China-based hackers may target Internet-based e-mail, data storage and other services provided overseas by such companies as Microsoft Corp. to spy on the U.S., a congressional commission found.
The Chinese government wages “a large-scale cyber espionage campaign” and “has successfully targeted the networks of U.S. government and private organizations,” the U.S.-China Economic and Security Review Commission concludes in its annual report to Congress released yesterday.
The commission for the first time said cloud computing, which connects Internet services, “represents a potential espionage threat.” The report fails to cite any examples of the Chinese government using the technology in attacks.
“Our focus has been on making sure that Defense Department or State Department data, or other government information, is secure,” William Reinsch, chairman of the commission, told reporters before the report’s release. “To the extent those entities use the cloud as well, we think that they need to get a better grip on who’s actually providing their services and where their data is going.”
President Barack Obama’s administration and lawmakers have used diplomacy and a public shaming campaign to pressure Beijing to stop cyber-attacks that are estimated to cost the U.S. economy as much as $300 billion a year. Their efforts have been overshadowed by revelations since June that the National Security Agency eavesdropped on foreign leaders, hacked into the private networks of Google Inc. and Yahoo! Inc. abroad and spied on Americans and foreigners without warrants.
China’s Ministry of State Security, which is the country’s main foreign intelligence collection agency, is “closely connected” to a special cloud-computing zone in the city of Chongqing, the commission wrote. That represents a threat “to foreign companies that might use cloud-computing services provided from the zone or base operations there,” it concluded.
The only U.S. cloud provider singled out in the report as a possible risk for hacks sponsored by the Chinese government was Microsoft because the Redmond, Washington-based company has licensed its products to 21Vianet Group Inc., a Beijing-based company selling online data center services.
The commission on Nov. 19 backed away from that assertion, saying in a statement it had “been informed of new information and will be reaching out to all involved parties to determine what impact, if any, this has on the findings.”
“If we inadvertently included incorrect information, we will make corrections as appropriate,” according to the statement.
The commission based its conclusions about cloud computing on a Sept. 5 report called Red Cloud Rising that it commissioned from a private U.S. intelligence and security company, Defense Group Inc., based in Vienna, Virginia.
The company was given incorrect information by Microsoft about its relationship with 21Vianet when it wrote the September report, Leigh Ann Ragland, one of the authors, said in an e-mail on Nov. 19. She said the company was contacting the commission to correct the report’s language.
While Microsoft licenses its Windows Azure and Office 365 products to 21Vianet, the Chinese company doesn’t have access to “services and datacenters operated by Microsoft outside of China,” Doug Hauger, Microsoft’s general manager for China commercial cloud services, said in an e-mail on Nov. 19.
Microsoft Azure and Office 365 “include security technologies, systems and monitoring to mitigate malicious activities,” Hauger said. “If we believe malicious activity is taking place, we investigate and take the appropriate action.”
Ragland said a theoretical cybersecurity concern still exists if the Chinese government can find previously unknown, unpatched vulnerabilities, commonly referred to as zero-days, in Windows Azure and use them to attack users overseas.
“Cloud computing technology enables hackers to better obfuscate the source of their attacks, which also serves the strategic interests of certain organizations within the PRC military and government,” she said.
The commission recommends in its report that Congress direct the Obama administration “to prepare an inventory of existing federal use of cloud computing platforms and services and determine where the data storage and computing services are geographically located.” The inventory should be prepared annually, it said.
“If you allow a Chinese entity to provide cloud services then you’re entrusting them with your data,” Reinsch said. “That creates with it certain risks.”
The commission’s assessment of the security vulnerabilities received mixed reviews from cloud-computing industry specialists.
“Every country is going to seek to use information technology assets for surveillance,” Jim Reavis, executive director of the Seattle-based nonprofit Cloud Security Alliance, said in a phone interview.
He said U.S. information-technology companies aren’t aggressively seeking to expand cloud services in China due to restrictions that include regulations, an immature telecommunications infrastructure and Internet censorship.
U.S. companies operating in China have been more affected by revelations about the extent of NSA spying programs, he said, since the disclosures by former government contractor Edward Snowden, who’s now in Russia on temporary asylum. Cisco Systems Inc. last week became one of the first companies to warn publicly that the disclosures have reduced its business in China.
Daniel Castro, a senior analyst for the Information Technology and Innovation Foundation, a Washington research institution, said the commission’s report could damage a growing industry in China.
“It feeds this narrative that is incorrect that security is based on where you store data. It’s not,” Castro said in a phone interview. “It’s based on the security protocols that you have in place.”
The Defense Group estimated in its September report that China’s cloud computing industry will continue to grow and be valued at $163 billion by 2015.
To contact the reporter on this story: Chris Strohm in Washington at email@example.com
To contact the editor responsible for this story: Bernard Kohn at firstname.lastname@example.org