Google on the defensive, vulnerable; China risks international and U.S. response

Either Google has some very unusual vulnerability in its back office operations, or is not disclosing the full nature of the attack.
Written by Doug Hanchard, Contributor

The attack on Google's email service in China could not have come at a more critical time. Google has enjoyed a calm and steady past year in operations, sales and product development, with few exposures to risk, liability and financial turmoil. Now it faces its first major crisis, one that threatens several key areas of Google's business. Likewise, China has also weathered economic challenges reasonably well. It has experienced some criticism over Copenhagen, trade imbalances and foreign exchange currency issues, but in general terms the past several years have been steady for the country. Now it would appear that China has decided to change course. Government oversight of its own sovereign people is well known and not newsworthy in itself, because human rights have always been a cause for concern outside of China. But directly attacking a foreign multinational corporation on its own soil in order to collect intelligence is.

Hacking is practically a rite of passage for many a programmer's career. But hacking Google is an Everest in the hacking world; in other words, it would be one hell of a feather in the cap of the underground world if it succeeded. Google recognizes this and invests heavily in monitoring and continually upgrading its hardware, software and people skills to support its products and services. This hack, however, was not your stereotypical basement junk food collection of kids just trying to kick in a few back doors. This was a directed attack looking for very specific information, according to the Google Blog post by David Drummond, SVP, Corporate Development and Chief Legal Officer. Few organizations take on this type of project. Government intelligence agencies are the only ones with such mandates, funding and time to carry out such operations. While Google does not specifically state that the attack on its email servers was carried out or initiated by China's Ministry of State Security (MSS), it's a foregone conclusion that the mandate and operation were carried out by MSS. Google's response was delicately worded, leaving open the door to dialogue and future relationships. It will likely fall on deaf ears in Beijing.

Google claims the attack was unsuccessful, collecting only text contained within the subject line of emails and the dates on which the email accounts of two user IDs were created. Google also states that it was likely a phishing and/or malware-attached-file type of attack. This explanation doesn't go over very well, because Drummond then goes on to explain that you can learn more about how these types of attacks have occurred in the past by referencing the GhostNet spying incident. GhostNet was a very sophisticated attack across multiple nations, with networks, servers and people being tracked, all linked by an Achilles heel: a complete lack of security policies, management and procedures on all the affected systems. Google prides itself as a company that uses best practices, particularly in security. Drummond continues in a defensive mode by stating that Google had completed an analysis of the attack and:

"We have already used information gained from this attack to make infrastructure and architectural improvements that enhance security for Google and for our users."

There are two probable explanations for why Google has explained the attack in the way it did, and both raise concerns that require analysis. Either Google has some very unusual vulnerability in its back office operations, or it is not disclosing the full nature of the attack. It should be noted that Google should be commended for making such an attack public knowledge, which on reflection is the right ethical and smart thing to do, since it is a publicly traded company anyway, i.e. someone was eventually going to leak it, and not disclosing it might have caused other problems. One view is that this is not really an attack so much as a standard problem that all ISPs deal with. It's a risk all ISPs face, and while it may appear not to make any sense in this particular case, Chinese intelligence has an objective (it always has) and will continue to pursue it all over the world.

Malware and phishing scams do not impact the architecture or infrastructure of email servers, routers, or even processes such as the authentication platform and internal domain routing unless they are very sophisticated in nature. That suggests the attack WAS directly aimed at Google: not just at users of the email content but also at the email application servers, enabling the intruder to determine email addresses and when emails were sent, to whom, when, where, etc. But according to Drummond, Google security was not compromised. So why is Google making a big deal out of this attack? There are plenty of reasons, all of them dealing with future opportunities, which would impact Google's financial health and therefore must be managed immediately, or Google risks losing more than just a few customers.

Drummond states that upon review and analysis of the evidence collected, Google has made architectural and infrastructure changes to its operations which will enhance security. This probably means that Google is improving its tracking of email source and destination logs, caching email attachments for virus and malware filtering, and applying other security techniques. It also suggests that Google's own internal firewalls, routers and switches have been upgraded and hardened to prevent IP snooping on its own internal network. Google may wind up encrypting traffic internally and creating secure VPN networks in countries where networks are constantly being monitored. Clearly something went wrong in its operations center in China.

Google will likely not disclose what actions it has taken, but rest assured, Google is (as is stated in Drummond's blog) upgrading and reviewing all policies and procedures of services operated internationally and inside the U.S. Hopefully, Google will clarify what actually occurred and then reassure its customers that it clearly understands what happened and what needs to be done, and that it is a company that can be entrusted with customer information, content and services. This incident will not change how public use of cloud computing is offered as a service, but it will raise a lot of questions about privacy and security when customers use these products and services. Cloud computing is simply a fancy buzzword for outsourcing anyway. People will continue to use such services, or not, based on their own needs and requirements. Google simply wants to limit the damage and now recognizes that the Chinese government will not support or protect the assets of a company doing business in the country. With no options for recourse with Chinese officials, this is likely one of the reasons it is considering closing up shop there.

This incident has clearly shaken senior management at Google. The boardroom drama probably happened, and the conversations probably were not easy ones to have. To publicly state that it will review future operations in China, the largest future consumer audience in the world, speaks volumes about how hard this has hit Google. The company is used to legal frameworks that management is comfortable with. Be it anti-trust, warrants, subpoenas or testifying before government hearings or panels, the company understands how to operate within the legal framework of any nation, including China. It was criticized heavily by special interest groups for complying with Chinese law. Google has a solid set of agreements and reason to believe it was operating in good standing with the Chinese government. This attack, however, has created a stir within Google management that it does not like. In a sense, management probably feels that the Chinese government has directly attacked and attempted to compromise Google itself, let alone its customers, and there's not a thing Google can do about it, except perhaps to leave. If Google had been served with a warrant or subpoena by the Chinese Justice Ministry, it probably would have said, let's go to court to ensure we are not violating any specific Chinese laws. Needless to say, they didn't knock on Google's offices in Hong Kong or even email them asking, unsettling Google government relations further. Is Google serious about shutting down its Chinese operations? Many think it is, and clearly this type of attack is an issue that will involve the U.S. Government, which will have to deal with it on behalf of Google.

The United States Government already had its hands full after recent talks with the Chinese, first when President Obama met Premier Wen Jiabao in Beijing in November 2009 and again in Copenhagen at the COP 15 IPCC Summit for Climate Change. In both sessions, relations were unsettling for the Obama administration, as China rebuffed the Administration's many new ideas and opportunities to create new agreements. The U.S. has some options in its toolbox, such as WTO agreements and other negotiating tactics. The question: is it worth it, and where does the U.S. Administration draw the line?

Update January 13, 2010, 8:48 PM EST: Comment by Secretary of State Clinton:

  Refer questions on announcement and technical aspects of this issue to Google / Google informed us of their concerns / U.S. relationship with China is broad, deep, expanding and durable / As part of ongoing strategic and economic dialogue, we will have questions on economic policies / China's ability to continue to meet international standards in terms of products and services / Not a different range of issues that we continue to work on with China / Discussions with China for some time on questions of network security / Internet freedom / Will continue to raise these issues

Next: China, why it is doing this and is it worth the risks.

Other Resources:

Google asks the NSA for help: Smart decision

U.S. arms sale to Taiwan may throw Google negotiations in China out the window
