“Keeping to your message, repeat it many times, and ignore the criticism” are key principles of success in Washington DC policy work. If you say something over and over again, it must be true. It does not matter if the message is true, based on facts, or have any empirical data to support your assertion. The point is the “message” is a tool to support the policy agenda. Ignore the collateral damage from the message’s consequences, just keep driving the message. This approach is having a dire effect on the cybersecurity posture of all global telecommunications and the Internet. It diverts attention from the real issues to the “message of the week” that supports some other policy agenda.
Let us look at an example from James Clapper, the director of National Intelligence, to the Senate Armed Services Committee. In this case, the asserted “message” is communicated to Kevin Fogarty at IT WORLD:
On April 8, 2010, network administrators at the state-owned China Telecom threw a switch that rerouted “massive volumes” of data from other countries through Chinese networks rather than the more secure paths they were supposed to take, according to the U.S. spy chief.
China Telecom routers stopped advertising real Internet routes in favor of fake ones that caused huge chunks of the Internet to believe the road to China was the route actually their regular route, for 17 minutes.
The re-routed traffic, which could have been captured, compromised or copied with no one being the wiser, put huge amounts of potentially sensitive U.S. military and corporate data at risk, according to James Clapper, director of National Intelligence, to the Senate Armed Services Committee yesterday.
The incident was just one of a series of attacks, exploits and intelligence-gathering efforts launched by an increasingly well-equipped and effective Chinese cyberwar effort that was part of a “dramatic increase in malicious cyber-activity targeting U.S. computers and networks,” during 2010, he said.
The “message” being asserted is that the network incident on April 8th, 2010 was intentional.
The problem with this assertion is that it is not based on the data. As Craig Labovitz points out in a series of blog posts:
Both at the time of the incident in April and prior to my posting of this China hijack blog, I had private conversations with operations staff at several of AS23724′s upstreams, network operators around the world, collaborators in other security companies, and Arbor’s own resident engineers in the region. All of these private discussions reflect the sentiment espoused in public engineering forums that the China hijack had modest to minimal impact on Internet traffic volumes, including this RIPE statement, NANOG discussion thread and even the BGPMon blog at the heart of the controversy.
I will add to this data. In my “cybersecurity” capacity at the time of the incident, working as a key Operational Security member of the community, and an accountable party responsible for security incidents at the company I worked at on April 8, 2010, I contacted my peers inside China. This issue was expressed as an operational goof. These “operational goofs” are normal. We see them all the time on the Internet. They are considered to be operationally impacting, but not intentional. Just human error.
Yet, when the people who design, build, and operation the Internet say “April 8, 2010, was not a security incident,” policymakers choose to ignore the experts. Why? Because the facts do not align with the “message.” 🙁
To add more data to the inaccuracies of the “message,” look at the following:
I have not spoken with engineers from AS23724, so I can only speculate. Given the large number of prefixes and short interval I don’t believe this is an intentional hijack.
Most likely it’s because of configuration issue, i.e. fat fingers. But again, this is just speculation.
– From BGPMon Blog – one of the major transparency tools we use to monitor all of the Internet.
On April 8th, starting at 15:50 UTC, China Telecom incorrectly asserted ownership of more than 50,000 different blocks of IP addresses. This is the source of the “15% of the Internet” factoid that you’ll hear floating around. One small part of China Telecom (autonomous system number 23724, used for operations in Beijing, not their primary countrywide ASN 4134) made this assertion, and nobody disbelieved them. Within a few minutes, they “grew” to more than 1,000 times their normal size, and started to receive some of the traffic bound for these 50,000 networks.
In fact, it was such a broad shotgun blast of address space that it included networks from 170 different countries, including 16,000 from the USA. It also included 11,500 hijacked networks… from China! Asian networks were disproportionately affected (China, Korea, India, Australia, Japan), because they were closer to the source. Several different governments had networks among the victims, as you’d expect by pure chance, out of such a large sample.In summary, the scattershot nature of the hijack suggests a random mistake, not a deliberate attack on anyone in particular. Of course, it’s impossible to know for sure.
Here we have three major sources of data that point out that April 8, 2010, was not a “China Hijacking incident using BGP.” Do the facts from the experts matter to the Washington “message?” No. Is this fixation on the “message” a problem with the security of the Internet? YES!
Why is this normal policy approach a security threat to the Internet? The message supports a policy agenda. The policy agenda is not stated nor linked to the facts. The facts are what we use to build better networks. It is engineering 101. It is science 101. Ye, when the facts counter a policy agenda that policy agenda will override the good engineering and science for some other goal. A goal that is not necessarily moving towards a more secure Internet. A goal that will increase the cybersecurity risk.
BGP Hijacking is a threat. As you can see in a NANOG video presentation “Hijacking Mitigation: Something is Better Than Nothing,” the feasibility to perform BGP Hijacking is real. The community who operate the Internet have some tools we use today to monitor, alert, and mitigate BGP Hijacking. The community also has developments that will improve the BGP security on the Internet. But this work can be disrupted by conflicting “policy agendas.”
If you are a reporter writing about “Cyberwar” and getting quotes from government policymakers, ask hard questions. Do your homework. The Internet Operations community is not shy about stating the real facts. The good, the bad, and the ugly Internet data is usually there to validate or disprove the “message.”
Need Security Advice?
If you find your organization needs help and worry about the FUD from the industry, reach out and ask for help. You can reach me at firstname.lastname@example.org. Start with the Operator’s Security Toolkit. It is the no-nonsense security for all Operators. It provides details to help them build more security resilient networks. In the meantime, stay connected to the Senki Community to get updates on new empowerment and security insights.