Information Security

Defending the digital infrastructure



Face-Off: Chinese Cyberattacks: Myth or Menace?

Bruce Schneier and Marcus Ranum debate the threat of Chinese hackers and whether they are state-sponsored.



Security Experts Marcus Ranum & Bruce Schneier Offer Their Opposing Points of View


POINT by Marcus Ranum

Something is definitely going wrong with the U.S. Department of Defense and government agency networks, but it's not what you probably think. When it was announced that more than 10 terabytes of data had been stolen from DOD unclassified networks as part of an orchestrated operation from China, I was as horrified as you. Ten terabytes is a lot, and I'd have expected someone to do something after, say, the first terabyte flew by--especially because I happen to know something about the money spent on monitoring systems for some of those networks, and the sensitivity of the data on them. DOD always counters: no classified information was accessed. But that's BS--the unclassified networks carry logistical, payroll, personnel, medical and operational data.

What's really going on? Could it be that many government networks have access rules that are vastly permissive, and have lost control over the software running behind their firewalls? When I try to get answers from people "in the know," I hear one of two things:

  • A common sense assessment of the number of Trojan horses infecting desktop systems, and the difficulty of controlling traffic: It's not rocket science to imagine that getting a bot inside a DOD network would be an exciting score for any hacker. Or,
  • Secret Squirrel mumbo jumbo: "I could tell you but then I'd have to kill you" unsubstantiated hand-waving about "Chinese government hackers."

Given I'm cynical, when someone from the FBI says, "Well, there's evidence but we can't talk about it," I assume he's lying--because if he did have solid evidence, he couldn't say as much. Or he'd be presenting it. The best evidence I've heard that there's a Chinese cyber-espionage operation in progress are "The IP addresses are in China," "We hear stuff in chat rooms" and "I can't tell you but my buddy's cousin's uncle says it's true." Excuse me for crying "BS!", but if we're going to make public accusations of espionage, they need to be accompanied by equally public and compelling evidence. The FBI and our intelligence community are not the pinnacles of credibility we wish they were. Here are three pieces of data:

  • The number of Internet users in China is about the same as in the U.S.
  • China has been known to sentence hackers/cybercriminals to death.
  • No state-level intelligence agency would be so sloppy as to noisily and obviously steal 10 terabytes of information.

If you're the spymaster for a nation-state's intelligence arm, and you've got budget and personnel, an open society like ours must be easy game. This is especially true if the target has an uncoordinated mass of government agencies desperate to outsource all their information assets into the hands of beltway bandits. Stealing information openly and obviously through an Internet connection (with the termination in your country) would be shockingly crude and amateurish. I'm willing to bet there are Chinese spies looking at our networks--but doing it from the safety and the comfort of our own data centers.

A hacker living in China is probably not going to want to attack Chinese government systems. The Chinese would not slap him on the wrist and let him hit the celebrity hacker circuit alongside Kevin Mitnick.

If there's any strategic thinking going on behind this whole Chinese hacker fiasco, it's possible that some smart intelligence officer in the Chinese government realized it doesn't cost them anything to have U.S. security practitioners distracted. They know the best way to defeat the U.S. is to rattle us until we slap ourselves stupid.

Chinese cyberattacks? Why fabricate elaborate conspiracies when foreign demographics and domestic incompetence are adequate explanation? My concern is not that we're under attack by the Chinese, but rather that our sensitive networks are so lame that someone can steal 10 terabytes of data from them. We shouldn't be asking, "What are the Chinese doing?" We should be asking, "What's going wrong in Virginia, Los Alamos and Livermore?"



COUNTERPOINT by Bruce Schneier

The popular media narrative is that there is a coordinated attempt by the Chinese government to hack into U.S. computers--military, government, corporate--and steal secrets. The truth is a lot more complicated.

There certainly is a lot of hacking coming out of China. Any company that does security monitoring sees it all the time. Of course, they can't prove that it comes out of China. But the majority of servers used in the attacks are located in China, using DNS bouncers that can only be registered by people literate in Chinese. The hacker websites where different hackers and hacker groups brag about their exploits and sell hacker tools and how-to videos are written in Chinese. Technically, it's possible all the attackers are from, say, Canada and trying to disguise themselves, but it seems pretty unlikely.

These hacker groups seem not to be working for the Chinese government. They don't seem to be coordinated by the Chinese military. They're basically young, male, patriotic Chinese citizens, demonstrating they're as good as everyone else. Besides the American networks the media likes to talk about, their targets also include pro-Tibet, pro-Taiwan, Falun Gong and pro-Uyghur sites.

The hackers are in this for two reasons: fame and glory, and an attempt to make a living. The fame and glory comes from their nationalistic goals. Some of these hackers are heroes in China. They're upholding the country's honor against both anti-Chinese forces like the pro-Tibet movement and larger forces like the United States. And the money comes from several sources. The groups sell owned computers, malware services and data they steal on the black market. They sell hacker tools and videos to others wanting to pay. They even sell t-shirts, hats and other merchandise on their websites.

This is not to say the Chinese military ignores the hacker groups within their country. The People's Liberation Army has long had a doctrine of "informationization." It considers cyberwarfare a leapfrog technology, one that will allow it to achieve military parity with the West without having to engage in an expensive missile-for-missile arms race like the one that bankrupted the Soviet Union. Certainly the Chinese government knows the leaders of the hacker movement and chooses to look the other way. It probably buys good stuff, and probably recruits for its organizations from this self-selecting pool of experienced hacking experts. It certainly learns from the hackers.

And some of the hackers are good. Scott Henderson has been tracking Chinese hacker groups for years and writes about them in his blog,, and his book of the same name. He's watched the hackers become more sophisticated in tools and techniques. They're stealthy. They do good network reconnaissance. My guess is what the Pentagon thinks is the problem is only a small percentage of the actual problem.

And they discover their own vulnerabilities. Earlier this year, F-Secure found an attack against a pro-Tibet network that used an unpatched zero-day vulnerability to install a backdoor. That same attack was used two weeks earlier against a large multinational defense contractor. They also hoard vulnerabilities. During the 1999 conflict over the two-states theory, in a heated exchange with a group of Taiwanese hackers, one Chinese group threatened to unleash multiple stockpiled worms at once. There was no reason to disbelieve this threat.

If anything, the fact that these groups aren't being run by the Chinese government makes the problem worse. Without central political coordination, they're likely to take more risks, do stupider things and generally ignore the political fallout of their actions. In this regard, they're more like a non-state actor. So while I'm perfectly happy that the U.S. government is using the threat of Chinese hacking as an impetus to get its cybersecurity in order, and I hope it succeeds, I also hope the U.S. government recognizes that these groups are not acting under the direction of the Chinese military and doesn't treat their actions as officially approved by the Chinese government.

Coming up in October--Risk management: Does it make any sense?

