Some time ago, a question was posited here.

NDIA perhaps provides us with the answer. From National Defense Magazine:

For 18 minutes in April, China’s state-controlled telecommunications company hijacked 15 percent of the world’s Internet traffic, including data from U.S. military, civilian organizations and those of other U.S. allies.

This massive redirection of data has received scant attention in the mainstream media because the mechanics of how the hijacking was carried out and the implications of the incident are difficult for those outside the cybersecurity community to grasp, said a top security expert at McAfee, the world’s largest dedicated Internet security company.

In short, the Chinese could have carried out eavesdropping on unprotected communications — including emails and instant messaging — manipulated data passing through their country or decrypted messages, Dmitri Alperovitch, vice president of threat research at McAfee said.

Nobody outside of China can say, at least publicly, what happened to the terabytes of data after it entered China.

The incident may receive more attention when the U.S.-China Economic and Security Review Commission, a congressional committee, releases its annual report on the bilateral relationship Nov. 17. A commission press release said the 2010 report will address “the increasingly sophisticated nature of malicious computer activity associated with China.”

Perhaps the time has come to recognize China has more than begun turning its “Unrestricted Warfare” theories into practice. The next policy official or War College/NDU professor, the next GO/FO who reiterates the tired and naive refrain that the book “doesn’t represent official Chinese or PLA policy” needs to be shown the door. A decade of that silly and Panglossian answer is more than plenty. Those who still find that statement credible have missed the boat long ago. The NDIA article goes on:

“If China telecom intercepts that [encrypted message] and they are sitting on the middle of that, they can send you their public key with their public certificate and you will not know any better,” he said. The holder of this certificate has the capability to decrypt encrypted communication links, whether it’s web traffic, emails or instant messaging, Alperovitch said. “It is a flaw in the way the Internet operates,” said Yoris Evers, director of worldwide public relations at McAfee.

No one outside of China can say whether any of these potentially nefarious events occurred, Alperovitch noted. “It did not make mainstream news because it is so esoteric and hard to understand,” he added. It is not defined as a cyberattack because no sites were hacked or shut down. “But it is pretty disconcerting.”

And the hijacking took advantage of the way the Internet operates. “It can happen again. They can do it tomorrow or they can do it in an hour. And the same problem will occur again.”

As various “Cyber Commands” design their service pins and declare themselves “ready” for a major cyber event, they ought to take heed. There were inklings of this occurrence in April/May, but this seems to be the first relatively comprehensive public acknowledgment of China’s actions.



Some of Defense Secretary Gates’ remarks to the Wall Street Journal CEO Council yesterday:

The U.S. Defence Department estimates that over 100 foreign intelligence organizations have attempted to break into U.S. networks. Every year, hackers also steal enough data from U.S. government agencies, businesses and universities to fill the U.S. Library of Congress many times over, officials say.

The Pentagon’s biggest suppliers — including Lockheed Martin Corp, Boeing Co and Northrop Grumman Corp — are investing in the growing market for cyber technology, estimated at up to $140 billion a year worldwide.

Gates said the U.S. military had made considerable progress protecting its own sites and was working with its private-sector partners “to bring them under that umbrella.”

And everyone that touches Lockheed Martin and Boeing and Northrop Grumman, and everyone they touch, and everyone who touches them, and….

Good luck with that.

Posted by UltimaRatioReg in Air Force, Army, Aviation, Coast Guard, Foreign Policy, Homeland Security, Marine Corps, Maritime Security, Navy


  • Derrick

    Interesting…but I thought the NSA had been listening in on China’s electronic traffic since the 80’s…I thought there are still US surveillance stations in China, manned by US personnel? The fact that China has not been able to capture proof/evidence of the NSA’s surveillance on them is a testament to the high calibre of personnel working in the US intelligence community as well as the superiority of US information technology.

    This definitely has to be brought up in discussions between the US diplomats and Chinese counterparts.

    Also, were the network packets China hijacked encrypted or not? If so, what level of encryption? 64 bit? 128 bit? Or more?

  • UltimaRatioReg
    Whether the packets were encrypted or not makes little difference to the “man in the middle” exploit.

  • infocyde

    Maybe more diversity in the armed forces would keep this from happening. I know Gates and Mullen are spending a lot of time on making diversity their number one priority. Diversity sure must be important, because fielding a viable air force, maintaining a 300 ship navy that isn’t made up of fast under armed light frigates (LCS), maintaining info dominance, making non-politically motivated threat assessments, and maintaining operational security sure are taking a back seat in the priority bus apparently.

    Maybe if we diversified the electrons?

  • Solon

    This type of incident, the Wikileaks breach, and the NMCI ‘outage’ last summer are tiles in the same mosaic. The picture those tiles form is not pretty if you believe that information can be “controlled”. It cannot – yet our collective cyber teams continue to believe that the brass ring of cyber and info security is the absolute protection of the .mil domain.

    All those efforts will provide, at best, is a temporarily protected domain. The ubiquity of information – logistics passed on .net or .org or other domains, operational philosophies passed on .edu, and even the OPSEC nightmare of permanently recorded fragments that can be assembled into a single picture – are all moving simultaneously and allow the interested (and capable) observer to learn much.

    That’s just the intel side. What about gradual information degradation (imposed by a third party)? If our networks, practices, and plans rely on assured information, on demand, then we have built a great and vulnerable bottleneck. We’re, collectively, still guilty of thinking of information as “digital print” instead of as an assimilable, consumable, and often perishable facilitating resource.

    We can continue to treat information like fuel or water or nuclear material, but that approach will only leave us vulnerable across-the-board. The Chinese are already exploiting our perceptual blindspot…need to get moving to mitigate this never-shrinking threat.

  • UltimaRatioReg
    Superb observations. Right on point. My experience with DoD and USG understanding of the true impact of near-instant information exchange, and the ability of some potential and capable adversary to exploit it, is definitely underwhelming. Others (China, Russia, non-state actors, and criminal elements) get it in spades and are unafraid to exploit. In fact, they do so routinely.

  • Old Air Force Sarge
    Superb post.

    Part of the problem is that the (ahem) older generation do not understand all this hi-tech bit manipulation on any level, let alone on a global scale (which the internet certainly spans). I don’t know how many times I’ve seen one of our brilliant young engineers in the defense contracting industry have an idea shot down simply because the Jurassic-Era engineer doesn’t understand the concept or says “that’s not the way we did things on the UYK-7”. And that’s guys who’ve been trained in this stuff (although years/decades ago)! So it’s not hard to understand how non-computer savvy people figure this isn’t a problem. Or at least not a major problem.

    Incidents like this aren’t much different from a gang “casing” a bank to plan a later robbery. Looks innocent but most assuredly is not.

  • Derrick

    Actually, whether the packets were encrypted or not will help me understand what the next step China has to do to get the information.

    The blog post authored by UltimaRatioReg explicitly states that:
    In short, the Chinese could have carried out eavesdropping on unprotected communications — including emails and instant messaging — manipulated data passing through their country or decrypted messages, Dmitri Alperovitch, vice president of threat research at McAfee said.

    If the packets were encrypted by any US security standard, China would have to go through every possible key combination in order to decrypt the information. And by the US security standards, this should be in the order of hundreds of years to do so. So even if the packets were intercepted, encrypted packets would take forever to recycle and thus be useless to China. If the packets were intercepted by a non-state actor like Al Qaeda, and the packets were encrypted, they would have no chance at all of getting at the information because they would not have the computing resources to decipher the packets.

    If the packets were unencrypted, well, yeah, China/Al Qaeda/whomever would be able to read the data easily. However, I would assume unencrypted packets would contain info like my emails or my blog post here, not important stuff like nuclear control codes/etc…

    What is the proof these cyber “experts” have to confirm that the Chinese government has knowingly hijacked US based internet traffic?

    Also, the problem appears to be limited to internet traffic going through China (ie the actual network packets passing through physical data lines in geographic China). So I’m not concerned because I hope the US navy at least doesn’t send information over the Internet.

  • UltimaRatioReg

    “So I’m not concerned because I hope the US navy at least doesn’t send information over the Internet.” No? You might be very surprised. Read Solon’s comments above.

    Think of all the information that DoD and USG uses that is critical, that does cross non “dot mil” domains.

    Even if the packets cannot be deciphered, the potential interruption of traffic at the whim of the third (and unknown) party can badly compromise communications reliability and mutual trust in the information.

    Don’t over-value encryption. If mutual authentication is weak, a modified MiM exploit may be able to read enough packets to make it worth their while.

  • Derrick

    OK…didn’t read Solon’s comments…but now that I have, I guess your superiors should all sit down and review what is allowed to be transmitted over the Internet and what is not.

    To look at this problem from the high level, I think US national security policy must change to reflect the modern world. Just like how World War 2 taught me that it is important for the US navy to be a dominant force in the world’s oceans in order to protect/enforce peace, and how Operation Desert Storm taught me that air superiority is essential before a ground campaign, I think the US should focus on establishing dominance in the information warfare area.

    However, this is not really a problem suited for the traditional US military, because information warfare requires cyber experts who are more academically skilled as opposed to physically skilled.

  • UltimaRatioReg
    Your last sentence is a mouthful. In fact, the DoD is often at odds with the very people who may help them the most with information assurance. Saw it oh-so-many times in exercises, and sometimes in real life.

    However, the “internet” is so inextricably intertwined with all our business and governmental processes that it is probably impossible to regulate traffic as the USG and DoD sometimes speak of doing. Even evaluating networks to ensure “air gapping” from public internet is a dicey business. A very experienced colleague of mine informed me that he had NEVER seen a network of any consequence that was truly air gapped from the “big I” internet. That includes SIPR, NIPR, and myriad other supposedly “safe” networks.

  • Derrick

    What are the typical conflicts between the DoD and the IT security people?

    Separating networks from the Internet will probably be near-impossible…but I would hope that encryption standards can be set to make it impossible to decrypt intercepted data within 100 years.

  • UltimaRatioReg

    The conflicts are not just with IT Security, but between US Government and the ISPs themselves.

    The ISPs do not want ANY KIND of government regulation. They (the ISPs) think, somewhat rightly, that the USG understands little of the essential components of their industry, and the infrastructure which supports it. They also somewhat rightly fear USG oversight as intrusive and an invasion of privacy which would be exceedingly harmful to the entire concept of internet use for personal and business purposes.

    To oversee is to monitor, to monitor is to record. To record is to save. To save is to use later. To use later is to have leverage and to have leverage is to threaten to use that leverage. All in an arena that works to a great extent on its anonymity.

    Also, simply dictating encryption standards will not be sufficient. They already exist. However, they can be gotten around in any countless number of ways. Remember, almost ALL security issues revolve around user-level security breaches.

  • Derrick

    I thought the NSA had something called Project Echelon that monitored all type of electronic traffic anyway…so why are the ISPs complaining?

  • UltimaRatioReg

    Though not thrilled with Echelon, the ISPs do have an understanding of NSA’s intentions. Which are far different from what they would consider oppressive regulation and law enforcement monitoring of internet users.

  • eastriver

    Thanks, URR, great wake-up call.

  • Derrick

    So ISPs don’t want the US government spying on them…don’t you love democracy?

    I think it would be too difficult to properly secure all ISPs but at least the points where the US government, particularly the military, connect to the Internet should have the right security hardware and software (firewalls, packet screening, private key encryption, etc…)…

    In fact, all military computer networks should require private keys for usage, and encryption of network packets should be standard practice, even within the US military. Think of all the jobs it would generate for software developers like myself. 😉

  • Derrick

    What happened was China Telecom sent out some sort of routing message to different routers indicating the fastest route for internal US internet traffic was to go through their routers…so an examination of network packets should show that some of the IP addresses they visited were geographically located in China.

  • UltimaRatioReg

    All unintentional, of course….

    One of the classic ways of creating a MiM exploit.
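The routing message Derrick describes in the last comment, and the "flaw in the way the Internet operates" the NDIA article refers to, is BGP accepting an origin announcement on the announcer's say-so. The Go program below is an added example and not code from the original post, the commenters, NDIA or McAfee. It shows the two shapes such a hijack takes in a router's best-path selection (a more-specific prefix, which wins regardless of path, and the same prefix with a shorter AS path) and then applies the RFC 6811 route-origin validation check that an operator with RPKI data would use to flag the bad announcements. The prefixes (RFC 5737 documentation space), the AS numbers (documentation/private range), the ROA table and the two-rule best-path selection are constructed for the example; real BGP also weighs local preference, MED and further tie-breakers before path length.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Route is one BGP announcement as a router sees it: the prefix and the AS path,
// leftmost entry being the neighbour that sent it and rightmost the origin AS.
type Route struct {
	Prefix netip.Prefix
	ASPath []uint32
}

// Origin returns the AS that claims to originate the prefix.
func (r Route) Origin() uint32 { return r.ASPath[len(r.ASPath)-1] }

// BestRoute is a deliberately simplified best-path selection (assumption for this
// example): the most specific matching prefix wins, and among equal prefix lengths
// the shortest AS path wins.
func BestRoute(rib []Route, dst netip.Addr) (Route, bool) {
	var best Route
	found := false
	for _, r := range rib {
		if !r.Prefix.Contains(dst) {
			continue
		}
		moreSpecific := r.Prefix.Bits() > best.Prefix.Bits()
		shorterPath := r.Prefix.Bits() == best.Prefix.Bits() && len(r.ASPath) < len(best.ASPath)
		if !found || moreSpecific || shorterPath {
			best, found = r, true
		}
	}
	return best, found
}

// ROA is a simplified RPKI Route Origin Authorization: ASN may originate any prefix
// inside Prefix whose length does not exceed MaxLength.
type ROA struct {
	Prefix    netip.Prefix
	MaxLength int
	ASN       uint32
}

// Validity is the RFC 6811 route-origin validation state of an announcement.
type Validity int

const (
	NotFound Validity = iota // no ROA covers the announced prefix
	Valid                    // a covering ROA authorises this origin at this length
	Invalid                  // ROAs cover the prefix but none authorises this origin/length
)

func (v Validity) String() string { return [...]string{"NotFound", "Valid", "Invalid"}[v] }

// ValidateOrigin classifies r against the ROA set as RFC 6811 describes.
func ValidateOrigin(r Route, roas []ROA) Validity {
	covered := false
	for _, roa := range roas {
		// A ROA covers the route when the route's prefix lies inside the ROA prefix.
		if roa.Prefix.Bits() > r.Prefix.Bits() || !roa.Prefix.Contains(r.Prefix.Addr()) {
			continue
		}
		covered = true
		if roa.ASN == r.Origin() && r.Prefix.Bits() <= roa.MaxLength {
			return Valid
		}
	}
	if covered {
		return Invalid
	}
	return NotFound
}

// Result holds what the constructed scenario produces.
type Result struct {
	Before            Route               // path chosen with only the legitimate announcement
	AfterMoreSpecific Route               // after a more-specific prefix is announced elsewhere
	AfterShorterPath  Route               // after the same prefix is announced with a shorter path
	Verdicts          map[string]Validity // origin validation per announcement, keyed "prefix AS<origin>"
}

// Scenario runs both hijack shapes and the ROV check over constructed announcements.
func Scenario() Result {
	legit := Route{netip.MustParsePrefix("192.0.2.0/24"), []uint32{64496, 64500}}
	moreSpecific := Route{netip.MustParsePrefix("192.0.2.0/25"), []uint32{64497, 64511}}
	shorterPath := Route{netip.MustParsePrefix("192.0.2.0/24"), []uint32{64511}}
	unregistered := Route{netip.MustParsePrefix("198.51.100.0/24"), []uint32{64496, 64502}}
	roas := []ROA{{netip.MustParsePrefix("192.0.2.0/24"), 24, 64500}} // constructed ROA table
	dst := netip.MustParseAddr("192.0.2.10")

	res := Result{Verdicts: map[string]Validity{}}
	res.Before, _ = BestRoute([]Route{legit}, dst)
	res.AfterMoreSpecific, _ = BestRoute([]Route{legit, moreSpecific}, dst)
	res.AfterShorterPath, _ = BestRoute([]Route{legit, shorterPath}, dst)
	for _, r := range []Route{legit, moreSpecific, shorterPath, unregistered} {
		res.Verdicts[fmt.Sprintf("%s AS%d", r.Prefix, r.Origin())] = ValidateOrigin(r, roas)
	}
	return res
}

func main() {
	res := Scenario()
	fmt.Printf("before: %v via AS%d\n", res.Before.Prefix, res.Before.Origin())
	fmt.Printf("more-specific hijack: %v via AS%d\n", res.AfterMoreSpecific.Prefix, res.AfterMoreSpecific.Origin())
	fmt.Printf("shorter-path hijack: %v via AS%d\n", res.AfterShorterPath.Prefix, res.AfterShorterPath.Origin())
	for k, v := range res.Verdicts {
		fmt.Printf("%s: %v\n", k, v)
	}
}
```

Note what the check does and does not buy: origin validation catches both bad announcements here because a ROA exists for 192.0.2.0/24, but the 198.51.100.0/24 announcement comes back NotFound, not Invalid, because nobody registered it; a prefix with no ROA gets no protection at all, and a hijacker that prepends the legitimate origin AS to its path passes ROV and needs path validation to catch.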