Hard to Verify Claims of Hacking Go Both Ways
This week, the Chinese government officially demanded an explanation from the US government regarding a number of alleged hacks against Chinese public and private targets, including research institutions, government branches, ISPs, and energy providers, among others.
In this briefing, we will take a look at what happened and why this occurrence feels counterintuitive to readers in the West.
Earlier this month, the Beijing-based cybersecurity firm Qihoo published allegations claiming that it had discovered evidence of a CIA-led hacking effort against Chinese targets going back at least 11 years. The exact evidence is - as always in these cases - not available.
The fact that many of the CIA's hacking tools were leaked in 2017 as part of the so-called Vault 7 leak may aid researchers in identifying attacks, but it also means that almost everyone now has access to those tools. Shared tooling weakens attribution: finding a known CIA tool on a compromised host shows which tool was used, not who used it.
Naturally, as we keep pointing out, it is almost impossible to prove to a high standard that a hack was performed by a specific actor. Public allegations of this kind are usually driven as much by political interests as by the data available.
Did the CIA do it?
We need to break this question down into two parts.
Did the CIA hack into these specific targets that Qihoo has uncovered? No one can tell for sure.
Did the US hack into any Chinese targets? Most likely yes.
If leaks from Prism to Vault 7 have shown us anything over the past few years, it is that almost all governments are in the systems of almost all other governments.
It would be very surprising if the US (through the CIA or other agencies) did not have a foothold in at least some of China's critical infrastructure. The same goes for Germany, North Korea, Brazil, and any other country one might pick at random.
At this time, cybersecurity trend analysis, incident reports, government statements like this one, the continuing research into election interference across the globe, and the daily flow of news about breaches caused by state actors firmly support our working assumption that the overwhelming majority of countries are hacking one another in some capacity.
Why does this feel “wrong”?
The above question may only make sense to our western readers, since biases and implied assumptions are often region-specific. Most of us know that biases exist, and many of us are aware that we personally must be holding some of them.
But try as you might, it is almost impossible to identify a bias until it runs into conflicting information. Of course, everyone technically knew about the western countries' hacking efforts from leaks, and everyone knew on an abstract level that espionage has always been a part of international relations. But since all the reports we usually see point in one direction - namely attacks from China, Russia, and North Korea - an unconscious bias can quickly form. This story feels off because it contradicts that bias.
Beware your own bias
To defend against an opponent, you must understand the opponent, and you must also understand yourself. One example of this failing is the lax security standards of many organizations that hold few digital assets of monetary value but many of political value.
If one assumes that all attackers are after direct monetary gain, then there is no need to secure such networks well. While this sounds crazy from a 2020 perspective, the breaches during the 2016 US election cycle provide good examples of exactly this mindset.
Likewise, if you assume that your own team - be it a company, group, government, country, or otherwise - is not engaging in offensive security, then any defensive measure taken by an adversary will look like offensive preparation.
This is why it is so critical to make sure that your perception of the world is accurate, and why opportunities to challenge our own biases are invaluable.
In order to secure yourself and your organization, it is valuable to have an accurate perception of the world. Unfortunately, as social animals we find this almost impossible. Stories like this one - even when the veracity of the specific claims remains in doubt - allow us to identify and challenge our assumptions. This, in the end, can help make us more accurate and thus more secure.