The Case Against The Case Against China

This blog post is in response to Jamie Metzl's article "China and Cyberespionage" which, in turn, contains the source material for his Wall Street Journal Op-Ed "China's Threat To World Order" which unfortunately you have to pay Rupert Murdoch in order to read. I learned about this article when Mr. Metzl sent me a tweet asking if I agreed with him. Since I couldn't convey my answer in 140 characters or less, here's my critique of the article.

Mr. Metzl wrote that "China is one of the world's worst state perpetrators of cyber-espionage and malicious computer hacking". For that statement to be considered true, Mr. Metzl needed to identify at least some of the nation states that engage in that activity (i.e., Russia, France, Israel, the U.S., etc.) and then demonstrate some kind of rating system that puts China at the top. He didn't do that. He merely listed a few reports that tell us what we already know: China engages in cyberespionage on a widespread and pervasive basis. The ones that talk about China's cyber warfare operations technically shouldn't be included in Metzl's article, since warfare and espionage fall into distinctly separate legal categories and this field is sloppy enough already.

After "Reports" comes "Officials". This entire section should be shit-canned because many (not all) officials operate at the 50,000-foot level and really don't have a grasp of the subject matter. They have legislative aides who in turn ask other so-called experts for their opinion and then give a five-minute briefing to their boss, who reads from a statement. The officials you want to listen to are the ones like General Hayden who limit their remarks to what they actually know. The others who pretend to know what they're talking about but really don't (like Richard Clarke on China) do more harm than good, despite their past laudable public service.

Moving on to Shady Rat, Night Dragon, Operation Aurora, et al. They all rely on Chinese IP addresses and/or Chinese toolmarks in the code, neither of which proves that the attack came from China. Mr. Metzl and I could lease time on a Chinese server and send Richard Clarke a love letter, and he'd no doubt be convinced that it came from Chinese intelligence because the IP address of our email account resolved to Beijing. Malicious software programs like the Ghost Remote Access Tool (RAT) are widely available on the Net, so I could have added a malicious link to such a program for good measure.

Listing RSA as a Chinese operation is an insult to China. RSA's own security was astoundingly poor - disgraceful, in fact. So was EMC's handling of the incident. Apart from Joe Stewart's claims, which rely on the fatally flawed IP address argument, I've seen no evidence to support a finding of attribution to any nation state for the RSA breach.

In conclusion, Mr. Metzl, thanks for encouraging a discussion on this topic. China does engage in cyber espionage on a massive scale, but so do another half-dozen or more countries, most of whom apparently do it much better than China, because no one seems to have caught them at it. Therefore my opinion on your article is that you've failed to make the case that the Chinese government is to blame for everything that you and so many others are claiming. Bad analysis relying on faulty evidence or sheer ignorance doesn't become good analysis because it's been repeated a hundred gazillion times.