Considering the security implications of CloudFlare’s partnership with Baidu

Earlier this year, Citizen Lab revealed an attack tool that hijacked Internet traffic bound for servers in mainland China and injected malicious code into it, turning unwitting browsers around the world into a distributed denial-of-service weapon aimed at websites like GitHub and GreatFire.org. The tool was dubbed “the Great Cannon” because it appears to be co-located with “the Great Firewall” that separates mainland China from the global Internet.
The Great Cannon was the first thing I thought about when news recently broke about CloudFlare’s partnership with Baidu. Both companies were touting their ability to reduce page loading times and make websites available to more people inside China, but nothing was said about how the partnership might provide even more fodder for the Chinese government to load into its Great Cannon.
Matthew Prince, co-founder and chief executive of CloudFlare, was quick to address my concerns. “When we see attacks [like those caused by the Great Cannon] those are actually fairly easy attacks to stop,” he said. “Often, much larger and more destructive attacks come from using infected machines and botnets.”
The Great Cannon, in other words, isn’t the scariest thing out there. Prince added that CloudFlare’s partnership with Baidu might actually make it easier to defend Western sites from attack.
“I’m really excited that we’ll be better able to keep traffic inside China,” he told me. “Before, it was much harder to sinkhole traffic” coming from infected machines in the country. CloudFlare previously had to “largely overbuild” a West Coast facility to handle that traffic.
Others have taken a more pessimistic view of the partnership. FireEye’s chief security strategist, Richard Bejtlich, wrote an article for Motherboard about the problems Western companies might face because of the virtual joint venture. He argued that Baidu had enabled the Great Cannon with one of its tools; that sharing CloudFlare’s intellectual property could allow it to be undermined; and that Baidu or the Chinese government might just copy the company’s tech.
Prince dismissed the blog post as fear-mongering. Much of CloudFlare’s tech is already open-sourced, he said, and many companies could probably build a copycat using the tools it has shared on its GitHub page. CloudFlare’s real value is said to come from the network it uses to thwart attacks and the data it gathers from the “more than 2 million web properties” with which it works.
“When US-China partnerships fail,” he said, “it’s often because some security guru and his lawyers say ‘We can’t trust you with anything.’” CloudFlare is said to have passed on many potential Chinese partners because it couldn’t trust them; sharing intellectual property is one way for CloudFlare to show that trust. He also said there’s “no evidence” Baidu was complicit with the Great Cannon.
Still, he said he hadn’t considered how speeding up Internet connections in China might indirectly assist the Chinese government. While things might not be as gloomy as Bejtlich portrays them in his article, they might also not be as sunny as CloudFlare depicts them. There’s a giant question mark here, and that’s unsettling, given just how problematic China’s Great Cannon might be.