Earlier this month, many Gmail users received a message from Google warning of "state-sponsored attackers" who "may be attempting to compromise your account or computer." The alleged state sponsor is China, of course, and the unusual message is Google's way of jabbing at a persistent foe. (Google and China have a complicated, largely acrimonious history.) In many ways, the intentionally unnerving warning is Google's most clever move yet. It is the search giant's way of sending up a signal flare, raising awareness of a serious issue to a heretofore-disinterested mass audience. Normal human beings consider cyber-attacks to be something that happens to other people. Banks get attacked; the FBI gets attacked — which is bad, but somehow disconnected from real life. Suddenly, though, an abstract problem has been made very real. It's not a weird computer virus or a hacker in his mother's basement; it's the People's Republic of China! They're not after Citibank; they're after me!
Anecdotally, it would seem that a disproportionate number of national security journalists and policy officials were targeted in this latest hack, which affected hundreds of Gmail accounts. This would be consistent with China's attempted attack on mailboxes in 2011. (Admittedly, many people working in such fields would be more surprised if foreign powers weren't after their data.) The reason for going after policymakers is obvious: Intelligence. The same applies to investigative journalists, who often correspond with high-ranking government officials.
Though China denies any wrongdoing, according to a leaked diplomatic cable from the U.S. Embassy in Beijing, "a well-placed contact claims that the Chinese government coordinated the recent intrusions of Google systems." How committed is the Chinese government to such operations? "One hundred percent."
There are many reasons to dislike Google. But the company is doing a heroic job challenging the Chinese government on the electronic field of battle.
Thankfully, China still has a lot to learn. Journalists I've spoken with who were targeted described the laughable spear phishing attempts by China — spelling errors, grammatical mistakes, and absurd names in the "From:" box. (Spear phishing involves forged email headers that appear to be from legitimate contacts, and are directed at specific individuals. The purpose is to trick recipients into opening malware or clicking through to sites that secretly hijack their computers.)
Of course, as China's cyber capabilities mature, the world's most populous nation will get better at digital espionage. And that's why it's so important that Google has named and shamed China, making the general public feel part of the issue. Perhaps that may spur lawmakers to actually address the problem.
Legislative action is long overdue. Even the gutted and impotent Cybersecurity Act of 2012 can't find its way out of committee in the Senate, and civil libertarians object to direct government involvement in the internet's workings, warning of a slippery slope. The other logical approach — leave the internet alone, but order businesses associated with critical infrastructure (the electric grid, for example) to comply with security guidelines — meets natural resistance from private industry. Government regulations are invariably onerous, expensive to implement, and difficult to comply with. As one cyber security specialist told me, "There is strong resistance from the business community for better cyber security. Some of that I don't understand. Some of it is pretty clear. They don't want additional costs. They don't want additional regulations. I understand that. National security is not something you can hand to the market or private sector and expect to have it work. But that's what we've been trying now for about 15 years."
While Congress remains at an impasse, the problem is growing. General Keith Alexander, commander of U.S. Cyber Command (CYBERCOM) and director of the National Security Agency, has called China's electronic misbehavior "the greatest transfer of wealth in history." Billions of dollars and decades of research are secretly stolen from private industry by the Chinese government every year. When CYBERCOM detects Chinese cyber intrusions on private industry, the only thing it can do is warn the business in question. It can't order them to fix the problem, and it can't help in stopping the attack — it lacks the legal authority to do so. (No federal agency, in fact, is explicitly permitted to help.)
Meanwhile, China isn't just sitting around waiting for you to slip up and click the wrong link — and nor is Google playing passive defense. Consider a 2010 example: The Chinese government directly infiltrated Google's computers and extracted information on anti-authoritarian activists. As a result of the break-in, Google threatened to withdraw its operations from China completely, but settled for sticking around and working to subvert PRC censorship from within. Now, whenever Chinese internet users attempt to search for material censored by the government, they are notified by Google of the specific word thwarting uncensored results, implicitly suggesting the user try other, similar words that might bypass PRC interference.
So where are we? Businesses and infrastructure are under siege. U.S. officials and journalists are targeted for intelligence. Congress is paralyzed, and during an election year, the White House won't tackle toxic issues with implications for civil liberties. There are many reasons to dislike Google. But the company is doing a heroic job in bringing the issue to light and challenging the Chinese government on the electronic field of battle. And right now, it is our most effective defender.