Good morning! I’m Cat Zakrzewski, a tech policy reporter at The Washington Post. I’ll be at the helm of The Cybersecurity 202 these next few weeks. If you can’t get enough of Post newsletters, sign up here for my forthcoming newsletter, The Technology 202. You won’t want to miss our daily analysis on the complex relationship between Washington and Silicon Valley, coming to your inbox in December.
President Trump is taking an even tougher stance on cybersecurity in the days before the midterm elections as his attorney general announced a broad new program Thursday meant to curb Chinese economic espionage against American companies.
As my colleague Ellen Nakashima reported, Attorney General Jeff Sessions announced the Justice Department would vigorously pursue cases involving the theft of trade secrets and find new ways to identify industry workers who have been “co-opted” by Chinese agents. The initiative was introduced as U.S. authorities indicted three Taiwanese nationals, a Taiwanese semiconductor company and a Chinese state-owned company for conspiring to steal trade secrets from an American semiconductor company.
“Chinese economic espionage against the United States has been increasing — and it has been increasing rapidly,” Sessions said. “Enough is enough. We’re not going to take it anymore.”
Trump has been inconsistent in the way he's treated cybersecurity issues. As a candidate, he promised digital security would be one of his main priorities. But he consistently waffles on whether he accepts the intelligence community's conclusion that Russia interfered in the presidential election through a campaign of hacking and fake news. And the White House came under fire from some lawmakers after it eliminated the position of cybersecurity coordinator on the National Security Council.
But there's been a flurry of activity on cybersecurity from the administration in recent days and weeks. It's not just the indictment and economic espionage strategy. His national security adviser John Bolton confirmed the United States was conducting offensive cyber operations to safeguard next week’s midterm elections. And Ellen reported last week that U.S. Cyber Command was targeting Russian operatives and seeking to deter them from interfering in the election by signaling that the military is tracking their moves.
And just yesterday, after an election security briefing, Trump insisted that his administration’s investment in election security would keep next week’s midterms “perfect and safe.” He told reporters at the White House that “there will be, hopefully, no meddling, no tampering, no nothing,” according to the Associated Press.
But of course, the tough actions on China fit into Trump's broader push to pressure the country amid a trade war. Ellen reported that the indictment — which charged the individuals and companies with stealing from Idaho-based Micron — follows a series of steps “meant to put Beijing on notice.”
From her piece:
The Trump administration has prioritized countering threats to U.S. national and economic security as China seeks to supplant the United States as the world’s dominant economic power. The administration already has imposed tariffs on $250 billion worth of Chinese goods, and since September federal prosecutors have brought charges in three intellectual property theft cases allegedly involving Chinese spies and hackers.
And Trump -- and his administration -- have for weeks been accusing China of interfering in the elections in retaliation without providing substantive evidence to back up these claims. Trump made the allegation during a September U.N. Security Council meeting, insisting that China “has been attempting to interfere in our upcoming 2018 election, coming up in November, against my administration. They do not want me or us to win because I am the first president to ever challenge China on trade, and we are winning on trade — we are winning on every level."
The indictments aimed at China come as Axios reports the administration is trying to ensure its anti-China message is heard.
“We're not just going to let Russia be the boogeyman,” one White House official told Axios. “It's Russia and China.”
Indeed, China's Ministry of State Security has been escalating its hacking efforts, as Ellen reported:
Dmitri Alperovitch, a cyber expert and chief technology officer at the cybersecurity firm CrowdStrike, said the Chinese military curtailed its commercial hacking in 2016 but that over the past year, operatives affiliated with China’s Ministry of State Security have increasingly taken up the slack, stealing military, medical, agricultural, high-tech and other secrets.
The Justice Department’s actions earned praise from lawmakers on both sides.
“The Chinese government’s complicity in intellectual property theft hurts American manufacturers, workers, and consumers, and undermines the ability of U.S. businesses to operate in China,” Senator Mark R. Warner (D-Va.) said. “I applaud the Department of Justice for using one of those tools today to hold China accountable, and encourage the Administration to take additional steps to crack down on economic espionage by Chinese businesses and the Chinese government."
PINGED: Sen. Joe Manchin III, a Democrat running for reelection in West Virginia, “was notified that social media accounts associated with his official office had been hacked,” according to a statement from his Senate office. “The accounts have since been secured,” the statement said. “Manchin and staff are working with state and federal law enforcement officials to prevent further hacking and secure all accounts.” The statement, which was issued before Manchin was set to take part in a debate against his Republican opponent Patrick Morrisey, the state's attorney general, did not specify who is suspected of carrying out the hack. The Post's Sean Sullivan reported that Jonathan Kott, a spokesman for Manchin, declined to provide additional details.
PATCHED: Federal agencies and cybersecurity companies are watching for Russian interference efforts in the waning days of the campaign season but there has not been much activity so far, the New York Times's David E. Sanger reported. “While some say they believe President Vladimir V. Putin of Russia is sitting out this election — the scrutiny is intense, the argument goes, and 470 House and Senate races make it just too hard for the Russians to figure out their interests, much less manipulate the outcome,” Sanger wrote. “Still, others find the quiet deeply disturbing, perhaps a sign of a plan to make a last-minute effort to convince voters that their ballots might not be counted, or counted correctly.”
Even though the campaigns are almost over, cyberattacks could also strike on Election Day. “A last-minute attack on county or state voter-registration systems, just to knock them offline, would create an uproar from voters who might show up at the polls and find they could not vote,” Sanger wrote. “A strike at power grids, turning out the lights at polling places, or just disrupting transportation systems could suppress turnout and lead to charges of manipulation.” Moreover, threats to the U.S. political system won't go away after the election, according to the Times. “Come Wednesday, if there are still races that are too close to call, just a rumor campaign about possible election manipulation might be enough to cast doubt about the integrity of the results,” according to Sanger.
