CrowdStrike’s Own Announcement Makes It Clear It Doesn’t Have Proof of Ongoing Chinese Economic Cyberattacks

Many many many outlets are reporting that China has continued conducting economic espionage even after Xi Jinping agreed to stop doing it. They base that claim on this post from CrowdStrike, a big cybersecurity contractor that spends a lot of time feeding the press scary stories about hacking.

Here’s the proof they offer:

Over the last three weeks, CrowdStrike Falcon platform has detected and prevented a number of intrusions into our customers’ systems from actors we have affiliated with the Chinese government. Seven of the companies are firms in the Technology or Pharmaceuticals sectors, where the primary benefit of the intrusions seems clearly aligned to facilitate theft of intellectual property and trade secrets, rather than to conduct traditional national-security related intelligence collection which the Cyber agreement does not prohibit.

[snip]

In addition to preventing these intrusions, the CrowdStrike Falcon platform also provided full visibility into every tool, command and technique used by the adversary. This allowed us to determine that the hackers saw no need to change their usual tradecraft or previously used infrastructure in an attempt to throw off their scent.

They include a timeline showing 9 attempted intrusions into Tech Sector companies, and 2 into Pharma companies, since Xi and President Obama signed the hacking agreement.

Now, even assuming that CrowdStrike has accurately labeled these Chinese government hackers (CrowdStrike’s CTO was less confident in an interview with Motherboard) this still is not proof that China has violated the agreement.

After all, the key part of the agreement is on how stolen information gets used — whether it gets used to benefit individual companies or even entire sectors (the latter of which we do in our own spying, but never mind). If CrowdStrike prevented any data from being stolen, then it is impossible to assert that it was being stolen to benefit market actors without more evidence that the hackers were tasked by a market actor. Even the indictment everyone points to as proof that China engages in economic espionage did not allege that the People’s Liberation Army had shared the data involved in the single economic espionage charge with private sector companies, and given that the data in question pertained to nuclear technology, it’s not something that is proven just because it was stolen in the context of an ongoing relationship with the victim (even if that is a logical presumption to make).

The same is true here. When China hacked Google to spy on dissidents, that was clearly national security spying. When the US hacked Huawei to figure out how to backdoor its equipment, that was clearly national security spying. When the US used Microsoft and Siemens products to carry out Stuxnet, the tech companies were merely enabling targets. There are too many reasons to hack tech sector companies for solidly national security purposes to claim, just based on the sector itself, that it was done for economic espionage.

You can’t even point to the 2 Pharma intrusions to make the claim. A list of sites the State Department identified as critical infrastructure from a leaked 2009 cable includes over 25 pharmaceutical sites (including animal Pharma), many of them related to vaccines. If we’re treating pharmaceutical supply and research facilities as critical infrastructure, with the presumed consequent defensive surveillance of those sites, it is tough to argue the Chinese can’t consider our pharmaceutical companies making key drugs to be critical targets. Both can be argued to stem from the same public health concerns.

I’m not saying it’s impossible or even unlikely that these intrusions were attempted economic espionage. I’m saying that this isn’t evidence of it, and that the reporting repeating this claim has been far too credulous.

But that also points to one of the inherent problems with this deal (one pointed to by many people at the time). When last he testified on the subject, Jim Clapper didn’t even claim to have fully attributed the OPM hack. The same attribution and use problems exist here. China may steal data on an important new drug, but that’s not going to be enough to prove they stole it for commercial gain until they release their own copycat of the drug in several years and use it to undercut the US company’s product, and even then that may require a lot more data — collected by spying! — from inside the market companies themselves (in part because China engages in many other means of stealing data which aren’t the subject of a special agreement, which will make even the copycat instance hard to prove came from an intrusion).

China knew that, too, when it signed the agreement. It will take more than evidence of 11 attempted intrusions to prove that China is violating the agreement.

The Financial Services Roundtable Wants to Terrify You into Giving Them More Immunity

The policy discussion about the many ways that the Cyber Information Sharing Act not only doesn’t do much to prevent the hacking of public and private networks, but in key ways will make it worse, must be making its mark. Because the Financial Services Roundtable, one of the key corporatist groups backing the bill, released this YouTube full of scary warnings but absolutely zero explanation about what CISA might do to increase cybersecurity.

Indeed, the YouTube is so context free, it doesn’t note that Susan Collins, the first person who appears in the video, has called for mandatory reporting from some sectors (notably, aviation), which is not covered in the bill and might be thwarted by the bill. Nor does it mention that the agency of the second person that appears in the video, Department of Homeland Security Secretary Jeh Johnson, has raised concerns about the complexity of the scheme set up in CISA, not to mention privacy concerns. It doesn’t note that the third person shown, House Homeland Security Chair Michael McCaul, favored an approach that more narrowly targeted the information being shared and reinforced the existing DHS structure with his committee’s bill.

Instead of that discussion … “Death, destruction, and devastation!” “Another organization being hacked!” “Costing jobs!” “One half of America affected!” “What is it going to take to do something?!?!?!”

All that fearmongering and only one mention of the phrase “information sharing,” much less a discussion of what the bill in question really does.

In August, the head of the FSR, Tim Pawlenty, was more honest about what this bill does and why his banks like it so much: because it would help to hide corporate negligence.

“If I think you’ve attacked me and I turn that information over to the government, is that going to be subject to the Freedom of Information Act?” he said, highlighting a major issue for senators concerned about privacy.

“If so, are the trial lawyers going to get it and sue my company for negligent maintenance of data or cyber defenses?” Pawlenty continued. “Are my regulators going to get it and come back and throw me in jail, or fine me or sanction me? Is the public going to have access to it? Are my competitors going to have access to it? Are they going to be able to see my proprietary cyber systems in a way that will give up competitive advantage?”

That is, the banks want to share information with the government so it can help those private corporations protect themselves (without paying for it, really, since banks do so well at dodging taxes), without any responsibility or consequences in return. “Are my regulators going to get [information about how banks got attacked] and come back and throw me in jail, or fine me, or sanction me?” the banks’ paid lobbyist worries. As the author of this bill confirmed last week, this bill will undercut regulators’ authority in case of corporate neglect.

The example of banks dodging responsibility in the past — possibly aided by a similar (albeit more rigorous) information sharing regime under the Bank Secrecy Act — provides all the evidence for how stupid this bill would be. We need corporations to start bearing liability for outright negligence. And this bill provides several ways for them to avoid such liability.

Don’t succumb to bankster-incited fear. America will be less safe if you do.

The Tech Industry Worries CISA Will Allow Other Companies to Damage Their Infrastructure

The Computer and Communications Industry Association — a trade organization that represents Internet, social media, and even some telecom companies — came out yesterday against the Cyber Intelligence Sharing Act, an information sharing bill that not only wouldn’t be very useful in protecting against hacking, but might have really dangerous unintended consequences, such as gutting regulatory authority over network security negligence (though the Chamber of Commerce, this bill’s biggest backer, may not consider it an unintended consequence).

Most coverage of this decision emphasizes CCIA’s concern about the bill’s danger to privacy.

CISA’s prescribed mechanism for sharing of cyber threat information does not sufficiently protect users’ privacy or appropriately limit the permissible uses of information shared with the government.

But I’m far more interested in CCIA’s stated concern that the bill, in authorizing defensive measures, would permit actions that would damage the Internet’s infrastructure (to which a number of these companies contribute).

In addition, the bill authorizes entities to employ network defense measures that might cause collateral harm to the systems of innocent third parties.

[snip]

But such a system … must not enable activities that might actively destabilize the infrastructure the bill aims to protect.

At least some of the companies that make up our Internet ecosystem think that some other companies, in aggressively pursuing perceived intruders to their systems, will do real damage to the Internet as a whole.

It seems like a worthy concern. And yet the Senate runs headlong towards passing this bill anyway.

Time to Get VERY Concerned about CISA Gutting Governmental Leverage on Corporations over Cyber

Back in August, I wrote a post wondering whether the following clause in the Cyber Intelligence Sharing Act would provide a way for corporations to avoid any government action punishing them for their negligence on cybersecurity.

(D) FEDERAL REGULATORY AUTHORITY.—

(i) IN GENERAL.—Except as provided in clause (ii), cyber threat indicators and defensive measures provided to the Federal Government under this Act shall not be directly used by any Federal, State, tribal, or local government to regulate, including an enforcement action, the lawful activities of any entity, including activities relating to monitoring, operating defensive measures, or sharing cyber threat indicators.

(ii) EXCEPTIONS.—

(I) REGULATORY AUTHORITY SPECIFICALLY RELATING TO PREVENTION OR MITIGATION OF CYBERSECURITY THREATS.—Cyber threat indicators and defensive measures provided to the Federal Government under this Act may, consistent with Federal or State regulatory authority specifically relating to the prevention or mitigation of cybersecurity threats to information systems, inform the development or implementation of regulations relating to such information systems.

(II) PROCEDURES DEVELOPED AND IMPLEMENTED UNDER THIS ACT.—Clause (i) shall not apply to procedures developed and implemented under this Act.

My worry was that a serial hacking target like Wyndham — or even just a company with sloppy security like GM — could immediately share information on a hack (or even a vulnerability identified by a security researcher that technically violated a company’s DMCA rights) with the government, and in doing so avoid any further action from the government on that point.

Something similar appears to happen with the Bank Secrecy Act: banks share information and therefore limit their liability for money laundering or supporting terrorists or what have you.

If my concern is correct, it would provide companies that chose not to fix vulnerabilities a way to avoid NHTSA-required recalls or FTC lawsuits.

At Computers Freedom and Privacy, I asked the author of CISA, Senate Intelligence staffer Josh Alexander, about the clause.

His only response was to point to this language permitting disclosure of information.

(a) Otherwise Lawful Disclosures.—Nothing in this Act shall be construed—

(1) to limit or prohibit otherwise lawful disclosures of communications, records, or other information, including reporting of known or suspected criminal activity, by an entity to any other entity or the Federal Government under this Act; or

(2) to limit or prohibit otherwise lawful use of such disclosures by any Federal entity, even when such otherwise lawful disclosures duplicate or replicate disclosures made under this Act.

He emphasized that the government could still respond to unlawful activity. But bad security is not unlawful.

In other words, he had no response to my concerns. Which leads me to believe CISA guts the government’s ability to punish companies that don’t fix their security issues.

I guess that explains why the Chamber of Commerce is so excited about the bill.

How Did Two CISA Beneficiaries and Numerous Agnostics Come to Support CISA?

When the Business Software Alliance released this letter a while back, I was perplexed.

In addition to its call for Congress to pass a set of designated bills, including ECPA reform, that would give assurances to international customers that US services weren’t more exposed to US spying, the letter also called for passage of cybersecurity sharing legislation.

Cyber Threat Information Sharing Legislation will promote cybersecurity and protect sensitive information by enabling private actors in possession of information about vulnerability and intrusions to more easily share that information voluntarily with others under threat, thus enabling the development of better solutions faster.

As TechDirt noted, the letter didn’t name any particular cyber sharing bill, but there are three, and all expand US government access to data. Even if some or all of the tech companies that make up BSA wanted such a bill, it seemed odd to include it in a call for legislation that would reassure international customers. I asked around, and the impression was that it was just convenience to include CISA-type legislation (but why include it at all?).

So then Fight for the Future went to work. It got thousands of activists to complain to the companies directly about their stated support for CISA-type legislation. It also announced its intention to stop using Heroku, which is part of Salesforce, as its host.

That led first Salesforce then BSA more generally to deny they had ever supported CISA. The BSA language pretended their original letter called for balanced legislation. And it also claimed to consistently advocate for strong privacy protections on such legislation — which of course they didn’t do in the letter.

There have been questions about our views of the current CISA legislation. For clarity, BSA does not support any of the three current bills pending before Congress, including the Cybersecurity Information Sharing Act (CISA), the Protecting Cyber Networks Act (PCNA), and the National Cybersecurity and Communications Integration Center (NCCIC) Act.

Consistent with this view, BSA’s September 14 data agenda letter to Congressional leaders identified five key areas where Congress can pass legislation to strengthen the policy environment around digital commerce, including voluntary information sharing, and highlighted the need for balanced legislation in this area.

BSA has consistently advocated for strong privacy protections in all information sharing bills currently pending before the Congress.

We will continue to work with the Congress, others in industry and the privacy community to advance legislation that effectively deals with cyber threats, while protecting individual privacy.

All of this raises more questions about how the endorsement of cyber sharing, at a time when none of the cyber sharing bills before Congress balance privacy interests, got into the letter.

Especially given the signatories. They include companies — like Apple — that have fought hard to protect their customers’ privacy. They include several — notably Adobe and Siemens — that could significantly benefit from any kind of immunity, given that their products are among the most consistent targets of hacks. Most interestingly, they include several companies — including IBM and Symantec — that will benefit when a CISA bill makes it easier for cybersecurity contractors to get more data with which to serve customers.

Indeed, the language from the original bullet supporting cyber sharing — “enabling private actors in possession of information about vulnerability and intrusions to more easily share that information voluntarily with others under threat” — might well describe how cybersecurity contractors will get a boost from CISA.

Some members of BSA probably do, individually, support CISA for the immunity and data it would give them. Others neither need it nor want the stigma.

So how did it get in this letter?

Obama and Xi Set Up a Red CyberPhone

Here are the terms of the cyber agreement announced today.

  • The United States and China agree that timely responses should be provided to requests for information and assistance concerning malicious cyber activities. Further, both sides agree to cooperate, in a manner consistent with their respective national laws and relevant international obligations, with requests to investigate cybercrimes, collect electronic evidence, and mitigate malicious cyber activity emanating from their territory. Both sides also agree to provide updates on the status and results of those investigations to the other side, as appropriate.
  • The United States and China agree that neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.
  • Both sides are committed to making common effort to further identify and promote appropriate norms of state behavior in cyberspace within the international community. The United States and China welcome the July 2015 report of the UN Group of Governmental Experts in the Field of Information and Telecommunications in the Context of International security, which addresses norms of behavior and other crucial issues for international security in cyberspace. The two sides also agree to create a senior experts group for further discussions on this topic.
  • The United States and China agree to establish a high-level joint dialogue mechanism on fighting cybercrime and related issues. China will designate an official at the ministerial level to be the lead and the Ministry of Public Security, Ministry of State Security, Ministry of Justice, and the State Internet and Information Office will participate in the dialogue. The U.S. Secretary of Homeland Security and the U.S. Attorney General will co-chair the dialogue, with participation from representatives from the Federal Bureau of Investigation, the U.S. Intelligence Community and other agencies, for the United States. This mechanism will be used to review the timeliness and quality of responses to requests for information and assistance with respect to malicious cyber activity of concern identified by either side. As part of this mechanism, both sides agree to establish a hotline for the escalation of issues that may arise in the course of responding to such requests. Finally, both sides agree that the first meeting of this dialogue will be held by the end of 2015, and will occur twice per year thereafter.

The structure of these bullets, which comes from the White House, is rather interesting. The first and last simply announce an effort to agree to cooperate on cyber issues, with the first bullet announcing the principle and the last describing the nitty gritty of it. Basically, this is a call to implement a red phone — like the one Russia and the US had for nukes — for cybersecurity.

The third bullet, “welcoming” the UN Group of Governmental Experts report, is also about confidence building.

Which leaves the second bullet, which (unless I’m mistaken) goes far beyond what Obama noted in his press conference with Xi Jinping, but Xi did note in his speech: an agreement “that neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors,” that is, that China stop using hacks to steal from US companies. While the US does steal confidential business information, it doesn’t do so for the competitive advantage of commercial sectors, though I can imagine some scenarios that China might claim did so. I imagine they’ll complain some about our spying on trade negotiations, for example, which probably would fall under this agreement.

I don’t think anyone thinks China will do this (though note the wiggle room in the “conduct or knowingly support” language). Instead, I suspect all the other language about confidence building intends to provide the US a means to more directly complain about this (and perhaps trade off corruption targets for hacker targets?).

Finally, note what was not included: Any promise to end spying for intelligence, like the OPM hack and/or US use of XKeyscore to accomplish the same kind of bulk collection. As I’ve said, I think that hacking might, for the short term, actually help confidence building measures, as it might provide some kind of transparency, though not verification.

We shall see whether a Red Phone for cyber will do any good.

Update: Herb Lin notes that the Red Phone idea is good in theory but hasn’t always worked as it should with China.

Clearly a good thing in principle. But implementation is an issue, and experience with other hotlines between the United States and China has not always been positive. A case in point is the military hotline between the United States and China, intended to enable direct communications between senior military leaders on both sides during crisis, which has not always been operational even during routine tests of the system. On several occasions in which the line was tested for operational capability, and also in the wake of the 2001 EP-3 incident over Hainan, the Chinese military failed to respond at all. In addition, the purview seems to be limited to cybercrime (whatever that might mean) and not to cyber issues related to national security.

The Real Story Behind the 2014 Indictment of Chinese Hackers: Ben Rhodes Moves the IP Theft Goal Posts

As I’ve noted repeatedly, there has been some abysmal reporting on the indictment, in May 2014, of 5 Chinese People’s Liberation Army hackers. Over and over reporters claim, without any caveat, that the indictment was for the theft of intellectual property, the kind of economic espionage we claim to forswear but complain about China conducting. Here are two recent examples.

David Sanger:

And when Unit 61398 of the People’s Liberation Army in China was exposed as the force behind the theft of intellectual property from American companies, the Justice Department announced the indictment of five of the army’s officers. Justice officials hailed that as a breakthrough. Inside the intelligence community and the White House, however, it was regarded as purely symbolic, and the strike on the Office of Personnel Management continued after the indictments were announced.

Elias Groll:

But nearly a year and a half after that indictment was unveiled, the five PLA soldiers named in the indictment are no closer to seeing the inside of a federal courtroom, and China’s campaign of economic espionage against U.S. firms continues.

Given that China’s hacking of US targets is so central to this week’s visit by Chinese President Xi Jinping, I wanted to return to that indictment to tease out what it actually showed. Because it — and Deputy National Security Advisor Ben Rhodes’ description of it in the lead-up to Xi’s visit — makes it clear the US is really talking about far more than IP theft.

The May 2014 indictment was mostly about monitoring negotiations and trade disputes

The indictment includes 31 charges. Just one of those charges — involving the theft of nuclear plant information from Westinghouse — is for economic espionage. Just one of those charges — involving the same theft from Westinghouse — is for theft of a trade secret. I’ll return to the Westinghouse charges in a second.

The additional charges include 9 Computer Fraud and Abuse Act violations (1-9) for breaking into various computers and stealing information, much of it to enable further hacking, 14 charges (10-23) of damaging a computer by planting malware in various computers, and 6 charges (24-29) of identity theft for stealing identity information associated with the targets of the attacks.

Yes, all those other 29 charges did involve hacking to obtain information. But that’s the point of my previous post on this: what was stolen isn’t the core of what we — at least explicitly — complain about China taking, namely the technology IP of private companies.

Here’s what PLA allegedly took from the five other victims, aside from Westinghouse, described in the indictment:

  • SolarWorld (a German company with a location in Oregon): PLA allegedly stole detailed information on SolarWorld’s financial position at a time when SolarWorld was litigating a dumping complaint against Chinese solar manufacturers
  • US Steel: During a period when it was litigating cases against the Chinese steel industry, including against Baosteel, PLA allegedly stole data from (apparently) a sysadmin mapping USS’ computers and mobile devices
  • Allegheny Technologies Incorporated: During a period when it had already started a joint venture with China’s Baosteel but also when it was in anti-dumping litigation against the company, PLA monitored ATI’s computers
  • Alcoa: Immediately after Alcoa and Aluminum Corporation of China bought a 14% stake of Rio Tinto together, PLA monitored Alcoa’s computers
  • United Steelworkers: During a period when it, and the steel industry, was pushing for anti-dumping action against China, PLA stole emails including strategic information

Note the last one: the Steelworkers. A bunch of business reporters are pointing to this indictment — for stealing strategic discussions from a union! — as proof that China is stealing intellectual property from US corporations and sharing it with Chinese companies.

The one case of IP theft in the indictment is reverse engineering, not independent IP theft

In addition to those four corporations and one union, there’s Westinghouse, the one victim against which DOJ actually alleged economic espionage. In 2007, Westinghouse entered into a joint venture, which included significant but carefully negotiated tech transfer. The indictment doesn’t describe which entity involved in the deal it had in mind (several companies were involved, including ones that are more independent from the state), though it is almost certainly China’s State Nuclear Power Technology Corporation, which has no illusions of independence from the state. The deal was signed with ExIm Bank support and export licensing approval. Since that time, the deal has been renegotiated over what technology would get transferred to China, and Westinghouse is still building new reactors under the deal, with the latest one opening in May 2015. A subsequent contract sold even more advanced nuke plants, with Westinghouse expecting 100% localization through the contract.

In the middle of this 8-year relationship that has led and will lead to Westinghouse transferring the technology to build these plants, on May 6, 2010, the indicted hackers allegedly stole information pertaining to design specs for pipes within nuclear power plants; the indictment does not say whether those pipes were included in the technology transfer. In the economic espionage section, the indictment alleges this information got transferred for the benefit of a foreign government, China, not naming even Chinese nuclear authority SNPTC, much less any of the individual joint ventures involved in the deal. That is, even in the charge pertaining to economic espionage, the indictment does not claim this was about benefiting a specific company, but instead was about benefiting the country as a whole. And it’s not like the US can claim it doesn’t spy on specific nuclear companies in the interest of the country as a whole.

And even the Westinghouse hack included the theft of information pertaining to negotiations. The indictment notes that in advance of Hu Jintao’s state visit to the US in 2011, as Westinghouse and SNPTC were negotiating further construction, one of the hackers targeted deliberative emails regarding these negotiations.

Some stolen e-mails described the status of the four AP1000 plants’ construction. Many other stolen e-mails, however, concerned Westinghouse’s confidential business strategies relating to [SNPTC], including Westinghouse’s (a) strategies for reaching an agreement with [SNPTC] on future nuclear power plant construction in China; and (b) discussions regarding cooperation and potential future competition with [SNPTC] in the development of nuclear power plants elsewhere around the world.

Altogether, the indictment alleges, PLA hackers took 1.4G of data, which in the grand scale of nuclear plans and negotiations is not all that much data.

All of which is to say that the economic espionage charge was a fairly minor theft in the scope of the larger indictment, constituting nowhere near the kinds of data China steals from Defense contractors, and not alleging a transfer to a specific company. It’s also minuscule, both in the scale of data stolen from US companies doing business in China (where reverse engineering is often considered the cost of doing business) and in the scale of Chinese IP theft here.

The US spies on trade disputes too

The rest of the indictment — by far the bulk of the charges — involves spying during a range of negotiations, several of them international trade disputes (though there’s also an aspect of intimidation anytime anyone takes a trade dispute against China). We know that NSA spies on other countries involved in trade disputes, including spying on the American attorneys representing foreign governments in trade disputes. It spies rampantly in advance of larger trade negotiations. And I would be shocked if the US didn’t spy on countries considering huge arms deals with ostensibly private US companies, especially when those deals are central to the petrodollar laundering that serves as the foundation of our Middle East strategy. That is, much of what we charged China’s PLA hackers for in this indictment, the US does. And we certainly spy on individual foreign companies for US national advantage, as when we mapped out Huawei very similarly to the way China mapped out USS.

None of that’s to excuse it. But it is to say no one should expect an indictment that involved — in the grand scheme of things — minuscule amounts of IP theft and far larger amounts of trade negotiation theft to teach China a lesson about IP theft. If we want to teach China a lesson about IP theft, then maybe we should indict it for IP theft, especially the kind of IP theft outside the realm of ongoing business relations which we claim to be the real concern.

That has never happened, and reporters should stop claiming it has.

Ben Rhodes now says this is about IP theft and confidential information

All that said, in the run-up to Xi Jinping’s visit, the Administration has actually gotten slippery on what it means when it invokes this kind of theft.

In an on-the-record conference call Tuesday, Ben Rhodes claimed (according to the transcript), “the United States government has already engaged in law enforcement actions, for instance, that targeted Chinese entities who we believed were behind that type of activity,” referring to this 2014 indictment. He had just described the activity as, “cyber-enabled theft of confidential business information and proprietary technology from U.S. companies” and described the goals as, “the protection of intellectual property and the ability of businesses to operate without concern of cyber theft.” In addition to “proprietary technology,” Rhodes is now adding the cyber-enabled theft of “confidential business information” to China’s sins.

That is, in the days before a big public discussion about cyber theft, Ben Rhodes is moving the goal posts, describing the action of concern to include both “proprietary technology” — what they’ve been talking about for years — and “confidential business information” — which definitely describes what the PLA hackers took but doesn’t describe what they usually talk about when discussing IP theft.

Interestingly, Rhodes went on to suggest China would change its ways because otherwise US corporations won’t want to do business with them. “[T]he chief reason I think the Chinese have an interest in changing some of their behavior in the cyber realm is because if they’re operating outside of established international rules and norms, they’re ultimately going to alienate businesses, including U.S. businesses who have been critical to Chinese economic growth.” This is not the model of stealing data on the F-35 from Lockheed and subcontractors, the quintessential example of IP theft people like to point to. Rather, it’s the use of hacking to reverse engineer products China is buying from US companies, something Chinese companies usually do by stealing tools used in plants in China. Maybe Rhodes is correct that companies aren’t going to rush headlong into the fastest growing market anymore knowing China will reverse engineer, including by cyber-theft, the things they’re buying, though I think that’s only likely if China’s growth continues to skid to a halt.

Ultimately, Rhodes accused China of cheating capitalism at a more fundamental level. “[T]hat’s something that gets at the integrity of the global economy, and that’s why we’ve been so focused on this.” Which is where it gets rather farcical, because it’s not like the US as a country doesn’t do what it can to bend the rules for its companies. Plus, if the Administration wants to take on China’s cheating, there are far easier ways to do it, such as on currency.

The roll-out of some kind of mutual understanding on cyber issues this week will be interesting regardless of Rhodes’ moving of the goal posts. But that he has done so — and broadened our age-old complaint about IP theft to now include the theft of confidential business information (some, but not all, of which we also do) — is itself notable.

BREAKING: OPM and DOD (Claim They) Don’t Think Fingerprint Databases Are All That Useful

In the most negative news dump released behind the cover of Pope Francis’ skirts, the Office of Personnel Management just announced that, contrary to previous reports that 1.1 million people had had their fingerprints stolen from OPM’s databases, the real number is 5.6 million.

Aside from the big numbers involved, there are several interesting aspects of this announcement.

First, it seems OPM had an archive of records on 4.5 million people, including fingerprint data, that it hadn’t realized was there at first.

As part of the government’s ongoing work to notify individuals affected by the theft of background investigation records, the Office of Personnel Management and the Department of Defense have been analyzing impacted data to verify its quality and completeness. During that process, OPM and DoD identified archived records containing additional fingerprint data not previously analyzed.

If, as it appears, this means OPM had databases of key counterintelligence data lying around that it wasn’t aware of (and therefore wasn’t using), it suggests Ron Wyden’s concern that the government is retaining data unnecessarily is absolutely correct.

Rather bizarrely, upon learning that someone found and went through archived databases to obtain more fingerprint data, “federal experts” claim that “as of now, the ability to misuse fingerprint data is limited.”

As EFF just revealed, since February the FBI has been busy adding the fingerprint data it gets when it does background checks on job applicants into its Next Generation Identification database.

Being a job seeker isn’t a crime. But the FBI has made a big change in how it deals with fingerprints that might make it seem that way. For the first time, fingerprints and biographical information sent to the FBI for a background check will be stored and searched right along with fingerprints taken for criminal purposes.

The change, which the FBI revealed quietly in a February 2015 Privacy Impact Assessment (PIA), means that if you ever have your fingerprints taken for licensing or for a background check, they will most likely end up living indefinitely in the FBI’s NGI database. They’ll be searched thousands of times a day by law enforcement agencies across the country—even if your prints didn’t match any criminal records when they were first submitted to the system.

This is the first time the FBI has allowed routine criminal searches of its civil fingerprint data. Although employers and certifying agencies have submitted prints to the FBI for decades, the FBI says it rarely retained these non-criminal prints. And even when it did retain prints in the past, they “were not readily accessible or searchable.” Now, not only will these prints—and the biographical data included with them—be available to any law enforcement agent who wants to look for them, they will be searched as a matter of course along with all prints collected for a clearly criminal purpose (like upon arrest or at time of booking).

In its PIA explaining the move, FBI boasts that this will serve as “an ‘ongoing’ background check that permits employers, licensors, and other authorized entities to learn of criminal conduct by a trusted individual.” To suggest that a massive database of fingerprints can provide the FBI real-time updates on certain behaviors, but pretend it wouldn’t serve a similar purpose to the Chinese, defies logic. Heck, why is OPM keeping fingerprint information if it can’t be used? And of course, all that assumes none of the 5.6 million people affected has a fingerprint-authenticating iPhone.

Of course this can be used, otherwise the Chinese wouldn’t have gone out of their way to get it!

But OPM’s claim that the Chinese just went out of their way to get that fingerprint data for no good reason provides the agency with a way to delay notification while FBI, DHS, DOD and “other members of the Intelligence Community” come up with ways to limit the damage of this.

If, in the future, new means are developed to misuse the fingerprint data, the government will provide additional information to individuals whose fingerprints may have been stolen in this breach.

After which OPM spends two paragraphs talking about the identity protection those whose identities have been stolen will get, as if that mitigates a huge counterintelligence problem.

It sure sounds like OPM is stalling on informing the people who’ve been exposed about how badly they’ve been exposed, under the incredible claim that databases of fingerprints aren’t all that useful.

Did the OPM Hack Fix Jack Goldsmith’s Anonymity Problem?

In a piece claiming “the most pressing problem the United States sees in its cyber relations with China [is] the widespread espionage and theft by China in U.S. public and private digital networks,” Jack Goldsmith argues any cyber agreement with China won’t be all that useful because we would never be able to verify it.

I still adhere to what I once wrote in response to this: “in the absence of decent verification, we cannot be confident that transparency measures are in fact transparent, or that revealed doctrine is actual doctrine. Nor can norms get much purchase in a world without serious attribution and verification; anonymity is a norm destroyer.”

Goldsmith says this in a piece that claims to adopt Sanger’s expressed concerns about the proposed deal and what it won’t cover. Here’s Sanger:

But it seems unlikely that any deal coming out of the talks would directly address the most urgent problems with cyberattacks of Chinese origin, according to officials who spoke on the condition of anonymity to describe continuing negotiations.

Most of those attacks have focused on espionage and theft of intellectual property. The rules under discussion would have done nothing to stop the theft of 22 million personal security files from the Office of Personnel Management, which the director of national intelligence, James R. Clapper Jr., recently told Congress did not constitute an “attack” because it was intelligence collection — something the United States does, too.

The agreement being negotiated would also not appear to cover the use of tools to steal intellectual property, as the Chinese military does often to bolster state-owned industries, according to an indictment of five officers of the People’s Liberation Army last year. And it is not clear that the rules would prohibit the kind of attack carried out last year against Sony Pictures Entertainment, for which the United States blamed North Korea. That attack melted down about 70 percent of Sony’s computer systems.

So Sanger quotes James Clapper saying he doesn’t consider OPM an attack (for good reason), but says that’s one of the most urgent concerns about Chinese hacking. Clapper’s response doesn’t seem to substantiate Sanger’s claim about the centrality of that as a concern, though I think it is a huge concern. I’ll come back to this.

Then Sanger — in a piece that once again repeats the shitty reporting that last year’s indictment showed the theft of IP to bolster state-owned industries (see this post, but I’m working on a follow-up) — says the agreement won’t cover IP theft. Finally, Sanger says that the agreement might not cover a Sony pictures hack, which the Chinese haven’t been accused of doing, so why would that be important in an agreement with the Chinese?

That last bit is where Goldsmith actually doesn’t adopt what Sanger has laid out. Indeed, he seems to say the agreement is about Sony type hacks.

[T]he ostensible “agreement” won’t have anything to do with the most pressing problem the United States sees in its cyber relations with China – the widespread espionage and theft by China in U.S. public and private digital networks. The negotiation is mainly about cyberattacks (cyber operations that disrupt, destroy, degrade, or manipulate information on adversary networks) and not about cyberexploitation (cyber operations involving theft, intelligence-gathering, and the like on digital networks).

The Sony hack certainly disrupted and destroyed the film studio’s networks, even while exposing a bunch of embarrassing intelligence. But thus far, we’re proceeding as if China hasn’t done that to “us” (to the extent a Japanese-owned film studio counts as the US), North Korea has. We don’t even ever talk about whether China, in addition to robbing the F-35 program blind, also sabotaged it; I remain agnostic about whether the US defense industry needed China’s help to sabotage the program, but China definitely had the persistence in networks to sabotage key parts that have since proven faulty. Plus, we’re taking it on faith that the NYSE/United outages that happened on the same day are really unrelated, and curiously we’re not talking about the serial air travel outages we’ve experienced of late (after United, the FAA and then American went down because of “software problems”). I would suggest that the IC may have reason to have urgent concern about China’s ability and willingness to sabotage us, above and beyond its IP theft and intelligence theft, but if it does it’s not telling us.

But let’s take a step back. Since when did we conflate IP theft and the OPM hack? Those are different problems, and I’d really love to have a discussion — which surely wouldn’t happen with any government officials in any unclassified forum — whether the OPM hack is now considered a more urgent threat than serial Chinese IP theft, or whether Clapper is being honest in consistently dismissing it as similar behavior to what we do. Sure, IP theft used to be the most urgent issue, but did that change when China absconded with a database of much of our clearance data? The relative urgency of the two seems an utterly critical thing to understand, given that China pwned us in the OPM hack, and now 3 months after discovering that, we’re signing a cyber agreement.

All the more so given that the OPM hack goes right to the issue of anonymity though not, perhaps, verifiability.

In his piece, Goldsmith is a bit more trusting of the Clapper claim — which I laid out here — that we lost technical accesses in the wake of the Snowden leaks. I think that may well be the case, but it’s just as likely that’s disinformation, either for Congress in advance of the Xi Jinping visit, or for the Chinese. Goldsmith presents that as one more reason why we can’t verify any agreement, and therefore it will be largely worthless.

But does it matter that the OPM hack created symmetry in transparency of personnel (which is different from technical accesses) between China and the US? Does it matter that, with the OPM hack, the Chinese largely replicated our ability to create fingerprints using XKS, and through that figure out who in China was doing what?

That is, we may not have full attribution ability right now — in Clapper’s description it sounded like we could consistently ID tools and persona, but not necessarily tie that persona back to the Chinese state, though, again, that may have been disinformation. But both the US (through XKS) and China (through OPM) have achieved a kind of transparency in personnel.

Which brings me to my central question, in response to Goldsmith’s claim this agreement is pretty meaningless because of the attribution and verification problems. He may well be right it will be a mostly symbolic agreement (though if we move towards norms that may be a positive step).

But until we tease out the real interaction of the old problem — the IP theft — with the new one — that China has our intelligence community by the balls, and until we develop more certainty that some other acts of sabotage aren’t, in fact, cyberattacks, I’m not sure we’re really understanding the dynamics behind the agreement.

Just as importantly, it seems, we need to understand how a new kind of personnel transparency affects our expectations about verification or trust in cyberspace. I don’t know the answer to whether this kind of symmetry changes the considerations on verification or not, but it does seem a relevant question.

What’s So Tricky about DOD’s PKI That It Needs to Expose Thousands of Service Members?

Motherboard decided to call out DOD for not using STARTTLS to encrypt much of DOD’s email while it is in transit.

[A]s encryption spreads to government sites, it hasn’t reached government emails yet. Most of the military as well as the intelligence community do not use encryption to protect emails travelling across the internet.

[snip]

In fact, according to an online testing tool, among the military only the Air Force encrypts emails in transit using a technology called STARTTLS, which has existed since 2002. Other branches of the Pentagon, including the Army, the Navy, the Defense Security Service, and DARPA, don’t use it. Even the standard military email provider mail.mil, doesn’t support STARTTLS.

[snip]

In a statement emailed to Motherboard, a spokesperson for the Defense Information Systems Agency (DISA), the Pentagon’s branch that oversees email and other technologies, said the DISA’s DOD Enterprise Email (DEE) does not support STARTTLS.

This part of the story is bad enough. I take it to mean that as people stationed overseas email home, their email — and therefore significant hints about deployment — would be accessible to anyone who wanted to steal them in transit. While more sensitive discussions would be secure, there would be plenty accessible to Russia or China or technically savvy terrorists to make stealing the email worthwhile.

But I’m just as struck by DOD’s excuse.

“STARTTLS is an extension for the Post Office Protocol 3 and Internet Message Access protocols, which rely on username and password for system access,” the spokesperson wrote. “To remain compliant with DOD PKI policy, DEE does not support the use of username and password to grant access, and does not leverage either protocol.”

First of all, this doesn’t make any sense. The Public Key Infrastructure system, which controls access to DOD networks, should be totally separate from the email system.
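To make that point concrete, here is an added Python check (not the “online testing tool” Motherboard used, nor anything from DISA or the original post) that reads what an SMTP server advertises in its EHLO reply. The sample replies and host names are constructed; the point is that STARTTLS for mail in transit is an SMTP extension negotiated between mail servers, separate from the AUTH extension that carries username/password logins.

```python
"""Does an SMTP server offer STARTTLS for mail in transit?

Added illustration. STARTTLS for server-to-server delivery is announced
in the SMTP EHLO reply (RFC 3207 / RFC 5321); it has nothing to do with
how an end user authenticates to read mail over POP3 or IMAP.
"""
import smtplib
from typing import Dict, List

# Constructed sample EHLO replies (not captured from any real server).
EHLO_WITH_STARTTLS = [
    "250-mx.example.test Hello client.example.test",
    "250-SIZE 52428800",
    "250-STARTTLS",
    "250-8BITMIME",
    "250 ENHANCEDSTATUSCODES",
]
EHLO_WITHOUT_STARTTLS = [
    "250-mx.example.test Hello client.example.test",
    "250-SIZE 52428800",
    "250-AUTH PLAIN LOGIN",  # password login offered, but no transit encryption
    "250 8BITMIME",
]


def parse_ehlo(lines: List[str]) -> Dict[str, str]:
    """Parse a multi-line 250 EHLO reply into {EXTENSION: parameters}."""
    features: Dict[str, str] = {}
    for i, line in enumerate(lines):
        if not line.startswith("250"):
            raise ValueError(f"unexpected reply line: {line!r}")
        body = line[4:].strip()  # drop the '250-' / '250 ' prefix
        if i == 0:
            continue  # first line is the server greeting, not an extension
        keyword, _, params = body.partition(" ")
        features[keyword.upper()] = params
    return features


def assess_transit_encryption(lines: List[str]) -> Dict[str, object]:
    """Separate the transit-encryption question from the user-auth question."""
    f = parse_ehlo(lines)
    return {
        "starttls": "STARTTLS" in f,          # mail-in-transit encryption
        "password_auth_offered": "AUTH" in f,  # client login; unrelated to STARTTLS
        "auth_mechanisms": f.get("AUTH", "").split(),
    }


def probe_mx(host: str, port: int = 25, timeout: int = 10) -> bool:
    """Live check (needs network): does this MX advertise STARTTLS?

    Note: an advertised STARTTLS is necessary but not sufficient; it is
    opportunistic and can be stripped on the path unless the sending
    side enforces TLS (for example via MTA-STS or DANE).
    """
    with smtplib.SMTP(host, port, timeout=timeout) as conn:
        conn.ehlo()
        return conn.has_extn("starttls")
```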

Worse still: we know a little bit about what — and when — DOD implemented its PKI, because it came up in Congressional hearings in the wake of the Chelsea Manning leaks. Here’s what DOD’s witnesses explained back in 2011.

One of the major contributing factors in the WikiLeaks incident was the large amount of data that was accessible with little or no access controls. Broad access to information can be combined with access controls in order to mitigate this vulnerability. While there are many sites on SIPRNet that do have access controls, these are mostly password-based and therefore do not scale well. The administration of thousands of passwords is labor intensive and it is difficult to determine who should (and should not) have access.

DoD has begun to issue a Public Key Infrastructure (PKI)-based identity credential on a hardened smart card. This is very similar to the Common Access Card (CAC) we use on our unclassified network. We will complete issuing 500,000 cards to our SIPRNet users, along with card readers and software, by the end of 2012. This will provide very strong identification of the person accessing the network and requesting data. It will both deter bad behavior and require absolute identification of who is accessing data and managing that access.

In conjunction with this, all DoD organizations will configure their SIPRNet-based systems to use the PKI credentials to strongly authenticate end-users who are accessing information in the system. This provides the link between end users and the specific data they can access – not just network access. This should, based on our experience on the unclassified networks, be straightforward.

DoD’s goal is that by 2013, following completion of credential issuance, all SIPRNet users will log into their local computers with their SIPRNet PKI/smart card credential. This will mirror what we already do on the unclassified networks with CACs.

Remember, this describes the log-in process to DOD’s classified network, generally, not to email.

The point is, though, that in response to an internal leaker, DOD only rolled out the kind of network controls most businesses have on its Secret (not Top Secret) network in 2011. Even if there were something about that roll-out that did impact email, what DOD would have you believe is that as late as 2011, it made decisions that resulted in keeping email insecure in transit.