Author Archive

Anger at Chinese hacking continues to build in American business and government circles.  As a result, establishment figures have begun to embrace the idea of letting private companies do more than passively defend their networks.  The latest evidence is the report of a commission headed by two Obama appointees, former US Ambassador to China (and minor GOP Presidential candidate) Jon Huntsman and former Director of National Intelligence Dennis Blair. The report apparently names Chinese hacking as a major threat to intellectual property (it’s due out later today).  And according to early press reports the commission calls for an expansion of private companies’ authority to track their stolen data back to the attacker’s network:

“The commission argued that American companies “ought to be able to retrieve their electronic files or prevent the exploitation of their stolen information” by designing their computer files to self-destruct if they fall into the wrong hands. But the authors of the report also say that if the damage “continues at current levels,” the government should consider allowing American companies to counterattack — essentially taking cyberwar private.

“If counterattacks against hackers were legal, there are many techniques that companies could employ that would cause severe damage to the capability” of the Chinese or other groups committing computerized theft, the report said. But it added a qualifier: “while properly empowered law enforcement authorities are mobilized.” Many in the administration have opposed such ideas, fearing that they could lead to a cycle of escalation between the United States and other nations that could easily spin out of control.”

The commission also adopts another view first popularized here:  that attribution of attacks should be followed by retribution, and it comes up with at least one clever bit of retribution that I’d missed:  restrictions on access to US stock exchanges:

“The new report does propose specific remedies. One is to mandate that foreign companies that want to be listed on stock exchanges in the United States first pass a review by the Securities and Exchange Commission about whether they use stolen intellectual property. “They all want their shares to be traded here, so this would impose a real cost,” Mr. Blair said. Similarly, whether companies protect intellectual property would be considered by the Committee on Foreign Investment in the United States, which judges whether an investment in the United States could pose a security risk. Currently it looks only at national security implications of investments; this would add a new criterion.”

 

Weak Links in the Supply Chain

I’m testifying today on supply chain vulnerabilities and cybersecurity. The testimony is in a hearing held by the House Commerce Committee’s Subcommittee on Communications and Technology. Here’s my quick diagnosis of the issue:

Intrusions on our networks have reached new heights.  They have moved from penetration of government and military systems to wholesale compromises of companies, trade associations, think tanks, and law firms.  Most of these attacks have been carried out for espionage purposes – stealing commercial, diplomatic, and military secrets on a massive scale.

This espionage campaign has paid dividends for our adversaries, and it’s likely to pay more, because any network that can be compromised for the purpose of espionage can be compromised for the purpose of sabotage.  The next time we face the prospect of a serious military conflict, we can expect our adversaries to threaten the destruction of computer networks – and the civilian infrastructure they support – inside the United States, probably before we have fired a shot.  From the American point of view, this is a new and profoundly destabilizing vulnerability. From our adversaries’ point of view, it is an exciting new weapon with enormous potential to neutralize many of our traditional military advantages.

To make things worse, one of the countries that the Obama administration has criticized most often for cyberattacks, China, is also a major supplier of increasingly sophisticated electronic equipment to the United States.  Given the value of cyberespionage for waging both war and peace, it’s only reasonable to assume that every potential adversary asks itself whether it can make the job of its cyberwarriors easier by tinkering with electronic gear before it’s shipped to the United States. Or, as I put it in Skating on Stilts, a book about technology challenges to policymakers, if the “countries that [view] us as an intelligence target … could get their companies to compromise U.S. networks, they’d do it in a heartbeat.”

The remainder of the testimony discusses the limited legal authority that government has to deal with the risk of “intrusion-friendly” technology from abroad:

CFIUS is an inadequate tool for this job.  It gives the government only haphazard insight and leverage over the security of telecommunications and information technology.  That’s because CFIUS has jurisdiction only over corporate acquisitions.  Team Telecom, which I also oversaw from a DHS perspective, adds a bit to that authority, giving national security agencies an ability to impose conditions on foreign telecommunications carriers seeking Federal Communications Commission licenses to operate in the United States.  But Team Telecom has no explicit authority in law; its reach is no greater than the FCC’s.  As a result, even the most dangerous and unreliable suppliers of commercial telecom and IT equipment are free to sell their products in the United States without an inquiry into the security risks the products may pose.

I close with a look at new measures emerging from the government’s recent focus on this risk, from the executive order on cybersecurity to various provisions adopted under the defense authorization or the appropriations process.

Full testimony is here: Baker testimony to House Commerce on supply chain security.

PHOTO: Mschel

I’ll be testifying this morning before the Senate Judiciary Committee’s subcommittee on crime and terrorism. My testimony will touch on the Attribution Revolution in cybersecurity, the need to move from attribution to creative forms of retribution, and the need to give victims more leeway to investigate the hackers who attack them. Here are some excerpts:

That is why I will focus my remarks today on what is shaping up to be an “attribution revolution.” The theory is simple. The same human flaws that have left our networks ever more exposed to attack are undermining our attackers’ anonymity. This is what I like to call Baker’s Law: “Our security may be toast. But so is theirs.”

As numerous recent reports show, attackers are only human. They make mistakes when they’re in a hurry or overconfident. They leave bits of code behind on abandoned command-and-control computers. They reuse passwords and email addresses and computers. Their remote access tools are full of vulnerabilities. These are openings that private researchers – from Mandiant and Trend Micro to SecDev and the Citizen Lab – have exploited; they’ve traced cyberattacks to the command and control computers used to carry them out, then to homes and offices of the hackers that perpetrate them. These reports have identified individuals and institutions closely associated with hacking US companies and agencies. They’ve found the universities where the hackers trained. They’ve found the hackers’ names and instant message addresses. Using these clues, researchers have even tracked the hackers down and called them up for comment. They’ve found the companies that employ the hackers today. In at least one case, hacking victims in the Republic of Georgia have turned the tables and used their attackers’ malware to take an attacker’s picture with his own desktop camera.

The attribution revolution has truly begun.

But attribution is only half of the formula if we want to deter cyberespionage. The other half is retribution. Once we identify our attackers, we need to persuade them to choose another line of work.

That does not necessarily mean that we should rely exclusively or even primarily on the Department of Justice or the Federal Bureau of Investigation. We must look beyond traditional criminal prosecutions to deter cyberespionage.

...

This brings me, finally, to the role that private companies should play. I’ll be blunt. We can’t rely exclusively on the Federal Bureau of Investigation. ... We need better ways to draw on the resources of the private sector and their investigators.

Right now, however, the Justice Department is doing more to hurt than to help companies that want to respond aggressively to the theft of their secrets and their intellectual property.

Let me give you one example. Suppose that a private investigator finds that data is being exfiltrated from his client to a particular command and control server. If the server is in the United States, the investigator may be able to persuade the owner, who is probably himself a hacking victim, to grant access to the server. This happens a lot, and it has great value, especially for attribution. The investigator may be able to identify the attackers and even recapture some of the stolen data.

But what if the hackers get wise and move the server to another location that they actually own? Can the investigator follow them to that other server and use what he knows about the gang’s passwords to get access to the evidence and the stolen data stored there?

Not according to the United States Department of Justice, which has begun actively and publicly discouraging any investigations that do not rely on the consent of the network owner, even when the network owner is the hacker himself. Recently, an anonymous Justice Department spokesman told Bloomberg BNA that intruding on an attacker’s network would be both bad policy and “likely a violation” of the Computer Fraud and Abuse Act.

This is unfortunate in so many ways that I can understand why the spokesman insisted on anonymity.

Here’s a link to the whole thing: Download S Baker- Crime and Terrorism SubCommittee Testimony 5-7-13 – Attribution Revolution.  (And, yes, I bowdlerized Baker’s Law for the august halls of Congress.)

Most people know that China’s largest telecommunications supplier, Huawei, has been largely excluded from the US market because of official allegations that it will enable Chinese cyberespionage and wiretapping. What none of us realized, apparently, is the real reason that Huawei’s been forced out.

Luckily, the company’s head of Cyber Security, John Suffolk, is happy to set us straight.  According to his blog, it’s because Huawei is too much of a civil liberties hero to be allowed into the US market: “Maybe this is why America doesn’t want us to sell our equipment to American companies; maybe they will worry that we will see what they do with American Citizens personal data, monitoring and storing of everything that passes through telecommunications.”

When I said in a recent post that, “The ACLU must be really popular these days in Beijing,” I didn’t realize how quickly China’s advocates would start channeling American civil libertarians.

If you’re looking for laws of unintended consequences, you can’t do better than privacy.  Take two examples plucked from last week’s front pages:

Here’s the New York Times reporting on massive fraud in the billion-dollar settlement of claims that the Agriculture Department discriminated against black, Hispanic, and female farmers:

“It was the craziest thing I have ever seen,” one former high-ranking department official said. “We had applications for kids who were 4 or 5 years old. We had cases where every single member of the family applied.” The official added, “You couldn’t have designed it worse if you had tried.”

… “[T]here was no way to refute what they said,” said Sandy Grammer, a former program analyst from Indiana who reviewed claims for three years. “Basically, it was a rip-off of the American taxpayers.”

The true dimensions of the problem are impossible to gauge. The Agriculture Department insists that the names and addresses of claimants are protected under privacy provisions.

And here’s a Boston Herald report on its attempt to find out how many benefits the Tsarnaevs received before their bombing attack on the Boston Marathon:

The Patrick administration clamped down the lid yesterday on Herald requests for details of Tamerlan Tsarnaev’s government benefits, citing the dead terror mastermind’s right to privacy.

Across the board, state agencies flatly refused to provide information about the taxpayer-funded lifestyle for the 26-year-old man and his brother and accused accomplice Dzhokhar Tsarnaev, 19.

On EBT card status or spending, state welfare spokesman Alec Loftus would only say Tamerlan Tsarnaev, his wife and 3-year-old daughter received benefits that ended in 2012. He declined further comment.

On unemployment compensation, labor department spokesman Kevin Franck refused to say whether Tamerlan Tsarnaev ever collected, saying it was “confidential and not a matter of public record.”

On Dzhokhar Tsarnaev’s college aid, University of Massachusetts Dartmouth spokesman Robert Connolly said, “It is our position — and I believe the accepted position in higher education — that student records including academic records and financial records (including financial aid) cannot under federal law be released without a student’s consent.”

On cellphones, the Federal Communications Commission would not say whether either brother had a government-paid cellphone, also citing privacy laws.

Who knew?  Thanks to privacy law, people making dubious claims on a judgment fund don’t have to be identified as though they were litigants; and benefit recipients are protected from embarrassment even after death has made embarrassment the least of their troubles.

Actually, privacy laws have a long history of unintended consequences. Libertarians were outraged when citizens got arrested for recording the police; but those arrests were often based on state privacy laws that prohibited “eavesdropping” on conversations without all parties’ permission.  And laws inspired by Louis Brandeis’s famous right to privacy have become the mechanism by which celebrities extract fees for commercial use of their photos.  

These unintended consequences aren’t really an accident.  We think we know what we want when we pass laws protecting privacy, but it turns out that our notions of privacy are remarkably fluid and situational, so by the time the laws are actually applied they don’t actually correspond to our sense of right and wrong.  It works about as well as a law codifying and punishing rude behavior in public.

But in another way, there’s nothing at all surprising about the consequences of privacy laws.  From arresting citizen photographers to clamping a lid on government scandals, privacy laws almost always turn out to be remarkably convenient for the powers that be. 

Again, that’s not an accident.  As particular privacy laws lose their connection to evolving cultural standards, we slowly stop enforcing them (see, e.g., Brandeis, supra).  But they still get dusted off and enforced in a couple of situations:  (1) to punish people whom the authorities don’t like but who haven’t violated any other laws, and (2) to protect the kind of people who end up running the government.

Or, to put it another way, it looks as though privacy laws are doing for the twenty-first century what loitering laws did for the twentieth. 

PHOTO: Kai Strandskov

UPDATE: I realized after posting that I had improperly lumped two unintended consequences of privacy laws together in blaming Louis Brandeis for arrests of citizens photographing the police.  Instead those arrests are the heritage of privacy campaigners from the 1960s, who insisted that anti-eavesdropping law prohibit all nonconsensual recording.  Louis Brandeis did, however, inspire the quasi-intellectual-property “right of publicity,” an equally unintended outcome of laws adopted to preserve privacy.

There’s been considerable speculation about how the government handled Tamerlan Tsarnaev’s return from Russia. Before Tsarnaev’s return, both the FBI and the CIA had suggested that Tsarnaev belonged in the government’s classified terrorist database, and according to some reports an alert for Tsarnaev was entered into the DHS border system. Yet according to Secretary Napolitano these systems “pinged” when Tsarnaev left the country but not when he returned six months later.

The lack of a ping upon Tsarnaev’s return to the United States suggests a gap in US border defenses.  In general, the outbound “ping” is not a big deal.  It tells us that a terror risk is leaving the country, more a matter for celebration than suspicion.  We don’t usually inspect or question departing passengers, so it would have taken a pretty unusual notice to earn Tsarnaev much scrutiny on departure.

But his return should have been different.  He was entering the country, and at the border the government’s authority to stop travelers, to question them, and to search their luggage, including their electronics, is at its zenith.  If we have any doubts about the intentions of a returning green-card holder, this is the time and place to question him.

When the FBI paid a visit to Tsarnaev’s home, Tsarnaev had complete control of the interview.  He could throw the agents out whenever he chose, and he could certainly refuse to let them look at his computer and phone.  At the border, though, he can’t.  We could have learned a lot more about Tsarnaev’s journey into radicalism there.  For example, the FBI’s preliminary investigation included checking to see if Tsarnaev had posted on certain radical Islamist websites, but it couldn’t know what he might have downloaded, and it’s not clear that the FBI had any way to tell what he might have posted under a pseudonym.  Again, the government had its best chance of discovering those things by conducting a secondary inspection of Tsarnaev when he returned from Russia.

So why didn’t it? I doubt that it was a lack of DHS resources or a flood of higher priority travelers.  There may be half a million people in the terror database, but on any given day, there can’t be more than a couple of dozen flying into the United States. Since DHS conducts hundreds if not thousands of secondary inspections at airports every day, you’d expect it to routinely take a look at everyone who’s ended up in the terrorist database.

Unless they’ve been cleared.  There was a hint in Secretary Napolitano’s testimony that Tsarnaev wasn’t interviewed at the border because the FBI had closed its investigation.  This may mean that the administration has adopted a policy of treating the closure of an FBI preliminary investigation as “clearing” the subject of the investigation.

There are lots of ways that such a policy could have come about.  The FBI could have claimed exclusive authority to interview terror risks at the border, so when DHS calls to say “We’ve got this guy Tsarnaev coming in; do you want to talk to him?” and the bureau says, “Nah, we closed his case,” then DHS is expected to stand down.

If that’s the policy, it’s dumb.  The FBI may have closed its investigation because it didn’t find anything using its very limited authorities, but that should not prevent other agencies from using broader authorities to explore the Russian warnings in more detail.

It’s also possible that DHS itself has adopted a policy of not inspecting people in the terrorist database if the investigation has been closed.  That would be equally dumb; closing an investigation for lack of evidence is not the same as clearing the traveler of all suspicion, especially given the FBI’s limited ability to act on a vague tip from Russia.

In any event, this is one place where we should be seeking lessons from the Tsarnaev matter.  It sure looks as though the system failed.  Tsarnaev should have been given a very close look as he entered the United States. But it seems as though someone — probably at the FBI, perhaps at DHS or elsewhere — decided we should just say “Welcome home” and wave him through.

We should know who made that call, and we should know why.

Fool me once …


Sources: ACLU on street cameras and CISPA; EFF on street cameras and CISPA

This White House sure knows how to snatch defeat from the jaws of victory.

The President’s threat to veto CISPA (Download Cyber – S A P ) will likely kill cybersecurity legislation for the year.

Here’s the sentence that I believe will eat away at support for the legislation among its last defenders in Silicon Valley:  “The Administration ... remains concerned that the bill does not require private entities to take reasonable steps to remove irrelevant personal information when sending cybersecurity data to the government or other private sector entities.”

Those last four words signal a big change in the status quo.  Most companies today can share information voluntarily with the government without legal constraint, though electronic service providers must demand a subpoena before sharing information. And practically all companies, including electronic service providers, may share cybersecurity information with other private companies without worrying that the government is looking over their shoulders.

So in demanding that CISPA limit sharing with “other private sector entities,” the Administration is proposing a sweeping new regulatory scheme for the private sector. The scheme will actually impair cybersecurity by restricting the information-sharing companies now conduct to protect their networks.

And while the Statement of Administration Position tries to make the new regulatory scheme sound less harsh by claiming that it only requires “reasonable” steps to remove “irrelevant” private information, those words are code for “You’ll need a lawyer before you share any cybersecurity information with anyone.”  After all, reasonableness is a famously elastic concept in the law; you only really know whether your actions were reasonable five years after the fact, when the judge rules. 

And what is “irrelevant personal data” exactly?  Can an ISP identify the IP address of the computers sending DDOS packets toward a victim?  Much of the time an IP address is personal — it identifies an individual, or at least a family.  So is it “relevant” under the Administration’s new proposal?  Maybe. Stopping a DDOS attack is often easier if the victim knows the attackers’ IP addresses, but does the ISP have to verify that the IP address will actually help the victim stop the attack before handing it over? Will these quick decisions all be second-guessed at leisure by some privacy bureaucrat?   

I say security, you say liability. Let’s call the whole thing off. 

It’s hard to imagine any company supporting a bill that turns today’s largely functional and scandal-free cybersecurity information exchanges into minefields of uncertainty.  And in the absence of industry support, CISPA will be SOPA without Hollywood.

What’s remarkable is that the President started this debate by asking for almost exactly what the House Intelligence Committee has delivered.  Here is the Administration’s original legislative proposal on information sharing. On a quick review, I don’t see any limitations in the President’s proposal on what data the private sector can share — only limitations on what the government can do with the information it receives. Now that it comes to that, I don’t see a lot of the things that the President is suddenly highlighting as fatal flaws in CISPA.

So the short version of this story is simple:  The President says he will veto CISPA because it lacks features that he didn’t even bother to include in his own version of the same bill. 

This is some of the flakiest policy making I’ve ever seen at such a high level, and it strongly suggests that the Administration just isn’t that serious about information sharing for cybersecurity.

PHOTO: Donovan Govan

NOTE:  For those who complained that Steve McQueen was an anachronistic cultural reference, please note that I have taken your advice to heart and am now appealing to an entirely different generation.

Here’s the scant good news on cybersecurity: It’s getting harder for attackers to hide.  The same security weaknesses that bedevil our networks can be found on the systems used by our attackers. A shorter version is something I call Baker’s Law: “Our security sucks.  But so does theirs.”

That’s good news because, with a little gumption, we can exploit hacker networks, gather evidence that identifies our attackers, and eventually take action that will make them regret their career choices.

Unfortunately, the United States has been sitting out this attribution revolution.  Our vaunted CyberCommand may be energetically exploiting hacker networks, but it isn’t helping private victims of cyberespionage. Foreign governments are hacking US companies, law firms, activists, and individuals with abandon, but our government seems unable or unwilling to stop the attacks or identify the attackers.  In fact, hacking victims who want to gather evidence against the bad guys are being warned off, told that conducting a private investigation could put them at risk of prosecution.  As an anonymous Justice Department spokesman recently told the press,

“Arguments for or against hack-back efforts fall into two categories: law and policy,” the DOJ spokesman told BNA. “Both recommend against hack-back. Under current law, accessing a computer that you do not own or operate without permission is likely a violation of law. And while there might be something satisfying about the notion of hack-back on a primal level, it is not good policy either.”

Actually, the spokesman could have stated the Department’s policy even more concisely: “We don’t know how to protect you, but we do know how to keep you from protecting yourselves.”

Justice wants to cut off the debate over hacking back. But it’s too late for that.  Even if Justice adopts something tougher than its carefully qualified (and longstanding) statement that hackbacks are “likely a violation” of federal law, all it can really do is drive hackbacks offshore, leaving US companies more exposed to intrusions than companies in more tough-minded jurisdictions.

Exhibit A for this theory is a recent cybersecurity report from two Luxembourg entities, a private computer incident response team and iTrust Consulting.  Because it turns out that, as far as hackbacks go, little Luxembourg has more cojones than the entire United States cybersecurity establishment.

The report, by Paul Rascagnères, focuses on “APT1” — the cyberespionage gang recently identified by Mandiant as Unit 61398 of the Chinese People’s Liberation Army.  For those of us who think hackback is a useful cybersecurity policy tool, the report is both informative and fun — because Rascagnères served APT1 a double helping of what the unit has been dishing out to the rest of us for years.

Inspired by Mandiant, Rascagnères decided to go hunting for the hacking unit’s command and control infrastructure.  Unlike Mandiant, though, he didn’t start with victims and track back to the controllers.  Instead, he started at the other end, scanning whole networks of machines to find ones that were running Poison Ivy, the hackers’ favorite Remote Access Tool, or RAT.  Poison Ivy operates in a client-server model, where the client is installed on a victim’s computer and connects to the attacker’s server. The server software presents a graphical user interface for surreptitiously controlling another person’s computer. (Several screenshots of this “exploit GUI” are included in the report.)

The first thing Rascagnères discovered was that APT1 only ran its Poison Ivy servers during office hours – 8 to 5 Shanghai time. That by itself was a pretty good clue for attribution, but Rascagnères was just getting started.

Building on another researcher’s identification of weaknesses in Poison Ivy, Rascagnères did what any red-blooded Luxembourger would do (someone please cover the Justice Department’s eyes):  he broke into and mapped the hackers’ exploitation network.

And he collected valuable intelligence about how the Chinese unit is responding to the publicity generated by Mandiant’s report.  The Mandiant report described a unit that controlled many victims through a single command and control server, often a compromised machine in the United States.  This meant that when Mandiant got access to that command and control machine, Mandiant could identify dozens of other victim networks.

What Rascagnères found was more sophisticated – and partially protected from Mandiant’s technique.  Now, it appears, the Chinese hacking unit is covering its tracks by assigning every victim his own dedicated proxy server connected to his own Poison Ivy server. Both machines are remotely controlled by mechanisms (Remote Desktop Protocol and VMWare remote desktop) that obscure the actual location of APT1.  All of this makes it much harder to develop signatures of compromise, since exposing one exfiltration route reveals only a single “bad” IP address and no additional victims.

But Rascagnères caught the Chinese unit recycling IP addresses. When a victim realized he’d been infiltrated and started blocking his dedicated Poison Ivy IP address, the unit simply assigned that address to a different victim. So it’s still possible to assemble a list of victims and bad IP addresses, but only if each victim shares every “bad” IP address used against him, and that information is widely disseminated to other potential victims.  These changes tell us a couple of things about the Chinese unit.  First, they’re too cheap, too poor, or too invested to get a new IP address for every new compromise; that’s a weakness we can work.  And second, given how easily their new scheme can be defeated by widespread information sharing, they must be betting against adoption of CISPA. (The ACLU must be really popular these days in Beijing.)
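One way to put the sharing described above into practice, as an added example that is not code from this blog or from the iTrust / Malware.lu report: a small Python script that pools per-victim reports of dedicated C2 addresses, produces the shared blocklist, and flags addresses the operators reassigned to a new victim after an earlier victim blocked them. The victim names, dates and 203.0.113.0/24 addresses are constructed sample data.

```python
"""Correlate per-victim C2 address reports to expose address recycling.

Added example, not code from this blog or from the iTrust / Malware.lu
report.  It models the defence the post describes: every victim shares
every C2 address used against it, and the pooled list shows when the
attackers hand an address to a new victim after the first one blocked it.
All records are constructed; the addresses come from the documentation
range 203.0.113.0/24 and identify no real host.
"""
from collections import defaultdict
from datetime import date

# One record per (victim, dedicated C2 address): when the victim first saw
# traffic to it and when the victim blocked it (None = not yet blocked).
REPORTS = [
    ("victim-a", "203.0.113.10", date(2013, 1, 5), date(2013, 1, 20)),
    ("victim-b", "203.0.113.11", date(2013, 1, 8), date(2013, 2, 1)),
    ("victim-c", "203.0.113.10", date(2013, 2, 3), date(2013, 2, 15)),
    ("victim-d", "203.0.113.12", date(2013, 2, 10), None),
    ("victim-e", "203.0.113.11", date(2013, 2, 20), None),
    ("victim-f", "203.0.113.10", date(2013, 1, 10), date(2013, 1, 25)),
    # .13 is shared by two victims at the same time (no recycling after a
    # block); the correlation must tell that apart from .10 and .11.
    ("victim-g", "203.0.113.13", date(2013, 3, 1), None),
    ("victim-h", "203.0.113.13", date(2013, 3, 2), None),
]


def shared_blocklist(reports):
    """Union of every address any victim reported.  This is the list each
    participant should apply; a single victim only ever sees its own."""
    return sorted({ip for _, ip, _, _ in reports})


def recycled_addresses(reports):
    """For each address used against more than one victim, list the victims
    in order of first sighting and flag the address as recycled when some
    later victim first saw it after an earlier victim had blocked it."""
    by_ip = defaultdict(list)
    for victim, ip, first_seen, blocked_on in reports:
        by_ip[ip].append((first_seen, victim, blocked_on))

    findings = {}
    for ip, uses in by_ip.items():
        if len(uses) < 2:
            continue  # dedicated to one victim so far: nothing to correlate
        uses.sort()  # chronological by first_seen
        recycled = False
        for i, (later_first, _, _) in enumerate(uses):
            for _, _, earlier_blocked in uses[:i]:
                if earlier_blocked is not None and later_first > earlier_blocked:
                    recycled = True
        findings[ip] = {
            "victims": [victim for _, victim, _ in uses],
            "recycled": recycled,
        }
    return findings


def preempted_by_sharing(reports):
    """Victims whose C2 address had already been reported by someone else
    before it was turned on them.  With the shared list applied, that
    connection would have been blocked on day one.  Returns
    (victim, ip, earliest_reporter) tuples in input order."""
    protected = []
    for victim, ip, first_seen, _ in reports:
        earlier = [(fs, v) for v, ip2, fs, _ in reports
                   if ip2 == ip and fs < first_seen]
        if earlier:
            protected.append((victim, ip, min(earlier)[1]))
    return protected


if __name__ == "__main__":
    print("shared blocklist:", shared_blocklist(REPORTS))
    for ip, info in recycled_addresses(REPORTS).items():
        tag = "RECYCLED" if info["recycled"] else "shared"
        print(f"{ip}: {tag} across {info['victims']}")
    for victim, ip, reporter in preempted_by_sharing(REPORTS):
        print(f"{victim} could have blocked {ip} from {reporter}'s report")
```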

Even these discoveries didn’t end the drama.  At one point, the Chinese hackers realized that their network had been penetrated.  They started searching for the intruder, but so hamhandedly that he spotted the effort.  He installed a keylogger on the Poison Ivy servers that he had hacked and waited for the Chinese to log in to their proxy servers.  Then he dropped his compromised connection to the Poison Ivy servers and instead hacked the proxy servers using the Chinese hackers’ credentials. Once in the proxy server, his connection to the network looked like every other victim network communicating with its controller.

That’s impressive, but Luxembourg’s finest wasn’t even close to done. While he was in the hackers’ network Rascagnères copied their remote access logs to map the attackers’ workstation machines.  Then he rifled the Poison Ivy servers to find the tools the hackers were using — as well as all the data they were stealing from victim networks. The data had been password-protected by the hackers, so he brute-forced their passwords. And, while the Chinese unit was probably still desperately trying to figure out whether they’d successfully locked the intruder out, he exfiltrated all their stuff out from under their noses.

For those who’ve been the victims of Unit 61398, that sure sounds familiar.  And deeply satisfying.  Unless you’re the United States Justice Department, in which case it sounds like a felony, and “not good policy either.”

Justice couldn’t be more wrong.  This kind of tactic is absolutely essential if we want to create an effective defense against cyberespionage. Thanks to Luxembourg’s machismo, we won’t have to learn Unit 61398’s new tactics by trial and error; and we already have ways to thwart the new tactics, plus a store of tools and stolen data.

Oh and one more thing:  while he was playing with their command and control system, Rascagnères discovered that it didn’t correctly parse data sent by a victim machine.  Using that flaw, he wrote what looks to me like the first public zero-day exploit of the hackers’ own tool and released the code for other researchers to use.

Perhaps the Justice Department thinks that the government could have found all of this out on its own.  Maybe the government already knows all this from its own super-secret penetrations of Chinese hacker networks, achieved without any help from vigilantes like Rascagnères.  I kind of doubt it, but the more important fact is that it doesn’t really matter to all the private victims in this country what the government knows.  We need to know it too.  And because it wants to protect its sources and methods, the government isn’t likely ever to tell us.  After all, it didn’t tell us about Unit 61398, or about Luckycat, or about Ghostnet.  Everything we know about China’s hackers we owe to brave private citizens like Trend Micro and Mandiant and Citizen Lab, who went right up to the line that Justice is busily waving everyone away from.

Now we owe a lot to Paul Rascagnères, though he seems to have treated the Justice Department’s line the way Steve McQueen treated the fence in The Great Escape.

Well, God bless him, he’s showing us a new path to cybersecurity.  It’s better than the old path, for sure.  And no matter what the Justice Department says to American companies, the rest of the world is going to follow.

ART CREDIT: iTrust Consulting and Malware.lu

CAVEAT:  As always, I welcome corrections to my understanding of technical matters.

The House intel committee is amending CISPA to address privacy criticisms.  Politico’s Tony Romm reports on some of the likely amendments:

Still another amendment specifies clearly that CISPA won’t allow companies to “hack back” their hackers in pursuit of stolen trade secrets ...

Really?  A government that can’t protect us is debating new measures to make sure we can’t protect ourselves?

Well, it does sound kind of familiar ...

UPDATE:  To be fair, I’ve now seen the proposed amendment, and it tries to avoid taking a position on active defense, simply saying that CISPA doesn’t give any additional authority to private actors who want to investigate their attackers.  That’s still a bad idea, and rather than putting forward a sponsor’s amendment, the committee leadership should tell us exactly who asked them to reduce computer hacking victims to helpless computer hacking victims.  This article hints that the idea came from the White House and the Justice Department’s leadership.

Cybersecurity Meets the WTO

The continuing resolution that I wrote about yesterday could have a big impact on the federal government’s procurement of IT equipment from Chinese companies. As described in an earlier post, the resolution includes a provision that bars purchases of an “information technology system” that was “produced, manufactured or assembled” by entities “owned, directed, or subsidized by the People’s Republic of China” unless the head of the purchasing agency consults with the FBI and determines that the purchase is “in the national interest of the United States.” 

While the provision doesn’t prohibit purchases of Chinese-government-influenced systems, it makes such purchases politically difficult. How will China react?  Not well.  China has spent years trying to curtail its own purchases of IT from outside its borders, but that won’t stop it from calling the bill protectionist and claiming a violation of US WTO obligations.  Legally, China may have trouble making such a claim stick. China has not signed on to the WTO’s government procurement code; it is just an observer.

But China may not have to make the claim stick in its own right.  That’s because the provision doesn’t hit China directly.  Instead, it restricts purchases from Chinese-government-influenced entities, no matter where those entities manufacture their products.  This means that the provision could prevent purchases of Lenovo computers manufactured in Germany, or Huawei handsets designed in Britain. Both of these countries have joined the WTO government procurement code, which obliges its members not to discriminate against other member countries in procuring data processing software and hardware. This means the US could see WTO challenges to the provision from its own allies (unless they’re so sick of Chinese hacking that they decide to emulate the new provision rather than attack it).  

Would such claims prevail?  You might think that they would face an uphill fight; most WTO undertakings have an exemption for national security measures, and the procurement code is no exception. What’s more, there’s no doubt that buying commercial IT products from an untrusted source does raise serious security issues.  Indeed, we can thank China’s hackers for demonstrating to the world just how serious those security issues are.

But when I dug out the national security exemption, I was surprised to see that the US Trade Representative’s office had negotiated a strikingly weak security exemption for the WTO procurement code. The first paragraph of the exemption (article XXIII) only allows the US to restrict procurements that are “indispensable for national security or for national defence purposes.” In other words, the exemption is based on the nature of the goods being bought, and not on the nature of the threat. The US can make a good case that attacks on the Commerce Department or the Justice Department information systems threaten national security, but it’s hard to argue that the IT systems those departments buy are themselves indispensable for national security. 

There’s a second security provision in the code that might help the US defend the provision.  It allows “measures necessary to protect public morals, order or safety” but only if they are “not applied in a manner which would constitute a means of arbitrary or unjustifiable discrimination between countries where the same conditions prevail or a disguised restriction on international trade.” I think the US could defend the provision on the ground that it protects order and safety, but it would have the burden of showing that in application it is not an “unjustifiable discrimination” or a “disguised restriction” on trade.  These words virtually invite a highly subjective inquiry by a WTO panel, and there’s no telling how that would turn out.

Having stacked the deck against security in negotiating the code, USTR is no doubt now lobbying strenuously inside the administration for an interpretation that will make the continuing resolution meaningless.  

On first look there are a couple of ways it might do that.  For one, it could take the provision at face value.  “National interest” waivers are permitted under the law, and the President could require agencies to consider the nation’s WTO obligations in determining the national interest, setting the stage for numerous waivers.  That won’t be attractive to the White House, though.  It will expose the President to two rounds of criticism, first when he announces the national interest standard and again when each waiver is granted. 

So the administration may look for another way out, perhaps by narrowing the definition of an “information technology system.”  Borrowing from interpretations of the Buy American Act, the administration could decide that a new information technology “system” is created whenever an English-language manual is shrinkwrapped to a Chinese-sourced router.  As long as the shrinkwrapping is done by an American contractor, the newly minted “system” might fall outside the scope of the law. But that interpretation so clearly flouts the intent of the provision that it could raise serious political problems on both sides of the aisle for the administration, which could find itself painted as an apologist for Chinese cyberespionage — something it has worked hard to avoid in the past.

Anger over Chinese cyberespionage continues to mount in Congress, and it’s beginning to show in legislation. Not just in the bills Congressmen introduce, but in the ones Congress passes.

Demonstrating remarkable bipartisan angst about Chinese hacking and the risks in Chinese high tech equipment, Congress has added tough sanctions to the continuing resolution that funds the federal government and is now awaiting the President’s signature. The sanctions provision bars federal government purchases of IT equipment “produced, manufactured or assembled” by entities “owned, directed, or subsidized by the People’s Republic of China” unless the head of the purchasing agency consults with the FBI and determines that the purchase is “in the national interest of the United States”: 

Sec. 516. (a) None of the funds appropriated or otherwise made available under this Act may be used by the Departments of Commerce and Justice, the National Aeronautics and Space Administration, or the National Science Foundation to acquire an information technology system unless the head of the entity involved, in consultation with the Federal Bureau of Investigation or other appropriate Federal entity, has made an assessment of any associated risk of cyber-espionage or sabotage associated with the acquisition of such system, including any risk associated with such system being produced, manufactured or assembled by one or more entities that are owned, directed or subsidized by the People’s Republic of China.

(b) None of the funds appropriated or otherwise made available under this Act may be used to acquire an information technology system described in an assessment required by subsection (a) and produced, manufactured or assembled by one or more entities that are owned, directed or subsidized by the People’s Republic of China unless the head of the assessing entity described in subsection (a) determines, and reports that determination to the Committees on Appropriations of the House of Representatives and the Senate, that the acquisition of such system is in the national interest of the United States.

This could turn out to be a harsh blow for companies like Lenovo that have so far escaped the spotlight trained on Huawei and ZTE. But it may also bring some surprises for American companies selling commercial IT gear to the government.  It’s not clear that they even know which of their suppliers and assemblers are directed or subsidized by the Chinese government. Where the IT system is manufactured doesn’t answer the question; sanctions will depend not on where the system is made but on whether the company that supplies it is tainted by close ties to China’s government.

It will make life equally awkward for the Obama Administration, which has been slowly and hesitantly toughening its stance on Chinese cyberespionage.  The CR language will force the pace of retaliation, probably faster than the administration would like.  But the statutory alternative to implementing the ban is for the administration to certify purchases as in the national interest — possibly over the objections of FBI analysts who mistrust the gear. 

The continuing resolution passed both houses with this provision in it; the President could in theory refuse to sign it.  But this is a much-anticipated funding bill that heads off a government shutdown.  With Congress having for once avoided a Perils-of-Pauline crisis, it’s politically impossible for the President to put Pauline back on the railroad tracks — especially so the government can buy suspect equipment from China.  A veto is even less palatable than living with the provision.

Can cyberwar be limited by international law and diplomacy?  Those who believe in international “norms” for cyberwar usually argue that cyberattacks on financial institutions are beyond the pale.

For example, Harold Koh has declared the State Department’s view that cyberwarriors “must distinguish military objectives ... from civilian objects, which under international law are generally protected from attack.” And Richard Clarke, a former White House adviser, claimed in 2010 that “most countries would agree to sign a treaty not to attack each other’s international financial and banking system networks. They don’t want to cross that Rubicon, or the entire international banking system could go down.”

Really?

I can’t help noticing that, since these speeches were given, DDOS attacks on Western banks have been attributed to Iran and North Korea has been blamed for cyberattacks on banks in South Korea. If you’re looking for norms in actual conflicts, as opposed to speeches, cyberattacks on the financial sector are starting to look, well, normal.

I’ve never thought there was much romance in cracking the networks of American companies and agencies, but a recent LA Times article underlines just how dreary it can be.

The piece is based on a blog diary kept by Wang Dong, identified in recent reports as the notorious Ugly Gorilla, whose code has been found in many successful attacks on US networks.  Though it never reveals Wang’s employer or his job, the blog makes clear that the life of even a talented PLA hacker is not a happy one:

With no money and little free time, he found solace on the Internet. He shopped, chatted with friends and courted a girlfriend. He watched movie and television shows. He drew particular inspiration from the Fox series “Prison Break,” and borrowed its name for his blog.

Richard Bejtlich, Mandiant’s security chief, said posts written by the blogger, who called himself “Rocy Bird,” provided the most detailed first-person account known to date of life inside the hacking establishment. Although the blog was discontinued four years ago, the techniques described in it remain the same. “It is relevant,” said Bejtlich. “Things have not changed that much.”

The hacker, whose real family name is Wang, posted some 625 entries between 2006 and 2009. “Fate has made me feel that I am imprisoned,” he wrote in his first entry on Sina.com. “I want to escape.”

Hmm, maybe he can.

In the past, I’ve proposed that the US deny visas to people and institutions that contribute to cyberattacks. But sometimes carrots work better than sticks, and visas can certainly play that role as well. 

The Justice Department is authorized to issue a couple of hundred “S” visas each year to foreign nationals “in possession of critical reliable information concerning a criminal organization or enterprise.” The visa allows family members to enter as well, and it becomes a permanent residency if the witness’s “information has substantially contributed to the success of an authorized criminal investigation.”

Systematically hacking US companies and agencies surely constitutes a criminal enterprise under US law, and I note that an investigation can apparently be deemed a success without leading to a criminal conviction. 

So under current law, the Justice Department could send QQ messages to all the guys we’ve already identified as Chinese hackers, saying “The first of you who shows up at a US consulate with a full flash drive will get an S visa and a million bucks; the second one will get an S visa and $100,000.  The third will get an S visa and $10,000.  And the rest of you will be indicted with the evidence supplied by the first three, making China a prison you’ll never break out of.”

Somehow it just seems fitting for Prison Break to meet Prisoner’s Dilemma.

Credit:  Thanks to the official who first suggested this idea to me.  You know who you are!

Hollywood discovers hacking

That might sound like breaking news from 1983, but this time we’re not talking movie plots, we’re talking business.  Specifically how Chinese cyberespionage could affect Hollywood’s bottom line.  The Hollywood Reporter asked me to talk about that impact in a guest column, out this week.  Here’s some of what I said:

Hollywood might be blinded by its own product. China’s cyberspies aren’t intrepid Jolt-drinking loners (with an occasional adoring girlfriend) navigating dangerous networks to snatch secrets and flee before they’re geo-located by their opponent’s giant global tracking system.

No, the hacking campaigns described by Mandiant and others have all the flash and derring-do of your latest trip to the dry cleaners. ...

It’s routine. So routine, in fact, that most of the hacking is done between 8 a.m. and 5 p.m. Beijing time. ...

Hollywood might not have big secrets, but it’s got plenty of little secrets that someone in China probably wants. No government on Earth is more sensitive to its depiction in mass media than China’s. Why wouldn’t its government want to read the earliest versions of Hollywood’s scripts or have a ringside seat while studio execs debate how best to accommodate Chinese censors?

And don’t rule out what might be called crony espionage, either. Any company that has juice with the central government is a candidate for the cheapest form of state aid: free access to the secrets of their competitors and joint-venture partners. China is an enormous market, with the potential for great profits. But if the other side knows just how hungry the studios are — by reading their internal communications — the studios won’t leave the table with more than crumbs. Once you know the other side’s bottom line, it’s amazing how good a negotiator you can be.

Disputes that arise after the deal is done can be handled the same way. People who sue Chinese companies, along with their lawyers, are targeted by hackers. When security researchers are asked how many of the 100 largest U.S. law firms have been compromised by China, estimates range from 80 to, well, 100.

As for corruption, there’s no more sensitive topic in China. If a Western company is under investigation for paying bribes to Chinese officials, as many entertainment companies are now rumored to be, it’s safe to assume that the Chinese government will want to know — ahead of time — what the company is planning to tell the U.S. Securities and Exchange Commission.