Project Aurora and the Militarization of Cyberspace

In December of 2009, security experts at Google identified a highly sophisticated and targeted attack on their own corporate infrastructure as well as that of at least twenty other large companies from a wide range of businesses. According to Google, the
“primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists. Based on our investigation to date we believe their attack did not achieve that objective. Only two Gmail accounts appear to have been accessed, and that activity was limited to account information (such as the date the account was created) and subject line, rather than the content of emails themselves.”

It appears that the hackers used social networks to identify key employees at Google, and then set the stage for them to click on links to malware. According to Joseph Menn at Financial Times,

The most significant discovery is that the attackers had selected employees at the companies with access to proprietary data, then learnt who their friends were. The hackers compromised the social network accounts of those friends, hoping to enhance the probability that their final targets would click on the links they sent.

The software and security company McAfee has determined that the attackers took advantage of a vulnerability in Microsoft Internet Explorer, which Microsoft appears to have fixed.  Paul Kurtz, who served as the cybersecurity adviser on President Obama’s transition team and now serves as McAfee’s worldwide chief technology officer, referred to the attacks (which McAfee has termed “Operation Aurora”) as “a watershed moment in cybersecurity” that has “changed the world.”  Robin Wauters of TechCrunch points out that Kurtz has a vested interest in raising awareness of the attacks, but that McAfee has saved the day by identifying the vulnerabilities that led to the hack.

McAfee, of course, has a commercial interest in spreading the word about the attack and how its security products can guard consumers and businesses from exploitation of the aforementioned Internet Explorer vulnerability, but the company is doing a service too, considering the fact that the code used to exploit the security hole has made its way to the public domain already.

I think Kurtz is correct in describing Project Aurora as a “watershed moment.”  Indie hackers attempt to break the network security codes of major companies every day, but the attacks are rarely successful and typically go unreported.  According to Dmitri Alperovitch, vice president of threat research at McAfee, those responsible for the ultra-sophisticated and coordinated attacks were meticulous at covering their tracks.  Furthermore, evidence suggests that parts of the hack code were written in 2006, suggesting a longstanding project.  In an interview with Wired Magazine, Alperovitch explains the unique nature of Project Aurora:

The sophistication of the attack was remarkable and was something that researchers have seen before in attacks on the defense industry, but never in the commercial sector. Generally, Alperovitch said, in attacks on commercial entities, the focus is on obtaining financial data, and the attackers typically use common methods for breaching the network, such as SQL-injection attacks through a company’s web site or through unsecured wireless networks.

“Cyber criminals are good … but they cut corners. They don’t spend a lot of time tweaking things and making sure that every aspect of the attack is obfuscated,” he said.

The mounting evidence strongly suggests that the Chinese government is behind the attack, although that assertion has yet to be proven.  Secretary of State Clinton implicated the Chinese government in the attacks in a speech this month regarding Internet freedom.  Chinese leaders, not surprisingly, have called the allegations “baseless” and are reportedly working with the U.S. State Department to resolve the matter.

Since 2005, Google has made concessions to the Chinese government, and offered a censored (i.e., filtered) version of its search engine.  This offering has been the source of a tremendous amount of controversy.  Following the attacks, Google has announced that it will no longer censor Google search results in China.  Although Google is threatening to pull out of China completely, it is likely that the two sides will come to some agreement.  As the Salt Lake Tribune points out, both Google and the Chinese government have conflicting objectives:

Google says it’s no longer willing to acquiesce to the Chinese government’s demands for censored search results, yet it still wants access to the country’s engineering talent and steadily growing online advertising and mobile phone markets.

Chinese leaders are determined to control the flow of information, but realize they need rich and innovative companies such as Google to achieve their goal of establishing the country as a technology leader. Even some Chinese media — which rarely deviate from the party line — have warned Google’s departure could slow technology development and hurt China’s economy.

The attack against Google is illustrative of an information revolution that is challenging countries’ ability to adapt, including our own.  Ben Newell, a staff writer for the Capital Flyer, sums up the Department of Defense’s new stance on cybersecurity:

Because of its importance and the threats against it, the department now formally recognizes cyberspace for what it is: a domain similar to land, sea, air and space. Everyone utilizing information technology is on the front lines of this new domain and must exercise caution, even when performing basic tasks like checking email or writing documents.  And just like those other domains, it needs protection.

But rhetoric is far from preparedness.  Pentagon officials have begun conducting cyber-attack simulations to determine the capacity of the government to prevent and respond to such attacks. The results have been eye-opening.  David Sanger of the New York Times called the simulations “dispiriting.”

The enemy had all the advantages: stealth, anonymity and unpredictability. No one could pinpoint the country from which the attack came, so there was no effective way to deter further damage by threatening retaliation. What’s more, the military commanders noted that they even lacked the legal authority to respond — especially because it was never clear if the attack was an act of vandalism, an attempt at commercial theft or a state-sponsored effort to cripple the United States, perhaps as a prelude to a conventional war.

I hope that Project Aurora marks the beginning of a vigorous discussion amongst policymakers and the public about conflicting interests and values including Internet freedom, transparency, civil liberties, intellectual property, and security.

