What do I think about the Chinese Spy Balloon Flying over the US?
One cybersecurity professional’s point of view
First of all, it doesn’t really matter what I speculate about the Chinese spy balloon because I do not have all the intelligence available to me that the people who make decisions about it do. My opinions do not matter. I am more curious about it than anything.
My first thought was, “What’s in that balloon?” I do not think it would be wise to shoot it down over the US if we do not have the answer to that question. All the people in the government screeching to shoot it down immediately, as if it posed some imminent threat, were uninformed, and I’m personally very glad those people were not in charge of this particular decision. Those cries to scare and rile up the American public were simply political tactics, not well thought out opinions based on proper evidence.
The balloon was apparently the size of three buses. Source:
The balloon did not give China more intelligence than it already gets from its satellites. When it was shot down, it scattered over a 7-mile area. Source:
I guess they could have tried to shoot it down over some barren land, but who knows where the wind would have blown, what the contents of the balloon were, or how those contents would have affected the air or whatever was on the ground.
Additionally, there’s a tactic sometimes taken in cybersecurity (which you should not do unless you really, really know what you are doing, as it can lead to catastrophic results if you do not). You spot an adversary in your network — and you don’t immediately kick them out. You watch them. You study their behavior. You learn how they operate.
In the case of this balloon, the data traveling from the balloon to whatever its destination was was likely encrypted, so it may not have been possible to intercept and view the traffic. On the other hand, it is sometimes possible to trick malware into sending its traffic to the wrong destination, at which point you can capture it in the clear and study it. Perhaps that was occurring as this balloon traversed the US.
Another possible tactic would be for the US to intercept the traffic and send false data back to the command and control servers operating the balloon, hack those servers, or even cause them to malfunction. The US has recently changed its hack-back laws. You and I, citizens on the ground, have no idea what the government was actually doing while that balloon was floating over the US.
Additionally, for all the leaders in the government who back Trump, and Trump himself, saying what he would have done about it, it has now come to light that three such balloons traversed the US under Trump’s watch. It is no surprise that the leaders from that time period deny that took place. Source:
How could this possibly be true? This must be politics, right? Well, the DoD likely stored data from prior investigations in prior years and could refer back to it and revisit whether they had missed anything in the past.
Of course, people who don’t want to believe that won’t. But unless you are briefed on the matter by US intelligence you really can’t know or judge the evidence.
And so this is how I feel about the Chinese spy balloon. I tend to believe the government when they say it is a spy balloon because I know how cybersecurity works. I understand how to intercept traffic and see what is going on in the packets traversing the network — whether between two routers or a balloon and a satellite.
I tend to believe that it was a balloon used for capturing intelligence, but I can’t really know. I feel that many people who work in cybersecurity are evidence-based. It’s something you learn after having proper training and years of experience. You try to avoid assumptions or jumping to conclusions. You tend to base your opinions on analysis and facts, not hearsay. So whoever in government cybersecurity came to this conclusion likely has proper evidence to back up that statement.
But when you don’t know — you just say, “I don’t know.” Because you don’t. Unless you are privy to the evidence, you don’t know what’s in that balloon, why the Department of Defense didn’t want Biden to shoot it down, and a lot of other things that can’t be determined without the full evidence to make a logical conclusion. So avoid the political noise. Wait and watch for evidence and facts from trusted sources who are not blatantly biased.
Right now I’m just wondering what will come out of further inspection of the debris shot down near the coast of South Carolina, not so far from where we were walking our dog and listening to tunes down on the Savannah riverfront. Source:
While we were down there on the waterfront, a woman who happened to be walking her own dog started talking to us. She looked at a text on her phone and said, “They shot down the balloon!” As we continued talking I revealed that I work in cybersecurity, and she said she works for Merck — where they had a huge cybersecurity incident about four years ago in which all the screens went black.
I said, “Was it ransomware?”
She said, “I don’t know.”
I said, “It was ransomware.”
My opinion on the Chinese spy balloon? People should worry more about securing what they have control over — their own cybersecurity architecture and the systems and devices that are insecure, unpatched, and misconfigured and that could lead to a data breach or spying on their own network. If any of those are hosted in AWS, Azure, or GCP, follow my blog to learn how to secure those systems. The time will be better spent patching and updating your devices than worrying about a spy balloon.
The spy balloon is interesting but every government is spying on every other government at the moment. That’s the reality. There’s not really much you can do about it unless you work in the government and are involved in making related decisions — and you have all the relevant training and facts to do so.
Teri Radichel | © 2nd Sight Lab 2023