I have always wondered whether Chinese hackers were employed in a government agency, or alternatively how they coordinated. Wikileaks sheds some light on this:
Precisely how these hacking attacks are coordinated is not clear. Many appear to rely on Chinese freelancers and an irregular army of “patriotic hackers” who operate with the support of civilian or military authorities, but not directly under their day-to-day control, the cables and interviews suggest.
U.S. government hackers, I’d venture, operate under a more command-and-control structure: they work for the NSA, or some similar agency, and operate only under instructions from higher-ups. How can China operate in a less command-and-control style than the U.S. here? This is pure speculation, but here is my guess:
In the U.S. the internet is not controlled and monitoring abilities are relatively low, so freelancers and an army for hire of hackers couldn’t be trusted. They would be too powerful, and uncontrollable. In China I’m sure they can monitor every move their army of hackers makes online, which means they can grant them more freedom and autonomy.
To put it in economic terms, China has a better handle on the principal-agent problem because informational problems are less severe. The principal (the government) grants the agent (the hacker) power. But operating without constraints, the agents’ profit-maximizing behavior would not be optimal for the government. They’d hack domestic companies and government agencies trying to extract profit. The more complete the principal’s information about the agent’s behavior, the more power and autonomy they can trust them with. Since they are more invested in monitoring and controlling internet activity, China has more complete information, and so can trust their hackers with more power and autonomy.
Like I said, this is almost pure speculation, so I’d be interested if anyone who knows something about this can tell me whether this description is plausible.

4 comments
Sunday ~ December 5th, 2010 at 2:49 pm
Anonymous Coward
I think the main difference is simple: in the US hackers got largely ‘demonized’ in the past 20 years and powerful Hollywood lobbying criminalized much of legitimate security research as well.
(Hollywood did this to extend their copyright monopoly into a broader technology monopoly, controlling not just original content, but also the whole technology pathway of how content gets from them to our eyeballs – but that’s beside the point.)
As a result the US does not have a strong hacking research community [1] – and the one that exists is deeply criminal. As a result of the stigma it is also nearly impossible for any part of the US government to routinely hire “hackers” for patriotic purposes. The resources the US has are mostly security experts who never did any real ‘hacking’.
So the difference to China is not that the US, via a free choice, somehow does computer security as a government function while China uses a local security marketplace – the difference is that in the US the local security marketplace virtually does not exist. So the US government has little choice but to try to grow its own talent.
China (or even Europe) is different. It never demonized nor criminalized security research and there was no Chinese equivalent of Hollywood either, so they (rather ironically) have a more open secure marketplace and have a larger pool of security talent to draw upon.
In countries where this segment exists, most of the security research is done by freelance actors or is done by small companies – and this comes with the field: for true security research there’s basically no economy of scale – once a security hole has been found and plugged, there’s no follow-up revenue stream to finance that effort from. So most participants are small and stay small.
[1] Anti-virus companies are not examples of real security research. They mostly finance themselves from a security theatre effect and they mostly engage in reactive security efforts – not in figuring out new ways of attack.
Sunday ~ December 5th, 2010 at 5:32 pm
Adam Ozimek
I think Hollywood makes hackers look cool, not evil. It’s been a while since I’ve seen either, but Hackers certainly made hacking seem cool and if I recall correctly Hackers 2 largely made Kevin Mitnick a sympathetic character.
Sunday ~ December 5th, 2010 at 6:56 pm
RickRussellTX
During the 90s and early 00s, there was legitimate concern that the fruits of your research might be criminalized as “munitions”, or result in tort actions against the researcher. The ITAR classification of encryption as munitions created the former (and led directly to the suppression of academic research on encryption). Threats of lawsuits suppressed hobbyist research into DRM-cracking technology.
AC is correct that Europe developed a strong hobbyist community of encryption experimenters and DRM hackers, two communities that benefit greatly from economies of scope. In the late 90s, European companies were selling far better encryption products than US companies, as R&D was directed away from products that could not be sold abroad.
Sunday ~ December 5th, 2010 at 3:14 pm
RickRussellTX
I suspect that the Chinese hackers with the actual ability to disrupt US systems could get away with anything they wanted without the Chinese government easily discovering them. Once you have robotic control of systems outside the Great Firewall, you’ve got a free hand if criminal activity is your main goal.
Instead, I think it probably comes down to incentives. In China, it’s all about who you know, and who will vouch for you when the sh*t comes down. Having a record of patriotic hacking will likely speak very well for you in the secret court when you’re caught with a hand in somebody’s cookie jar.
Similarly, the punishments in China are much more severe, motivating people to think twice before hacking on any internal resources. When the government is willing to toss you into a 20-year re-education program without a public trial, you probably think very hard before turning on your own people.
On the other hand, here in the US, we have trouble getting a jury to understand what a hacker did, much less why they should be behind bars. Poulsen is a senior editor at Wired and Mitnick runs his own security consultancy.
And if you are a US patriotic hacker, like Adrian Lamo, you get a cush job working for a private security firm that consults with the FBI and NSA.