Over the past few years, the US government has invested heavily in trying to create international norms for cyberspace. We’ve endlessly cajoled other nations to agree on broad principles about internet freedom and how the law of war applies to cyberconflicts. Progress has been slow, especially with countries that might actually face us in a cyberwar.
But the bigger problem with the US effort is simple: Real international law is not made by talking. It’s made by doing.
“If you want to know the law … you must look at it as a bad man,” Oliver Wendell Holmes Jr. once observed. A bad man only cares whether he’ll be punished or not. If you tell him that an act is immoral but won’t be punished, Holmes argued, you’re telling him that it’s lawful.
Internet companies like GitHub first discovered that the Chinese government was using the Great Firewall to launch cyberattacks when their sites went down.
Like lots of US tech successes, GitHub didn’t exist ten years ago, but it is now valued at more than $2 billion. Its value comes from creating a collaborative environment where software can be edited by dozens or hundreds of people around the world. Making information freely available is the core of its business.
So when the Chinese government decided to block access to the New York Times, the paper provided access to Chinese readers via GitHub. China then tried to block GitHub, as it had the Times.
But if Chinese programmers can’t access GitHub, they can’t do their jobs. The outcry from Chinese tech companies forced the Chinese government to drop its block within days. It was a victory for free speech. Or so you’d think.
But the Chinese didn’t give up that easily. They went looking for another way to punish GitHub.
And found it. In 2015, GitHub was hit with a massive distributed denial of service attack. Computers in the US, Taiwan, and Hong Kong sent waves of meaningless requests to GitHub, swamping its servers and causing intermittent outages for days. The company’s IT costs skyrocketed. A similar attack was launched against Greatfire.org, a technically sophisticated anticensorship site.
A Citizen Lab report shows that this denial of service attack was actually a pathbreaking new use of China’s censorship infrastructure. Over the years, China has built a “Great Firewall” that interrupts every single internet communication between China and the rest of the world. Up to now, China has used that infrastructure to inspect Chinese users’ requests for content from abroad. Uncontroversial requests are allowed to proceed after inspection. But most requests for censored information trigger a reset signal that cuts the connection.
The same infrastructure could be used to inspect foreign requests for data from Chinese sites, but there’s no obvious need to do so because the Chinese sites are already under the government’s thumb.
But the GitHub attack shows an imaginative repurposing of the censorship machinery. Instead of subtracting packets from the foreign data requests, China decided to add a few packets -- of malware.
The Citizen Lab report makes clear that no one other than the Chinese government could have used this technique or this infrastructure.
Think about that for a minute. This was an attack that was carried out on computers that were all located in the territory of other sovereign nations. Not only did China feel free to infect those computers and then to attack others located abroad, but it didn’t even bother to hide its actions from those governments.
As it turns out, the Chinese had taken our measure pretty well. Not until May, weeks after the attacks, did the State Department respond. And then it simply announced that it “has asked Chinese authorities to investigate” the attack. Really? What’s to investigate? Given the evidence of Chinese complicity, the request seems pointless. And now, months later, it appears that the Chinese have not deigned to respond.
No government has done anything to respond to the Chinese government's attacks. Which means that it's up to internet users to protect themselves. The good news is that the Great Cannon is surprisingly vulnerable. After all, it only works if foreigners continue to visit Chinese sites and continue to download scripts from Chinese ad networks. They supply the ammunition that the Great Cannon fires. If no one from outside China visits Chinese search sites or loads Chinese ads, the Cannon can’t shoot.
At the time of the attack on GitHub, Baidu denied any involvement and said that its own internal security hadn't been compromised: “After careful inspection by Baidu’s security engineers, we have ruled out the possibility of security problems or hacker attacks on our own products,” the company said. That may be true. It looks as though the Chinese government injected malware into a stream of Baidu packets after the packets left Baidu's premises. But if Baidu investigated the attack carefully by logging on to its site from the United States, it seems likely that it could have figured out the source of the attack, just as Citizen Lab did. Since its denial of a security problem on its own network, Baidu has apparently stayed silent.
So protecting users from malware and depriving the Great Cannon of ammo both begin with the same step. We need to let internet users know that every time they visit a site inside China they are exposing others to attack and themselves to malware. Venturing inside the Great Firewall is both antisocial and dangerous – sort of like littering, if littering also caused cancer. A lot of internet users will want to avoid that risk, or at least minimize it. All they need is a good way to warn them away from dangerous sites.
The experts I’ve consulted think it’s actually pretty easy to identify sites that are inside the Great Firewall. If so, it shouldn’t be hard to write a browser extension that would warn users every time they click on a site that sits on the wrong side of China’s attack infrastructure. The extension could even be programmed to offer outside-China alternatives to risky sites. There are plenty of Chinese-language search engines and ad networks that aren’t inside the Great Firewall. (You might have heard of them: the big ones are Chinese-language versions of Google, Yahoo! and Bing.)
The irony is that this might not hurt the browsing experience. If a site in Taiwan is getting its analytics and its ads from Baidu, there’s a good chance that the extension I’m proposing would block the bandwidth-wasting ads and analytics as well as China’s malware -- while still delivering the Taiwanese content.
Now that’s a win-win.
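The decision logic such an extension would need, as an added sketch that is not code from this article or from any existing extension: it warns on navigation to a listed host, offers an alternative, and drops listed third-party resources on pages hosted elsewhere. The suffix list, the alternatives and every hostname are constructed placeholders, and wiring the function into a browser's request-blocking API is left out.

```javascript
// Hypothetical list of host suffixes assumed to sit inside the Great Firewall.
// Constructed placeholder names; a real list would have to come from measurement.
const INSIDE_SUFFIXES = ["inside.example", "ads-inside.example"];

// Hypothetical outside-China alternatives offered with the warning.
const ALTERNATIVES = new Map([
  ["search.inside.example", "https://search.outside.example/"],
]);

// Lower-cased hostname without a trailing dot, or null for an unparsable URL.
function hostOf(url) {
  try {
    return new URL(url).hostname.toLowerCase().replace(/\.$/, "");
  } catch {
    return null;
  }
}

// Match on label boundaries so "notinside.example" is not mistaken for "inside.example".
function isInside(host) {
  return host !== null &&
    INSIDE_SUFFIXES.some((s) => host === s || host.endsWith("." + s));
}

// type follows the extension resource-type names: "main_frame" is a navigation,
// anything else ("script", "image", ...) is a subresource of pageUrl.
function decide(requestUrl, type, pageUrl) {
  const host = hostOf(requestUrl);
  if (!isInside(host)) return { action: "allow" };
  if (type === "main_frame") {
    return { action: "warn", host, alternative: ALTERNATIVES.get(host) || null };
  }
  // Assumption: on a page that is itself inside, the user has already seen the
  // warning, so its own subresources load; on an outside page they are blocked.
  return isInside(hostOf(pageUrl)) ? { action: "allow" } : { action: "block", host };
}

// Split one page load into the requests that go through and those that are dropped.
function filterPage(pageUrl, resources) {
  const allowed = [], blocked = [];
  for (const r of resources) {
    (decide(r.url, r.type, pageUrl).action === "block" ? blocked : allowed).push(r.url);
  }
  return { allowed, blocked };
}
```

Calling `filterPage` with a page on `news.tw.example` and a script from `cdn.ads-inside.example` reproduces the Taiwanese-site case: the page's own content loads and the listed script is dropped.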