Hello, Cybersecurity 202 readers. My name is Joe Marks and I’ll be anchoring this newsletter going forward. I’ll be your guide through data breaches, bug bounty bills, encryption debates and disinformation campaigns. Send your tips, quips, critiques and big ideas to me anytime at firstname.lastname@example.org or on Twitter at @Joseph_Marks_.
The U.S. government’s get-tough strategy with Russian and Chinese companies that officials suspect of spying for their home governments risks a tit-for-tat response that could hurt U.S. companies and contribute to fracturing the global Internet, experts and former officials warn.
An escalating conflict over government bans on Kaspersky, Huawei and ZTE products could prompt Russia and China to retaliate by banning U.S. companies in those markets, said Adam Segal, a China expert and director of the cybersecurity policy program at the Council on Foreign Relations.
“U.S. actions reinforce Beijing's view that it is in a tech cold war with the U.S. and that Washington wants to contain China's rise,” Segal told me. “It will react by increasing its own efforts to develop home-grown tech and retaliate against U.S. firms.” Just as likely, China and Russia might further hike trade barriers for digital tech firms that have been rising since 2015, Segal said.
The prospect of retaliation only intensifies pressure on the lawmakers and executive branch officials who back the bans — and may make it harder to press companies and allies to join in.
The U.S. government won a major victory late last month when a federal appeals court upheld two government-wide bans that effectively barred software from the Russian anti-virus company Kaspersky Lab from government computers or from contractors that touch government systems. The bans, imposed by the Department of Homeland Security in October 2017 and by Congress two months later, followed months of allegations that a Kaspersky anti-virus could be used as a spying tool by the Kremlin.
In August, Congress passed similar bans against the Chinese telecom companies Huawei and ZTE.
Now, companies and government officials should prepare for a backlash against U.S. companies and be ready to “truth squad” any charges those companies were spying on behalf of the U.S. government, Frank Cilluffo, a former White House homeland security adviser during the George W. Bush administration, told me.
At the same time, lawmakers are keeping up the pressure in Washington and urging industry and some allies to steer clear of the Russian and Chinese companies. Sen. Mark R. Warner (D-Va.) urged Google in June to be more transparent about its dealings with Huawei. Warner and Sen. Marco Rubio (R-Fla.) have consistently urged Canada to shut Huawei out of its planned 5G network.
After Canadian officials announced they’d arrested Huawei Chief Financial Officer Meng Wanzhou on Wednesday, seemingly to be extradited to the United States for sanctions violations, Sen. Ted Cruz (R-Tex.) described the company on Twitter as “a Communist Party spy agency thinly vieled (sic) as a telecom company.”
Huawei is a Communist Party spy agency thinly vieled as a telecom company. Its surveillance networks span the globe & its clients are rogue regimes such as Iran, Syria, North Korea & Cuba. The arrest of Huawei’s CFO Wanzhou Meng in Canada is both an opportunity & a challenge.— Senator Ted Cruz (@SenTedCruz) December 6, 2018
Bruce McConnell, a former top cyber official in the Department of Homeland Security, said this kind of language may only add fuel to the fire. While government bans might be necessary to protect national security secrets, he said, this could encourage China and Russia to launch a similar war of words against U.S. companies.
“It’s up to governments and customers to make their own decisions,” he said. “When government acts as a national policymaker, that’s a different story … It’s more of a reputational issue if the government is calling around to people and warning them off something.”
After all, government and private sector interests might not be totally aligned. Many U.S. and European security pros, for example, say Kaspersky is useful inside a broader suite of cyber protection tools, he said, because Kaspersky researchers are better at spotting and protecting against malware written by Russian cybercriminals.
As China and Russia consider how to respond to the bans, it might not be so easy for them to replace American tech products. For one thing, the United States leads in most of the technology that is vital to government and critical infrastructure, so it would be difficult to find a suitable replacement, Segal said.
But there are other ways to respond besides an outright prohibition on U.S. products. The Russian and Chinese governments have passed cybersecurity laws that make it harder for foreign companies to enter their markets, and those rules could become more onerous, Segal said. Those laws require companies to store data inside national borders under certain circumstances. The governments have also demanded that some companies that manage critical systems submit to intrusive reviews of the source code underlying their products.
Regardless of how China and Russia respond, this conflict is part of a broader shift to greater controls on government and sensitive computer networks, said Cilluffo, who runs a cyber strategy and technology program at Auburn University.
“Countries are increasingly turning to internal security providers, especially when dealing with cybersecurity,” he said. “There are some legitimate concerns in term of Balkanization of the Internet, but I don’t think Kaspersky is the tipping point.”
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
PINGED: The Department of Homeland Security should require federal agencies to block Internet ads that might deliver malware attacks to government employee computers, Sen. Ron Wyden (D-Ore.) said in a letter this morning to the department’s top cybersecurity official and shared exclusively with The Cybersecurity 202.
Wyden first urged DHS to address the “malvertising” threat last November. DHS responded in April that it was still looking into the issue. Today’s letter cites public guidance from the National Security Agency, which urged private organizations in June to block potentially malicious ads. Wyden asks whether DHS agrees with the NSA guidance, if it blocks malicious ads on its own networks, and what the holdup is in protecting the rest of the government.
