In the United States, the tough words were accompanied by indictments against the hackers Zhu Hua and Zhang Shilong, who Justice Department officials said were part of a Chinese Ministry of State Security-backed hacking group commonly known as “Advanced Persistent Threat 10” or “Stone Panda,” as my colleagues Ellen Nakashima and David J. Lynch reported.
The joint condemnations mark a watershed in U.S.-led efforts to impose rules of the road on the once-lawless realm of cyberspace, experts and former government officials said. They also demonstrate that the Trump administration has reached a very un-Trumpian conclusion: When it comes to cybersecurity, the United States can’t simply go it alone.
The U.S. strategy of seeking cooperation with allies on naming and shaming nations that behave badly in cyberspace dates to roughly 2014, John Carlin, a former assistant attorney general for national security during the Obama administration, told me.
The United States and its allies have cooperated on numerous naming and shaming campaigns this year. That includes the U.S. and U.K. attributing the 2017 NotPetya ransomware campaign to Russia, the U.S., U.K. and Dutch governments condemning Russian cyberattacks against chemical weapons monitors, Olympic athletes and anti-doping organizations, and the U.S. and U.K. fingering North Korea for the WannaCry malware campaign.
Those attributions were relatively painless, however, compared to the possible consequences of publicly accusing China of massive corporate espionage and intellectual property theft.
“The rogue activities of Russia and North Korea are so provocative and the trade relationships are not so valuable, so there’s a willingness to call them out,” Carlin told me.
“But other countries are more cautious when it comes to China,” he said. Those countries “clearly hit a threshold saying: ‘Enough is enough. Even though we want to do business with you, if you keep doing economic espionage at this scale there are going to be consequences.’”
The United States and its allies are likely to push for more joint cybersecurity attributions against China and other nations in 2019, Carlin told me. The more important question, he said, will be whether the United States and allies can agree not just to name and shame Chinese hackers in 2019 but to actually impose consequences, such as levying harsh sanctions on Chinese companies.
“For China, when it comes to economic espionage, it’s purely a cost-benefit analysis,” Carlin said. “If you keep raising the costs, the rational decision on their part will be that it’s better to invest in research and development than in cyber-enabled espionage.”
Here are three other big cybersecurity stories you should be watching in 2019.
Sitting down at the negotiating table
Speaking of international cooperation, 2019 will also produce two parallel U.N. groups focused on setting international rules of the road in cyberspace — one sponsored by the U.S. and the U.K. among 30-some other nations and the other sponsored by Russia, China and North Korea among 20-some others.
It’s unlikely those groups will reach a grand bargain on the major issues bedeviling international cybersecurity, but the fact the United States and Russia are both still pushing for dialogue suggests there remains a chance for common ground.
In previous U.N.-led dialogues, the United States, Russia and other nations agreed to the broad contours of how international law should apply in cyberspace and endorsed norms of behavior, including that nations shouldn’t hack each other’s cyber emergency response units and shouldn’t intentionally destroy each other’s critical infrastructure. A 2017 round of meetings, however, ended in acrimony and with no additional agreements.
The 2019 dialogues should focus less on agreeing to new global cybersecurity norms and more on how to enforce the ones nations have already agreed to, Chris Painter, a former State Department cyber coordinator, told me
“If you constantly violate those norms and there are no consequences, those violations emphasize that the norms are not valuable,” Painter told me. “We have been bad at doing that next step of imposing costs on these bad actors.”
Election security: Round 2
Bipartisan support in the Senate, a Russian hacking and disinformation campaign that upended the 2016 election, and the threat of more hacking in 2018 weren’t enough to get an election security bill over the finish line this Congress.
With 2020 coming up and a new Democratic majority in the House, however, the chances for a successful election security bill in 2019 are much stronger, Rep. Jim Langevin (D-R.I.) told me.
The most important element of that bill should be a new infusion of cash for states and localities to upgrade their election systems and invest in cyber testing, said Langevin, who co-founded the Congressional Cybersecurity Caucus. It should also include minimum cybersecurity requirements that states must meet, he said, including an auditable paper trail for votes.
