What should we make of this Chinese cyber-spy story?

Yesterday's story in the New York Times about "GhostNet," the Chinese-based computer spying network that has apparently penetrated some 1,295 computers in more than 100 countries around the world, obviously raises this big question: Was the Chinese government behind it, or not? Three of the four servers that hosted GhostNet were apparently inside China (the fourth was in California), and many of the targets were involved one way or another in Free-Tibet activities or other causes opposed by the Chinese government. Wouldn't it have to have been the ChiComs?

Maybe, maybe not. I've now read (thanks to a stop-by at a free WiFi site masquerading as a McDonald's) the 53-page report from the University of Toronto team that used clever reverse-engineering tools to penetrate "GhostNet" and monitor it from within. The report, in the Scribd format that itself deserves discussion some other time, is available here.

The U Toronto researchers are, in my view, properly agnostic about who is ultimately responsible for this malware operation. On the one hand, they point out that "China is actively developing an operational capacity in cyberspace.... Chinese cyber warfare doctrine is well developed, and significant resources have been invested by the People's Liberation Army and security services in developing defensive and offensive capabilities." But on the other hand,

"Attributing all Chinese malware to deliberate or targeted intelligence gathering operations by the Chinese state is wrong and misleading... The most significant actors in cyberspace are not states.... In China, the authorities most likely perceive individual attackers [ie, teenagers in internet cafes] as convenient instruments of national power."

For anyone technically inclined, the report is full of fascinating crime-procedural type details about the way the investigation unfolded and what the GhostNet system revealed once the moles from Toronto had made their way inside. 

My guess is that the "convenient instruments" hypothesis will eventually prove to be true (versus the "centrally controlled plot" scenario), if the "truth" of the case is ever fully determined. For reasons the Toronto report lays out, the episode looks more like the effort of groups of clever young hackers than a concentrated project of the People's Liberation Army cyberwar division. But no one knows for certain, and further information about the case is definitely worth following. As are this new report on "The Snooping Dragon" by computer scientists at Cambridge University in England and the University of Illinois, and this very good Wired blog item. One more thing to worry about, or rather to be interested in.