Disarming the Great Cannon
China thinks its cyberattacks are a defensive maneuver. How can the United States prevent the balkanization of the global Internet?
China, long known to block undesired online information with an electronic barrier known as the Great Firewall, may now have added to its censorship arsenal a powerful new cudgel. Researchers in the United States and Canada have traced a March cyberattack to a new tool they have dubbed the “Great Cannon,” apparently utilized by Chinese government authorities to manipulate and redirect foreign web traffic, and in the future perhaps even to expand online surveillance capabilities. Yet while Chinese authorities maintain that such censorship is justified by legitimate national security imperatives, the United States holds that it severely undermines the integrity of the global Internet. The two conflicting positions present a serious challenge to multilateral Internet governance and the future security of the global Internet.
In late March, a sustained denial of service attack targeted GreatFire.org, a U.S.-based non-governmental organization that seeks to analyze and circumvent the Great Firewall, and its section on the open-source code platform GitHub. The attack, attributed to China’s Internet authorities, took place through the insertion of malicious code—which researchers now believe was accomplished using the Great Cannon–into analytics code of Baidu, China’s largest search engine. As a result, traffic from all computers accessing websites in which this code was embedded, was redirected towards these websites, drastically slowing service. According to Jason Ng, a fellow at The Citizen Lab at the University of Toronto, both sides have sought to leverage the many passive, apolitical users of the Internet. GitHub is a platform used by many Chinese programmers, and so taking it down would cause a domestic backlash. GreatFire’s use of this platform is, in Ng’s words in an April 1 ChinaFile Conversation, a “high-stakes dare.” The attackers, on the other hand, relied on the substantive quantities of ordinary netizens who, in their daily web use, were unaware of the presence of Baidu’s analytics code, let alone its use in the cyberattack. These facts elicit complex questions about public-private relations in cyberspace, in particular with regard to the definition of online security and aggression. In the worst case, they might herald a medieval escalation into continuous wrangling between anyone who can muster enough mercenary forces (and with no guarantee that those mercenaries are actually aware of what is happening).
At the heart of this attack lie two fundamentally conflicting views of legitimate governance and security in cyberspace. From the Chinese point of view, the Great Firewall is a critical piece of national security infrastructure that protects against relentless attempts by “foreign hostile powers” to undermine the stability of the regime. The avowed mission of GreatFire.org to unblock censored websites is, in that sense, an act of sabotage that impinges on China’s sovereign right of self-determination.
From the Western point of view, GreatFire.org, which not only monitors censorship trends on the Chinese Internet, but also seeks to unblock censored information, is a courageous defender of the online rights and liberties of China’s citizens, as well as of the integrity of the global Internet. From this angle, China’s tactics undermine trust in Chinese businesses and regulators and risk the balkanization of the web.
Both positions are self-serving. One might argue that the U.S. cyber practices revealed in the Snowden revelations did as much to endanger network integrity as any attack from the Chinese side. If the argument is about human rights, the treatment of whistleblowers such as Chelsea Manning and Edward Snowden, or more broadly America’s continued pursuit of what has been called extrajudicial murder, provide easy ammunition to allege hypocrisy. For its part, the Chinese side often overlooks the fact that its astonishing economic success owes more than a little to the willingness of other states to accommodate China in the global trading system, often at significant domestic cost.
In any case, these arguments can only lead to a prolonged, unproductive shouting match. We are already seeing an escalation of threats in cyberspace, including the sanctions targeting foreign hackers President Obama announced a few days ago. If this status quo is undesirable, a deal is necessary. This deal can either be made relatively quickly, or after a prolonged period of strife and recriminations that merely allow for more harm to be inflicted, without shifting the goalposts. In other words, it is time for a bit of realpolitik.
The ingredients of an agreement are relatively simple: defining the nature of online threats to security, defining the role of various parties, including governments, corporations, and individual citizens in maintaining security, as well as liability for alleged aggression, and defining protocols for the attribution of cyberattacks. But such a deal would be very difficult to sell internally in either country: it is a characteristic of many governments, and particularly security services, to want others to be bound to rules that they themselves can disregard. Crucially, mutual trust is non-existent at the moment.
But we are not discussing a typical state-to-state issue. Privately owned online giants, from Apple to Google to Chinese companies like Tencent and Baidu, wield power in the information space that rivals that of national governments. And it’s also possible for a very small number of individuals with no corporate affiliation to inflict significant damage through the network. The power of these private actors greatly complicates notions of security and aggression. It would be relatively easy to formulate standards for what constitutes inter-state aggression online; international law on conflicts already provides enough handholds in this respect. But civilian acts present a more difficult challenge. If we recognize that all states have legitimate security concerns, a series of difficult choices presents itself: either states need to agree on a mutually recognized list of such concerns, or each state gets to do that for themselves. If the latter is the case, what should the government of country X do when a private party located in that country launches an attack against country Y? If country X does nothing, would it then be legitimate for country Y to retaliate against said private party?
These are now the crucial questions that must be faced in cybersecurity affairs. One inconvenient truth that the Western side must face is that China has a better bargaining position. Its chief objective is clearly spelled out in its drive for what it calls Internet sovereignty: to ensure that everything that might affect the Chinese Internet is under Beijing’s control. China’s government doesn’t care whether the Internet balkanizes; in fact, China has no overall transformative goal for the global Internet. Rather, it seeks to govern the international aspects of cyberspace on the basis of 19th century diplomatic principles. Instead of trying to develop a highly complex and new multi-stakeholder model for cybergovernance, it simply assumes a statist model. This defensive posture means that its objectives are much more closely matched to its abilities than the transformative views espoused in the global Internet governance community, which lacks the tools to bring non-compliant countries or organizations into the fold. And China has been able to buttress its position by leveraging its huge domestic market, requiring that global multinationals play by the government’s rules, or not at all.
This dynamic creates a complex brief for Western politicians and diplomats. They must juggle the ideological integrity of the open Internet agenda, the technological integrity of the Internet, the commercial interests of companies that not only are active on the Chinese market but also produce much of their equipment there, and the political pressure of not being seen to bend to authoritarian demands. It seems scarcely possible that all these interests can be pursued without trade-offs.
That means that diplomatic and political capital will need to be spent more judiciously. It is likely, for instance, that the price of a non-balkanized Internet will be concessions to China’s demands for more governmental participation in global governance systems. This is not necessarily a bad thing. If a resulting deal is characterized by well-understood self-restraint and increasing trust and openness on all sides, it might actually enable balance among the various participants. As China continues to up its online censorship game, Western governments perhaps need to start asking themselves what price they are willing to pay to forestall further escalation.