattacks apparently committed by Chinese state actors against US media companies, human rights groups, individual activists and government bodies.
Thus, even if an agreement like this one had been in place for the past five years, it arguably would not have prevented attacks on Google in 2010 (which hacked rights defenders’ accounts, among other targets), media outlets like the New York Times in 2012 (seeking information on the sources for the paper’s investigation of former Chinese premier Wen Jiabao’s (溫家寶) family wealth), or a massive denial-of-service attack against the code-sharing platform GitHub in March of this year. Nor would it have helped stem routine phishing attacks that target overseas Chinese, Tibetan and Uighur activists and, increasingly, US government personnel.
Failure to address vulnerabilities created by China’s Great Firewall: More indirectly, any agreement that depoliticizes the Chinese government’s Internet policies is overlooking the general security problems created by the Great Firewall (GFW) — Beijing’s system for monitoring and filtering Internet communications between China and the outside world.
Over the past month, this issue was highlighted by two incidents in which malware infected applications on Apple’s mobile operating system. On Sept. 17, some of China’s most popular apps — including Tencent’s WeChat and NetEase — were found to be carrying malware, affecting hundreds of millions of smartphones and marking the largest such incident to date in Apple’s history.
The apps were susceptible to intrusions because they used an alternative to Apple’s standard Xcode.
Analyzing why app developers might have used a less secure alternative, Oiwan Lam (林藹雲) of Global Voices (全球之聲) said that due to the slow international Internet connections in China (a direct result of the GFW’s real-time filtering), downloading Xcode takes a very long time.
Some programmers have consequently turned to alternatives that are more accessible from within the firewall, but also more vulnerable to malware.
In the second incident, a malicious program targeting Apple devices was reported on Oct. 4 by researchers at Palo Alto Networks. This time, a Chinese marketing company took advantage of Internet users’ desire to circumvent censorship to convince them to download an infected application. The malware essentially allowed the marketers to take control of users’ phones and execute certain actions, such as opening their Safari Web browser to a page showing clients’ products or advertisements.
Both of the above incidents were resolved quickly without long-term harm to consumers, but future attacks that exploit the same incentives might not prove as innocuous.
Moreover, security analysts have found that the attack in March this year on GitHub was carried out with a tool they labeled the “Great Cannon.”
This weapon, which is colocated with the GFW, worked by redirecting large volumes of bystander traffic — mostly from Taiwan and Hong Kong — that was headed for search engine Baidu’s China servers and using it to swamp and paralyze the US-based code-sharing Web site.
Ultimately, actions speak louder than words. Over the next six months, security experts are to closely track and investigate reports of cyberintrusions from China against US companies and other targets, hopefully providing evidence on whether the pace of attacks has slowed, if not ceased.
Meanwhile, the Obama administration has two avenues — a bilateral dialogue and an ongoing response system — through which to press the Chinese government for answers and prosecutions of those found responsible for violations. The US would also continue to consider imposing sanctions on Chinese companies found to have benefited from cyberespionage.
The threat of sanctions appears to have had at least a short-term impact: On Monday, the Washington Post reported that Chinese officials had for the first time arrested hackers identified by US officials.
A White House fact sheet states that these new communication channels could address “malicious cyberactivities” generally. This leaves space for US officials to expand the scope of inquiries beyond commercial espionage. US and Chinese Internet users, civil society and media outlets would be well-served if politically driven attacks were covered, beginning with the first bilateral dialogue expected before the end of this year.
In the meantime, though, security experts who have analyzed the Obama-Xi agreement appear to agree that they will not be out of work anytime soon.
On Sept. 29, security firm KnowBe4 offered a stark warning to those seeking protection from detrimental cyberintrusions originating in China: “You are still mostly on your own.”
Sarah Cook is a Senior Research Analyst for East Asia at Freedom House and director of its China Media Bulletin.