By Ellen Nakashima
Washington Post Staff Writer
Monday, February 15, 2010; A03
More private computers were commandeered by hackers for malicious purposes in China in the last quarter of 2009 than in any other country, including the United States, according to a new study by an Internet security company.
These "zombie" computers are often grouped into "botnets," or armies of infected computers that can be used to send spam e-mail or attack Web sites, according to McAfee, a Silicon Valley security firm. The company, which said it collects information about Internet-based threats that target more than 100 million computers in 120 countries, said that in the last three months of 2009, about 1,095,000 computers in China and 1,057,000 in the United States were infected.
Those numbers are in addition to 10 million or so previously infected computers in each country, McAfee said.
The prevalence of botnets is a sign of how vulnerable computer networks are to infiltration, a subject of increasing international debate as companies and governments seek to defend their computer systems from intruders.
Last month, Google announced that its networks had been penetrated by attacks originating in China. The Chinese government denied any involvement, saying that hacking is against the law. There was no indication that the attack involved botnets, experts said.
In a Jan. 21 speech about Internet freedom, Secretary of State Hillary Rodham Clinton advanced the notion of cyberspace as a "global networked commons" and urged the creation of "norms of behavior" among states. Echoing a key principle behind NATO, she said: "An attack on one nation's networks can be an attack on all."
She declared that "countries or individuals that engage in cyberattacks should face consequences and international condemnation."
Some experts have said that Clinton's call for accountability and norms is complicated by the fact that the United States has so many infected computers. "The government could crack down on botnets, but doing so would raise the cost of software or Internet access and would be controversial," Jack Goldsmith, a professor at Harvard Law School, wrote in a recent opinion piece in The Washington Post. "So it has not acted, and the number of dangerous botnet attacks from America grows."
Indeed, Stewart A. Baker, a cyber expert and former assistant secretary for policy at the Department of Homeland Security, said he would like to see a few leading nations develop "effective national norms aimed at eliminating zombie computers." Companies could be encouraged or required to comply, he said.
One Internet service provider has begun a voluntary service to notify customers when their computers have been infected by bots, viruses and other online threats. Philadelphia-based Comcast, which has 15 million non-commercial customers, began the program last fall. Such initiatives, some experts said, could start to clear out the "noise" in the networks and could help in identifying higher-order threats that could compromise critical computer systems.
One reason computers in China are so vulnerable to botnets may be that software piracy is common and computer users often have not updated the patches on their machines, said George Kurtz, McAfee's worldwide chief technology officer.
In fact, the number of zombie computers in a country says more about the vulnerability of the computers than about who infected them, Baker said. A nation that might want to use botnets as part of an attack probably would want to have its own computers bot-free and commandeer computers in other countries, he said.
China has steadfastly denied that it supports or engages in hacking and that it penetrates U.S. firms' computers to steal technology and trade secrets to help state companies -- whether by bots or any other tool.
Such "remarks are groundless," Peng Bo, an official with the Internet bureau under the Information Office, said in remarks to the New China News Agency. "In fact, China is the country worst hit by worldwide hackers."
Experts say that the United States, which is highly networked and dependent on the Internet for commerce and the running of industry, is the most vulnerable of all countries to cyberattack.
At the same time, the United States is considered the most worrisome potential aggressor, according to McAfee, which in a separate recent survey of 600 technology and security executives of firms around the world found that 36 percent feared the United States and 33 percent feared China as potentially attacking their industries. Russia ran a distant third, at 12 percent.
The result "might simply be a reflection of the raw capabilities and frankly the raw size of U.S. intelligence agencies," retired Gen. Michael V. Hayden, former director of the CIA and of the National Security Agency, said in the report, which was produced in conjunction with the Center for Strategic and International Studies. The United States also has been engaged in a protracted debate about how to organize its attack and defense capabilities, which may have created an "echo chamber" for concerns about such abilities, the report noted.
That report, issued last month, also found that 59 percent of the executives surveyed said they believed that representatives of foreign governments had already been involved in denial-of-service attacks (the disabling of a Web site by bombarding it with requests for access) and network intrusions to control or steal data from "critical infrastructure" industries in their countries.