PATCHED: Sens. Maggie Hassan (D-N.H.) and Rob Portman (R-Ohio) introduced legislation designed to allow white-hat hackers to report weaknesses in the Department of Homeland Security's computer systems without fear. “This bill encourages ethical hackers to come forward with information they find about vulnerabilities in our government networks by assuring them that if they do, they’ll have protection under the law,” Hassan said in a statement.
The Public-Private Cybersecurity Cooperation Act would require DHS to create a vulnerabilities disclosure program and set up a process to fix the vulnerabilities that security researchers report to the department. Portman said in a statement that the federal government should take advantage of “the vast expertise of hackers and security experts in our country to identify vulnerabilities and report them” to the appropriate authorities. Hassan and Portman's measure is a companion bill to a piece of legislation that was introduced by House Majority Leader Kevin McCarthy (R-Calif.) and passed the House in September. A separate bill from Hassan and Portman, which would give ethical hackers cash rewards for spotting bugs in DHS websites, passed the Senate but is stalled in the House.
PWNED: The CIA hasn't yet completely fixed an online system to communicate with sources abroad that was compromised several years ago with devastating consequences, Yahoo News's Jenna McLaughlin and Zach Dorfman reported. A former official told Yahoo News that “we’re talking about hundreds of billions of dollars to fix” the communications systems. CIA sources who were caught in Iran as a result of the system's failure were detained and in some cases executed, and about 30 sources were executed in China, according to Yahoo News.
“Even under the best of circumstances, said one former senior official, internet-based communications systems create counterintelligence challenges,” McLaughlin and Dorfman wrote. “CIA agents using the system were supposed to conduct ‘electronic surveillance detection routes’ — that is, to bounce around on various sites on the internet before accessing the system, to cover their tracks — but often failed to do so, creating potentially suspicious patterns of internet usage, said this person.”
— A CFR report suggests a three-pronged strategy for the Trump administration to curb Chinese cyber espionage for commercial gain. It says the U.S. should:
- Coordinate with allies to name and shame China and enact punitive measures. “Washington should mobilize large-scale, coordinated attribution with these same partners—especially countries such as Canada, Germany, and others victimized by Chinese commercial cyber theft—followed by concrete sanctions,” the report said.
- Sanctions companies, universities, researchers, and people who use digital attacks to steal U.S. intellectual property.
- Help small companies shore up their cyberdefenses against Chinese hackers "and strengthen counterintelligence to identify sectors and companies under threat." The report adds that “companies and intelligence agencies should consider a strategy of ‘poisoning the well’—planting fake data on networks to make it harder for the hackers to know what is useful and what is not.”
“Changing Beijing’s behavior will be a long-term endeavor, the success of which will be rooted in building a multinational coalition, punishing companies that benefit from cyber espionage, and strengthening cyber defenses at home,” according to the report by Lorand Laskai, a research associate for Asia Studies at CFR, and Segal.
— “A House lawmaker wants federal agencies to prioritize cybersecurity when buying internet-connected devices,” Nextgov’s Jack Corrigan reported. “The Internet of Things Federal Cybersecurity Improvement Act, which Rep. Robin Kelly, D-Ill., plans to introduce next week, would require all internet-connected devices purchased by the government to meet a set of basic cybersecurity standards. The bill would also pressure agencies to avoid using so-called ‘lowest price technically acceptable’ criteria when choosing vendors for those devices.”
— More cybersecurity news from the public sector:
— “Cybersecurity giant Symantec on Wednesday announced a new product meant to protect industrial control networks from a pernicious threat: USB flash drives,” CyberScoop’s Jeff Stone reported. “Numerous studies have determined that roughly half the population is likely to plug a USB drive found in the parking lot into their computer, presenting hackers with an invaluable opportunity to infiltrate sensitive networks. Symantec is trying to solve that problem with Industrial Control System Protection (ISCP) Neural, a USB-scanning station meant to help energy, oil, gas and manufacturing organizations — which often use USB drives to update legacy systems — check for malicious software.”
— More cybersecurity news from the private sector:
— “One third of Germany’s small- and medium-sized companies have been spied on by foreign states, competitors or employees, a team of experts including Germany’s Federal Crime Office (BKA) said on Thursday,” Reuters reported. “German officials and executives are worried about industrial espionage in Europe’s largest manufacturing nation. Cyber experts warn that Germany - with technology expertise - is a particularly attractive target for cyber attackers, including state actors.”
— More cybersecurity news from abroad:
- Warner delivers a speech on cybersecurity policy at the Center for a New American Security in Washington.
- Google chief executive Sundar Pichai testifies before the House Judiciary Committee on Dec. 11.
- House Armed Services subcommittee hearing on the Defense Department's “artificial intelligence structure, investments, and applications” on Dec. 11.
- 2018 Cloud Security Alliance Congress on Dec. 11 through Dec. 12. in ChampionsGate, Fla.
- Senate Judiciary Committee hearing on “China’s non-traditional espionage” on Dec. 12.
The Trump administration struggles to explain its own trade agreement:
From Fox News journalist to diplomat: Nauert to be nominated as next U.N. ambassador.
10 times George H.W. Bush's humor brought laughter to his loved ones in mourning: