The Trump administration ratcheted up its campaign against Chinese hacking operations Thursday, unsealing indictments against two hackers for a massive 2015 breach of the health insurer Anthem that compromised the personal information of 78 million people.
The Justice Department's charges against members of a “sophisticated China-based hacking group” are the latest in an unprecedented string of hacking charges against Chinese spies and cybercriminals for compromising government agencies, tech companies, manufacturing firms and other targets.
The Trump administration has lobbed four rounds of indictments at Chinese hackers for sophisticated cybercrimes in just the past 18 months — more than at hackers from any other nation — a pace clearly designed to send a stark message to Beijing to curtail its aggressiveness in cyberspace.
That’s a dramatic quickening of pace from the Obama administration, which indicted Chinese hackers just once, in 2014, a move that was seen as a shot across the bow at Beijing and even helped produce a brief lull in Chinese IP theft.
“The Chinese thought they could get away with anything,” Jim Lewis, a former Commerce Department cybersecurity official, told me. “This is part of a larger administration strategy to be more aggressive and assertive … to find and make public Chinese hackers and punish them for their activities.”
The Trump administration's aggressiveness on this front -- notably, announcing the charges as the United States and China are engaged in high-stakes trade negotiations -- shows how far the tactic of using indictments to deter nation-state hackers has come since it began under Barack Obama.
Those 2014 indictments against five members of China's People's Liberation Army were the first of their kind. Indictments since then have been accompanied by a pressure campaign from administration officials, including coordinated naming and shaming campaigns with other nations for Chinese hacking operations against government agencies. Trump administration officials have consistently signaled that curtailing Chinese digital espionage and intellectual property theft is among their highest cyberspace priorities.
“There’s been a shift over the last six years to treat these issues with China much more seriously and to use all the tools at our disposal, including law enforcement,” Chris Painter, State Department cyber coordinator during the Obama administration, told me.
Yet indictments and tough talk have done little to change the pace of Chinese hacking, and the Trump administration has struggled to impose consequences serious enough that Beijing will pay attention.
The alleged Anthem hackers — one named Fujie Wang and another whose name officials don’t know — are unlikely to ever come to the United States to face trial.
“Indictments are a useful step for pushing back and imposing consequences,” said Lewis, who directs the technology policy program at the Center for Strategic and International Studies. “It’s what [the Justice Department] can do and it’s a good place to start. But I think [Justice officials] would agree it’s not enough.”
Prosecutors described the Anthem hack in a news release as “brazen,” a “wanton violation of privacy” and “one of the worst data breaches in history.” The alleged hackers also compromised three other large U.S. companies in three industry sectors, the indictment states.
Cyber experts previously speculated that the Anthem breach wasn’t aimed simply at stealing individual Americans’ personal information but was part of a broader scheme to combine information from different breaches to identify intelligence agents and top government officials who might be vulnerable to blackmail.
That seemed particularly likely because of apparent links between the Chinese hacking group behind the Anthem breach and the group behind the 2015 Office of Personnel Management hack, which compromised sensitive security clearance information about more than 20 million current and former U.S. government employees.
Thursday’s indictment does not outline such a plan — but it also doesn’t state that the information stolen by the hackers was ever sold or used for identity theft as purely criminal hackers would do.
The indictment also does not say whether the hackers were working on behalf of the Chinese government or on their own.
PINGED: The Federal Communications Commission blocked the Chinese-state owned telecom China Mobile from operating in the United States on Thursday, citing digital spying concerns, my colleague Tony Romm reported.
The move comes as the Trump administration is mulling a much more serious executive order barring Huawei from the United States’ next-generation 5G networks and urging allies to do the same.
“Since 2011, China Mobile has sought federal permission to provide services connecting phone calls between people in the United States and other countries, operating as a critical nexus for international phone traffic,” Tony reported.
“But Republican FCC Chairman Ajit Pai charged that the firm is 'owned and controlled by the Chinese government,' a tie that raised a 'significant risk' that authorities there could 'conduct activities that would seriously jeopardize the national security, law enforcement and economic interests of the United States,'" according to Tony.
“The agency's Republicans and Democrats largely agreed, and some encouraged the FCC to take additional, future steps to block Chinese-tied telecom giants from operating in the United States or selling their equipment here,” Tony reported.
The move came the same day bipartisan leaders of the House Energy and Commerce Committee wrote a letter to Pai urging the FCC to more closely examine 5G security.
PATCHED: A government auditor recommended Thursday that Congress consider giving the IRS authority to mandate minimum cybersecurity requirements for online tax filing services such as TurboTax.
About 90 percent of tax filers use online tax preparation and filing services, but right now there are no mandates for how those services have to secure customers’ tax information before it reaches the IRS, according to the Government Accountability Office report.
There are about 15 online filing services that follow voluntary standards, but that only accounts for about one-third of all taxpayers, GAO said. And the voluntary cybersecurity and privacy standards that IRS shares with tax preparation services are partly out of date, the report states.
GAO has previously urged Congress to allow IRS to increase oversight of online tax preparers, but the recommendation hasn't gained traction in Congress. This is the first GAO report to specifically focus on the preparers' cybersecurity.
PWNED: Experts are studying 2020 presidential candidates’ unique mannerisms to help guard against U.S. adversaries spreading extremely realistic-looking but phony videos of them known as deepfakes, The Hill’s Olivia Beavers reported.
“What we've been doing is building what we call soft biometric models for all of the presidential candidates,” Hany Farid, a digital forensics expert at the University of California, Berkeley, said, according to the Hill. “We've been analyzing hours and hours of…videos, and we've been doing this for Joe Biden and Elizabeth Warren and all of the candidates.”
Farid hopes his team can help journalists truth squad deepfake videos of candidates if and when they do emerge -- and dull any impact they have on the electorate.
Farid pointed to one of the most popular examples of a deepfake video, created by Buzzfeed, in which the director and comedian Jordan Peele provides the voice for a lifelike video of former President Barack Obama saying some very un-Obama-like things.
“[There is a] link between what Obama says and how he says it, and we build what we call soft biometrics that we then can [use to] analyze a deepfake and say, ‘Oh, in that video, the mouth, which is synthesized to be consistent with Jordan Peele's voice, is in some ways decoupled from the rest of the head. It's physically not correct,'” Farid said.
The Federal Election Commission hit another roadblock Thursday as it considers whether to allow a non-profit to provide free cybersecurity services to presidential and congressional campaigns that might be targeted by Russian hackers.
The request has been delayed several times since October. The hang-up this time was that the group Defending Digital Campaigns, which is co-led by Hillary Clinton’s 2016 campaign manager Robby Mook and Mitt Romney’s 2012 campaign manager Matt Rhoades, wants to fund its work partly with donations from corporations.
Lawyers for the former campaign managers said the group wanted to be as transparent as possible about its donors, but FEC Chair Ellen L. Weintraub said she worried the setup would allow companies to surreptitiously influence lawmakers.
Commissioners have broadly agreed to support the cybersecurity request but squabbled over the details. They agreed during Thursday’s hearing to draft a new advisory opinion drawing tighter boundaries around what donations Defending Digital Campaigns can accept.
“I think that everyone agrees what you are trying to do is a worthwhile endeavor. The question is how to work it into our legal framework,” Weintraub said.