Showing posts with label china. Show all posts

Sunday, February 07, 2010

Google and China: the fallout continues

Since I wrote my last post suggesting (rather speculatively) that Google's apparent willingness to pull out of China might be linked to US state fears of (and pressure concerning?) cyber espionage against data held by Google about US citizens instead of/as well as Chinese dissidents, the world has become very interested in the succeeding revelation by Google that they are now working with the NSA to improve their cyber defenses.

This raises all kinds of further questions: doesn't Google have as much expertise in computer security itself as the Spooks? Or as someone put it even more conspiratorially on Twitter: hadn't we always assumed Google was working with the spooks? In which case what drove a public admission of it now?

All fun stuff and clearly far beyond the ken of a mere academic lawyer. But today's Grauniad has an interesting quote:

"Google is unlikely to be turning to the NSA for technical advice. Why then is it calling in the spooks? One reason could be that the world's dominant internet company is now in the crossfire of early skirmishes of the next cold war.

This thought was reinforced by Financial Times columnist Gideon Rachman. He'd been to the International Institute for Strategic Studies for a briefing on its annual survey, Military Balance. "The thing I found most interesting," he said, "was the confirmation that cyber-security is the hot issue … John Chipman, the head of the IISS, says the institute is about to launch a study of cyber-security which raises all sorts of issues. What if a country's infrastructure could be destroyed as effectively by a cyber-attack as by an invasion of tanks? How do you defend against that? How do you identify the culprits? What does international law have to say – might we have to revise our definitions of what constitutes an act of war?"

"Chipman argues, plausibly, that we are now at an equivalent period to the early 1950s. Just as strategists had to devise whole new doctrines to cope with the nuclear age, so they will have to come up with new ideas to cope with the information age."

I've noted before that I find it difficult to see how current international law can define cyber attacks and especially cyber espionage as armed attacks justifying, eg, the doctrine of self defense. But I've also now been to several events where military lawyers seemed to be if not saying then at least moving towards exactly that. It is clear we are entering the era of what is sometimes called "justificatory discourse" regarding cyber war, or PR in less elevated circles. (The irony of the fact this is playing out as the Iraq inquiry goes on is not lost on Pangloss. Nor that MI5 appears to be trying to get in on the action by revealing what bad stuff Chinese cyber spies have been doing in the UK too.) The same thing is, of course, happening in China too: one report from there notes that the average Chinese citizen is mostly apathetic to the loss of Google but Chinese news coverage has "focused not on Google but on what is perceived as US "information imperialism.""

And meanwhile, the ever excellent Ray Corrigan points out (I think - lots of interesting stuff packed in here) that cyberwar may be becoming the latest bogeyman, following hard on pedophiles and al-Qaeda to justify incursions into our civil liberties. And that we are hardly ones to condemn China's Great Firewall, when we do an awful lot of net censorship ourselves. (See further, dare I say, my own chapter here, which is the basis of the paper on cyber filtering and free speech I'm giving in a few days.)

OT: Looking at B2fxx reminds me I have been derelict in my duty not to mention my colleague Chris Marsden's much awaited book on 'Net neutrality: towards a co-regulatory solution' is not only just published by Bloomsbury but also available for free download under a creative commons licence at http://www.bloomsburyacademic.com/pdf%20files/NetNeutrality.pdf . Lordy lordy such wondrous times we live in!!

Thursday, January 28, 2010

Google and China: Interesting Times?

So what do we think about the Google China affair then? For anyone who has been hiding under a rock on Pluto lately, Google announced on January 13th that it "may end its operations in China following a "sophisticated and targeted" cyber attack originating from the country." aimed apparently at gathering intelligence from Gmail accounts etc on human rights activists, dissidents and the like in China, and adding that in response they would no longer self censor their search database as they had since starting up in China in 2006. China, unsurprisingly, insisted that hacking was illegal in China and Google would have to toe the line and enforce local laws like other companies. Then perhaps slightly more surprisingly, the US government itself got involved in the form of a swinging speech by Hillary Clinton demanding that Beijing should investigate the hack attacks on Google, and less directly, implying that China had a duty, like also-mentioned Tunisia, Uzbekistan, Vietnam and Egypt to stop restricting freedom of expression on the Internet. One commentator has compared this to Reagan demanding the pulling down of the Berlin Wall - only this time it was the Chinese Great Firewall. For China to back down would be almost unprecedented; so at least one China insider has said that in six months he expects there to be no Google.cn. Meanwhile information filters out that similar espionage hacks seem to have been mounted by Chinese hackers on other US companies in recent months, seeking economic espionage intelligence; two of the companies were major US oil companies.

The main response to this has been huzzah! In a world apparently dominated by bankers taking as many undeserved bonuses as they can sweep up, one can sense the eagerness of the world to believe that a big company can still want to do the right thing. Certainly even if Google's "Do no evil" motto has tarnished a little lately they do stand out as appearing in the world of corporate politics to give a damn about human rights. A Grauniad columnist wrote perhaps a little over excitedly yesterday:
"we can now again unreservedly identify, politically as well as aesthetically, with Google. This is the spirit of liberal universalism. It says that there are some universal rights it is not the prerogative of any state or "civilisation" to curb; and that, as the Universal Declaration of Human Rights states, the right to information freedom is among them."
But is anything in life really this simple? As many have pointed out, China is a market where Google is not dominant, having only around 30% of the market. But pulling out of the world's largest emergent economy is still rather a bold step. Unless perhaps you consider the rather less publicised fact that Google only makes money by click through on ads; and reportedly, the Chinese don't yet bother to click through (Google don't reveal the turnover of their Chinese business as they do their US profits). Still it seems like either a very brave or a very foolhardy endeavour. (Bill Thompson comments that "Threatening to pull out of China is like threatening to spit on a whale".) (Unless you think it's all merely a very successful PR stunt.)

A braver woman than Pangloss might even sail into the world of conspiracy theories, and consider the Google response and the Clinton speech as part of a combined PR drive. China expert Orville Schell in this video recorded at Davos, notes that
"Google has become more like a nation than a company. By this he means that not only is Google closely connected to the Obama administration, but the company has a high resonance in the western world. Only a company like Google could take such a stance against China".
Why would the US want Google out of China, or at least, a very public fuss about the hack attacks on Gmail accounts by China? Well, cybersecurity experts have long privately admitted that although rather more fuss has been publicly made about "cyberwar" denial of service attacks on critical infrastructure (as, famously, against Estonian and Georgian banks and media sites, etc), the foremost worry is actually about cyber espionage. Chinese keylogger code has been found before now on military computers; it is known that it is almost impossible to 100% protect against this. Google store invaluable information not just about Chinese dissidents but US citizens - and companies. If you were a Chinese espionage officer would you target the unprotected Gmail user or the more protected Google servers, or the very well protected servers carrying confidential military or corporate secrets?

For a cyber lawyer, the interest here is whether we are approaching the point where cyber espionage might begin to be characterised as "cyberwar". Just as with DDOS attacks, the current law is badly equipped, perhaps quite properly, to make this conceptual leap. I spoke on this in Estonia last summer, at the NATO backed CyberSecurity Centre. International treaties demand an "armed attack" by a "state" before rights of self defence or international humanitarian law can begin to apply. Is use of code to find out information an "armed attack"? Difficult to see (although there was some discussion of this back in the good ol' days of Star Wars defence.)

More significant still is the pained matter of attribution. No one can prove that attacks by Chinese hackers came from and with the authority of the Beijing government - and circumstantial evidence simply cannot be regarded as decisive here given the easy obfuscation of Internet traffic and addresses, and the flourishing private enterprise cyber black market. Much of the cybercrime in the world originates from networks of zombie machines run (apparently:-) by Russians with the machines scattered through every country from the UK to Brazil; this does not mean (necessarily) that Russia, the UK or Brazil is responsible as a state aggressor. The question of attribution will have to be far better discussed before we can go any further down this line. In the meantime however, it is interesting to note that there are reported American stirrings of interest in a cyberwar treaty to reduce cyber-attacks, as with munitions or poison gas weapons: such a treaty has long been resisted by the US, but now that position seems to be shifting - why?*

And meanwhile today brave little Twitter, hero of the Iran dissidents, announces they are sub contracting research to avoid being blocked by China. All in all very interesting times - in the Chinese sense?

*Well, perhaps because, as I discover the minute I finish writing this, 37% of US critical infrastructure firms think cyber attacks are growing and 2/5 expect a major cyber security incident within the year - say McAfee at Davos.

Sunday, December 02, 2007

MI5 warn of Chinese hacking threat too

Only a day after the McAfee report warned of the possibility of Chinese hackers attacking states around the world including the UK, MI5 has, unconnectedly, sent out a confidential letter warning of exactly that. The Chinese embassy has of course denied the allegations - just as they did in response to the original report.

More over at Blogzilla.

And Pangloss goes to China Tuesday to give a paper entitled "Chinese zombies or Japanese worms? What can the law do about cyber-security?". Synchronicitous times..

Meanwhile on the domestic security front, fall out from the great child benefit disc scandal continues. Contactpoint, the database to combine data on most of the country's children for multi-agency communication purposes, has been put on hold for five months.

Shadow Children’s Minister Maria Miller said: "The government should also use this opportunity to see whether it really is necessary to have a database for every single child in the country, accessible to 330,000 people, given the significant amount of concern that this could overload the system and lead to a dumbing down of information."

Pangloss just turned in a somewhat critical chapter on Contactpoint for a book on social work, privacy and confidentiality; perhaps by the time it is printed it will already be a dead letter?

First, Contactpoint: next the ID Database? Watch this space.