PWNED: The United States has a plan to retaliate should Russia hack the midterms, the Center for Public Integrity's Zachary Fryer-Biggs reported in a story published by the Daily Beast. “The U.S. intelligence community and the Pentagon have quietly agreed on the outlines of an offensive cyberattack that the United States would unleash if Russia electronically interferes with the 2018 midterm election on Nov. 6, according to current and former senior U.S. officials who are familiar with the plan,” Fryer-Biggs wrote. “In preparation for its potential use, U.S. military hackers have been given the go-ahead to gain access to Russian cybersystems that they feel is needed to let the plan unfold quickly, the officials said. The effort constitutes one of the first major cyberbattle plans organized under a new government policy enabling potential offensive operations to proceed more quickly once the parameters have been worked out in advance and agreed among key agencies.”
The plan comes after Trump signed an executive order in August to ease procedural restrictions to carry out cyberattacks, according to Fryer-Biggs. “One of the key, unpublicized consequences of the new directive is that military planners can prepare for cyberstrikes—as called for in interagency agreements in advance—by gaining access to the computer systems of potential targets well before any order has been given to attack, or even before a foreign attack has occurred, the officials said,” Fryer-Biggs wrote. “That access is meant to pave the way for deploying malware—packages of compromising computer instructions—swiftly inside foreign networks and servers, when a decision is made to proceed.”
— Senior executives of major companies would risk heavy fines and up to 20 years' imprisonment for transgressing new data regulations while consumers would obtain increased control over their personal information under a draft bill released by Sen. Ron Wyden (D-Ore.). The bill, titled “Consumer Data Protection Act,” would enable the Federal Trade Commission to create and implement new privacy and cybersecurity standards.
Wyden said in a statement that the bill aims to establish “radical transparency” for users and “punish companies that abuse” consumers' data. “Today’s economy is a giant vacuum for your personal information — Everything you read, everywhere you go, everything you buy and everyone you talk to is sucked up in a corporation’s database,” Wyden said. “But individual Americans know far too little about how their data is collected, how it’s used and how it’s shared.”
The legislation would let consumers refuse to have companies share their personal data under a system called “Do Not Track.” Such a system would also allow “companies to charge consumers who want to use their products and services but don’t want their information monetized,” according to a summary of the bill issued by Wyden's office. Additionally, the legislation would allow the FTC to hire additional staff “to police the largely unregulated market for private data,” according to the bill's summary.
— “From around 2009 to 2013, the U.S. intelligence community experienced crippling intelligence failures related to the secret internet-based communications system, a key means for remote messaging between CIA officers and their sources on the ground worldwide,” Yahoo News's Zach Dorfman and Jenna McLaughlin reported. “The previously unreported global problem originated in Iran and spiderwebbed to other countries, and was left unrepaired — despite warnings about what was happening — until more than two dozen sources died in China in 2011 and 2012 as a result, according to 11 former intelligence and national security officials.”
— After receiving his election security briefing, Trump accused former president Barack Obama of not trying to prevent foreign interference in the 2016 election but didn't provide any evidence to back up the claim. “He was told by the FBI in September before the election in ’16 about potential meddling, or potential Russian meddling, and he did nothing about it,” Trump said. “He didn’t do that because he thought that Hillary Clinton would win.”
— “Roger Stone, a longtime adviser to President Trump, sent an email to Trump’s chief campaign strategist in October 2016 that implied that he had information about WikiLeaks’s plans to release material that would be damaging to Democratic nominee Hillary Clinton,” The Post's Rosalind S. Helderman and Manuel Roig-Franzia reported. “In an email to Stephen K. Bannon on Oct. 4 — days before WikiLeaks began releasing emails hacked from the account of Clinton campaign chairman John Podesta — Stone said that WikiLeaks founder Julian Assange feared for his personal safety but would nevertheless be releasing ‘a load every week going forward.’ ” Moreover, as my colleagues noted, “Stone posted the exchange with Bannon on Thursday in a column on the Daily Caller website, shortly before the New York Times published a story describing the message.”
— The leaders of the Senate Homeland Security and Governmental Affairs Committee last month requested a classified briefing from the FBI and the Department of Homeland Security following a controversial Bloomberg Businessweek report alleging that China carried out a hardware-based hacking operation that affected several U.S. companies. The Bloomberg Businessweek story has met forceful denials, and Apple and Amazon Web Services have called for the story to be retracted. (Amazon.com founder and chief executive Jeffrey P. Bezos owns The Washington Post.)
In an Oct. 16 letter to FBI Director Christopher A. Wray and DHS Secretary Kirstjen Nielsen, Sen. Ron Johnson (R-Wis.), the committee's chairman, and Sen. Claire McCaskill (Mo.), the panel's ranking Democrat, asked for a briefing to “fully understand the accuracy of public reports about the potential cybersecurity and supply chain threat.” Johnson and McCaskill requested the briefing by Oct. 25. Bloomberg News's Steven T. Dennis reported that the “agencies are processing the request and the panel hasn’t yet been briefed, according to a committee spokesman.”
— “Hackers appear to have compromised and published private messages from at least 81,000 Facebook users' accounts,” Andrei Zakharov of the BBC Russian Service reported. “The perpetrators told the BBC Russian Service that they had details from a total of 120 million accounts, which they were attempting to sell, although there are reasons to be sceptical about that figure. Facebook said its security had not been compromised. And the data had probably been obtained through malicious browser extensions.”
- The National Institute of Standards and Technology hosts the 2018 Cybersecurity Risk Management Conference on Nov. 7 through Nov. 9 in Baltimore.