President Trump again scrambled debate yesterday about foreign cyberthreats with his unfounded claim — refuted by his own FBI — that China hacked Hillary Clinton’s emails while she was secretary of state.
This is an ongoing pattern for Trump. The president is quick to point the finger at Beijing when it comes to malicious activities in cyberspace, even as he refuses to consistently embrace his intelligence community's findings on Russian election interference in 2016. He has previously suggested, without evidence, that it “could have been China” that hacked Democratic organizations during the 2016 presidential election.
But the episode shouldn’t distract from the fact that Beijing hackers have long targeted U.S. officials, political candidates and government institutions. The issue is a top concern in Washington, where officials are struggling to find ways to deter cyber-aggression from nation states.
But the way China has used its influence in cyberspace is markedly different from how Russia has wielded its digital prowess. Chinese hackers haven't weaponized the information by releasing it into the public sphere with the goal of actually disrupting the political process.
“From a U.S. politics/public official standpoint, the Chinese government is more interested in using cyber operations for surveillance and reconnaissance,” Amy Chang of the Harvard Belfer Center’s Cyber Security Project said in an email. The goal, she told me, is “to understand the viewpoints and motivations of influential officials and how they may influence policy in favor of/against Chinese interests.”
China’s politically oriented snooping efforts go back years. Though Beijing denies it, U.S. intelligence officials say Chinese government-backed hackers infiltrated the presidential campaigns of Barack Obama and John McCain in 2008, making off with troves of files from campaign computers. Cyberattacks on sitting officials, including former Commerce secretary Carlos Gutierrez and former Virginia congressman Frank Wolf (R), have also been linked to Beijing. And in one of the biggest breaches of a government network to date, Chinese-linked hackers stole data on more than 22 million people from the Office of Personnel Management. Other examples abound.
“The Chinese have become adept at using cyber-tools to conduct espionage to further their national security, foreign policy, and economic goals,” said Michael Daniel, chief executive of the Cyber Threat Alliance and former White House cyber coordinator in the Obama administration. “The Chinese typically use their cyber-capabilities differently than the Russians or Iranians, primarily because they are usually more interested in shaping the world order versus disrupting it.”
But while high ranking-officials are certainly a target, there's no indication that Clinton's private emails when she was secretary of state were hacked.
Hours after Trump fired off his tweets, the FBI contradicted him. “The FBI has not found any evidence the servers were compromised,” the bureau said in a statement to my colleague John Wagner. John also noted that former FBI director James B. Comey, who investigated Clinton's use of a private email server, said in July 2016 the FBI “did not find direct evidence that Secretary Clinton’s personal e-mail domain, in its various configurations since 2009, was successfully hacked.”
But Trump didn't seek to tamp down the controversy, which appear to have been referencing an article in the right-leaning Daily Caller news site. It left a lot of observers scratching their heads.
“Mr. President, you have at your disposal the resources of the nation’s law enforcement agencies and intelligence community,” Rep. Adam B. Schiff (D-Calif.) tweeted. “Use them.”
From the Wall Street Journal’s Byron Tau:
The president has access to all classified information, has unilateral declassification authority to release anything he thinks is in the national interest and is hanging this explosive claim (that his FBI denies) on a Daily Caller story. https://t.co/6aKo2hdXeO— Byron Tau (@ByronTau) August 29, 2018
And my colleague Shane Harris:
The president could clear this is up very quickly if he wants. https://t.co/g2F0SFaXvV— Shane Harris (@shaneharris) August 29, 2018
And the government accountability group Citizens for Responsibility and Ethics in Washington:
Trump: Russia didn’t interfere in the election— Citizens for Ethics (@CREWcrew) August 29, 2018
FBI: Russia interfered in the election
Trump: China hacked Hillary Clinton’s email
FBI: China didn’t hack Hillary Clinton’s emailhttps://t.co/8GBCIp7rmu
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
PINGED: Even though California passed a bill in late June that strengthens data privacy, opponents of the legislation have not given up their fight. “Lobbying groups and trade associations, including several representing the tech industry, immediately started pushing for a litany of deep changes that they say would make the law easier to implement before it goes into effect in January 2020,” Wired's Issie Lapowsky reported.
“But privacy advocates worry that pressure from powerful businesses could end up gutting the law completely.” Under the bill that passed in June, tech companies will have to disclose the kind of data they gather on users and reveal which advertisers and other third parties they share that data with. (I wrote about the legislation in June and July.)
As California's legislative session approaches the end, the battle is now being fought over another bill, SB-1121. “The original goal of SB-1121 was to deal with typos and other small, technical errors, with the hope of introducing more substantive changes in further legislation next year,” Lapowsky wrote. “But over the last few weeks, groups like the Chamber of Commerce and the Internet Association, which represents companies like Google and Facebook, have pushed for significant alterations, even as the tech industry works to develop a federal privacy bill that would, if passed, override California's law.”
PATCHED: A coalition of 31 privacy and civil-rights groups asked the Senate Judiciary Committee to consider two Trump nominees for the Privacy and Civil Liberties Oversight Board, an independent agency tasked with ensuring the U.S. government's fight against terrorism doesn't infringe on civil liberties.
In a letter to Sen. Charles E. Grassley (R-Iowa), the committee's chairman, and Sen. Dianne Feinstein (Calif.), the ranking Democrat on the panel, the groups said the board is lacking a quorum and therefore “cannot issue oversight reports, provide the agency’s advice, or build upon the agency foundations laid by the original members. It is also critical that the PCLOB operate with a full bipartisan slate of qualified individuals.” Elisebeth B. Collins is the sole board member at the moment, according to the agency's website.
