From The New York Times

January 14, 2010
In Rebuke of China, Focus Falls on Cybersecurity

By MIGUEL HELFT and JOHN MARKOFF
SAN FRANCISCO — Even before Google threatened to pull out of China in response to an
attack on its computer systems, the company was notifying activists whose e-mail accounts
might have been compromised by hackers.

In a world where vast amounts of personal information stored online can quickly reveal a
network of friends and associates, Google’s move to protect individuals from government
surveillance required quick action. In early January, Tenzin Seldon, a 20-year-old
Stanford student and Tibetan activist, was told by university officials to contact Google
because her Gmail account had been hacked.

Ms. Seldon, the Indian-born daughter of Tibetan refugees, said she immediately contacted
David Drummond, Google’s chief legal officer.

“David informed me that my account was hacked by someone in China,” Ms. Seldon said in a
telephone interview. “They were concerned and asked whether they could see my laptop.”

Ms. Seldon immediately changed her password and became more careful of what she wrote.
She also allowed Google to examine her personal computer at the company’s request. Google
returned it this week, saying that while no viruses or malware had been detected, her
account had indeed been entered surreptitiously.

Google confirmed Ms. Seldon’s account of events, but declined to say whether it had
notified other activists who might have been victims of hacking.

Mr. Drummond said that an attack originating in China was aimed at its corporate
infrastructure.

While the full scope of the attacks on Google and several dozen other companies remains
unclear, the events set off immediate alarms in Washington, where the Obama
administration has previously expressed concern about international computer security and
attacks on Western companies.

Neither the sequence of events leading to Google’s decision nor the company’s ultimate
goal in rebuking China is fully understood. But this was not the first time that the
company had considered withdrawing from China, according to a former company executive.
It had clashed repeatedly with Chinese officials over censorship demands, the executive
said.

Google said on Tuesday that in its investigation of the attacks on corporations, it
found that the Gmail accounts of Chinese and Tibetan activists, like Ms. Seldon, had been
compromised in separate attacks involving phishing and spyware.

Independent security researchers said that at least 34 corporations had been targets of
the attacks originating in China.

Adobe, a software maker, said it had been the victim of an attack, but said that it did
not know if it was linked to the hacking of Google. Some reports suggested that Yahoo had
been a victim, but a person with knowledge said that Yahoo did not think that it had been
subject to the same attack as Google.

The decision by Google to draw a line and threaten to end its business operations in
China brought attention to reports of Chinese high-technology espionage stretching back
at least a decade. But despite Google’s suggestion that the hacking came from within
China, it remained unclear who was responsible. Nevertheless, it presented the Obama
administration with a problem of how to respond.

Google’s description of the attacks closely matches a vast surveillance system called
Ghostnet that was reported in March by a group of Canadian researchers based at the Munk
Center for International Studies at the University of Toronto. They found that an
automated espionage system based in China was using targeted e-mail messages to
compromise thousands of computers in hundreds of governmental organizations. In each
case, after the computers were controlled by the attackers, they were able to scan for
documents that were then stolen and transferred to a digital storage facility in China.

The researchers stopped short of directly accusing the Chinese government of
masterminding the attacks. However, for years there have been reports of attacks planned
by so-called patriotic hackers in China, and many American security specialists argue
that these are simply irregular elements of the People’s Liberation Army. At the same
time, hackers frequently use so-called false flag espionage or denial of service attacks
to route their activities through the computers of a third country and hide their
identity.

One of the Canadian researchers said that fellow computer security researchers suspected
that the attack on Google and other recent intrusions relied on hackers sending
booby-trapped documents that were stored in Adobe’s Acrobat Reader format, which then
infect victims’ computers. This method was seen in a recent wave of attacks on the Dalai
Lama’s computers. “We’ve seen a huge upsurge in attacks using Adobe Acrobat,” said Greg
Walton, an editor at Information Warfare Monitor, a publication of the Canadian research
group.

A spokeswoman for Adobe said the company was investigating the reports, but could not
confirm that the Adobe software was linked to the most recent attacks.

For Google, the attacks appeared to have been the final straw in a series of
confrontations with Chinese authorities.

Top Google executives, including the chief executive, Eric E. Schmidt, and the
co-founders, Larry Page and Sergey Brin, were ambivalent about the decision to go into
China in 2006, which involved agreeing to censor some search results on the company’s
local search engine, according to a former executive with knowledge of the discussions.
The resistance was strong from Mr. Brin, who had grown up in the Soviet Union.

But after discussions and internal lobbying from Chinese and Chinese-American employees
inside Google, as well as some of the company’s sales executives, Google’s top executives
came around. They were particularly swayed by the argument that even a censored version
of Google’s search engine would provide Chinese people more access to information and
help promote free expression in that country.

Once the decision was made, however, Google began expanding its operation in China, which
it expected would grow to be one of the largest Internet markets. During Mr. Schmidt’s
2006 visit to China, shortly after Google introduced the company’s China-based search
engine, Google.cn, he told reporters that it would be “arrogant” to try to change China’s
censorship laws.

But repeated clashes with Chinese authorities caused Google to reconsider its decision on
many occasions, the former executives said. Things almost collapsed in 2008, when Chinese
government officials asked Google to censor results not only on Google.cn but also on
Google.com, the company’s English-language search engine. Google refused, and after the
2008 Olympics, Chinese officials dropped the issue.

Google now says it thinks that its attempt to help bring openness to China has failed.

“We were looking at an environment that is more difficult than it was when we started,”
Mr. Drummond said in an interview on Tuesday. “Far from our presence helping to open
things up, it seems that things are getting tighter for open expression and freedom.”

Robert Gibbs, the White House press secretary, said Wednesday that the White House had
been briefed by Google on the company’s decision. However, he declined to describe what
actions the government might take in response to the claims of Chinese-directed Internet
attacks.

“The recent cyberintrusion that Google attributes to China is troubling, and the federal
government is looking into it,” said a White House spokesman, Nicholas Shapiro. He said
that the president had stated that Internet freedom was a central human rights issue on a
recent China trip. He also said that the president had made Internet security a national
priority.

Gabriel Stricker, a Google spokesman, said Google’s decision to publicize the attacks was
motivated in part by its desire to alert activists that their accounts could have been
compromised.

The attacks present a challenge for the Obama administration, which last year debated the
role of a federal Internet security adviser. The administration is grappling with how to
balance stricter security controls and the freedom of technology companies to innovate.

Several Internet security specialists were quick to point out that a group within the
White House led by Lawrence H. Summers, the national economic adviser, had pointed to
Google in debates on the appointment as an example of an innovative Silicon Valley
company that might be hamstrung by strict new Internet security restrictions.

“It’s ironic that the new economy folks at the White House were pushing back against
faster movement on cybersecurity to protect companies like Google from stricter
regulations,” said James Lewis, an Internet security specialist at the Center for
Strategic and International Studies in Washington. Last year, Mr. Lewis led a bipartisan
study calling for the creation of a strong Internet czar reporting directly to the
president to combat a rash of new security threats.

The White House said on Tuesday that Robert A. Schmidt, a compromise candidate who was
chosen last month to be the Internet security adviser, would not start in the position
until later in the month.

Ashlee Vance contributed reporting from Mountain View, Calif., and Thom Shanker from
Washington.