Google/China Reality Check Amid The Fog Of Cyberwar

We've all heard about the Chinese attacks against Google by now. We've heard of Google's moral standing, how corporations now impact international relations, and how censorship is bad and freedom is good. However, some important questions lost in the fog of war need to be asked.Nobody knows for sure it was China that attacked Google and the other affected corporations, and if someone does, he or she is not saying so publicly. In fact, Google CEO Eric Schmidt told Newsweek that he has no clear evidence, but invites us to draw our own conclusions.

The evidence against China would be thrown out of any court of law, and just because we have grown comfortable in blaming China of attacks does not mean they are behind them.

The Chinese network is a hotbed of criminal activity used by criminals around the world to launch Internet attacks, which reduces the possibility of blaming any single attack coming from it as state-sponsored. However, it also raises the question of why such activity has been allowed to go on for so long.

Many networks around the world, including some inside the U.S., are just as abused by criminals. These have been shown to be used against nation-states in past attacks, such as with Estonia -- which I had the honor of writing the post-mortem analysis for -- and in Georgia last year.

Looking at the current incident, Google is a trustworthy and capable corporation. However, when making accusations one needs to provide proof. And "it feels like China" isn't good enough.

In the fog of war, with world news discussing the diplomatic implications for the U.S., Google's business and China's censorship, and applauding Google's moral stance, some important questions are left unanswered.

For some time now, cybercriminals have been winning the "war." Security professionals can write analyses of attacks, as well as mitigate specific attacks. But in nearly all instances we haven't been able to impact criminal operations. For some years, one of my beliefs has been that we should take the offensive in the fight against cybercrime.

For reasons ranging from the criminals' willingness to play a scorched Earth game to legal and ethical limitations, we must be careful to not start a war the Internet can't win. This means we can't use the criminals' weapons against them.

While reporting is vague, Google has supposedly broken into a server in Taiwan (unless information of working through Taiwanese authorities, or that someone else has done this for Google, becomes available). If this happened, then Google broke the law in order to defend itself from criminal activity. This should be legal, but it isn't. Google needs to disclose exactly what it has done. Ethics change, and morally I believe it is in the right. Our ethics just need to catch up.

Another question many of us should ask is about Microsoft and the Internet Explorer Web browser. It has been disclosed that a previously unknown software vulnerability (0day) in Internet Explorer was what attackers used. Exploit code enabling any criminal to make use of the vulnerability to attack has been made public, and in the past such events were followed further exploitation. But Microsoft initially planned to patch this vulnerability in February.

Only when Germany and France issued warnings to users to not use Internet Explorer, and ZERT considered releasing a third-party patch, did Microsoft say it would release an early patch.

While creating software updates is very complicated, and Microsoft is usually a responsible organization, not patching this type of vulnerability for a whole month as the default response is irresponsible and unethical. We should all call on Microsoft to act responsibly, and write our representatives and the press about it.

Microsoft should be commended for issuing an early patch; after all, it was far from easy. However, until such time as Microsoft announces a new policy on patching software vulnerabilities, it's in my opinion unsafe to continue using Internet Explorer for surfing the Web, so switch to one of the many alternatives, such as Mozilla's Firefox browser.

This targeted attack, while impressive, is no new threat. Security risk assessment should already include corporate espionage. An example for a targeted attack is the GhostNet incident, exposed last year by Canadian researchers, demonstrating in detail how such attacks work. As another, the public disclosure of German intelligence cyber-espionage operations, showed that indeed, everyone does it.

I call upon my fellow security professionals worldwide to refrain from creating fear when speaking of this incident. Computers are just the most recent weapon to be used for old motives -- espionage. Unlike cybercrime and cyberwar, it is well-recognized in law and in diplomacy, and it is not the security experts who should be called on for answers.

Follow Gadi Evron on Twitter: http://twitter.com/gadievron

Gadi Evron is an independent security strategist based in Israel. Special to Dark Reading.