5/11/2015
07:45 PM

What Does China-Russia 'No Hack' Pact Mean For US?

It could be an Internet governance issue or a response to the U.S. DoD's new cyber strategy, but one thing is certain: it doesn't really mean China and Russia aren't spying on one another anymore.

Russia and China on Friday signed a pact agreeing not to hit one another with cyberattacks. Experts agree, however, that the countries don't actually have any intention of ceasing their cyberespionage campaigns against each other. They say that the agreement instead is political posturing intended to send a message to the United States and its allies, though they differ slightly on what that message is, what motivated Russia and China to send it, and what it means for the U.S.

The nations also agreed to exchange technology, share information between their law enforcement agencies, and "jointly counteract technology that may 'destabilize the internal political and socio-economic atmosphere,' 'disturb public order' or 'interfere with the internal affairs of the state,'" as the Wall Street Journal reports.

Tom Kellermann, chief cybersecurity officer of Trend Micro, says this is a natural progression of the economic and military relationship Russia and China have had since the Shanghai Cooperation Organization was established in 2001. He says this announcement could be happening now as a reaction to two things: the U.S.-backed efforts to change Japan's pacifist constitution to allow Japan's Self-Defense Forces to engage in combat overseas (which would naturally extend to combat in cyberspace) and the U.S.'s new, more aggressive cybersecurity strategy.

Last month, the U.S. Department of Defense announced a new cybersecurity strategy and revealed that Russian hackers had accessed an unclassified DoD network. Also last month, a Department of Justice official explained that the U.S. is giving "no free passes" to cybercriminals, regardless of whether or not they are nation-state actors. This Russian-Chinese cybersecurity pact could be seen, says Kellermann, as a way of the two countries presenting a united front against the U.S.

As Kellermann puts it, "Oh, Mr. Secretary of Defense, you're taking the gloves off? Well, there's two of us. Now what?"

"When the U.S. pursues active defense against one of them, will [Russia and China] respond collectively?" says Kellermann. "That's the inevitable question."

Others say this is an effort probably instigated by the Russians to bolster their stance on Internet governance. Opinions about Internet governance are polarized around openness and sovereignty; Russia and China are largely aligned on the side of sovereignty.

"Russians have tried to shape how the Chinese think about these issues," says James Lewis, senior fellow and program director of the Center for Strategic and International Studies. "The Chinese just went along with it because anything the U.S. disagrees with can't be all bad."

Having two super-powers allied as a united front helps further the agenda in the international debate.

As Richard Bejtlich, Senior Fellow at the Brookings Institute, explains, these nations' definition of "information security" is closer to "information control," including censorship and surveillance.

Lewis explains that the countries' tactics on information control are slightly different -- the Chinese are very focused on censorship, while the Russians, he says, have pervasive surveillance and a greater willingness to use physical force.

Bejtlich says that, under the agreement to jointly counteract technology that may "disturb public order," Russia and China may be sharing technologies that improve surveillance or help automate censorship, which is still largely manual in China.

He does not, however, think that they would share malware, at least not anything significant. "Possibly they might share some low-level stuff to show good will," says Bejtlich, but those nations aren't going to share serious tricks of the trade, because they each have teams established specifically for cyberspying on the other, and he doesn't expect that to change just because they agreed not to hack each other.

"I think they're trying to push the norm of not going to attack each other's critical infrastructure," says Bejtlich.

It's hard to know how close the partnership really is. "We'll know how seriously to take this when we see Chinese sources report it," says Lewis. "The Chinese haven't said anything."

Lewis also says the Russians made the announcement "largely to jerk the Americans' chain. We're always asking for law enforcement cooperation. What better way to irritate us than to cooperate with someone else?"

Will this closer partnership, if it is indeed closer, have any impact on Western law enforcement's efforts to pursue cybercriminals in Russia and China?

Bejtlich proposed one possibility. Suppose the U.S. and the Dutch are planning to capture a Russian cybercriminal while he's on vacation in Holland and a Chinese law enforcement agency gets wind of it? Maybe the Chinese officials would give their Russian counterparts a call. "I wouldn't be surprised if they said 'The Americans are gonna pounce; get your guy out of there,'" says Bejtlich.

Kellermann says that this pact may just be posturing on the part of China and Russia, but that doesn't mean it shouldn't be taken seriously. "If they're saying they're no longer pointing their guns at each other," says Kellermann, "the guns have to be faced somewhere."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Sara Peters,
User Rank: Author
5/14/2015 | 5:34:43 PM
Re: Opposing Viewpoints
@RyanSepe I think that sums it up nicely: "This pact seems like more of statement of disapproval more than a statement of things to come." But I'll tell you what: if it DOES change things in the future, it could make things very interesting.
RyanSepe,
User Rank: Ninja
5/12/2015 | 8:38:49 AM
Opposing Viewpoints
It will be interesting to see if the US tries to handle this in a similar fashion...(Creating an InfoSec Coalition with other countries that have similar viewpoints) I think you will still see the same amount of traffic aimed at the US regardless of this pact.

Action Items for the United States? That will depend on the detrimental effects of the pact, if any. This pact seems like more of statement of disapproval more than a statement of things to come, at least in the near future.