If he’s confirmed as attorney general next week, William P. Barr will face a complex set of cybersecurity challenges that were unheard of the last time he served as the nation’s top law enforcement officer during the George H.W. Bush administration — and China tops the list.
Chinese hacking, which has cost the U.S. economy hundreds of billions of dollars, has surged during the Trump administration. It’s almost certain that the Justice Department is preparing additional indictments against Chinese government-linked hackers -- and Barr will play a leading role if confirmed, former officials tell me.
Barr, whose nomination the Senate Judiciary Committee forwarded on a party-line vote Thursday, will also be a key player in complex negotiations across government about how to ramp up pressure on China to reduce its digital spying campaign against U.S. companies.
“Given the scale of Chinese commercial espionage, that’s going to be a clear priority and I wouldn’t be surprised to see Justice doing much more to respond to it,” Robert Chesney, a former Justice Department official who teaches at the University of Texas Law School, told me.
Barr is aware of the challenge ahead: He identified China as the United States’ “paramount economic and military rival” during his confirmation hearing in January and charged that China’s rise was fueled largely by technology stolen from U.S. companies.
Barr told senators he plans to continue an initiative that Attorney General Jeff Sessions launched in November aimed at identifying Chinese trade theft cases at U.S. attorney’s offices across the nation, ensuring they have enough resources and “that we bring them to an appropriate conclusion quickly and effectively.”
Barr will also take the Justice Department reins at a precarious time for Trump administration efforts against Chinese hacking, Stewart Baker, a former official at the National Security Agency and Homeland Security Department, told me.
Indictments have been the Trump administration’s favorite tool to punish Chinese hackers — targeting about a dozen of them in the past year. But those indictments, which are largely symbolic because the hackers are unlikely to be tried in a U.S. court, have done little to stem the tide of Chinese commercial espionage.
Trump pledged in his State of the Union address Tuesday that he is “making it clear to China that after years of targeting our industries and stealing our intellectual property, the theft of American jobs and wealth has come to an end.” That will put pressure on Barr and other officials to bring something more than simply symbolic indictments to the table, Baker told me.
“If you bring one indictment, everyone reads it closely and is amazed and outraged and it can have a significant impact. The second one a little less so,” Baker said. “At some point, when you’re naming and shaming but failing to do anything else, prosecution begins to look more like weakness than strength.”
Barr will face numerous other cyber challenges if confirmed, including punishing digital efforts to compromise the 2020 election and combating the rising tide of identity theft and credit card fraud.
Here are three big ones:
1. Going dark again
FBI and Justice Department officials have maintained since 2014 that consumer encryption technology allows terrorists to recruit and plan operations outside law enforcement’s view.
The government hasn’t made any significant pushes against encryption, however, since a 2016 legal battle between the FBI and Apple over an encrypted iPhone used by San Bernardino, Calif., shooter Syed Farook. That case ended without any helpful legal precedent for the government, but the Justice Department could try again if the right case presented itself.
“It’s always there and it’s always a challenge for DOJ,” a former Justice official told me. “The question is, when does a policymaker say, ‘I want to make this an issue?' "
2. Playing nice with DHS
The Justice Department and the FBI are also still ironing out how they divide up responsibilities when it comes to responding to major data breaches and other cyber strikes that hit U.S. companies, Baker told me.
That means Barr will have to work closely with DHS Secretary Kirstjen Nielsen on cyber issues, Baker said, especially as the agencies cooperate on new ways to combat Chinese hacking.
3. Privacy and data breaches
Finally, the Justice Department is sure to be dragged into twin legislative pushes to rein in the personal information that social media companies can collect and share about customers and to create a national standard for when companies must notify customers about a data breach, Michael Vatis, a former Justice Department and FBI official, told me.
There's debate over whether these national laws should preempt states' laws as businesses prefer, or should merely be a baseline, as activists prefer.
Barr’s experience as a corporate attorney, including as general counsel for Verizon, is likely to make him sympathetic to the corporate position, Vatis told me.
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
PINGED: President Trump could sign an executive order next week to ban Chinese telecommunications equipment from American wireless networks as his administration continues to warn foreign allies against allowing Huawei to build their 5G networks, Politico's Eric Geller reported. The Trump administration is planning to issue the executive order before MWC Barcelona, a mobile industry conference that is scheduled for Feb. 25 through 28. “By preempting MWC, the world’s largest conference for the wireless industry, the White House hopes to send a signal that future contracts for cutting-edge technology must prioritize cybersecurity,” according to Politico.
U.S. officials have said Huawei equipment could be used as a platform for Chinese spying and have also warned about ZTE, another Chinese telecommunications company. Garrett Marquis, a spokesman for the National Security Council, told Politico that the United States is “working across government and with our allies and like-minded partners to mitigate risk in the deployment of 5G and other communications infrastructure.” (I wrote about the U.S. government's warnings about Chinese telecommunications firms in yesterday's Cybersecurity 202.)
