China Internet ‘Hijacking': Your Questions Answered
Rodney Joffe is senior vice president and senior technologist at Neustar, Inc., a global technology and communications company.
Larry Wortzel is a member of the U.S.-China commission that investigated the incident.
Q1: Why is it so important for the U.S. to worry that the hijacking of the Internet was done when the Chinese can go to a Third World country — or even the United States — and have servers route the information through another country and save the information gathered and delivered via courier to the Chinese government?
RODNEY JOFFE: The Chinese government going to a Third World country or setting up in the U.S. does not achieve the objective that a route hijack does. In any of those cases you still need to hijack the routes in order to see the traffic. Assuming China enlisted the official help of Country A, they might be able to see the traffic destined for users in Country A from, let’s say, Country B. But they would not see any traffic going from Country B to Country C, or any other country. In the April 8 incident, they were able to see traffic that went from Country B to every other country. And Country C. And D. and so on. And vice versa.
LARRY WORTZEL: The possibility that the Chinese government could gain access to sensitive U.S. communications information from anywhere in the world is a matter of concern. This includes the aforementioned scenarios, particularly in light of recent substantial investments by major Chinese telecommunications firms in developing nations. However, as the United States looks to improve telecommunications security, decision makers must approach the problem from a broad, risk-management standpoint. This means that the U.S. government, together with industry and other stakeholders, must first mitigate the most serious and likely threats to communications fidelity, including problems such as the April 8 incident.
Q2: Why not just cut off the Chinese telecommunication company from being able to use the Internet?
RODNEY JOFFE: The flow of data around the Internet is based on peering agreements. The Chinese telecommunications company peers with hundreds of other networks, in many other countries. In order to effectively disconnect them from the Internet, you would have to get every one of their peers to disconnect them as well, and this is almost impossible given the fact that 1) many of those peers are state-owned companies in other countries who may have different political policies towards China that would preclude this, 2) governments (the U.S. for example) would find it very difficult to force major carriers to disconnect China because those carriers have operations in many countries, and of course the U.S. has no jurisdiction over them, and 3) traffic flows both ways, and so non-China networks have large numbers of users who seek to communicate with their customers, friends, vendors etc. located inside China, and who would be up in arms if they were no longer able to communicate.
LARRY WORTZEL: There is no single, central authority that can resolve to exclude China Telecom (or other firms) from participation in the Internet. Although there are some precedents for off-lining Internet service providers tied to questionable computer activities, such instances are rare and applied to only the most flagrantly malicious entities. It is unclear that China Telecom’s actions meet that threshold. Additionally, exclusions may be spearheaded by a host nation, and accompanied by legal proceedings. This case study highlights the limitations of the current Internet governance regime.
Q3: Is the traffic from .mil and .gov sites encrypted so that even if the packets are intercepted by another country they would be unreadable? Couldn’t traffic from .mil and .gov sites be routed through “friendly” routers or at least a private pipeline even if it took a little longer to reach their destinations?
RODNEY JOFFE: Certainly much of the traffic from those networks is encrypted. However, no encryption is uncrackable. We know this from experience. It is just a matter of time and money. As far as routing is concerned, the very nature of the Internet allows for dynamic routing of traffic. There is no easy, practical and scalable way to control what routes traffic takes on the Internet.
LARRY WORTZEL: Traffic to and from .mil and .gov websites is not necessarily encrypted. Even encrypted traffic, however, is potentially vulnerable during a data hijacking due to the distributed nature of Internet encryption certificate authorities (for more on this, see page 244 of the 2010 U.S.-China Economic and Security Commission Annual Report).
Some traffic could potentially be directed through “friendly” routers. However, this premise raises numerous operational questions about, for example, authentication and permissions. A more pragmatic approach would probably be to invest in follow-on routing technologies that facilitate the verification of routes.
Finally, any substantial change to the status quo in the Internet architecture could require architectural adjustments that might come at considerable expense. The potential advantages of such changes must be weighed against potential network security investments elsewhere.
Q4: Are our laptops and desktops made in China bugged? And what can a person do to protect his or her computer in the future?
RODNEY JOFFE: The possibility does exist, but is unlikely in general. There is far more likelihood that computers, no matter where they are manufactured, are compromised as a result of Internet-borne malware (malicious software) such as viruses and trojans. Practicing safe Internet hygiene, including the use of antivirus software, retaining strong defensive settings on firewalls, and avoiding dangerous websites or opening untrusted attachments is the best bet in the current world. Sadly, the only safe computer is one that is turned off.
LARRY WORTZEL: China’s role as a leading computer and information system manufacturer raises serious questions about U.S. supply chain security. The lack of reliable methods to evaluate these systems for malicious access vectors (including “bugs”) only compounds this problem.
Over the short term, the United States should aim to secure vulnerabilities in key Internet functions in order to curtail wholesale abuse of the Internet (such as that which occurred during the April 8 incident) and other telecommunications infrastructure. Simultaneously, the United States should explore options for supply chain security regimes, particularly for those systems destined for sensitive applications.
Individual users must evaluate their own status. The average American citizen is of no economic, business or intelligence interest to the Chinese government, its industry, or its intelligence services. On the other hand, someone involved in trade negotiations with a Chinese state-owned firm may be at higher risk, particularly if that person is communicating with or traveling to China.
Q5: Occam’s Razor would strongly suggest that the most likely root cause of this incident would be a misconfigured router at IDC China Telecommunications. Such a misconfiguration would be easy enough to create, by any junior network engineer with the necessary login credentials. Why sensationalize this into a major security breach coordinated by the Chinese government? On what evidence? What is the benefit of making it into a diplomatic incident?
RODNEY JOFFE: As it turns out, Occam’s Razor would not seem to apply here. Despite what many so-called experts are claiming, we have not been able to create a “fat-finger” event that would result in the randomness of the routes that were propagated. None of our routing experts has been able to develop a plausible set of keystrokes or settings in the operating systems of the routers used by the Chinese operator that would have had this kind of outcome. That does not mean that there wasn’t a hardware or software bug that might have contributed to this, but it appears unlikely. We’d be happy to receive the technical explanation from the operator, and reevaluate (and perhaps all learn). The effects of this were significant and could have been catastrophic, and as network operators, we’d like to make sure that if it was inadvertent, we don’t repeat this ourselves.
LARRY WORTZEL: The April 8 incident could have resulted from a simple router misconfiguration. But it also could have resulted from a deliberate operation planned and conducted by a Chinese military or intelligence organization. We simply do not know.
The U.S.-China Economic and Security Review Commission does not speculate on the cause. The report simply explains that such an incident could enable severe malicious activities. In the broadcast, I provided potential examples of these malicious activities for illustrative purposes, with appropriate caveats.
It is also important to keep in mind that the governments of the United States, Canada, England, Japan, South Korea, Germany and Australia all complained of Internet penetrations or the extraction of data and attributed such internet interference to China. I don’t think we should be simplistic; we have to do the forensics, but given historical precedent, we must take precautions.
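One way a network operator can separate a plausible "fat-finger" leak from announcements that should never have been accepted, as an added example that is not part of the original article: compare each observed BGP announcement against an expected-origin table (the model used by RPKI route origin validation) and report prefixes whose origin AS or prefix length does not match what the legitimate holder authorized. All prefixes, AS numbers and announcements below are constructed for illustration and are not from the April 8 incident.

```python
import ipaddress
from collections import defaultdict

# Constructed expected-origin table, in the shape of RPKI ROAs:
# prefix -> (authorized origin AS, maximum accepted prefix length).
# Hypothetical values, not taken from the article.
EXPECTED_ORIGINS = {
    "198.51.100.0/24": (64500, 24),
    "203.0.113.0/24": (64501, 24),
    "192.0.2.0/23": (64502, 24),
}

# Constructed BGP announcements as (prefix, AS_PATH); the last ASN is the origin.
SAMPLE_ANNOUNCEMENTS = [
    ("198.51.100.0/24", [64510, 64500]),        # correct origin: valid
    ("203.0.113.0/24", [64510, 64520, 65001]),  # foreign origin: invalid
    ("192.0.2.0/24", [64510, 64502]),           # more specific but within max length
    ("192.0.2.128/25", [64510, 64502]),         # too specific: invalid
    ("10.9.0.0/16", [64510, 65001]),            # nothing authorizes it: unknown
]

def classify(prefix, as_path):
    """Return 'valid', 'invalid' or 'unknown' for one announcement."""
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    covered = False
    for roa_prefix, (roa_origin, max_len) in EXPECTED_ORIGINS.items():
        roa_net = ipaddress.ip_network(roa_prefix)
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True  # some authorization covers this address space
        if origin == roa_origin and net.prefixlen <= max_len:
            return "valid"
    # Covered by an authorization but matching none of them is the hijack signal;
    # address space with no authorization at all cannot be judged either way.
    return "invalid" if covered else "unknown"

def find_suspicious(announcements):
    """List (prefix, origin AS, verdict) for every announcement that is not valid."""
    out = []
    for prefix, as_path in announcements:
        verdict = classify(prefix, as_path)
        if verdict != "valid":
            out.append((prefix, as_path[-1], verdict))
    return out

def invalid_by_origin(announcements):
    """Group invalid announcements by origin AS; one AS originating many
    prefixes it is not authorized for is the pattern of a large-scale hijack."""
    grouped = defaultdict(list)
    for prefix, origin, verdict in find_suspicious(announcements):
        if verdict == "invalid":
            grouped[origin].append(prefix)
    return dict(grouped)
```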
Q6: Any sensitive traffic is — or should be — strongly encrypted. That certainly includes consumer banking transactions and email, as well as confidential and secret U.S. government communications. And highly classified U.S. government communications are not sent on the public Internet. So why do you suggest that the Chinese government could benefit from an eavesdropping attack on a sample of traffic taken over an apparently random period of time?
RODNEY JOFFE: The reliability and ubiquity of the public Internet has resulted in many applications that should never have been transitioned to the Internet now using it. This includes the use of the public Internet as an underlying transport for VPNs, or virtual private networks, by government departments and critical infrastructure organizations. Indeed, the only way that nomadic or mobile users from governments and enterprises can often reach their corporate/government networks whilst on the road is via a “secure” encrypted connection over the public Internet. This results in communications being susceptible to interception. However, in order to intercept, an eavesdropper must be in the path of the communication, which is usually very difficult to do. But by hijacking a route, and forcing traffic to flow through routers controlled by them, adversaries are much more able to intercept. The encryption discussion is covered in question No. 3 above, and in more detail within Larry’s excellent responses. And as far as the benefits of a small period of eavesdropping – if it occurred during the “right” interval, when a particular transmission was known to be happening – it has profound value. Finally, during an 18-minute window hundreds of thousands of people would have been logging in to e-mail accounts and bank accounts — from a criminal point of view, pure gold.
LARRY WORTZEL: During the April 8 incident, even encrypted traffic was subject to compromise (see question No. 3).
The Chinese government could in fact benefit from eavesdropping in a variety of ways. Network analysis could identify key nodes for further exploitation. A careful review of disparate unclassified information could yield important details about sensitive plans or programs. The sheer scale of the April incident enables much other exploitation.
Moreover, eavesdropping is not the sole concern. Once an Internet service provider has control over routing paths, that entity could modify or delete affected traffic. These possibilities add important dimensions to the landscape of potential threats.
As I explained in the broadcast, if a communications network and its members’ e-mail addresses are intercepted, a malicious actor could create a fake e-mail and send it to the participants. Such an e-mail could contain false information or could have a malicious attachment.
Q7: Will changing passwords to things like e-mail access, bank accounts, credit accounts protect against nefarious use of any information gained in the April hijacking?
RODNEY JOFFE: The damage was likely done within a very short period of time, now long over. However, changing passwords frequently is always a good practice.
LARRY WORTZEL: Unfortunately, changing account credentials (such as login names and passwords) cannot undo the April incident. However, whether the April incident was intentional or accidental, it does not appear to pose an overt threat to bank and credit card information. If perpetrated intentionally, the motive would more likely have been intelligence collection rather than financial gain.
That said, a password change cannot hurt. Computer security experts typically recommend changing passwords every 30 to 90 days, depending on the sensitivity of the account in question. Thus, those who have not changed their passwords since April are probably due anyhow.
Q8: It is my understanding that the U.S. electrical grid is, or will be, using the Internet for data and control. Is this correct? If so, how can this be justified in the light of possible threats?
RODNEY JOFFE: This is precisely the area of focus of the various cybersecurity working groups within the power industry. For all the reasons above.
LARRY WORTZEL: The U.S. power grid and other critical infrastructure are not entirely isolated from the Internet. Chinese actors (among others) are well aware of this vulnerability, and appear prepared to exploit it. (See, for example, page 5 of my testimony to the U.S. House Committee on Foreign Affairs.) This constitutes a potential threat to U.S. national security.
As the United States looks to move ahead with new “smart grid” technologies, the problem will only become more acute. This follows from design features that will, by most accounts, allow numerous devices to interface with electric grid infrastructure components via the public Internet. Computer security professionals often lament that the Internet was not designed with security in mind. Given the implications of this oversight, engineers should design, construct, and deploy next-generation electrical systems with security as a primary requirement.
Q9: The piece indicated that all of that information may have been recorded. Since the data was only held up for milliseconds, is it within current technological capabilities to record that much data that quickly?
RODNEY JOFFE: Indeed, especially when copying data via a tap, there is no discernible delay in traffic. The additional 100+ milliseconds noted were a result of the additional distance that traffic had to travel.
LARRY WORTZEL: Recording the information digitally and then sorting it by computer appears to be within the realm of possibility. All traffic diverted to China during the April 8 incident would have necessarily transited that nation’s “Great Firewall” (a complex Internet censorship mechanism). Although little is known about the inner workings of the Great Firewall, the system apparently mirrors all traffic to “out-of-band” servers that conduct invasive scans to identify and block content that the Chinese government deems objectionable (either based on keywords or prohibited destinations).
Once a mirrored version of the traffic is passed to these “out-of-band” servers, the original traffic could continue on its way, only delayed by a fraction of a second. The mirrored version of the messages, however, could conceivably be copied and stored for later analysis and exploitation.
Q10: Since most sites that require IDs and passwords make use of SSL, wouldn’t that pretty much preclude this from happening? SSL encrypted data is phenomenally difficult and time consuming to decipher.
LARRY WORTZEL: Encrypted information is only hard to decrypt for those who do not have the key. The critical issue here is that in the April 8 incident, China Telecom, as the de facto steward of the hijacked data, would have been in the position to be the “guarantor” of encrypted sessions. That is, it would have facilitated the “handshake” between clients (e.g. U.S. personal computers) and servers (e.g. U.S. websites) necessary to establish encrypted browsing sessions. This clearly presents a vulnerability to ostensibly secure data (see also questions No. 3 and 6).