The groups that signed the letter include the American Civil Liberties Union, the Brennan Center for Justice at New York University School of Law, the Electronic Frontier Foundation and New America’s Open Technology Institute. “It is a shame that the PCLOB has now lacked a quorum of members for over one and one-half years, and appalling that during the eleven years since Congress first created the PCLOB as an independent agency, the PCLOB has only operated with a quorum for four and one-half years,” Sharon Bradford Franklin, director of surveillance and cybersecurity policy at New America’s Open Technology Institute, said in a statement.
PWNED: The Election Assistance Commission “is at odds with itself, working under a vague but limited mandate and overseen by officials who hold conflicting ideas about what matters in the world of electoral security,” Yahoo News’s Alexander Nazaryan reported in an in-depth story on the commission.
For several years, the EAC was barely functioning. “From 2010 to 2014, the EAC was effectively a ghost agency, lacking commissioners and senior staff,” Nazaryan reported. “There was not a single public meeting in 2011, 2012, 2013 or 2014.” Moreover, the agency did not take notice of the extent of Russian efforts to interfere in the past presidential election, according to Yahoo News.
“As the November 2016 presidential elections approached, the EAC remained listless and unfocused,” Nazaryan wrote. “Records of meetings show that cybersecurity was discussed by agency staff, but no urgency was ever conveyed to Congress or the public. By the time that EAC Commissioner Thomas Hicks testified before a House subcommittee on information technology, on Sept. 28, 2016, Russian interference on all levels of the democratic process was becoming known. Hicks, however, was not especially concerned. The ‘American election administration system is secure,’ he told Congress.”
Brenda Soder, a spokeswoman for the EAC, denied the agency has failed to recognize the extent of threats to election security. “It’s disingenuous and inaccurate to claim that the EAC doesn’t take election security threats from Russia or any other potential malicious actor — foreign or domestic — seriously,” Soder said.
— “Facebook’s Sheryl Sandberg and Twitter’s Jack Dorsey are set to face a fresh grilling on Capitol Hill next week as lawmakers probe Silicon Valley’s efforts to police content online, from political speech to suspected Russian propaganda,” The Washington Post's Tony Romm reported. “The Senate Intelligence Committee said Wednesday that it would hold a hearing next week with the two tech giants focused on ‘social media companies’ responses to foreign influence operations.’” The hearing has been scheduled for Sept. 5. Tony reported that “lawmakers so far have rejected Google’s offer to send a lower-level executive, and the search giant has not committed to sending Larry Page, chief executive of parent company Alphabet, to testify.”
— “Democrat Abigail Spanberger, a former CIA officer challenging Rep. Dave Brat (R) in Virginia’s 7th Congressional district, says a conservative super PAC aligned with House Speaker Paul Ryan illegally obtained sensitive personal information about her from a questionnaire she submitted to the federal government years ago while seeking security clearance,” The Washington Post Laura Vozzella reported. The Congressional Leadership Fund said it obtained the document after America Rising Corp., a consultant to CLF, filed a Freedom of Information request and received Spanberger's personnel file from the U.S. Postal Service.
Spanberger demanded that CLF destroy copies of her security questionnaire, known as SF-86, and not use information from it. The form includes her unredacted social security number and her medical history, my colleague Laura reported. “CLF suggested that Spanberger was trying [to] distract from a fact of her work history — that she had once taught English at Islamic Saudi Academy, a Northern Virginia school dubbed ‘Terror High’ because some of its students later joined al Qaeda,” Laura wrote.
Now, another former CIA officer, Elissa Slotkin, worries that she might be next in line to see details of her life revealed to political opponents in her race for Congress, the Daily Beast's Spencer Ackerman reported on Wednesday. “Obviously I was very disappointed and surprised they had obtained and then leaked a copy of someone’s SF-86, so you have to assume they’re willing to do the same thing with any other candidate that has a security clearance,” Slotkin told Ackerman. She said she does not know if her security questionnaire has been obtained by opponents. Slotkin, who is running as a Democrat in Michigan, is among at least 34 intelligence and military veterans running for a seat in the House or Senate this year, according to the Daily Beast.
This is the type of tactic we've come to expect from foreign adversaries, not political organizations within our own democratic system. Given how active CLF is in MI08, I appeal to GOP officials to disavow these tactics & respect the privacy of those who have served their country— Elissa Slotkin (@ElissaSlotkin) August 29, 2018
— More cybersecurity news from the public sector:
— “Some 20,000 Air Canada customers woke up Wednesday to learn their personal information may have been compromised after a breach in the airline’s mobile app, which prompted a lock-down on all 1.7 million accounts until their passwords could be changed,” the Canadian Press's Christopher Reynolds reported. “Air Canada said it detected unusual login activity between Aug. 22 and Aug. 24 and tried to block the hacking attempt, locking the app accounts as an additional measure, according to a notice on its website.”
— More news about cybersecurity vulnerabilities:
— “Germany announced a new agency on Wednesday to fund research on cyber security and to end its reliance on digital technologies from the United States, China and other countries,” Reuters reported. “Interior Minister Horst Seehofer told reporters that Germany needed new tools to become a top player in cyber security and shore up European security and independence.”
— More cybersecurity news from abroad:
- North Carolina Digital Government Summit in Raleigh.
- 9th annual Billington CyberSecurity Summit in Washington on Sept. 6.
Trump calls for fairness, not regulation of Google:
McCain's family bids their final farewells:
At McCain's favorite restaurant, the owner plays one last farewell song: