Home » Cyber Security
Category Archives: Cyber Security
This entry was originally posted on the blog at Foresight Resilience Strategies here.
As long-time cybersecurity expert Bruce Schneier points out, even if every single person takes the advice of experts and protects themselves through credit freezes, it will not change the business model for data brokers; change may require legislation. With a sufficient legislative and regulatory response, consumers will have less to fear from future breaches. On the other hand, businesses worry about the impacts of a regulatory approach in the cybersecurity arena. What follows is a deeper examination of what proposals have already emerged and a survey of approaches that might eventually become solutions.
Regulatory Landscape: The Patchwork Nature of Existing Controls on Information
The current regulatory environment around companies maintaining large data stores about individuals primarily as a third party (that is, without interacting directly with individuals) is fairly atomized and incomplete. The primary law governing the credit bureaus is the Fair Credit Reporting Act (FCRA). The FCRA imposes requirement on Equifax, Experian, and TransUnion as well as some more sector specific information organizations (such as Innovis, LexisNexis, and Telecheck).
Under the FCRA these consumer reporting agencies must offer the chance for consumers to access their records and correct them. Any obligation to protect the information in those files is generally limited to a duty to correct or delete incorrect information. In addition, the covered organization can face liability for intentionally releasing a consumer’s credit information to a third party without the consent of the consumer. Consumer reporting agencies have no general obligation to provide some minimum level of protection to the consumer’s information from unauthorized access. In other words, if a hacker calls the bureau and successfully requests a consumer’s information, the credit bureau has liability under the FCRA; if the credit bureau leaves that information on an insecure server and the same hacker accesses and downloads it, the credit bureau has no liability.
There are a series of other laws that cover specific types of information: For healthcare information held by covered entities, there is the HIPAA Privacy Rule; for information about children, there is COPPA. The Federal Trade Commission (FTC), in addition to its responsibilities under the FCRA and COPPA, can pursue “unfair or deceptive acts or practices in or affecting commerce” but that requires some evidence of deception. If the company says it will share your personal information with others for profit and then does so, there is no deception. Some of these mechanisms, especially a consumer protection mission similar to that of the FTC, exist in state attorneys general offices as well.
All of these authorities form an incomplete patchwork that means that even in the egregious situation we find in the Equifax breach, in which so many consumers are affected and it seems likely that the security practices of the company were insufficient, there may not be direct liability for failing to provide a basic level of security for consumers.
Data Breach Notification Requirements are Nearly Ubiquitous
At the state level, the most directly relevant form of regulation for events like the Equifax breach are data breach notification laws. Data breach notification laws prescribe how a company that has had a breach must notify the public. Some researchers have credited the nearly ubiquitous data breach notification mandates in U.S. states with creating a culture of transparency. Data breach notifications have driven greater privacy awareness within the U.S. business community, especially when compared with other countries that have more prescriptive privacy laws on their books.
A national data breach notification standard would help in some ways by adding enforcement at the federal level to the system we have now. There was nearly a national data breach notification law passed in 2015 and that bill has now been reintroduced in response to the Equifax breach. It is too early to determine its fate.
Data breach notification has had a positive effect but it seems unlikely that adding a national layer to the requirement will drive additional change in how businesses handle personal data. Data breach notification attempts to close the barn door after the horse has already escaped by imposing requirements on the after-action activities. It does not impose requirement for what companies must do before the breach occurs. Bad practices and a lack of incentives to protect your information are what led to this problem and regulation of those practices is the only way to ensure they improve.
At least one other proposal does the necessary work of improving the FCRA by increasing transparency for consumers and making it easier to seek remedies. This doesn’t change the fundamental lack of protection for consumers’ information before the fact.
How Could Congress Respond?
Legislative proposals to respond to the Equifax breach should regulate what companies that keep personally identifiable information do with that information. One current legislative proposal from Senators Markey, Blumenthal, Whitehouse, and Franken starts to focus on these elements of consumer privacy for the data broker industry. It carves out data brokers already regulated under the FCRA from most of its access, disclosure, and notice provisions. It does not except covered data brokers from the bill’s requirement that companies develop a security plan to protect consumers’ personal information against loss, unauthorized access, use, modification, destruction, or disclosure.
The previous Administration contemplated a more complete implementation of privacy principles into law, recognizing that consumers needed a more complete set of protections than the patchwork found in current law. That draft covered a broader swath of companies and imposed a more complete set of requirements including notice to consumer, consent, access, integrity, security, and enforcement. The proposal mostly relied on a reasonableness standard to determine the way a covered entity could comply with the requirements in each of those areas. It also introduced the concept of safe harbors that would rely on a certified set of privacy practices developed in multistakeholder processes (several have been completed) certified by the Federal Trade Commission.
The Challenge for Industry and Legislators
The Equifax breach is the perfect storm of a security incident:
- The breach broadly impacts the security of the personal information of potentially the majority of U.S. adults,
- Equifax collected and mishandled this sensitive information without ever asking the consumers’ permission, and
- The breach included sensitive data that, unlike a breach involving passwords, consumers cannot easily change
The message that Congress takes from this breach will determine whether it will drive changes to the business practices in this industry. To the extent that the public considers this breach business as usual, Congress will likely restrict its activities to hearings on the topic. Should a larger awareness of the dangers of identity theft from this breach cause a stronger movement for a solution that will try and address the problem before breaches occur, Congress may break the logjam on data breach notification legislation or even go further than that toward substantive privacy or cybersecurity regulation.
The rites of post-election spring in D.C. are constant. Newly elected politicians struggling to get a handle on their job. The blooming of new rumors with regards to who is taking what undersecretary job and who is against them. Like the cherry blossoms bursting forth here in April, it is a dependable ritual.
Another cherished ritual is trying to figure out exactly what kind of policy direction the new Administration needs to pursue on infinitely complex matters – ones that seemed so easy in the campaign. In the case of cyber space and the U.S. intentions and actions therein, it is extraordinarily complicated.
New issues – 21st century issues – are hard to deal with in D.C. This town was born in World War II and its bureaucratic structure is a tribute to mid-20th century organization charts – layered and stove-piped. And they certainly not meant to deal with private sector issues beyond taxation and regulation. But, the cyber world we live in today hardly fits the U.S. Government model.
President Obama was the first to experience cyber space – and its connecting systems of the internet – full blast. Within his eight years, Obama was whipsawed by a world-wide social media explosion, the rapid decline of “old media” information providers, an acceleration of the decline of traditional “brick and mortar” business replaced by virtual offices, and a rapidly expanding “gig economy” for a new generation of young people.
The Obama Administration also experienced a domain in which America lost its position as the dominant player – with less than ten percent of the world’s users and shrinking — that could be outmatched and outwitted by smaller, more agile players from North Korea to groups like Anonymous and WikiLeaks. They exposed our public and private secrets. They reached into our inadequately secured systems. And they did it with relative impunity.
Other larger nation states sensing our vulnerability – particularly Russia and China – have used cyber space to their advantage. While controlling its use over its own population, Moscow and Beijing have gleefully used it to steal our secrets and to exercise power in our elections. They have literally built armies to exploit this new domain. America might be powerful on land, sea, air, and space. But we are more than equaled by them in cyber space.
At home, complicating our actions has been the development of a huge cyber culture. Eighty-five percent of cyber space is held in private hands. Five of the six top U.S. companies by market worth are tech firms ranging from Apple to Facebook to Microsoft. Mark Zuckerberg, Steve Jobs, Jeff Bezos, and Bill Gates are household names. And with them has come a libertarian generation who view all government as inept, and value information security above issues of national security.
So, What Is a Government to Do?
The Obama Administration did what governments traditionally do. They reacted big time. They set up “public-private partnerships.” The cleaved a Cyber Command out of the body of the NSA. They engaged in a series of meetings with international players – governments and corporations – to establish rules of the road in cyber space. And they set up department functions at FBI, DHS, and elsewhere to address specific issues with another in a line of relatively powerless White House czars – always forgetting what happened to the last czar of Russia.
And after all that effort, how is the USG doing? Well, the Russians stuck their noses deeply and freely into their first American election. Security in cyber space remains somewhat of a joke with endless breaches and continued thievery of information. The public-private partnership is a morass of disappointment for both the public and private sector. The internal USG bureaucratic struggles march onward over who is in charge of what and can reach out to whom. Mark Zuckerberg, further solidifying America’s cyber culture, wants to run for President. And we have a President who tweets.
It seems to me the time has come to establish a clear U.S. based doctrine for cyberspace. What does the USG want for our country from cyber space? In the Cold War, we pursued a series of strategies around a doctrine of Containment. We did not want the USSR to make the world communist. We would not allow another country to become communist. We would try to change over the ones that were. And we wanted to tip over the USSR. Not easy. Lots of failed strategies and some pretty successful ones. Took nearly 45 years. But we did it.
So, what about a Cyber Doctrine that simply says America needs to protect itself and its interests at home to maintain a free and secure internet for Americans – a National Cyber Security Doctrine.
First of all, recognize it’s going to take time to build success and we need to be flexible. We are in the earliest stages of cyber world. It’s like trying to determine air power strategy in 1914. In 20 years, we’ve gone from dial-up modems to the Internet of Things. Artificial intelligence is just in its infancy. We don’t know what we don’t know.
Second, understand that we are simply internationally outgunned on this one. There are four billion users of cyber space and the number continues to rise every day. There are 325 million Americans. We are big. But China and India are bigger. And so are the populations of the Middle East, Latin America, and Africa. And most of them don’t have a libertarian viewpoint of the world. We can continue negotiating internationally, but it is going to do little good for now.
Third, the White House needs to ask what can government do to make a secure and free internet at home. Follow the money. Appoint a National Cyber Director based in the Office of Management and Budget and as part of the National Security Council who will direct with money and program control over what the USG will do and will not do. That money and program power is crucial. Otherwise, no one in the USG will pay attention to them one bit.
Fourth, and finally, stay out of the direct intervention business with the private sector. Stay above the fray. You set standards. Provide tax breaks to get corporations and people truly interested in developing security for cyber space. Set legal penalties for when they don’t. For instance, the Internet Service Providers have been lax regarding security practices by their customers. (When is the last time you changed your password into something secure, not 123546 or password.)
A USG focused on security and access to cyber space at home is the best approach in a domain over which we have little practical control. Sometimes doing a little is the hardest thing to do. But a restrained National Cyber Doctrine is much better than doing too much.
Americans really don’t get the Russians. We are a people who pride themselves on divided government, openness, and the exposure of corruption – almost to the point of obsession. The Internet has allowed those truly American attitudes an even greater sway in the its body politic. Now, everyone can be their own “loudspeaker of truth.” In Russia, the story is quite the opposite.
Russia has a 500-year history of oppression from their “leadership.” It started with Czar Ivan the Terrible and continues today under Czar Vladimir the First. Russia is country run by central control; a state that views opposition as criminal and traitorous. And one of the most important parts of state power is controlling what people “think” through the information they are provided.
Thanks to the Internet, the Russians can more easily manipulate information than ever before. And Moscow is now applying gleefully that ability to their overseas goals. Most recently, Moscow been accused by Washington of desiring to control and influence our Presidential elections. And to a limited extent, Moscow have succeeded by the very effort. In the domain of worldwide Internet, perception is reality.
This type of information manipulation for political result is not new. In the Cold War between the U.S. and Russia, perception was often reality. The United States used covert means to supply information to friendly overseas sources to reinforce its positions. Occasionally, such as in Vietnam, it even deluded itself and the American people into believing that a limited, winnable war was possible.
The KGB, Russia’s Cold War spy service, was expert at planting damaging information about the U.S. around the world. It was a way of undermining our influence and the perception of wrong doing was all that mattered in the war of minds. Sometimes it worked quite well and the damage persists to this day. For instance, it was the KGB that floated the idea that American experiments to dominate the Third World created AIDS.
And so it goes today. We deal with Russia relying on old habits reinforced and facilitated with new technologies. The Internet with its hidden corners of attribution is a hard place in which to fight rumor and innuendo. Instantaneous transmission makes it impossible to control or counter the initial message. The very fact the Russian are releasing information about American candidates is damaging to the perceived integrity of our elections. The idea they could fool with our vote count is even more upsetting to the legitimacy of an already spooked electorate.
So, the first game of perception management goes to the Russians. There will be a section of the U.S. population already unhappy with the election results that will forever believe the system is now vulnerable to massive rigging. The reality is that there are several thousand different voting systems – ranging from paper ballots to electronic voting gear rarely updated to the 21st century. Hacking on a mass scale is unlikely though some minor efforts may be made. But that does not really matter. Even a few hacking attempts could be enough to poison perceptions.
