Yes, it’s true. Those Chinese death-nerds are everywhere. They’re in your bank account. They’re in the Pentagon. They’re sending naked pictures of themselves to your daughter. And they’re completely invulnerable to all known countermeasures!
Or at least that’s the terrifying conclusion one might draw if one was to read a long article from the Washington Times with the chilling headline, “China blocks US from cyber warfare.” Now, the Washington Times and this journalist in particular have–how shall I put it?–a distinct point of view on China, and it’s perhaps just a tad darker than my own. But I find this story interesting less on its own (thin) merits and more because it represents the latest installment in what seems to be something of a fad in hair-raising stories on the Chinese cyber-security threat. My heavens, are we having a meme?
You may recall that this idea began rolling in its most recent incarnation with a report about Ghost Net, in which the link to the Chinese government was unclear but widely assumed. It gathered steam with a rather vague Wall Street Journal article about Chinese “spies” hacking into the US electricity grid. With this Washington Times article, which has been picked up by AFP and thus relayed to Yahoo and other portals, it’s reached something of a loony crescendo. You’d think bureaucracies in Washington were competing over turf and budgets and thus doing their best to dial up the general anxiety level in order to exert political leverage. Because, you know, what with the economy, two wars, the Taliban destabilizing Pakistan and Swine A/H1N1 flu we so desperately need one more thing to be afraid of.
The Washington Times article really is in a class all by itself, though. It focuses on the devastating implications of a “hardened” Chinese operating system that, to read this article, makes Chinese government computers essentially hack-proof. It is based largely on the testimony (PDF) of Mr. Kevin Coleman, one of nine witnesses speaking before the US-China Economic and Security Review Commission on April 30th. (The USCC makes periodic recommendations to congress on the national security implications of trade with China.) There is no one part of the article can single out for an excerpt, so I’ll instead give you a rundown of the highlights. The article features:
- An IT security consultant (Mr. Coleman) who “advises the government on cybersecurity” telling us that the Chinese are outplaying us badly. Because what do you expect him to say? “It’s all good. I’m done here.”
- Terrifying absolutes, such as this quote on the effect of China “hardening” it’s servers with this new operating system:
“This action also made our offensive cybercapabilities ineffective against them, given the cyberweapons were designed to be used against Linux, UNIX and Windows,” he said.
- The suggestion that the revelation of this operating system is somehow an intelligence coup, on par with the cracking of Enigma:
The secure operating system was disclosed as computer hackers in China – some of them sponsored by the communist government and military – are engaged in aggressive attacks against the United States, said officials and experts who disclosed new details of what was described as a growing war in cyberspace.
- Further vague but terrifying details designed to emphasize our inferiority:
Additionally, Mr. Coleman said, the Chinese have developed a secure microprocessor that, unlike U.S.-made chips, is known to be hardened against external access by a hacker or automated malicious software. “If you add a hardened microchip and a hardened operating system, that makes a really good solid platform for defending infrastructure [from external attack],” Mr. Coleman said.
- Hopeless over-generalizations of dubious technical soundness:
U.S. operating system software, including Microsoft, used open-source and offshore code that makes it less secure and vulnerable to software “trap doors” that could allow access in wartime, he explained.
- Quotable quotes:
“What’s so interesting from a strategic standpoint is that in the cyberarena, China is playing chess while we’re playing checkers,” he said.
- The devastating revelation that the Chinese government is hiring hackers!
A third computer specialist, Alan Paller, told the Senate Committee on Homeland Security and Governmental Affairs on April 29 that China’s military in 2005 recruited Tan Dailin, a graduate student at Sichuan University, after he showed off his hacker skills at an annual contest.
Mr. Paller, a computer security specialist with the SANS Institute, said the Chinese military put the hacker through a 30-day, 16-hour-a-day workshop “where he learned to develop really high-end attacks and honed his skills.”
- Meaningless statistics:
Mr. Coleman said one indication of the problem was identified by Solutionary, a computer security company that in March detected 128 “acts of cyberagression” per minute tied to Internet addresses in China.
“These acts should serve as a warning that clearly indicates just how far along China’s cyberintelligence collection capabilities are,” Mr. Coleman said.
- Just plain goofyness:
Mr. [Joel] Brenner [national counterintelligence executive] said there are minimal concerns about a Chinese cyberattack to shut down U.S. banking networks because “they have too much money invested here.”
Well, thank god for that!
It’s hard to know where to start with this article, but perhaps I should begin by saying, of course the Chinese government is conducting cyber-espionage against the US. They’d be stupid not to. And of course they are concerned with securing their own critical systems against the United States’ equally inevitable cyber-espionage. Again, they’d be stupid not to. And certainly the US government needs to take information security seriously. And so do businesses. And so does your grandmother. Especially if she’s using Windows. All granted.
And it’s nice that various American government bureaucracies are having a pissing match about who should oversee American cyber-security at a government level (the end of the article hints at that a bit). I hope somebody wins someday. But, really, do we need to frame all of this in such Michael Bay terms? Let’s take a closer look at this super-secure operating system, “Kylin”. It’s hardly a secret, having been in the press since at least 2004. You can even download the ISO files, which suggests security somewhat shy of, say, the Manhattan Project. I’m thinking Langley may have a copy. A fairly sketchy DIY site promisingly called “Cheapest-computer-hardware-software.com” has the skinny (all Chinglish is sic):
The Kylin operating system focuses on high performance, reliability and security. The development program was first funded by the Chinese government sponsored R&D program during 2002. The operating system developed in a hierarchical model, in which, the kernel layer is based on Mach, the system service layer is based on FreeBSD and the desktop environment is similar to that of Windows. The operating system standards are similar to UNIX standards, and are highly compatible with Linux binaries.
The operating system was on development at the National University of Defense Technology. The operating system was designated as the document processing operating system. It can now turn China into super power in IT product development. The powerfulness, stronger security of the operating system may make Chinese people to replace the foreign operating systems. In China, Kylin was listed among the best 10 scientific and Technological Progresses News of Higher Learning Institutes during 2005.
The dominance of IT product by the foreigners in China will get reduced, once this operating system made popular among Chinese population. The security of data will be stronger, because, it is being developed by the Chinese government and people themselves.
So, the indestructible Chinese operating system is FreeBSD + Mach. Yes, that’s right, the operating system that frees them from foreign innovation and with which China will conquer the world is a less slick version of Mac OS X. Well, I hate to break that to the scare-mongers Washington, but we have that technology also. As for the secure microprocessor, I hope he’s not talking about Godson, the domestic chip project that languishes in the same commercial phantom zone as the domestic video disk project (EVD) and the domestic WiFi standard project (WAPI).
Why would I trust some half-assed and likely Chinese no-name site over the best and brightest of Washington DC? Well, for one reason, the language in the extract above rings absolutely true. Second, let’s just say I’m getting agenda sensitivity on this issue. Sure, it’s possible this is all part of some huge Chinese disinformation campaign and I’m just another useful idiot, talking down the crowbar that the Chinese state will someday use to pry open the secret folder where I keep the naughty photos of Mrs. Imagethief. Maybe there are two Kylins, and I’ve got the wrong one. Maybe Kylin + Godson is the shit, and I should trade in my MacBook Pro.
Or, just conceivably, people with their noses in the Washington trough are blowing smoke up my ass. Let’s face it, it wouldn’t be the first time.