China's Internet Traffic 'Hijacking' Was Probably Not On Purpose

The U.S.-China Economic and Security Review Commission released its annual report on Nov. 17, which advises Congress on a range of developments related to U.S.-China relations. The document covers economics and trade, military and security, foreign policy, energy and environment, and cybersecurity, among other topics.

One of the chief reasons the report has become so highly anticipated in the weeks before its release is its coverage of an incident that occurred April 8 in which a large mass of international Internet traffic was rerouted through Chinese servers for about 16 minutes (18 minutes according to the commission’s report), including traffic from the United States, Canada, South Korea, Australia and many other countries. On that day, China Telecom Corp. Ltd., intentionally or not, broadcast false information suggesting that its routes would be faster than other routes. Internet routers in the United States and elsewhere responded by assessing all possible routes and pursuing the fastest one available — which is standard practice — and thus massive traffic was rerouted through China. The review commission report claims that traffic related to about 15 per cent of the destinations on the Internet was rerouted through China.

The commission asserts that there is no clear way to discern whether any Chinese telecoms firms affected or meddled with the information that traveled through their servers. And it is not clear that the rerouting itself was intentional. Instead, the report focuses on the implicit risks — the ability to affect the decisions made by Internet routers could lead to stolen information, disrupted data flows, or the delivery of information to a different destination than intended, and it could potentially serve as a large diversion for a more specific cyberattack. The report also raised concerns that the rerouted data could provide information that could be used to hack into encrypted information.

Reasons to Doubt an Intentional ‘Hijacking’

There are a few things to note about this. First, this type of mistake, in which a group of routers sends misinformation to other routers resulting in a large shift in the volume of traffic through the false routes, is not unprecedented in the history of the Internet, though it is uncommon. The incident reflected a well-known security hole in the very structure of the Internet — that routers generally operate on a basis of trust within an accepted community of other routers and have limited security protections against misinformation that could cause a redirection of traffic. Thus, the incident with China Telecom could have been a mistake — China Telecom, for its part, has denied that it “hijacked” Internet traffic. It appears that the misinformation originated with a smaller and perhaps less reliable Chinese router that had been authorised as a “peer” by China Telecom. Nevertheless, the fact that the April incident involved a Chinese company has raised suspicions because the United States and other states are rightfully concerned that Chinese entities have used their growing Internet capabilities for malicious purposes in the past.

Second, the incident does not mark an invasion into secure systems. There was no violation of secure government networks or command-and-control infrastructure. The rerouting of traffic through the fastest available route is precisely how the Internet was meant to operate, so that if one location were to be knocked out, the information could simply take another route. The problem was that the Chinese routes were in fact not the fastest but were providing misinformation — whether through operators’ direction or accidentally — to other routers.

Third, the massive amount of information that was rerouted through China’s servers during that brief period would not necessarily yield any sensitive information or deep intelligence. The report emphasises that traffic through government and military locations (those recognisable by Web addresses that end in .gov and .mil) was affected by this rerouting, but of course this traffic would have been affected along with a great many other websites and other Internet traffic. There is not yet evidence that the government or military sites were directly targeted. Most of the rerouted information would probably have come from China and the surrounding region, where routers were more likely to accept the erroneous routing information they were receiving (whereas routers elsewhere in the world would have been more likely to reject the idea that the quickest route was through China). Nor is it clear whether China’s companies were able to save a snapshot of this information, but if they did manage to save copies, they would end up with a huge number of small packets of information that would have to be reassembled to recreate what they were looking for. This would be a gargantuan task, and while it is by no means outside China’s modus operandi to gather large quantities of information and use its large intelligence labour force to sift through it, it cannot be assumed that the intelligence gleaned in such a short time span would be hugely significant. Yet if the traffic rerouting were malicious, then the Chinese would not have been able to focus on targeted data and discard the rest, which is what they currently do to censor domestic Internet material by means of the “Great Chinese Firewall.”

None of this is to suggest that China’s cyber capabilities do not pose serious security threats to other nations, including the United States. The United States has become increasingly concerned about China’s state-owned and state-connected telecommunications and Internet firms, its army of hackers, and its censorship policies, as the commission report notes. Naturally, few states are willing to write off an anomalous cyber-related event with security implications such as the April 8 traffic rerouting as an “accident” when it originates in China. If China Telecom deliberately caused the rerouting, the purpose may well have been to test the waters, gauge the response times and countermeasures taken by foreign operators, and test China’s own capabilities. And even if the incident was a mistake or a fluke, it will not necessarily be perceived that way by others.

America’s Growing Concerns about Cybersecurity

The most important aspect of the Nov. 17 commission report is that it calls this security problem to the attention of American lawmakers, who are increasingly interested in drafting legislation that they believe will reduce the security risks of the Internet, especially when states like China provide ample reason for concern. The incident itself happened in April, and companies and government entities that fear they may have been compromised by the incident have had time to take safety measures and step up precautions. The U.S. government has emphasised that its encryption of data would have precluded intelligence compromises. But the risk remains that companies, especially companies closely associated with foreign governments, could use their growing cyber capabilities to redirect traffic for malicious purposes — even if only to cause a distraction while pursuing a more targeted attack, as some have suggested may have been the purpose of the April 8 incident. And this risk is enough to drive the U.S. government to focus more heavily on cybersecurity risks, as well as on China as the state that poses the greatest threat in this category.

In the event that the U.S. government decides to take decisive action over this or other similar incidents, it is important to note that the United States does retain a large amount of leverage. Even without government action, American routers can reduce dependence on, blacklist or block specific Chinese companies, or whole swathes of Chinese Internet routes, to avoid such problems. Each router has specifically formed peer relationships with other routers (such as China Telecom), accepting announcements from their peer on the assumption that they are credible, and can revoke this relationship if the peer is deemed unreliable or disruptive. This option could be exercised if the Chinese state or state-controlled companies are shown to have had a hand in menacing incidents, or if such traffic hijackings from China become a repeat occurrence. At the moment, however, the incident — though of ambiguous nature and probably limited in its direct consequences — has served to highlight the American public’s and the government’s anxieties about vulnerabilities relating to the Internet, and this alone could have significant ramifications.
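The two defences described above (routers trusting announcements from an accepted peer, and an operator revoking or restricting that trust) can be made concrete. The following added example is not from the STRATFOR report or from any network operator's configuration; it is a small Python model of per-peer prefix filtering plus route origin validation in the style of RFC 6811. The prefixes (RFC 5737 documentation ranges), AS numbers (RFC 5398 documentation ASNs), the route origin authorisations and the announcements are all constructed sample data, and the helper names are this example's own. It generalises the article's single incident to the general check an operator would run on every announcement received from a peer.

```python
"""Per-peer prefix filtering and route origin validation for BGP announcements.

Added example, not code from the article or from any operator. All prefixes,
AS numbers, ROAs and announcements below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    """A route origin authorisation: who may originate a prefix, up to max_length."""
    prefix: ipaddress.IPv4Network
    origin_asn: int
    max_length: int


@dataclass(frozen=True)
class Announcement:
    prefix: ipaddress.IPv4Network
    as_path: tuple        # leftmost = neighbour that sent it, rightmost = origin AS
    received_from: int    # the peer ASN this announcement arrived from


def net(s):
    return ipaddress.IPv4Network(s)


# Constructed ROAs: 192.0.2.0/24 belongs to AS64500; 198.51.100.0/22 to AS64501,
# which may announce it in pieces no longer than /24.
ROAS = (
    Roa(net("192.0.2.0/24"), 64500, 24),
    Roa(net("198.51.100.0/22"), 64501, 24),
)

# Constructed per-peer prefix lists: what each peer is authorised to send us.
PEER_PREFIX_LISTS = {
    64510: (net("192.0.2.0/24"), net("198.51.100.0/22")),
    64511: (net("203.0.113.0/24"),),
}


def validate_origin(ann, roas):
    """Return 'valid', 'invalid' or 'unknown' following RFC 6811 semantics.

    'unknown' means no ROA covers the prefix; 'invalid' means at least one ROA
    covers it but none matches the origin AS and length, which is the signature
    of a wrong-origin or more-specific hijack.
    """
    covering = [r for r in roas if ann.prefix.subnet_of(r.prefix)]
    if not covering:
        return "unknown"
    origin = ann.as_path[-1]
    for r in covering:
        if r.origin_asn == origin and ann.prefix.prefixlen <= r.max_length:
            return "valid"
    return "invalid"


def peer_allows(ann, peer_prefix_lists):
    """True if the sending peer is authorised to announce this prefix (or a subnet of it)."""
    allowed = peer_prefix_lists.get(ann.received_from, ())
    return any(ann.prefix.subnet_of(p) for p in allowed)


def classify(ann, roas=ROAS, peer_prefix_lists=PEER_PREFIX_LISTS):
    """Apply the peer filter first, then origin validation; return the decision."""
    if not peer_allows(ann, peer_prefix_lists):
        return "rejected: outside peer prefix-list"
    state = validate_origin(ann, roas)
    if state == "invalid":
        return "rejected: origin mismatch"
    return "accepted (%s)" % state


# Constructed announcements, including a wrong-origin more-specific and a peer
# sending a prefix it was never authorised for (the article's "smaller peer").
SAMPLE = {
    "legit":          Announcement(net("192.0.2.0/24"), (64510, 64500), 64510),
    "wrong_origin":   Announcement(net("198.51.100.0/24"), (64510, 64502), 64510),
    "more_specific":  Announcement(net("198.51.100.0/24"), (64510, 64501), 64510),
    "too_long":       Announcement(net("198.51.100.0/25"), (64510, 64501), 64510),
    "no_roa":         Announcement(net("203.0.113.0/24"), (64511, 64511), 64511),
    "peer_leak":      Announcement(net("192.0.2.0/24"), (64511, 64500), 64511),
}


def run_sample():
    """Classify every sample announcement; returns {name: decision}."""
    return {name: classify(ann) for name, ann in SAMPLE.items()}


if __name__ == "__main__":
    for name, decision in run_sample().items():
        print("%-14s %s" % (name, decision))
```

Running the block prints one decision per announcement. The order matters: the peer prefix-list is the cheap, local control an operator can apply unilaterally (the "revoke the relationship" option the article mentions, applied per prefix rather than wholesale), while origin validation catches an authorised peer relaying a wrong-origin or over-long route it received from someone else.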

*This report is reprinted with permission of STRATFOR. It may not be reprinted by any other party without express permission of STRATFOR.

For more reports, visit www.stratfor.com
