THE KEY

SAN FRANCISCO – China’s eating our lunch in cyberspace.

That’s the unified message NSA, FBI and Homeland Security Department officials brought to the RSA cybersecurity conference this week.

During keynote addresses, panel discussions and press conferences Tuesday, they were laser-focused on the digital security threat China poses to the U.S., describing it as more complex and damaging than any posed by other digital adversaries.

“I kind of look at Russia as the hurricane. It comes in fast and hard,” Rob Joyce, NSA’s senior cybersecurity adviser and former White House cybersecurity coordinator, told reporters. China, on the other hand, “is climate change: long, slow, pervasive.”

Chris Krebs, director of DHS’s Cybersecurity and Infrastructure Security Agency, backed up that assessment.

“Russia’s trying to disrupt the system,” he said, but “China’s trying to manipulate the system to its ultimate long-term advantage.” Combating Chinese digital espionage will be one of four major focus areas for CISA during the next 18 months, he said.

The intense focus on China at one of the country’s largest cybersecurity conferences was striking as much of the cybersecurity talk in Washington political circles remains focused on Russia. It was also notable heading into 2020 as Moscow’s hacking operations against Democratic political targets helped sow chaos during the 2016 elections – and after a drumbeat of indictments in the last year against government-linked hackers from not just China but also Russia, Iran and North Korea.

Yet U.S. officials seemed united in their assessment that while attacks from those nations may be damaging in the short-run, the long-term financial damage of China stealing U.S. companies’ trade secrets and intellectual property will be devastating.

When moderator Susan Hennessey, editor of the Lawfare blog, asked FBI Director Chris Wray if the government might be over emphasizing China’s digital threat, Wray responded that – if anything – government had historically under-emphasized it.

“There is nothing like it,” Wray said. “I’m not somebody who is prone to hyperbole, but of all the things that surprised me when I came back into this world, the thing that most shocked me was the breadth, the depth, the scale of the Chinese counterintelligence threat.”

The singular focus on China didn’t make sense to all of the industry leaders at RSA, however.

Crowdstrike President Shawn Henry told me he agreed that China is the greatest threat to U.S. financial cybersecurity but warned that a cyberattack from Russia – which has a track record of destroying systems and data rather than just stealing them – could produce far broader damage.

“The theft of data will have a significant economic impact. A destructive attack can have a significant threat to life,” said Henry, a former FBI executive assistant director.  

The messaging campaign about Chinese hacking may actually have an impact on Chinese leaders, Ryan Gillis, vice president for cybersecurity strategy at Palo Alto Networks and a former DHS official, told me.

Unlike Russia, which seem largely immune to public shaming, China has historically bristled when U.S. officials publicly accuse it of hacking, Gillis said. He noted that a similar public shaming campaign – and the threat of sanctions – were widely credited with pushing Chinese President XI Jinping to sign a 2015 no-commercial hacking agreement with the Obama administration.

China sharply reduced its commercial hacking after that agreement, but it has ramped up again during the Trump administration.

“China does want to be a leader in the international community, so that pressure and the unity of the message is an important thing right now,” Gillis told me.

The message was also well targeted to the industry-heavy audience at RSA.

A lot of China’s hacking involves exploiting very simple vulnerabilities that companies could protect against but don’t – either because they don’t understand their digital weaknesses or haven’t made cybersecurity a priority.

Krebs spent a lot of time at RSA urging cybersecurity industry pros to help companies do the simple security work to make Chinese hacking more difficult.

“The majority of the times they’re getting in, its just basic, basic stuff,” he said.

PINGED, PATCHED, PWNED

PINGED: Krebs also announced that DHS is launching a “strategic risk assessment” of cybersecurity threats to next-generation 5G telecommunication networks during his RSA speech. The assessment is focused on identifying the greatest threats to 5G and how hackers might exploit them, he said — not the threat posed specifically by Huawei, which is eager to build portions of the network.

Krebs’ agency is also revamping the automated feed of cyber threat information it shares with industry and which companies and auditors have criticized for focusing on volume of threat information over context. Within a few months, the agency plans to begin providing more context about digital threats and flagging ones that might come from nation-states, Krebs said.

Krebs also outlined CISA’s priorities for the next 18 months:

  1. The threat posed by China to 5G and elsewhere.
  2. Improving the security of federal networks.
  3. Improving the security of critical infrastructure, especially the industrial controls systems that manage the operations of everything from oil refineries to dams.
  4. Securing the 2020 election.

PATCHED: The Trump administration should permanently end a controversial NSA anti-terrorism program analyzing Americans' call records, Sen. Ron Wyden (D-Ore.) said. Wyden's statement came a day after the New York Times reported that the NSA had quietly stopped using the program.  Wyden said that while he could not comment on classified matters, “it is increasingly clear to me that the NSA’s implementation of reforms to the phone records dragnet has been fundamentally flawed.” 

Wyden, who sits on the Senate Intelligence Committee, said Congress should decline to reauthorize the phone records program this year. “Today, the NSA owes the American people an explanation of where things stand,” he said. “I will not stop pushing Congress and intelligence leaders to be straight with the American people and end unnecessary surveillance that violates our constitutional freedoms without keeping us any safer.”

PWNED: Russian lawmakers are pushing a bill that would tighten government control over the country's Internet traffic, Bloomberg News's Ilya Khrennikov and Stepan Kravchenko reported. Russian President Vladimir Putin has said the law would help Russia defend itself against a new U.S. policy of loosening restrictions on offensive cyber operations against Washington's adversaries. “The more sovereignty we have, including in the digital field, the better. This is a very important area,” Putin said last month, according to Bloomberg News.

The legislation, known as “Sovereign Internet,” would create a system that could enable regulators to block or reroute traffic. That would involve “installing special boxes with tracking software at the thousands of exchange points that link Russia to the wider web,” Khrennikov and Kravchenko reported. But experts say the draft law chiefly aims to prevent political unrest. “Russia is moving in a similar direction as China,” Rongbin Han, a professor of international affairs at the University of Georgia, told Bloomberg News. “You don’t necessarily need to shut down the entire internet to quash political dissent. It’s smarter just to filter online content.” 

PUBLIC KEY

-- In a rare show of transparency from the ultra-secretive spy agency, the NSA gave the first public demonstration of Ghidra at RSA. The formerly-internal cybersecurity tool the agency uses to "decompile" software basically transforms it from something a computer reads to something a human can read. Here's an explanation of the tool from Wired’s Lily Hay Newman.

— U.S. Transportation Command doesn't help out its industry partners by war gaming cyberattacks to test their defenses, Gen. Steve Lyons told lawmakers. The command does, however,  work closely with those companies to ensure their cybersecurity is improving, Lyons told  Sen. Angus King (I-Maine) during a Senate Armed Services Committee hearing. King urged Lyons to consider carrying out those simulated cyberattacks to help improve contractors'  defenses. “In other areas of the government that's been very effective. It has a way of waking people up when a skull and crossbones appears on the CEO's computer,” King said

— More cybersecurity news from the public sector:

Partnerships with private industry are one way FBI Director Christopher Wray sees law enforcement uncovering the information it needs.
Fifth Domain
Recipients also are being pressured for money to avoid arrest.
Nextgov
PRIVATE KEY

— Security researchers for Symantec identified a cyber espionage group that has attacked several Singapore-based organizations since at least 2017. The group, which researchers dubbed Whitefly, focuses on stealing vasts amounts of sensitive data, according to a report released today by Symantec's Attack Investigations Team. Whitefly stole about 1.5 million patient records in a cyberattack against Singapore's biggest public health-care organization last year, the report said.

Aside from the health-care sector, the hacking group has also targeted media, telecommunications and engineering organizations. “Whitefly usually attempts to remain within a targeted organization for long periods of time—often months—in order to steal large volumes of information,” researchers wrote.

— A Trend Micro cybersecurity expert asked colleagues to try to hack his own smart home in Germany as part of a research project, CyberScoop's Sean Lyngaas reported. “They quickly discovered that not only was the system susceptible to manipulation, but it was also ill-equipped to detect it,” according to CyberScoop. “The owner of the home found himself moving from room to room, trying to figure out why his lights and window blinds weren’t working.”

— More cybersecurity news from the private sector:

McAfee's Steve Grobman and Celeste Fralick showed in a keynote speech at RSA that deepfakes can be used to craft visuals that didn't happen.
VentureBeat
Coinbase acquired Neutrino in February, sparking a #DeleteCoinbase campaign in protest.
Motherboard
A new Mac security service called GamePlan uses a system's own indicators, and some videogame magic, to keep a lookout.
Wired
SECURITY FAILS
A survey suggests risks have risen substantially over the last five years, but cyber professionals still feel agencies are doing a good job in IT security.
Nextgov
THE NEW WILD WEST

— A new Huawei cybersecurity center in Brussels isn't doing much to temper European Union regulators' concerns about the company and its possible links to Chinese spying, the Wall Street Journal's Valentina Pop reported. The day the center opened, European Commission Vice President Andrus Ansip, met Huawei Deputy Chairman Ken Hu and spoke about “legitimate security concerns that need to be addressed,” the Journal reported. If the Commission launches a broader review  it "could effectively halt the sales of Huawei gear in Europe," the Journal reported. American officials have sought to convince foreign allies to keep Huawei out of their 5G networks over concerns about potential Chinese spying. 

— More cybersecurity news from abroad:

Intelligence officials backed by interior, foreign ministries
Bloomberg News
European Union President Donald Tusk warned that “external forces” could be trying to influence the EU’s legislative elections in May, saying such interference happened “openly or secretly” in the Brexit referendum and other votes in Europe.
Bloomberg News
A Portuguese man linked to the publication of internal documents that embarrassed top European clubs and soccer officials in the Football Leaks case will be extradited to his home country, a Hungarian court ruled Tuesday.
Associated Press
ZERO DAYBOOK

Today:

Coming soon:

EASTER EGGS

Why the public may never see the Mueller report:

The looming showdown over executive privilege:

Melania Trump addresses nation's opioid crisis in Las Vegas town hall: