The Continued Belief in Unicorn Cyber Deterrence

For some reason, people continue to believe Administration leaks that they will retaliate against China (and Russia!) for cyberattacks — beyond what are probably retaliatory moves already enacted.

I think Jack Goldsmith’s uncharacteristically snarky take is probably right. After cataloging the many past leaks about sanctions that have come to no public fruition, Goldsmith talks about the cost of this public hand-wringing.

As I have explained before, figuring out how to sanction China for its cyber intrusions is hard because (among other reasons) (i) the USG cannot coherently sanction China for its intrusions into US public sector (DOD, OPM, etc.) networks since the USG is at least as aggressive in China’s government networks, and (ii) the USG cannot respond effectively to China’s cyber intrusions in the private sector because US firms and the US economy have more to lose than gain (or at least a whole lot to lose) from escalation—especially now, given China’s suddenly precarious economic situation.

But even if sanctions themselves are hard to figure out, the public hand-wringing about whether and how to sanction China is harmful.  It is quite possible that more is happening in secret.  “One of the conclusions we’ve reached is that we need to be a bit more public about our responses, and one reason is deterrence,” a senior administration official in an “aha” moment told Sanger last month.  One certainly hopes the USG is doing more in secret than in public to deter China’s cybertheft.   Moreover, one can never know what cross-cutting machinations by USG officials lie behind the mostly anonymous leaks that undergird the years of stories about indecisiveness.

This performance seems to be directed at domestic politics, because the Chinese aren’t impressed.

A still crazier take, though, is this one, which claims DOJ thought indicting five PLA-connected hackers last year would have any effect.

But nearly a year and a half after that indictment was unveiled, the five PLA soldiers named in the indictment are no closer to seeing the inside of a federal courtroom, and China’s campaign of economic espionage against U.S. firms continues. With Chinese President Xi Jinping set to arrive in Washington for a high-profile summit with President Barack Obama later this month, the question of how — and, indeed, if — the United States can deter China from pilfering American corporate secrets remains very much open. The indictment of the PLA hackers now stands out as a watershed moment in the escalating campaign by the U.S. government to deter China from its aggressive actions in cyberspace — both as an example of the creative ways in which the United States is trying to fight back and the limits of its ability to actually influence Chinese behavior.

[snip]

In hindsight, the indictment seems less like an exercise in law enforcement than a diplomatic signal to China. That’s an argument the prosecutor behind the case, U.S. Attorney David Hickton, resents. “I believe that’s absolute nonsense,” Hickton told Foreign Policy. “It was not the intention, when we brought this indictment, to at the same time say, ‘We do not intend to bring these people to justice.’”

But it’s unclear exactly what has happened to the five men since Hickton brought charges against them. Their unit suspended some operations in the aftermath of the indictment, but experts like Weedon say the group is still active. “The group is not operating in the same way it was before,” she said. “It seems to have taken new shape.”

Hickton, whose office has made the prosecution of cybersecurity cases a priority, says he considers the law enforcement effort against hackers to be a long-term one and likens it to indictments issued in Florida against South American drug kingpins during the height of the drug war. Then, as now, skeptics wondered what was the point of bringing cases against individuals who seemed all but certainly beyond the reach of U.S. law enforcement. Today, Hickton points out, U.S. prisons are filled with drug traffickers. Left unsaid, of course, is that drugs continue to flow across the border.

That’s because it fundamentally misunderstands what the five hackers got indicted for.

This indictment was not, as claimed, for stealing corporate secrets. It was mostly not for economic espionage, which we claim not to do.

Rather — as I noted at the time — it was for stealing information during ongoing trade disputes.

But the other interesting aspect of this indictment coming out of Pittsburgh is that — at least judging from the charged crimes — there is far less of the straight out IP theft we always complain about with China.

In fact, much of the charged activity involves stealing information about trade disputes — the same thing NSA engages in all the time. Here are the charged crimes committed against US Steel and the United Steelworkers, for example.

In 2010, U.S. Steel was participating in trade cases with Chinese steel companies, including one particular state-owned enterprise (SOE-2).  Shortly before the scheduled release of a preliminary determination in one such litigation, Sun sent spearphishing e-mails to U.S. Steel employees, some of whom were in a division associated with the litigation.  Some of these e-mails resulted in the installation of malware on U.S. Steel computers.  Three days later, Wang stole hostnames and descriptions of U.S. Steel computers (including those that controlled physical access to company facilities and mobile device access to company networks).  Wang thereafter took steps to identify and exploit vulnerable servers on that list.

[snip]

In 2012, USW was involved in public disputes over Chinese trade practices in at least two industries.  At or about the time USW issued public statements regarding those trade disputes and related legislative proposals, Wen stole e-mails from senior USW employees containing sensitive, non-public, and deliberative information about USW strategies, including strategies related to pending trade disputes.  USW’s computers continued to beacon to the conspiracy’s infrastructure until at least early 2013.

This is solidly within the ambit of what NSA does in other countries. (Recall, for example, how we partnered with the Australians to obtain information to help us in a clove cigarette trade dispute.)

I in no way mean to minimize the impact of this spying on USS and USW. I also suspect they were targeted because the two organizations partner together on an increasingly successful manufacturing organization. Which would still constitute a fair spying target, but also one against which China has acute interests.

But that still doesn’t make it different from what the US does when it engages in spearphishing — or worse — to steal information to help us in trade negotiations or disputes.

We’ve just criminalized something the NSA does all the time.

The reason this matters is because all the people spotting unicorn cyber-retaliation don’t even understand what they’re seeing, and why. I mean, Hickton (who as I suggested may well run for public office) may have reasons to want to insist he’s championing the rights of Alcoa, US Steel, and the Steelworkers. But he’s not implementing a sound deterrence strategy because — as Goldsmith argues — it’s hard to imagine one that we could implement, much less one that wouldn’t cause more blowback than good.

Before people start investing belief in unicorn cyber deterrence, they’d do well to understand why it presents us such a tough problem.

Did China and Russia Really Need Our Help Targeting Spook Techies?

LAT has a story describing what a slew of others — including me — have already laid out. The OPM hack will enable China to cross-reference a bunch of databases to target our spooks. Aside from laying all that out again (which is worthwhile, because not a lot of people are publicly discussing that), LAT notes Russia is doing the same.

But other than that (and some false claims the US doesn’t do the same, including working with contractors and “criminal” hackers) and a review of the dubiously legal Junaid Hussain drone killing, LAT includes one piece of actual news.

At least one clandestine network of American engineers and scientists who provide technical assistance to U.S. undercover operatives and agents overseas has been compromised as a result, according to two U.S. officials.

I would be unsurprised that China was rolling up actual HUMINT spies in China as a result of the OPM breach (which would explain why we’d be doing the same in response, if that’s what we’re doing). But the LAT says China (and/or Russia) is targeting “engineers and scientists who provide technical assistance” to spooks — one step removed from the people recruiting Chinese (or Russian) nationals to share their country’s secrets.

I find that description rather curious because of the way it resembles the complaint by CIA contractor whistleblower John Reidy in an appeal of a denial of a whistleblower complaint by CIA’s Inspector General. (Marisa Taylor first reported on Reidy’s case.) As I extrapolated from redactions some weeks ago, it looks like Reidy reported CIA’s reporting system getting hacked at least as early as 2007, but the contractors whose system got (apparently) hacked got him fired and CIA suppressed his complaints, only to have the problem get worse in the following years until CIA finally started doing something about it — with incomplete information — starting in 2010.

Reidy describes playing three roles in 2005: facilitating the dissemination of intelligence reporting to the Intelligence Community, identifying Human Intelligence (HUMINT) targets of interest for exploitation, and (because of resource shortages) handling the daily administrative functions of running a human asset. In the second of those three roles, he was “assigned the telecommunications and information operations account” (which is not surprising, because that’s the kind of service SAIC provides to the intelligence community). In other words, he seems to have worked at the intersection of human assets and electronic reporting on those assets.

Whatever role he played, he described what by 2010 had become a “catastrophic intelligence failure[]” in which “upwards of 70% of our operations had been compromised.” The problem appears to have arisen because “the US communications infrastructure was under siege,” which sounds like CIA may have gotten hacked. At least by 2007, he had warned that several of the CIA’s operations had been compromised, with some sources stopping all communications suddenly and others providing reports that were clearly false, or “atmospherics” submitted as solid reporting to fluff reporting numbers. By 2011 the government had appointed a Task Force to deal with the problem he had identified years earlier, though some on that Task Force didn’t even know how long the problem had existed or that Reidy had tried to alert the CIA and Congress to the problem.

All that seems to point to the possibility that tech contractors had set up a reporting system that had been compromised by adversaries, a guess that is reinforced by his stated desire to bring a “qui tam lawsuit brought against CIA contractors for providing products whose maintenance and design are inherently flawed and yet they are still charging the government for the products.” In his complaint, he describes Raytheon employees being reassigned, suggesting that contracting giant may be one of the culprits, but all three named contractors (SAIC, Raytheon, and Mantech) have had their lapses; remember that SAIC was the lead contractor that Thomas Drake and friends exposed.

Reidy’s appeal makes it clear that one of the things that exacerbated this problem was overlapping jurisdiction, with a functional unit apparently taking over control from a geographic unit. While that in no way rules out China, it sounded as much like the conflict between CIA’s Middle East and Counterterrorism groups that has surfaced in other areas as anything else.

The reason I raise Reidy is because — whether or not the engineers targeted as described in the LAT story are the same as the ones Reidy seems to describe — Reidy’s appeal suggests the problem he described arose from contractor incompetence and cover-ups.

I guess you could say the same about the OPM hack (though it was also OPM’s incompetence). Except in the earlier case, you’re talking far more significant intelligence contractors — including SAIC and Raytheon, who both do a lot of cybersecurity contracting on top of their intelligence contracting — and a years-long cover up with the assistance of the agency in question.

All while assets were being exposed, apparently because of insecure computer systems.

China’s hacking is a real threat to the identities of those who recruit human sources (and therefore of the human sources themselves).

But if Reidy’s complaint is true, then it’s not clear how much work China really needs to do to compromise these identities.

The Questions the NCSC Doesn’t Want to Answer

A few days ago the WaPo published a story on the OPM hack, focusing (as some earlier commentary already has) on the possibility China will alter intelligence records as part of a way to infiltrate agents or increase distrust.

It’s notable because it relies on the Director of the National Counterintelligence and Security Center, Bill Evanina. The article first presents his comments about that nightmare scenario — altered records.

“The breach itself is issue A,” said William “Bill” Evanina, director of the federal National Counterintelligence and Security Center. But what the thieves do with the information is another question.

“Certainly we are concerned about the destruction of data versus the theft of data,” he said. “It’s a different type of bad situation.” Destroyed or altered records would make a security clearance hard to keep or get.

And only then relays Evanina’s concerns about the more general counterintelligence concerns raised by the heist, that China will use the data to target people for recruitment. Evanina explains he’s more worried about those without extensive operational security training than those overseas who have that experience.

While dangers from the breach for intelligence community workers posted abroad have “the highest risk equation,” Evanina said “they also have the best training to prevent nefarious activity against them. It’s the individuals who don’t have that solid background and training that we’re most concerned with, initially, to provide them with awareness training of what can happen from a foreign intelligence service to them and what to look out for.”

Using stolen personal information to compromise intelligence community members is always a worry.

“That’s a concern we take seriously,” he said.

Curiously, given his concern about those individuals without a solid CI background, Evanina provides no hint of an answer to the questions posed to him in a Ron Wyden letter last week.

  1. Did the NCSC identify OPM’s security clearance database as a counterintelligence vulnerability prior to these security incidents?
  2. Did the NCSC provide OPM with any recommendations to secure this information?
  3. At least one official has said that the background investigation information compromised in the second OPM hack included information on individuals as far back as 1985. Has the NCSC evaluated whether the retention requirements for background investigation information should be reduced to mitigate the vulnerability of maintaining personal information for a significant period of time? If not, please explain why existing retention periods are necessary?

Evanina has asserted he’s particularly worried about the kind of people who would have clearance but not be in one of the better protected (CIA) databases. But was he particularly worried about those people — and therefore OPM’s databases — before the hack?

Is the US Thwarting China’s Anti-Corruption (and Political Crime) Campaign to Retaliate for the OPM Hack?

Two weeks after floating a story to the NYT that Obama asked for some creative ways to retaliate against China for the OPM hack, the NYT reported (in both English and a prominently linked Chinese translation) that “in recent weeks” the US told agents trying to chase down Chinese nationals accused of corruption to get out.

The Obama administration has delivered a warning to Beijing about the presence of Chinese government agents operating secretly in the United States to pressure prominent expatriates — some wanted in China on charges of corruption — to return home immediately, according to American officials.

The American officials said that Chinese law enforcement agents covertly in this country are part of Beijing’s global campaign to hunt down and repatriate Chinese fugitives and, in some cases, recover allegedly ill-gotten gains.

The Chinese government has officially named the effort Operation Fox Hunt.

The American warning, which was delivered to Chinese officials in recent weeks and demanded a halt to the activities, reflects escalating anger in Washington about intimidation tactics used by the agents. And it comes at a time of growing tension between Washington and Beijing on a number of issues: from the computer theft of millions of government personnel files that American officials suspect was directed by China, to China’s crackdown on civil liberties, to the devaluation of its currency.

Operation Fox Hunt is not new — or secret. It has been covered before by the US press, including updates on how many people official Chinese sources claim they have gotten to return for prosecution. The NYT follow-up admits — though the original didn’t provide the same level of detail — that DHS agreed in April to prosecute Chinese economic fugitives (which would extend the US habit of asserting jurisdiction where none exists) if provided real evidence of corruption.

But in April, the Department of Homeland Security worked out a new arrangement with China’s Ministry of Public Security, which oversees Operation Fox Hunt, to assist Beijing’s efforts to prosecute economic fugitives according to United States law. American officials, however, say China has so far failed to provide the necessary evidence.

Both NYT articles mention what the WSJ reports in more depth, including details of how these operatives are working. Among the economic fugitives in the US that China is aggressively pursuing is Ling Wangcheng, the brother of a former top Hu Jintao aide.

Mr. Ling’s brother was a top aide to China’s previous president, Hu Jintao, but was placed under investigation by the Communist Party in December and formally accused in July of bribe-taking, adultery and illegally obtaining state secrets.

For much of 2014, Mr. Ling was living under an alias in a mansion in a gated community in Loomis, Calif., near Sacramento, with Mr. Yuan’s ex-wife, neighbors said. The couple hasn’t been seen there since around October.

Mr. Ling is now the focus of political intrigue that could overshadow a visit to the U.S. in September by China’s leader, Xi Jinping.

Diplomats and analysts said Mr. Ling might have had access through this brother to sensitive information about Chinese leaders. If he sought political asylum, Mr. Ling would be the most significant Chinese defector in decades.

It isn’t clear why Mr. Ling, 55 years old, moved to the U.S. in 2013 or 2014. He lost touch with many friends in China around last fall, a family acquaintance said, but later reassured friends he was safe in the U.S.

The implication from this — and other recent reporting on Ling — is that he did get asylum in October, and has been cooperating with US authorities.

All that is probably only tangentially related to the US leak of its earlier decision — taken precisely as the US tries to find a way to retaliate for the OPM hack — to start cracking down on this Chinese effort.

There are two things I haven’t seen mentioned in coverage of this. First, remember that the US has engaged in a similar effort, using an offer of amnesty for rich tax cheats who had stashed their money in Swiss banks (though there have been what I believe to be similar efforts on the part of the US to expose tax cheats that have mostly focused on non-US citizens).

And don’t forget the lengths to which the US went to get someone who had top secrets to come back to the US, including when it had Austria ground Evo Morales’ plane so it could search for Edward Snowden.

In any case, I suspect the US used Operation Fox Hunt as an opportunity to let China know it knew of these admitted agents. Sort of a way for the US to tell China we know where its operatives in the US are, just as it knows where our operatives are in China, thanks to the OPM hack.

For its part, China’s Xinhua paper has scolded the US for harboring crooks (and provided slightly different details of the agreement pertaining to Fox Hunt).

Corruption is not only a serious problem in China, but also in the rest of the world. And in a world which is more and more connected, countries should take coordinated efforts in fighting corruption.

Although there is no extradition agreement between the United States and China, the two countries actually have already agreed on anti-corruption cooperation.

In April 2015, U.S. Homeland Security Secretary Jeh Johnson met Chinese Public Security Minister Guo Shengkun in Beijing, and they agreed to strengthen cooperation in law enforcement.

They agreed not to provide shelter for the other side’s fugitives and would try to repatriate them in accordance with law. Specifically, Johnson also promised to actively support China’s “Sky Net” and “Fox Hunt” operations, which aim to bring back corrupt officials.

So the U.S. government’s decision to force China’s law enforcement staff to leave the country obviously reveals that Washington lacks sincerity and has failed to translate its words into action.

Some analysts even say that the United States is reluctant to repatriate those corrupt officials for the sake of their money of course.

Therefore, the United States, as a country that often stresses the rule of law, should clarify the issue and by no means become a safe haven for Chinese criminal suspects.

The US may have decided this would be an easy way to push back on China, but that won’t prevent China from scoring points from it.

Several Supporters of CISA Admit Its Inadequacy

In recent days, there have been reports that the same (presumed Chinese) hackers who stole vast amounts of data from the Office of Personnel Management have also hacked at least United Airlines and American. (Presuming the Chinese attribution is correct — and I believe it — I would be surprised if Chinese hackers hadn’t also tried to hack Delta, given that it has a huge footprint in Asia, including China; if that’s right and Delta managed to withstand the attack, we should find out how and why.)

Those hacks — and the presumption that the Chinese are stealing the data to flesh out their already detailed map of the activities of US intelligence personnel — have led a bunch of Cyber Information Sharing Act supporters (Susan Collins and Barb Mikulski have already voted for it, and Bill Nelson almost surely will, because he loves surveillance) to admit its inadequacy.

In recent months, hackers have infiltrated the U.S. air traffic control system, forced airlines to ground planes and potentially stolen detailed travel records on millions of people.

Yet the industry lacks strict requirements to report these cyber incidents, or even adhere to specific cybersecurity standards.

“There should be a requirement for immediate reporting to the federal government,” Sen. Susan Collins (R-Maine), who chairs the Appropriations subcommittee that oversees the Federal Aviation Administration (FAA), told The Hill.

“We need to address that,” agreed Sen. Bill Nelson (D-Fla.), the top Democrat on the Senate Commerce Committee.

[snip]

“We need a two-way exchange of information so that when a threat is identified by the private sector, it’s shared with the government, and vice versa,” Collins added. “That’s the only way that we have any hope of stopping further breaches.”

[snip]

That’s why, Nelson said, the airline industry needs mandatory, immediate reporting requirements.

“All the more reason for a cybersecurity bill,” he said.

But for years, Congress has been unsuccessful in its efforts.

Sen. Barbara Mikulski (D-Md.), the Senate Appropriations Committee’s top Democrat, tried three years ago to move a cyber bill that would have included rigid breach reporting requirements for critical infrastructure sectors, including aviation.

“We were blocked,” she told The Hill recently. “So it’s time for not looking at an individual bill, but one that’s overall for critical infrastructure.”

So now we have some Senators calling for heightened cybersecurity standards for cars, and different, hawkish Senators calling for heightened cybersecurity sharing (though they don’t mention security standards) for airlines. Bank regulators are already demanding higher standards from them.

And someday soon someone will start talking about mandating response time for operating system fixes, given the problems with Android updates.

Maybe the recognition that one after another industry requires not immunity, but an approach to cybersecurity that actually requires some minimal actions from the companies in question, ought to lead Congress to halt before passing CISA and giving corporations immunity and think more seriously about what a serious approach to our cyber problems might look like.

That said, note that the hawks in this story are still adopting what is probably an approach of limited use here. Indeed, the story is notable in that it cites a cyber contractor, JAS Global Advisors’ Jeff Schmidt, actually raising questions about whether mandated info-sharing (with the government, not the public) would be all that effective.

If OPM has finally demonstrated the real impact of cyberattacks, then maybe it’s time to have a real discussion of what might help to keep this country safe — because simply immunizing corporations is not going to do it.

In NYT’s Fictional Presentation, China Pioneered the “Collect It All” Strategy

Way down in the second-to-last paragraph of this NYT piece claiming the US will retaliate against China for the OPM hack, national security reporter David Sanger makes this claim about the hack, about experts affiliated with an agency that aspires to “Collect it all.”

Instead, the goal was espionage, on a scale that no one imagined before.

He follows it — he ends the entire article — with uncritical citation of this statement from a senior intelligence official.

“This is one of those cases where you have to ask, ‘Does the size of the operation change the nature of it?’ ” one senior intelligence official said. “Clearly, it does.”

Several paragraphs earlier, the reporter who did a lot of the most important work exposing the first-of-its-type Stuxnet attack makes this claim. (NYLibertarian noted this earlier today.)

The United States has been cautious about using cyberweapons or even discussing it.

In other words, built into this story, written by a person who knows better, is a fiction about the US’ own aggressive spying and cyberwar. Sanger even suggests that the sensors we’ve got buried in Chinese networks exist solely to warn of attacks, and not to collect information just like that which China stole from OPM.

So if someone creating either a willful or lazy fiction also says this …

That does not mean a response will happen anytime soon — or be obvious when it does. The White House could determine that the downsides of any meaningful, yet proportionate, retaliation outweigh the benefits, or will lead to retaliation on American firms or individuals doing work in China. President Obama, clearly seeking leverage, has asked his staff to come up with a more creative set of responses.

… We’d do well to ask whether this is nothing more than propaganda, an effort to dissipate calls for a more aggressive response from Congress and others.

There is, however, one other underlying potential tension here. Yesterday, Aram Roston explained why some folks who work at NSA may be even more dissatisfied than they were when a contractor exposed their secrets for the world to see.

Employees at the National Security Agency complain that the director, Adm. Michael Rogers, is neglecting the intelligence agency in favor of his other job, running the military’s Cyber Command, three sources with deep knowledge of the NSA have told BuzzFeed News.

“He’s spending all his time at CYBERCOM,” one NSA insider said. “Morale is bad because of a lack of leadership.” A second source, who is close to the agency, agreed that employees are complaining that Rogers doesn’t seem to focus on leading the agency. A third said “there is that vibe going on. But I don’t know if it’s true.”

[snip]

[O]ne of the NSA sources said Rogers appears to be focusing on CYBERCOM not just because the new organization is growing rapidly but also because it has a more direct mission and simpler military structure than the complex and scandal-ridden NSA in its post-Snowden era. That makes focusing on CYBERCOM easier, that source said, “than trying to redesign the National Security Agency.”

If true (note one of Roston’s sources suggests it may not be), it suggests one of the most important advisors on the issue of how to respond to China’s pwning the US is institutionally limiting his focus to his offensive role, not his information collection (to say nothing of defensive) role. So if Roston’s sources are correct, we are in a very dangerous position, having a guy who is neglecting other potential options drive the discussion about how to respond to the OPM hack.

And there’s one detail in Sanger’s story that suggests Roston’s sources may be right — where Rogers describes “creating costs” for China, but those costs consist of an escalation of what is, in fact, a two-sided intelligence bonanza.

Admiral Rogers stressed the need for “creating costs” for attackers responsible for the intrusion,

Those of us without the weapons Rogers has at his disposal think of other ways of “creating costs” — of raising the costs on the front end, to make spies adopt a more targeted approach to their spying. Those methods, too, might be worth considering in this situation. If we’re going to brainstorm about how to deal with the new scenario where both the world’s major powers have adopted a bulk collection approach, maybe the entire world would be safer thinking outside the offensive weapon box?

After Targeting OPM, Hackers Moved onto United?

Bloomberg reports that the same people who hacked OPM then went on to target United, which does a lot of business with the government (and, though the story doesn’t say it, a lot of flights to China).

United, the world’s second-largest airline, detected an incursion into its computer systems in May or early June, said several people familiar with the probe. According to three of these people, investigators working with the carrier have linked the attack to a group of China-backed hackers they say are behind several other large heists — including the theft of security-clearance records from the U.S. Office of Personnel Management and medical data from health insurer Anthem Inc.

[snip]

The timing of the United breach also raises questions about whether it’s linked to computer faults that stranded thousands of the airline’s passengers in two incidents over the past couple of months. Two additional people close to the probe, who like the others asked not to be identified when discussing the investigation, say the carrier has found no connection between the hack and a July 8 systems failure that halted flights for two hours. They didn’t rule out a possible, tangential connection to an outage on June 2.

But what I find most interesting is that OPM developed a list of potential victims, including United, and alerted them of the signatures related to the hack.

The China-backed hackers that cybersecurity experts have linked to that attack have embedded the name of targets in web domains, phishing e-mails and other attack infrastructure, according to one of the people familiar with the investigation.

In May, the OPM investigators began drawing up a list of possible victims in the private sector and provided the companies with digital signatures that would indicate their systems had been breached. United Airlines was on that list.

That’s interesting for two reasons. First, OPM alerted United before it alerted even the less exposed OPM victims, those whose personnel data got stolen; OPM has yet to formally alert those whose security clearance data got taken. I get that you might want to alert additional targets before confirming publicly you know about the hack (potentially to learn more about the perpetrators).

But it also shows that data sharing — alleged to be the urgent need calling for CISA — is not a problem.

The Bullshit Excuses for Not Retaliating for OPM

A handful of anonymous sources have given Ellen Nakashima some bullshit explanations for why the Administration is not retaliating against China for the OPM hack.

Most laughable is that they’re willing to retaliate for “economic” spying but not “political” spying. While also mentioning the Sony example, Nakashima points to the DOJ case against Chinese hackers for eavesdropping on discussions about trade disputes from the steel industry.

As a result, China has so far escaped any major consequence for what U.S. officials have described as one of the most damaging cyber thefts in U.S. government history — an outcome that also appears to reflect an emerging divide in how the United States responds to commercial vs. traditional espionage.

Over the past year and a half, the United States has moved aggressively against foreign governments accused of stealing the corporate secrets of major U.S. firms. Most notably, the Justice Department last year filed criminal charges against five Chinese military officers accused of involvement in alleged hacks of U.S. Steel, Westinghouse and other companies.

Nakashima doesn’t say whether her sources made this connection or she did, but it’s an inapt example. As I pointed out at the time, spying on trade negotiation adversaries is precisely the kind of “commercial” spying we embrace. We do this all the time. DOJ chose to indict on those trade dispute discussions rather than on the never-ending list of hacks against more sensitive targets, like the F-35 development team, that fit more comfortably (though still not entirely) into the kind of “economic” spying we fancy others do but we don’t. DOJ probably made that choice because both the target and the evidence were segregable from more sensitive issues (the Chinese government and our clusterfuck of DOD contracting cyberdefense). In other words, it is not, as Nakashima uncritically claims, an example of the split between political and economic spying we claim to adhere to. That indictment is far better understood as us indicting Chinese hackers for something we not only do ourselves but that is also considered acceptable spying internationally, that is, as us trying to subject the rest of the world to our legal system, while choosing an area where we won’t have to give any secrets away to prosecute.

The rest of the WaPo story focuses on another nonsensical explanation for not going after China: to avoid revealing sources and methods.

“We have chosen not to make any official assertions about attribution at this point,” said a senior administration official, despite the widely held conviction that Beijing was responsible. The official cited factors including concern that making a public case against China could require exposing details of the United States’ own espionage and cyber capabilities.

Again, this is nonsensical and should not have been repeated uncritically.

The FBI and everyone else has been happy to blame North Korea for the Sony hack. But we’ve gotten no more proof there than we have that China is behind the OPM hack. Rather than exposing sources and methods to prove attribution, the government simply said, “trust us.” There’s no reason they couldn’t do the same here (indeed, that’s what they have been saying in secret). The Sony hack is proof that the government doesn’t feel like it needs to offer proof before it blames another country for a hack.

There are two far more likely reasons we’re not retaliating against China in this case (though the fact that we do this kind of stuff to China all the time — and they could happily point to proof of that to demonize us in response — is one of them).

First, we simply don’t “retaliate” against countries that are big enough to fight back (as Nakashima’s other example, of the Russian hack of State for which we haven’t retaliated, makes clear). It’s one thing to go after a group of hackers from which China can claim some plausible deniability. It’s another to go after China itself.

Finally, Nakashima alludes to what is probably the real reason we’re going to remain quiet about this hack.

The government also is pursuing an array of counter-intelligence measures aimed at guarding against the Chinese government’s ability to use the stolen data to identify federal workers who might be induced to spy for Beijing.

China has much of our intelligence community — and many other easily embarrassed types, including politicians — by the nuts right now. It knows who our spooks are, where they are, what they might know, what their fingerprints are, and what extramarital affairs they’ve admitted to. When someone has you by the nuts like that, it’s usually a good idea to extract your nuts before you start trying to throw punches. It’s going to take a long time for the US to do that.

Which strongly suggests that the more laughable excuses for not retaliating — the claim we’re not blaming China because of sources and methods and some split between economic and political spying that we don’t really follow — serve no other purpose than to avoid admitting how much China does have us by the nuts.

FBI’s 26-Day-Old OPM FLASH Notice

Shane Harris, who has been closely tracking the bureaucratic implications of the OPM hack, has an update describing a “FLASH” notice FBI just sent out to the private sector.

Or rather, FBI just re-sent the FLASH notice they sent on June 5, 26 days earlier, because they realized some recipients (including government contractors working on classified projects) did not have their filters set to accept such notices from the FBI.

The FBI is warning U.S. companies to be on the lookout for a malicious computer program that has been linked to the hack of the Office of Personnel Management. Security experts say the malware is known to be used by hackers in China, including those believed to be behind the OPM breach.

The FBI warning, which was sent to companies Wednesday, includes so-called hash values for the malware, called Sakula, that can be used to search a company’s systems to see if they’ve been affected.

The warning, known as an FBI Liaison Alert System, or FLASH, contains technical details of the malware and describes how it works. While the message doesn’t mention the OPM hack, the Sakula malware is used by Chinese hacker groups, according to security experts. And the FBI message is identical to one the bureau sent companies on June 5, a day after the Obama administration said the OPM had been hacked, exposing millions of government employees’ personal information. Among the recipients of both alerts are government contractors working on sensitive and classified projects.

[snip]

In an email obtained by The Daily Beast, the FBI said it was sending the alert again because of concerns that not all companies had received it the first time. Apparently, some of their email filters weren’t configured to let the FBI message through.

Consider the implications of this.

It is unsurprising that the initial FLASH got stuck in companies’ email filters if the hashes included with the notice were treated as suspicious code by the companies’ anti-malware screens. The message likely looked like malware because it is. (Of course, this story may now have alerted those trying to hack recipients of FBI’s FLASH notices that the FBI wasn’t previously whitelisted by recipients, and probably just got whitelisted, but that’s a matter for another day.)
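The hash values a FLASH carries are meant to be matched against files on a recipient’s own systems. The following is an added example, not code from the FBI notice, from Harris’s article, or from this post, of how a defender would run that search: it normalizes the indicator list (mixed case, an “algo:” prefix, junk lines), hashes every file under a directory with MD5, SHA-1 and SHA-256 in a single pass, and reports which digests matched. The indicator values and sample files are constructed for the demo and are not the real Sakula hashes, which the page does not reproduce.

```python
import hashlib
import os
import tempfile
from pathlib import Path

HASH_ALGOS = ("md5", "sha1", "sha256")

# Constructed sample contents. The "malicious" bytes are an inert stand-in,
# not real malware; they exist only so the scan below has something to hit.
SAMPLE_MALICIOUS_BYTES = b"MZ\x90\x00 constructed stand-in, not a real sample"
SAMPLE_BENIGN_BYTES = b"#!/bin/sh\necho hello\n"


def hash_bytes(data: bytes) -> dict:
    """Return {algo: hexdigest} for an in-memory blob."""
    return {a: hashlib.new(a, data).hexdigest() for a in HASH_ALGOS}


# Constructed indicator list in the loose shape such notices arrive in:
# mixed case, an optional "algo:" prefix, and a line that is not a hash at all.
# (Derived from the sample bytes above; NOT the Sakula hashes from the FLASH.)
RAW_INDICATORS = [
    "SHA256:" + hash_bytes(SAMPLE_MALICIOUS_BYTES)["sha256"].upper(),
    hash_bytes(SAMPLE_MALICIOUS_BYTES)["md5"],
    "see attached report",
]


def normalize_indicators(raw_lines) -> set:
    """Lower-case, strip any 'algo:' tag, and keep only well-formed hex digests."""
    out = set()
    for line in raw_lines:
        h = line.strip().lower()
        if ":" in h:
            h = h.split(":", 1)[1]
        if len(h) in (32, 40, 64) and all(c in "0123456789abcdef" for c in h):
            out.add(h)
    return out


def hash_file(path, chunk_size=1 << 20) -> dict:
    """Compute all three digests in one pass so large files are read only once."""
    hashers = {a: hashlib.new(a) for a in HASH_ALGOS}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def scan_tree(root, indicators) -> list:
    """Walk a directory and return [(path, [matching algos])] for indicator hits."""
    matches = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digests = hash_file(path)
            except OSError:
                continue  # unreadable file; a real scanner would log this
            hits = [a for a in HASH_ALGOS if digests[a] in indicators]
            if hits:
                matches.append((path, hits))
    return matches


def demo() -> list:
    """Build a throwaway tree with one hit and one clean file, then scan it."""
    indicators = normalize_indicators(RAW_INDICATORS)
    with tempfile.TemporaryDirectory() as td:
        Path(td, "bad.bin").write_bytes(SAMPLE_MALICIOUS_BYTES)
        Path(td, "sub").mkdir()
        Path(td, "sub", "ok.sh").write_bytes(SAMPLE_BENIGN_BYTES)
        return [(os.path.relpath(p, td), hits) for p, hits in scan_tree(td, indicators)]


if __name__ == "__main__":
    for path, hits in demo():
        print(f"MATCH {path} ({', '.join(hits)})")
```

A digest list only detects the exact file it was taken from; a recompiled or repacked sample will not match, which is why a hash sweep like this is a first pass over a fleet rather than proof that nothing is there.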

The delayed FLASH receipt says a great deal about the current state of data sharing, and it comes just as the Senate prepares to debate the Cybersecurity Information Sharing Act, which (Senate boosters claim) companies ostensibly need before they’re willing to share data with the government.

First, it suggests that FBI either did not send out such a FLASH in response to what it learned from the Anthem hack (one presumably would have gone out by February at the latest, and if OPM had acted on it, it might have identified its own hack two months before it actually was identified), or, if it did, that alert also got stuck in companies’ malware filters, and OPM’s.

But it also seems to suggest that the private sector, including sensitive government contractors, hasn’t been receiving other FBI FLASHes (presuming the filter settings were set to exclude any notice that included something that looked like malware). Recipients either never noticed they weren’t getting them or never bothered to set their filters to receive them.

That may reflect a larger issue, though. As Jennifer Granick has repeatedly noted, key researchers and corporations have not, up to now anyway, seen much value in sharing with the government.

I’ve been told by many entities, corporate and academic, that they don’t share with the government because the government doesn’t share back. Silicon Valley engineers have wondered aloud what value DHS has to offer in their efforts to secure their employer’s services. It’s not like DHS is setting a great security example for anyone to follow. OPM’s Inspector General warned the government about security problems that, left unaddressed, led to the OPM breach.

Perhaps recipients didn’t have their filters set to accept notices from FBI because none of them have ever been useful?

Another factor behind reluctance to share with the government is an unwillingness to get personnel security clearances, though that should not be a factor here.

The implication appears to be, though, that the government was unable — because of recipient behavior and predispositions — to share information on the most important hack of recent years.

We’re about to have a debate about immunizing corporations further, as if that’s the problem. But this delayed FLASH strongly suggests it is not.