PATCHED: Sens. Gary Peters (D-Mich.) and John Hoeven (R-N.D.) reintroduced a bipartisan bill to help federal cybersecurity workers develop their skills as the government struggles to retain cyber professionals. The bill, titled Federal Rotational Cyber Workforce Program Act, would allow civilian cybersecurity workers at one federal agency to work temporarily at another agency to diversify their experience. Peters, the ranking Democrat on the Senate Homeland Security Committee, said in a statement that the legislation would “help ensure that the federal government has the skilled workforce in place to combat emerging threats and help federal employees cultivate new skills and expertise.”
Committee Chairman Ron Johnson (R-Wis.), who's also sponsoring the bill, told me last month that passing it is one of his main priorities this Congress, along with other efforts to improve the federal government's ability to retain and recruit cybersecurity professionals.
PWNED: A bipartisan pair of senators wants the Department of Homeland Security to scrutinize foreign-made virtual private networks and other apps that foreign governments could use for surveillance. Sens. Marco Rubio (R-Fla.) and Ron Wyden (D-Ore.) asked Cybersecurity and Infrastructure Security Agency Director Christopher Krebs in a letter to investigate those apps to determine whether they threaten national security, saying they could expose the browsing data of federal employees who use them. “Because these foreign apps transmit users’ web-browsing data to servers located in or controlled by countries that have an interest in targeting U.S. government employees, their use raises the risk that user data will be surveilled by those foreign governments,” the senators said.
Rubio and Wyden also asked Krebs to ban those apps from federal government phones and computers if the agency determines that they threaten U.S. national security. Given previous warnings by the U.S. government about the Russian cybersecurity firm Kaspersky Lab and Chinese telecommunications companies, DHS should also be wary of foreign-made mobile apps, according to the senators. “If U.S. intelligence experts believe Beijing and Moscow are leveraging Chinese and Russian-made technology to surveil Americans, surely DHS should also be concerned about Americans sending their web browsing data directly to China and Russia,” Rubio and Wyden said.
— Krebs, whose agency is also tasked with helping prevent attempts to interfere in U.S. elections, will appear before the House Homeland Security Committee on Tuesday for a public hearing on election security. “Election security should not be a partisan issue, but Congress has done far too little to prevent foreign election meddling after Russia interfered in the 2016 election,” Rep. Bennie Thompson (D-Miss.), the committee's chairman, said in a statement. U.S. Election Assistance Commission Chairman Thomas Hicks and California Secretary of State Alex Padilla are among the witnesses who are set to appear before the committee.
— The Democratic National Committee's cybersecurity team has not contacted the campaign operations of 2020 hopefuls because of new rules requiring DNC staffers to remain neutral and not favor any candidate over another, Ruby Cramer and Kevin Collier reported for BuzzFeed News. “We’re not reaching out directly,” a DNC official told BuzzFeed News, “because that could show partiality if people aren’t getting the same attention. Hopefully we can send up the flare.” However, the DNC has published a video on YouTube about basic online security measures.
— More cybersecurity news from the public sector:
— Apple said apps that record their users' interactions such as swipes or taps must stop doing so or disclose the practice, TechCrunch's Zack Whittaker reported. The apps could be removed from Apple's App Store if they fail to do so. “It follows an investigation by TechCrunch that revealed major companies, like Expedia, Hollister and Hotels.com, were using a third-party analytics tool to record every tap and swipe inside the app,” Whittaker wrote. “We found that none of the apps we tested asked the user for permission, and none of the companies said in their privacy policies that they were recording a user’s app activity.”
— Apple also fixed a vulnerability in FaceTime that was reported by a teenager and said it found and patched another flaw affecting FaceTime's Live Photos feature, the Wall Street Journal's Robert McMillan reported. “We again apologize to our customers and we thank them for their patience,” Apple said, according to CNBC's Todd Haselton. “In addition to addressing the bug that was reported, our team conducted a thorough security audit of the FaceTime service and made additional updates to both the FaceTime app and server to improve security.” The company said that it will pay 14-year-old Grant Thompson of Arizona for reporting the vulnerability, according to the Journal.
— Microsoft is expanding its efforts to protect political groups and elections against cyberattacks to Canada, the Hill's Jacqueline Thomsen reported. “AccountGuard, which is included in Microsoft’s Defending Democracy program, is now available to think tanks, political groups and candidates, the president of Microsoft Canada Kevin Peesker wrote in a post,” the Hill reported. “The program offers free cybersecurity protections for users with existing Microsoft Office 365 products, including monitoring for potential hacking attempts by nation-state actors.”
— More cybersecurity news from abroad:
- House Homeland Security Committee hearing on election security on Feb. 12.
- The Center for Strategic and International Studies holds an event on digital surveillance on Feb. 13.
Freshman Democrats say they will not fund Trump’s immigration agenda:
How Trump talks about his faith: