[Note: Computer security issues are getting more attention in China with the exchange of attacks between hackers in Taiwan and the mainland and the April 1999 attack of the CIH virus which hit many Chinese government computers (despite a September 1998 warning about the virus put out by Chinese Public Security). The recent announcement of the Red Flag Linux operating system – a Chinese version of the increasingly popular Linux operating system – and concerns raised by MII about the CPU identifiers on many new Intel chips are background to this story. Two Chinese computer security reports are available on the EST web page at http://www.usembassy-china.gov/english/sandt/index.html ]

------------------------------------

The Wolf Has Come – Raise Your Hunting Rifle Yellow Warning Light for Computer Security

PLA Daily, August 25, 1999, p. 5 by PLA Daily Correspondent Cao Xueyi

  • Worldwide the Violation of Online Computers Becomes More Serious Each Day; Every 20 Seconds a Hacker Invades an Internet Site
  • Every year computer crime causes losses of USD 15 billion; all countries now stress network security
  • Three State agencies issued a joint notice requesting that the Party, Government, and Key Enterprises carry out effective electronic security and protection work.
  • [The first half of this PLA Daily article gives an overview of the worldwide network security situation, mentioning a June 1996 hacker attack against a Shanghai financial institution that resulted in the theft of RMB 260 million in securities; U.S. statistics showing a sharp rise in computer crime; the number of known computer viruses is 14,304 with over 30 [sic] new ones each year; computer viruses such as Melissa are circulating within China as well; since that first June 1996 hacker attack in Shanghai, there have been over 180 computer crime cases in China; during the Kosovo war, virus-bearing email and ping attacks on NATO web sites and communications systems were used by Yugoslav hackers.]

    [Begin translation of second half of the PLA Daily article]

    In recent years China has strengthened its research and management in the computer security area. The Party and Government, the military, the financial sector, science and technology institutions and other departments have established encrypted data transmission systems. China’s three special information security and secrecy companies recently developed the SJY01 internet information security and secrecy protection system. The SJY01 system organically combines a computation module, security protocol, and personal identity card. Multiple control mechanisms are used to classify documents and people into 128 different security levels and authorization levels. The system uses electronic secrecy stamps and personal ID cards to implement such functions as visit controls, secret key distribution, and authorization control.

    The Chinese military has also seen a rapid development in its computer networks. Bureau and regional networked systems have become important tools in schools, scientific research, and combat training. Yet these systems also provide opportunities for various adversaries to gather intelligence about the Chinese military. The task of preventing the invasion and theft of information from military computer networks is very complex and difficult.

    According to CERT statistics, eighty percent of computer security problems are caused by management errors. Computer spies take advantage of these errors. They use electromagnetic sensors, bugs, or advanced network equipment to monitor a computer’s CPU, peripherals, terminals, communications equipment and network information. Making use of electromagnetic reflections, information and images on a computer system can be captured remotely using appropriate electronic equipment. Using various direct and indirect pathways, they enter Chinese military computer systems, steal information and damage systems or use computer viruses to change computer data. This can affect the entire computer system and cause a failure.

    From this comes the requirement that we must insist on the establishment of computer security awareness, improve our internal management, and strengthen our various computer security procedures. Care for computers used daily and for computers used in confidential applications must be handled by specialists only. These computers may not be connected to the Internet without special permission. Shielding and protection for installations must be strengthened and jamming equipment should be placed on each computer so as to protect against radio frequency interference and electromagnetic leakage. Special strengthening of computer security precautions is needed at more sensitive installations. This applies especially to top secret installations, military control centers, and the web facilities of centers of high economic importance.

    “Prevent Disaster So It Won’t Happen; Think of Dangers While You Are at Peace” Establish Autonomous Chinese Information Networks

    Computer networks are easy to attack. This not only increases the pressure to improve computers but also sounds a warning that we rely too much on foreign advanced technology. Some people speculate that the next war will not require attacks on cities and territory but will be about the “control of information”. It will be more like “by turning off a computer you turn off an enemy country”. Regardless of whether or not this scenario comes to pass, we should bear in mind that the United States in the Gulf War was the first to use an information bomb in an astonishing attack that disabled Iraqi computer systems. That attack compels our deepest consideration.

    The U.S. military in 1969 established ARPA, the forerunner of the Internet, in order to assure the continuity of computer networks in the event of a nuclear war. The most important aspect of this network was that it had no center. Even if some nodes were destroyed in a nuclear attack, information could continue to flow through the remaining nodes.

    The development of China’s own operating system is important not only to the development of Chinese industry but more importantly for ensuring that our own Chinese computer network information is not completely attacked or totally destroyed in a war. Currently, Chinese computer systems mostly use Intel chips and Microsoft Windows operating systems. The products of both of these companies have serious security shortcomings.

    According to reports, Intel added a serial number function to its Pentium III processor. This could affect the privacy of chip users. Windows 98, when it is on the Internet, automatically sends user information to the Microsoft website without the knowledge of the user. Many users have written articles about this, expressed concern about its implications for China’s information security, and made suggestions about how to protect Chinese information security.

    The Ministry of Information Industry has already issued a notice requiring that Chinese computer manufacturers disable the Pentium III serial number function. All products of this type in China must be inspected. Chinese government computers which have Pentium III chips must not get on the Internet directly. Government agencies at every level, including related departments and industries, such as telecommunications, banks, tax and fiscal, military and other critical sectors must disable the serial number function when buying a computer equipped with the Pentium III chip. Even with the chip disabled, the computer can only be used as a stand-alone or on internal networks. It is strictly forbidden to link a government office network to the Internet.

    The more Chinese people become aware of the importance of information security, the stronger the voices calling for the development of China’s own operating system become. Yet developing China’s own operating system is an arduous task. But the good news is that many units have already begun to take practical steps to ensure computer security. Every unit, when it establishes a regional network, must make information security an important consideration. For example, when National Defense University set up its campus network, it paid special attention to security problems in routers, anonymous FTP, and TELNET. Using various systems and equipment, these security controls were strengthened so that these shortcomings were overcome. Moreover, security services were provided to users, such as security controls for information or data as it is transmitted through the network, in order to assure the security of the campus information network. The People’s Armed Police (PAP) has also upgraded to a new generation of computer encryption technology so as to provide a solid foundation for the prevention of security leaks from PAP computer networks.

    The famous Chinese information security expert, Chinese Academy of Engineering Academician Shen Changxiang, has expressed his concerns about Chinese information network security. Shen is very concerned that some departments build information networks without giving a thought to information security. He warns, “If you do it right, you’ll pay a big price later.” Shen says that information security should become one of China’s fundamental policies. China should gradually establish and develop its own Chinese computer information technology so that important Chinese information systems will be highly resistant to foreign information warfare attacks.

    In the computer network information field, the wolf has already come. Pick up your hunting rifle! You must take it seriously.