The Trump administration is prepping a slate of get-tough measures against Chinese government-linked hackers — including indictments, a naming and shaming campaign by multiple federal agencies and possible sanctions against hackers and the organizations that back them.
The moves, as reported by my colleagues Ellen Nakashima and David J. Lynch yesterday, mark a dramatic U.S. counterpunch against China’s digital theft of U.S. companies’ intellectual property.
It’s far from clear, however, that the crackdown will make China pare back an intellectual property theft campaign that former intelligence officials once described as “the greatest transfer of wealth in history.”
The broader trade feud between the United States and China — and last week’s arrest of a top official at Chinese telecom giant Huawei — will make it difficult to deal with the commercial hacking issues in isolation, experts warn.
Chinese leaders may decide that it’s not worth acceding to U.S. demands about hacking when tensions are otherwise so high between the world’s two largest economies, they say. Because of this, tightening the screws on China at this volatile moment could just escalate the conflict.
“I don’t know whether this practice of applying maximum pressure is the right way to do it,” Herbert Lin, a senior research scholar for cyber policy at Stanford University, told me. “My own personal instinct is that it isn’t.”
With both sides at a standoff on trade, Beijing could ultimately decide that easing hacking would be a concession in exchange for nothing. “The issues are rolled together in a way that it’s difficult for Chinese leaders to know anything,” Jason Healey, a former White House cyber adviser, told me. “Chinese leaders don’t know if they go along with us on espionage that we’ll go easy on them somewhere else.”
This issue will be hot on the Hill today. Chris Krebs, the Department of Homeland Security’s top cyber official, is slated to testify about Chinese hacking before the Senate Judiciary Committee this morning.
According to prepared testimony provided by a DHS official, Krebs will say that overall Chinese hacking is down since 2015, the year when then-President Barack Obama signed an agreement with Chinese President Xi Jinping that the nations wouldn’t hack one another for commercial gain.
But Chinese hacking is still taking place: The nation’s most prominent targets are defense contractors with security clearances and information and communications technology firms, Krebs plans to say. And Chinese spies were also behind the hack revealed last month of personal information about approximately 500 million customers at the Marriott hotel chain, the New York Times reported Tuesday.
It's not the first time the U.S. has sought to ratchet up the pressure on China for hacking. In 2014, the Obama administration indicted five members of China’s People’s Liberation Army for hacking companies including U.S. Steel, the nation’s largest steelmaker, and Alcoa, the largest aluminum manufacturer.
Those charges, which were the first that the United States filed against a foreign government-linked hacking group, were preceded by several years of quiet diplomacy urging the Chinese to halt or reduce their commercial hacking operations. The 2014 indictments, along with a threat of sanctions, were widely credited with pressuring Xi to sign the 2015 deal, after which Chinese commercial hacking decreased substantially. However, according to cybersecurity companies, it has spiked again in recent years.
There are some differences today, though, that might make a next round of indictments carry less weight. For one thing, the United States has issued a lot of cyber indictments since 2014 and they’ve had minimal effect.
The United States has indicted government-linked hackers in Russia, Iran and North Korea since 2014 and there’s no evidence those nations have changed their hacking behavior. National security adviser John Bolton and other Trump administration officials have even bemoaned that indictments and other tools the United States uses to punish foreign hackers do little good and that the United States will pivot to responding more with retaliation in cyberspace.
There’s also the embarrassment factor. Many people believed the 2014 charges were deeply embarrassing to the Xi regime because they undermined the image of China as a responsible superpower whose companies could develop their own technology rather than thriving on tech stolen from the West.
But Healey says Chinese leaders may have changed their calculus as the expectations of sober statesmanship evolves during the Trump era. Trump’s feuding with allies and hostility to global agreements such as free-trade pacts and the Paris climate accord makes the possibility China will see a reason to reform its behavior less likely, he says.
Xi can project the image of a global leader “just by talking about climate change and global governance and all the things the U.S. used to talk about and doesn’t anymore,” Healey said.
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
PINGED: The Department of Homeland Security’s cybersecurity agency plans to do more outreach and education for the public, its director Chris Krebs told me in an interview . That includes working with other federal agencies to develop cyber education programs for K-12 and college students, Krebs said. It also includes doing public education programs about issues such as digital vulnerabilities in the Internet of Things, he said.
The move was partly spurred by recent legislation that reorganized Krebs’s agency and renamed it the Cybersecurity and Infrastructure Security Agency or CISA. “Now that we’re the cyber agency for the federal government, we need to make sure we’re raising awareness for the general public,” on cyber issues, Krebs said.
CISA officials are working on a road map for how the agency will evolve between now and 2020, Krebs said. That document, which is due out in a couple weeks, won’t be publicly released, he said, but a shorter “director’s vision” for the agency will be.
