Kaspersky Labs’ Threat Post reports that China’s online defences have failed to keep pace with its widely hyped offensive capabilities:
For the last 18 months, Dillon Beresford, a security researcher with testing firm NSS Labs and divorced father of one, has spent up to seven hours a day of his spare time crawling the networks of China’s state and provincial governments, as well as stealthier networks belonging to the PLA and the country’s top universities. Armed with free tools like Metasploit and Netcat, as well as Google Translate, he’s pulled back the curtains on the state of cyber security in China. What he’s discovered may come as a surprise to many U.S. policymakers and Pentagon officials.
Contrary to the image of China as a nearly invincible cyber powerhouse, Beresford says in an interview with Threatpost Editor Paul Roberts that the fast-growing nation suffers from woeful cyber security practices at home that leave, literally, thousands of networks and databases vulnerable to even trivial, remote attacks. Beresford, who publicized holes in domestic Chinese SCADA systems in September 2010, said the country’s aggressive cyber offense abroad is in stark contrast to an almost total lack of basic cyber defense at home that has left both classified and unclassified government networks vulnerable to attack and compromise. That should give the Chinese government pause as it ponders the consequences of a global campaign of cyber espionage, and create an opportunity for the U.S. and China to de-escalate what he sees as a growing cyber arms race ….
“The media hype in the U.S. is all about cyberwar and how the Chinese are kicking our ass. I wanted to know how vulnerable are the Chinese, and what I found is that they are just as vulnerable as the U.S., if not more so. In large part, I think it’s because of this lack of transparency and openness. I’m hoping that, as a result of my work, they might realize this and maybe tone down their aggressiveness towards the U.S. After all, we have the best people and it won’t be long before other researchers will do as I have.”
See also an earlier Threatpost report on Beresford’s discovery of a “wide open” database belonging to the Chinese State Administration of Foreign Experts Affairs, a “government organization dedicated to promoting overseas education and training for Chinese professionals, and recruiting foreign experts from abroad to work in China”.