Congress did approve $380 million in new election security funds for states in 2018, but top Homeland Security officials have said that wouldn’t cover all the necessary upgrades.
The federal government, which assisted states and localities with election security in 2018, must also continue to help out with cyber audits and training in 2019, Michael Daniel, who was a White House cybersecurity coordinator during the Obama administration, told me.
“You want to maintain state and local control over elections because that’s an important part of the federalist structure," said Daniel, who now runs the Cyber Threat Alliance, a cybersecurity information sharing group. “But you need to enable the federal government to assist states and localities because expecting them to go up against a nation state by themselves is just silly.”
New attacks in 2019?
The coming year might also see new and more dangerous digital attacks, experts warned.
Suzanne Spaulding, a former top DHS cybersecurity official, pointed to 2018 reports that Russia hacked into a Ukrainian chlorine plant using a malware called VPNFilter. That malware is focused on stealing data but can also destroy computer systems — which would be particularly dangerous in a plant that processes toxic chemicals.
A hacking group has also recently used Shamoon, another destructive malware, to attack computers across the Arabian Peninsula, according to cybersecurity firms.
If Russia or another nation used a destructive cyberattack to intentionally leak hazardous materials capable of killing people, that would cross a new and dangerous line, Spaulding told me.
While Russia and other major cyber powers may not be brash enough to launch a deadly attack on the U.S. electric grid or another piece of critical infrastructure in 2019, a nation might demonstrate that it’s capable of doing so to send a message, Spaulding said.
“Some adversary will get in and they will do something to let us know that they’ve gotten in as a deterrent,” she said. “They won’t bring down the electric grid, but they might make it blink. It will be ambiguous enough to give plausible deniability, but it will say: You are, at least, vulnerable, so don’t interfere with what we want to do.”
Will a strong new California privacy law and bad behavior by big tech companies finally push congressional action on privacy in 2019? Will it compel regulatory agencies, including the Federal Trade Commission and the Securities and Exchange Commission, to go after more companies for privacy violations?
Dear Readers: The Cybersecurity 202 is taking a break for the holidays starting on Monday, Dec. 24. We will be back in your inboxes ready to go for 2019 on Jan. 7. Thanks for reading this past year and we hope you, your family and friends have a relaxing and happy holiday season and new year.
While we’re away, check out The Post’s new premier daily podcast, Post Reports. Unparalleled reporting. Expert insight. Clear analysis. Every weekday. Get new episodes online, to your email or in a podcast app: Apple Podcasts | Google Podcasts | Stitcher
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
PINGED: The indictment of the two Chinese hackers unveiled by DOJ Justice Department contains several details about hacking prosecutors said has gone on for 12 years. Prosecutors said Zhu and Zhang took part in two hacking campaigns. The first, which began around 2006, involved cybertheft of technology from U.S. government agencies and companies, according to the indictment. Hackers stole “hundreds of gigabytes of sensitive data” and targeted businesses in sectors such as aviation, satellites, pharmaceuticals, energy and communications. They also infiltrated the computers of more than 45 organizations in at least 12 states including California, New York and Texas.
In the second, Chinese hackers penetrated the networks of “managed service providers,” which handle the IT infrastructure of other businesses in an attempt to access the networks of their clients. That way, Chinese operatives were able to steal sensitive data from companies in at least 12 countries, according to the indictment. Their targets included financial businesses, telecoms, manufacturers, energy companies and others. Moreover, prosecutors said that the APT10 group stole information about more than 100,000 U.S. Navy personnel after compromising more than 40 computers.
PATCHED: Deputy Attorney General Rod J. Rosenstein said China is failing to uphold a commitment it made in 2015 not to engage in cybertheft for commercial gain. “We want China to cease its illegal cyber activities and honor its commitment to the international community, but the evidence suggests that China may not intend to abide by its promises,” Rosenstein said.
Sen. Mark R. Warner (D-Va.), the Senate Intelligence Committee's vice chairman, praised Rosenstein and DOJ for taking action. “DOJ’s recent moves to hold China accountable are important in exposing some of the threats posed by China as it attempts to pursue economic and technological dominance over the United States,” Warner said in a statement.