PATCHED: Super Micro Computer just made another dent in a Bloomberg Businessweek report alleging that China carried out a hardware-based hacking campaign against several American businesses. The company, also known as Supermicro, said that an investigation it undertook following the publication of the article “found absolutely no evidence of malicious hardware on our motherboards.” Reuters’s Joseph Menn reported that the investigations company Nardello & Co carried out the review of Supermicro’s motherboards. The Bloomberg Businessweek story said that malicious chips were inserted on Supermicro motherboards and compromised the U.S. technology supply chain, including in classified systems at the Defense Department and CIA.
“As we have stated repeatedly since these allegations were reported, no government agency has ever informed us that it has found malicious hardware on our products; no customer has ever informed us that it found malicious hardware on our products; and we have never seen any evidence of malicious hardware on our products,” Supermicro said in a letter to its customers. The Bloomberg Businessweek report also alleged that the hacking campaign affected companies including Amazon and Apple — Amazon Web Services and Apple have disputed the content of the story and said it ought to be retracted. U.S. officials have also expressed doubts about the story. (Amazon founder and chief executive Jeffrey P. Bezos owns The Washington Post.)
PWNED: Several cybersecurity experts said the data that was exposed in the Marriott breach such as names, contact information and passport numbers could prove valuable for intelligence services that may want to monitor diplomats, business executives and other targets, The Washington Post's Ellen Nakashima and Craig Timberg reported. “Armed with a rich array of personal data, an intelligence agency can also tailor an approach to a person to see whether the individual can be recruited as a spy or blackmailed for information,” my colleagues wrote.
Early clues suggest that hackers tied to the Chinese Ministry of State Security carried out the breach, according to two people who were briefed on the government probe of the hack. The fact that the data hasn't been found on the “dark Web” or other criminal forums is another indication that hackers tied to a nation-state — rather than cyber criminals — may be behind the breach. “If it were a criminal act, people would be trying to sell it,” one of the people familiar with the investigation told Ellen and Craig.
Chinese spies were also allegedly behind major breaches at insurance companies and the U.S. Office of Personnel Management, giving them a trove of information about U.S. government employees with access to sensitive information.
— Following his appearance before the House Judiciary Committee, Google chief executive Sundar Pichai said in an interview with The Post that the company is engaged in an internal effort to develop a product for China but didn't specify its nature. “Pichai, who acknowledged in questioning from lawmakers that roughly 100 people have worked on the project but repeatedly said Google currently has ‘no plans’ to offer a new product for China, later told the Post that it was too soon to put any parameters on the effort,” The Post's Tony Romm and Craig Timberg reported.
Rep. David N. Cicilline (D-R.I.) asked Pichai in the hearing if he would “rule out launching a tool for surveillance and censorship in China." Pichai said it company's mission “to explore possibilities to give users access to information."
— Russian operatives appeared to sit out this year’s midterm elections, but it doesn’t mean that hackers won’t take aim at the 2020 campaign. Robby Mook, who served as campaign manager for Hillary Clinton in the past presidential election, said campaigns represent targets for hackers because they don’t have enough resources to protect themselves adequately, the Wall Street Journal’s Catherine Stupp reported. “We still have a challenge that it’s expensive to secure your campaign and campaign people are not cybersecurity experts. They’re never going to be and they can’t afford to hire someone who is,” Mook said, as quoted by the Journal.
Moreover, operatives may use doctored videos known as deep fakes to throw the next presidential campaign into disarray, Mook said at a WSJ Pro Cybersecurity Executive Forum. Judd Choate, Colorado’s elections director, said that while it would be nearly impossible to alter votes, voter registration systems or election night reporting systems could come under attack, Stupp reported.
— Sen. Gary Peters (Mich.) will serve as ranking Democrat on the Senate Homeland Security and Governmental Affairs Committee in the next Congress, according to a news release from Senate Minority Leader Charles E. Schumer (D-N.Y.). Peters will replace Sen. Claire McCaskill (D-Mo.) as the top Democrat on the committee after she lost her campaign for reelection in November.
— More cybersecurity news from the public sector:
— Hackers are setting their sights on cloud services. “Hackers are becoming increasingly able to access and take advantage of vulnerabilities in cloud services, according to a new report published Tuesday,” the Hill's Jacqueline Thomsen reported. “Palo Alto Networks’s threat research team Unit 42 found that 29 percent of vendors it worked with had potential account compromises in their cloud services. And 32 percent of the groups had set up their networks in a way that publicly exposed at least one cloud storage system, according to the research team.”
- Senate Judiciary Committee hearing on “China’s non-traditional espionage”
- Federal Trade Commission hearing on data security.
- 2018 Cloud Security Alliance Congress in ChampionsGate, Fla.
- The Federal Election Commission holds an open meeting tomorrow.
Fact-checking Trump, Pelosi and Schumer's oval office showdown:
Huawei executive granted bail in Canada, faces possible extradition to U.S. on fraud charges:
Person dressed as Monopoly’s “Rich Uncle Pennybags” attends Google’s CEO congressional hearing: