Dark Cloud: Why CloudFlare's Deal with Baidu Could Haunt US Tech Companies
The dark side of a tech partnership between an American and Chinese company.
Matthew Prince, the CEO and co-founder of security firm CloudFlare. (Image: Web Summit/Flickr)
An unusual new business deal, dubbed "Yunjiasu," or "fast cloud," is now public. The joint venture pairs CloudFlare, a six-year-old San Francisco-based content delivery network, with Baidu, a 15-year-old Beijing-based Web company, sometimes called "China's Google."
A September 14th New York Times story by Paul Mozur broke the news:
"Using a mixture of CloudFlare's web traffic technology and Baidu's network of data centers in China, the two created a service that enables websites to load more quickly across China's border," Mozur wrote. "The service, called Yunjiasu, began operating in December. It has a unified network that makes foreign sites more easily accessible in China, and allows Chinese sites to run in destinations outside the country."
At first glance, this sounds like a win for the Chinese people, and even for those outside China. Mozur mentions the infamous "Great Firewall" of China, a system designed to control internet access, and calls the new joint service a "a sort of fast lane to speed traffic across the border."
What could be the problem with such a setup?
This would give the Chinese government an unprecedented censorship capability.
There are plenty of reasons for policymakers, pundits, and the populations of China and other countries to be worried by this arrangement. First, Mozur explains how "CloudFlare transferred its intellectual property (IP) that is used to manage and speed up internet traffic to Baidu." Mozur postures this technical transfer as "a new model for American tech firms that are considering doing business in the delicate areas of China's tech industry." This is exactly the sort of transfer that Beijing craves, and that American and Western firms in general should avoid. For example, the day prior the Washington Post reported on collusion between the Chinese government and a local telecommunications technology company to the detriment of US-based Vringo.
China emphasizes acquiring technical IP for several reasons. China views technology as a "commanding height" of the new economy, and fears Western domination of cyberspace. The July 2012 addendum to China's 12th five year plan (2011-2015) stressed "new-generation information-technology" as the second of seven "national strategic emerging industries." With technical IP in Chinese possession, domestic companies can build national champions to rival, and eventually replace, Western firms. China can also better understand, and eventually defeat, CloudFlare's security services, having first-hand access to IP and operational details.
Security is the core of the second major concern about Yunjiasu. CloudFlare is famous for heroically protecting Web sites from distributed denial of service (DDoS) attacks. By essentially providing copies of websites, distributed across dozens of data centers, CloudFlare customers can better withstand DDoS attacks by hackers, activists, and even nation-state operators. Mandiant, in fact, after releasing its February 2013 intelligence report on Unit 61398 of the People's Liberation Army, kept its site functioning using CloudFlare services while Chinese computers bombarded it.
DDoS has been a growing concern for those trying to escape China's censorship operations. Although China's Great Firewall is known to restrict online content for those living inside the country, in 2015 China unleashed a new capability that targeted Internet users outside the country. The so-called "Great Cannon" was first reported as having serious DDoS effects in March 2015, affecting two web services outside China.
The targets were GreatFire, a private website that tracks Great Firewall censorship, and GitHub, the massively popular open source code hosting platform. Curiously, Baidu enabled the Great Cannon to function by permitting its "Baidu Analytics" code to be co-opted for malicious purposes. This attack was serious because it crossed, in the eyes of many policy makers, a "red line"—China's censorship operations had escaped its domestic internet space and was affecting a global personal and corporate resource, GitHub.
Now that CloudFlare has handed its IP to Baidu, the Chinese government has easier access to the code, techniques, and procedures CloudFlare uses to combat DDoS attacks. Great Firewall and Great Cannon engineers can now devise improved DDoS attacks to support Chinese censorship. That capability is only the beginning, unfortunately.
The third concern involves the nature of the Yunjiasu offering. CloudFlare is a type of "man-in-the-middle" service. By leveraging features of the Domain Name System (DNS), CloudFlare serves copies of a customer's site to visitors, not from the original customer site, but from copies staged on geographically distributed servers. The operator of this CDN possesses great power. In a sense, they control what the end user ultimately sees. When used to accelerate delivery of content, or to fend off attacks, this capability is an obvious benefit.
Yunjiasu would also become a new control and censorship tool.
Sadly, this man-in-the-middle position can be used for nefarious purposes. The Chinese government could tell Baidu, operating Yunjiasu, to restrict access to customer sites, either partially ("block these pages) or totally ("block this site"). This would give the Chinese government an unprecedented censorship capability. Combined with recent reports on China's crackdown on virtual private networks (VPNs) used to escape through the Great Firewall, and it is plain to see China's quest for tighter network control.
Based on these concerns, what can we expect from this new venture? First, I predict Baidu, or a subsidiary or friendly company, will produce a CloudFlare competitor. China continues to build national champions in the hardware and telecommunications industries, like Huawei, ZTE, Lenovo, and Xiaomi. By "moving up the stack" into an Internet service, China will be able to offer domestic customers an eventual replacement for CloudFlare, with which it currently shares revenue.
Second, I expect Baidu to work with the Chinese government to forcefully court domestic Chinese sites to sign service agreements. Note that in order to be subject to the power of Yunjiasu, customers must adjust their DNS configuration such that Baidu essentially "speaks" for the customer's sites. A more aggressive version of this strategy might involve the government requirement for all domestic sites to use Yunjiasu. The Chinese government could claim this is a "security measure" for the benefit of its customers. While Chinese sites would undoubtedly be better protected from DDoS attacks, Yunjiasu would also become a new control and censorship tool.
Third, I expect the Chinese government, working through Baidu and its partnership, to influence the protection CloudFlare provides to sites serving content antithetical to Chinese government censors. In June 2014, CloudFlare battled a DDoS attack upon Occupy Central, a Hong Kong-based political movement fighting for universal suffrage in that city-state. CEO Matthew Prince even tweeted about the event, saying "Were [sic] thinking of opening @CloudFlare's Asian office in Singapore. After all the love tonight, thinking maybe Hong Kong instead." Would the company act differently, now that it is sharing revenue with Baidu?
In its own blog post on the venture, Prince describes steps CloudFlare is taking to preserve "the integrity of customer data," including the management of encryption keys. These are welcome, albeit tactical, steps. The larger problem is strategic, and centers on the issues of IP transfer, defeating DDoS protections, national champions, and censorship/control explained above.
While Yunjiasu is promoted as a "fast cloud," it is likely a dark one as well.
Richard Bejtlich is chief security strategist at FireEye, and a nonresident senior fellow at the Brookings Institution. He is also researching his PhD in war studies at King's College London. Follow him on Twitter @taosecurity.