Yet some experts said the indictment may not deter Chinese President Xi Jinping, my colleagues Ellen and David reported. “Just as when the Obama administration did it, indicting a handful of Chinese agents out of the tens of thousands involved in economic espionage is necessary but not important,” Derek Scissors, a China analyst at the American Enterprise Institute, told my colleagues. “International denouncements may irritate Xi, but they place no real pressure on him.”
PWNED: Chinese hackers also accessed the networks of Hewlett Packard Enterprise (HPE) and IBM and then infiltrated the systems of their clients in a campaign called Cloudhopper, Reuters's Christopher Bing, Jack Stubbs and Joseph Menn reported. Hackers penetrated the networks of HPE and IBM “multiple times in breaches that lasted for weeks and months,” Reuters reported.
A senior intelligence official said compromising a managed service provider allows hackers to expand their reach. “By gaining access to an MSP, you can in many cases gain access to any one of their customers,” the official told Reuters. “Call it the Walmart approach: If I needed to get 30 different items for my shopping list, I could go to 15 different stores or I could go to the one that has everything.” Bing, Stubbs and Menn also reported that “IBM investigated an attack as recently as this summer, and HPE conducted a large breach investigation in early 2017."
— More cybersecurity news:
— Sen. Doug Jones (D-Ala.) wants an investigation into allegations that online disinformation tactics targeted his Republican opponent Roy Moore in his Senate contest, The Post’s Craig Timberg, Tony Romm, Aaron C. Davis and Elizabeth Dwoskin reported. “What is obvious now is that we have focused so much on Russia that we haven’t focused on the fact that people in this country could take the same playbook and do the same damn thing,” Jones said in a statement, as quoted by my colleagues. “I’d like to see the Federal Election Commission and the Justice Department look at this to see if there were any laws being violated and, if there were, prosecute those responsible.”
— Federal authorities are cracking down on DDoS-for-hire services. “Authorities in the United States this week brought criminal hacking charges against three men as part of an unprecedented, international takedown targeting 15 different ‘booter’ or ‘stresser’ sites — attack-for-hire services that helped paying customers launch tens of thousands of digital sieges capable of knocking Web sites and entire network providers offline,” according to Brian Krebs of KrebsOnSecurity.com. Krebs, a former reporter for The Post, wrote that such sites “are dangerous because they help lower the barriers to cybercrime, allowing even complete novices to launch sophisticated and crippling attacks with the click of a button.”
— More cybersecurity news from the public sector:
— Russian trolls posed as a Los Angeles-based startup and sought to convince U.S. business owners to purchase their online marketing services, according to the Wall Street Journal's Shelby Holliday and Rob Barry. The startup was called Your Digital Face and part of a broader Russian online effort to sow discord among the American electorate. “The group recruited American business owners as customers, and for a monthly fee, promised to post snappy marketing content on the business owner’s social-media pages and score them thousands of new followers,” Holliday and Barry reported. “Their main contact was a man who claimed to be named Yan Big Davis, the business owners told the Journal.”
— As Bangladesh approaches general elections, Facebook took down nine pages and six accounts that were controlled by people tied to the country's government and engaged in “coordinated inauthentic behavior” on the social network, Nathaniel Gleicher, head of cybersecurity policy at Facebook, said in a news release. The pages resembled legitimate, independent news outlets but posted content that favored Bangladesh's government and decried the opposition, according to Facebook.
“This kind of behavior is not allowed on Facebook under our misrepresentation policy because we don’t want people or organizations creating networks of accounts to mislead others about who they are, or what they’re doing,” Gleicher said. About 11,900 users followed at least one of the pages that Facebook took down.
— More cybersecurity news from abroad:
- The Center for Strategic and International Studies hosts a discussion on the Justice Department's responses to cyber threats on Jan. 15, 2019.
Mattis to leave administration in February:
Travelers stranded at British airport after reports of drones:
Christmas treats for gorillas, lions and camels at London Zoo: