Over the past few years, the US government has invested heavily in trying to create international norms for cyberspace. We’ve endlessly cajoled other nations to agree on broad principles about internet freedom and how the law of war applies to cyberconflicts. Progress has been slow, especially with countries that might actually face us in a cyberwar.
But the bigger problem with the US effort is simple: Real international law is not made by talking. It’s made by doing.
“If you want to know the law … you must look at it as a bad man,” Oliver Wendell Holmes Jr. once observed. A bad man only cares whether he’ll be punished or not. If you tell him that an act is immoral but won’t be punished, Holmes argued, you’re telling him that it’s lawful.
Internet companies like GitHub first discovered that the Chinese government was using the Great Firewall to launch cyberattacks when their sites went down.
Like lots of US tech successes, GitHub didn’t exist ten years ago, but it is now valued at more than $2 billion. Its value comes from creating a collaborative environment where software can be edited by dozens or hundreds of people around the world. Making information freely available is the core of its business.
So when the Chinese government decided to block access to the New York Times, the paper provided access to Chinese readers via GitHub. China then tried to block GitHub, as it had the Times.
But if Chinese programmers can’t access GitHub, they can’t do their jobs. The outcry from Chinese tech companies forced the Chinese government to drop its block within days. It was a victory for free speech. Or so you’d think.
But the Chinese didn’t give up that easily. They went looking for another way to punish GitHub.
And found it. In 2015, GitHub was hit with a massive distributed denial of service attack. Computers in the US, Taiwan, and Hong Kong sent waves of meaningless requests to GitHub, swamping its servers and causing intermittent outages for days. The company’s IT costs skyrocketed. A similar attack was launched against Greatfire.org, a technically sophisticated anticensorship site.
A Citizen Lab report shows that this denial of service attack was actually a pathbreaking new use of China’s censorship infrastructure. Over the years, China has built a “Great Firewall” that sits in the path of every internet communication between China and the rest of the world. Up to now, China has used that infrastructure to inspect Chinese users’ requests for content from abroad. Uncontroversial requests are allowed to proceed after inspection. But most requests for censored information trigger a TCP reset that cuts the connection.
The same infrastructure could be used to inspect foreign requests for data from Chinese sites but there’s no obvious need to do so because the Chinese sites are already under the government’s thumb.
But the GitHub attack shows an imaginative repurposing of the censorship machinery. Instead of subtracting packets from the foreign data requests, China decided to add a few packets -- of malware.
Whenever foreigners -- whether from the US, Taiwan, or Hong Kong -- visited a site inside the Great Firewall, they were already downloading buckets of code to run on their machines. Called JavaScript, this code is now a standard part of almost all internet browsing. It’s JavaScript that makes your computer play those moving, talking ads you love so much, and its importance to advertisers means that it isn't likely to fade away any time soon. That's too bad, because JavaScript actually runs code on your machine, so it’s not just an annoyance, it’s a serious security risk.
A risk China managed to exploit. How? Well, since China’s censorship infrastructure was already intercepting all the packets running between China and the outside world, it was easy enough for China to drop a few additional JavaScript files into the stream of legitimate advertisers’ code that foreign users were already downloading.
Once on the user’s machine, though, instead of stealing credit card information the way most JavaScript malware does, the Chinese government’s code started sending packets to GitHub. Soon, millions of infected machines were doing the same, and GitHub’s servers couldn’t keep up. The attack brought GitHub to its knees.
The Citizen Lab report makes clear that no one other than the Chinese government could have used this technique or this infrastructure.
Think about that for a minute. This was an attack that was carried out on computers that were all located in the territory of other sovereign nations. Not only did China feel free to infect those computers and then to attack others located abroad, but it didn’t even bother to hide its actions from those governments.
As it turns out, the Chinese had taken our measure pretty well. Not until May, weeks after the attacks, did the State Department respond. And then it simply announced that it “has asked Chinese authorities to investigate” the attack. Really? What’s to investigate? Given the evidence of Chinese complicity, the request seems pointless. And now, months later, it appears that the Chinese have not deigned to respond.
No government has done anything to respond to the Chinese government's attacks. Which means that it's up to internet users to protect themselves. The good news is that the Great Cannon (Citizen Lab's name for this attack infrastructure) is surprisingly vulnerable. After all, it only works if foreigners continue to visit Chinese sites and continue to download scripts from Chinese ad networks. They supply the ammunition that the Great Cannon fires. If no one from outside China visits Chinese search sites or loads Chinese ads, the Cannon can’t shoot.
That shines a spotlight on the limited number of Chinese sites with broad appeal outside China. Baidu is one of them. It’s the fourth most popular site in the world – the Google of China, and a popular search engine for many Chinese speakers outside China. Like Google, it makes a great deal of its money from advertising. It supplies ads (and the JavaScript that runs the ads) to a host of Chinese-language sites. The first time China used its Great Cannon, in fact, it relied heavily on the popularity of Baidu. As Citizen Lab put it, China “intercepted traffic sent to Baidu infrastructure servers that host commonly used analytics, social, or advertising scripts” and “sent a malicious script back to the requesting user” about 2% of the time.
At the time of the attack on GitHub, Baidu denied any involvement and said that its own internal security hadn't been compromised: “After careful inspection by Baidu’s security engineers, we have ruled out the possibility of security problems or hacker attacks on our own products,” the company said. That may be true. It looks as though the Chinese government injected malware into a stream of Baidu packets after the packets left Baidu's premises. But if Baidu investigated the attack carefully by logging on to its site from the United States, it seems likely that it could have figured out the source of the attack, just as Citizen Lab did. Since its denial of a security problem on its own network, Baidu has apparently stayed silent.
Whatever it knew at the time, Baidu's sites were the key to the attack. They drew the foreign traffic that made the attack possible. And it’s quite possible that the Great Cannon could be spiked if Americans and other foreigners simply stopped going to Baidu and its affiliated sites. The Cannon would certainly fail if foreigners refused to visit any site inside the Great Firewall. Which, frankly, would only be prudent, since we now know that China can add malware to any JavaScript leaving its borders.
So protecting users from malware and depriving the Great Cannon of ammo both begin with the same step. We need to let internet users know that every time they visit a site inside China they are exposing others to attack and themselves to malware. Venturing inside the Great Firewall is both antisocial and dangerous – sort of like littering, if littering also caused cancer. A lot of internet users will want to avoid that risk, or at least minimize it. All they need is a good way to warn them away from dangerous sites.
The experts I’ve consulted think it’s actually pretty easy to identify sites that are inside the Great Firewall. If so, it shouldn’t be hard to write a browser extension that would warn users every time they click on a site that sits on the wrong side of China’s attack infrastructure. The extension could even be programmed to offer outside-China alternatives to risky sites. There are plenty of Chinese-language search engines and ad networks that aren’t inside the Great Firewall. (You might have heard of them: the big ones are Chinese-language versions of Google, Yahoo! and Bing.)
OK, so this is where I turn from blogging to blegging. I’d welcome tech-savvy volunteers who’d like to do a proof-of-concept browser extension that provides this service to uneasy users. It shouldn’t be that hard. We’re talking about a combination of NoScript and AdBlock (or, maybe, CatBlock, a charming extension that turns all that evil JavaScript into entertaining pictures of, what else, cats).
The irony is that this might not hurt the browsing experience. If a site in Taiwan is getting its analytics and its ads from Baidu, there’s a good chance that the extension I’m proposing would block the bandwidth-wasting ads and analytics as well as China’s malware -- while still delivering the Taiwanese content.
Now that’s a win-win.
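To make the proposal above concrete, here is an added example of the decision logic such an extension would need; it is not the author's code and not the code of NoScript, AdBlock or any existing extension. It warns before a top-level visit to a host on a list of domains believed to sit inside the Great Firewall, offers an outside-China alternative where one is known, and silently blocks executable sub-resources (scripts, frames, XHR) pulled from such hosts by any page, which covers the Taiwan case where the page itself is fine but its ads and analytics are not. The domain list and the alternatives table are constructed placeholders, not a real classification; a working extension would load a vetted, maintained list. The browser wiring assumes the Manifest V2 `webRequest` blocking API (still available in Firefox) and is guarded so the file also runs under Node for testing.

```javascript
// Added example (not the post's or any existing extension's code): core
// policy for a "warn on inside-the-Great-Firewall sites, block their
// scripts" browser extension, plus the webRequest hook that applies it.

// Constructed placeholder list of domains assumed to be inside the Great
// Firewall. Subdomains match too (ads.example-gfw.cn matches example-gfw.cn).
const INSIDE_GFW = new Set(["example-gfw.cn", "search-example-gfw.com"]);

// Constructed placeholder alternatives offered when a top-level visit is warned.
const ALTERNATIVES = { "search-example-gfw.com": "https://search.example.org/" };

// Request types that execute code in the page; these are always blocked
// when served from a listed host (the NoScript half of the proposal).
const EXECUTABLE = new Set(["script", "sub_frame", "xmlhttprequest", "object"]);

function hostOf(url) {
  return new URL(url).hostname.toLowerCase();
}

// Returns the list entry that matches the host (exact or parent domain), or null.
// Label-based matching, so "notexample-gfw.cn" does NOT match "example-gfw.cn".
function matchesList(host, list) {
  const labels = host.split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    const candidate = labels.slice(i).join(".");
    if (list.has(candidate)) return candidate;
  }
  return null;
}

// Decide what to do with one request.
//   type: "main_frame" for a page the user navigated to; otherwise the
//   sub-resource type ("script", "image", ...), as the webRequest API names them.
// Returns { action: "allow" | "warn" | "block", listed, alternative }.
function classifyRequest(url, type) {
  const listed = matchesList(hostOf(url), INSIDE_GFW);
  if (!listed) return { action: "allow", listed: null, alternative: null };
  if (type === "main_frame") {
    return { action: "warn", listed, alternative: ALTERNATIVES[listed] || null };
  }
  if (EXECUTABLE.has(type)) return { action: "block", listed, alternative: null };
  // Non-executable resources (images, stylesheets) from a listed host are
  // left alone so outside-China pages that embed them still render.
  return { action: "allow", listed, alternative: null };
}

// Apply the policy to a batch of requests; handy for tests and for a
// "what would this extension have done on this page" report.
function simulate(requests) {
  return requests.map(r => ({ url: r.url, type: r.type, ...classifyRequest(r.url, r.type) }));
}

// Manifest V2 background-script wiring (requires "webRequest" and
// "webRequestBlocking" permissions). Guarded so the file runs outside a browser.
if (typeof chrome !== "undefined" && chrome.webRequest) {
  chrome.webRequest.onBeforeRequest.addListener(
    details => {
      const d = classifyRequest(details.url, details.type);
      if (d.action === "block") return { cancel: true };
      if (d.action === "warn") {
        const q = new URLSearchParams({ url: details.url, alt: d.alternative || "" });
        return { redirectUrl: chrome.runtime.getURL("warn.html") + "?" + q.toString() };
      }
      return {};
    },
    { urls: ["<all_urls>"] },
    ["blocking"]
  );
}

module.exports = { matchesList, classifyRequest, simulate, INSIDE_GFW };
```

The warn page (`warn.html`, assumed here) would show the original URL and the alternative and let the user proceed if they insist. Blocking by request type rather than by initiator is deliberate: once a script from a listed host runs, it runs with the embedding page's privileges whether that page is in Taipei or Beijing, so the origin of the page that pulled it in does not change the risk.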