Cybersecurity and Rerouting of Internet Traffic to Chinese Servers

Robert Chesney
Wednesday, November 17, 2010, 5:16 PM
Published by The Lawfare Institute
in Cooperation With
Brookings

Not too many folks are familiar with the U.S.-China Economic and Security Review Commission, a body Congress created in 2000 to report periodically on, well, economic and security issues associated with the U.S.-China relationship.  Its most recent report to Congress may get a fair amount of extra attention, however, in light of a fascinating--and disturbing--cybersecurity incident it describes.  As Ellen Nakashima pointed out at the Post's Checkpoint Washington blog today, the Commission's report describes (at pages 243-44) an incident in which a Chinese state-owned entity rerouted a vast amount of internet traffic through Chinese servers:
For about 18 minutes on April 8, 2010, China Telecom advertised erroneous network traffic routes that instructed U.S. and other foreign Internet traffic to travel through Chinese servers. Other servers around the world quickly adopted these paths, routing all traffic to about 15 percent of the Internet’s destinations through servers located in China. This incident affected traffic to and from U.S. government (“.gov”) and military (“.mil”) sites, including those for the Senate, the army, the navy, the marine corps, the air force, the office of secretary of Defense, the National Aeronautics and Space Administration, the Department of Commerce, the National Oceanic and Atmospheric Administration, and many others. Certain commercial websites were also affected, such as those for Dell, Yahoo!, Microsoft, and IBM.
Although the Commission has no way to determine what, if anything, Chinese telecommunications firms did to the hijacked data, incidents of this nature could have a number of serious implications. This level of access could enable surveillance of specific users or sites. It could disrupt a data transaction and prevent a user from establishing a connection with a site. It could even allow a diversion of data to somewhere that the user did not intend (for example, to a “spoofed” site). Arbor Networks Chief Security Officer Danny McPherson has explained that the volume of affected data here could have been intended to conceal one targeted attack. Perhaps most disconcertingly, as a result of the diffusion of Internet security certification authorities, control over diverted data could possibly allow a telecommunications firm to compromise the integrity of supposedly secure encrypted sessions.
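The report describes routers around the world accepting erroneous route advertisements with no check on whether the announcing network was entitled to originate them. The following is an added example, not taken from this post or from the Commission's report, of the check that addresses exactly that gap: RPKI Route Origin Validation as specified in RFC 6811, which compares each BGP announcement against a table of Route Origin Authorizations (ROAs) and labels it Valid, Invalid or NotFound. The ROA table, the announcements and the AS numbers below are constructed for illustration (they use documentation ASNs and prefixes) and do not correspond to any real operator or to the 2010 event.

```python
"""RPKI Route Origin Validation (RFC 6811) over constructed BGP announcements.

Added example, not from the Lawfare post or the Commission report. All ROAs,
prefixes and AS numbers are constructed from documentation ranges.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization: origin_as may announce prefix and any
    more-specific of it up to max_length bits."""
    prefix: str
    max_length: int
    origin_as: int


@dataclass(frozen=True)
class Announcement:
    """A BGP route as seen by a validating router; the rightmost AS in
    as_path is the origin AS."""
    prefix: str
    as_path: tuple


def _covers(roa_prefix, announced_prefix):
    """True if the announced prefix is equal to or more specific than the ROA prefix."""
    roa_net = ipaddress.ip_network(roa_prefix)
    ann_net = ipaddress.ip_network(announced_prefix)
    # subnet_of raises on mixed IPv4/IPv6, so compare versions first
    return ann_net.version == roa_net.version and ann_net.subnet_of(roa_net)


def validate(announcement, roas):
    """Classify one announcement per RFC 6811 section 2.

    NotFound: no ROA covers the prefix (RPKI says nothing about it).
    Valid:    some covering ROA names this origin AS and permits this length.
    Invalid:  ROAs cover the prefix but none matches origin and length, i.e.
              either a foreign origin or an over-specific announcement.
    """
    origin_as = announcement.as_path[-1]
    ann_len = ipaddress.ip_network(announcement.prefix).prefixlen
    covering = [r for r in roas if _covers(r.prefix, announcement.prefix)]
    if not covering:
        return "NotFound"
    for roa in covering:
        if roa.origin_as == origin_as and ann_len <= roa.max_length:
            return "Valid"
    return "Invalid"


def find_suspect_routes(announcements, roas):
    """Return (prefix, origin AS) for every announcement that validates Invalid.
    These are the routes an operator would drop or alert on."""
    return [(a.prefix, a.as_path[-1])
            for a in announcements if validate(a, roas) == "Invalid"]


# Constructed ROA table (documentation ASNs from RFC 5398, prefixes from RFC 5737).
ROAS = [
    ROA("198.51.100.0/24", 24, 64496),   # AS64496 holds 198.51.100.0/24 exactly
    ROA("203.0.113.0/24", 25, 64497),    # AS64497 may also announce /25s
]

# Constructed announcements as a router might receive them during a hijack.
# AS64511 stands in for a network originating a prefix it is not authorised for.
ANNOUNCEMENTS = [
    Announcement("198.51.100.0/24", (64500, 64496)),  # legitimate origin
    Announcement("198.51.100.0/24", (64500, 64511)),  # foreign origin -> Invalid
    Announcement("203.0.113.0/26", (64500, 64497)),   # right origin, too specific -> Invalid
    Announcement("192.0.2.0/24", (64500, 64498)),     # no ROA -> NotFound
]

if __name__ == "__main__":
    for ann in ANNOUNCEMENTS:
        print(f"{ann.prefix:18} origin AS{ann.as_path[-1]}  {validate(ann, ROAS)}")
    print("suspect:", find_suspect_routes(ANNOUNCEMENTS, ROAS))
```

Two caveats follow from the code. A `NotFound` result is not a clean bill of health; it only means no ROA exists for that prefix, which is why a policy of dropping `Invalid` routes is only as strong as ROA coverage. And origin validation catches the two failure modes shown (wrong origin, over-specific prefix) but not an announcement that forges a path ending in the legitimate origin AS; that is the gap path validation (BGPsec) is meant to close.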

Robert (Bobby) Chesney is the Dean of the University of Texas School of Law, where he also holds the James A. Baker III Chair in the Rule of Law and World Affairs at UT. He is known internationally for his scholarship relating both to cybersecurity and national security. He is a co-founder of Lawfare, the nation’s leading online source for analysis of national security legal issues, and he co-hosts the popular show The National Security Law Podcast.