So, for this round, the Russians have won an American election. It will be up to a new Administration to make Moscow pay for this interference. The games have only just begun.
For those of us of a certain age, The Godfather movies represented a cultural touchstone and an endless source of “tough guy” quotes. “Leave the gun, take the cannoli.” “I’ll make him an offer he can not refuse.” And, my favorite as one of the lead characters ruefully comments on another’s death, “this is the business we have chosen.”
When I heard about the Yahoo data breach of some 500 million accounts, I was expecting public outrage. What I’ve seen from the public so far is a shrug of the shoulders and a sigh. For cyberspace, leaked information seems to be the cost of doing business. And, so far, the public seems willing to accept it.
I think this dull reaction is a combination of three problems – two technical and one social. The first is the ubiquity of an Internet that was never meant to do what it is doing. Security was not a consideration because the original development was done in national security installations. Thus the issues of outsider break-in and insider threat were not really considered. We are retrofitting security, which makes people feel better – more complex passwords and anti-hacking systems galore. But they are expensive and it is hard to judge their effectiveness versus their cost. But it appears to be a panacea to many concerns for many concern for now.
There also remains in the socially powerful Silicon Valley – a producer of much security software — an interesting 1960’s attitude toward free sharing of information and anti-government interference. This has produced a generation of younger libertarian people who expect their information to be protected from government surveillance and is outraged at government efforts to “surveil” them. In consternation to my generation of national security types, the breaches don’t seem to bother them as much.
The third problem is simply the problem of the public’s lowered expectations. The continuous drumbeat of breaches from OPM to Sony to Yahoo and hundreds of others have conditioned the public to accept this level of lax security. And until individuals are hit with some sort of personal cost – stolen credit card charges, fake bank accounts, and damaged credit – the cost does not really come home.
Some like former NSA head Michael Hayden have suggested a “high side” secure Internet. Many others are adopting forms of encryption – much to the pain of a government charged with national security in an Internet age when the bad guys use the Net.
So, unless there is some form of real and extensive public outrage, we are likely to continue in this pattern of a stream of security breaches and temporary wringing of hands. This may be the cyber business we have chosen, but paraphrasing The Godfather characters, it’s about time we make the illegal hackers an offer they can’t refuse.”
The cyber hack of the Democratic National Committee, and the subsequent release of 19,000 e-mails by Wikileaks, is the leading political news story today, with the news media reporting on ignominious details from many of the e-mails, and the DNC Chairwoman resigning her position at least in part as the result of these e-mails. Moreover, numerous reports indicate that many experts and government officials believe that one or more Russian intelligence agencies are behind the hack, using Wikileaks as a cut-out to disseminate the e-mails.
This cyber hack and data dump is the latest in a series of similar such attacks against organizations and individuals over the past few years, including the Sony hack in 2014 (reportedly carried out by North Korea), the hack of CIA Director John Brennan’s personal e-mail account in 2015, and hacks and massive data dumps of informaion from private sector companies such as Stratfor, HBGary, and Hacking Team. In each of these cases, and especially with Sony, the news media reported not just on the fact of the hack but also on the contents of the stolen and leaked information. This reporting has magnified the impact of all of these hacks, helping the hackers and leakers to achieve the intended consequences of their efforts, and thus implicitly encouraging future hacks and data dumps.
This trend raises serious questions as to how the news media should act with respect to hacked information:
1. Should the news media be reporting at all on the content of stolen, hacked information? Would news media outlets report on materials that had been physically stolen from companies’ offices? If not, then why is cyber different?
2. If the answer to the question above is ‘yes’, are there limits on what should be reported on? Is “newsworthiness” enough? Should there be some standard of wrong-doing (criminal activity, corruption, etc.) as the basis for reporting, similar to standards for whistle-blowing within the US Government?
3. Should the news media exercise different degrees of restraint depending upon the target of the hack, i.e. whether it is a government agency, corporation, non-profit organization or individual?
4. How should information about the likely perpetrator of the hack influence decisions by the news media about what to publish? For example, with respect to the DNC hack, it appears probable that a foreign intelligence service is conducting an operation that is intended to undermine and influence the democratic process in the U.S. Does the U.S. news media really want to be in the role of facilitating such an operation?
5. How should the additional factor of a criminal investigation or indictment influence decisions by the news media to report on the leaked content from hacks?
These issues are as deserving of discussion within the news media as the content of the leaks themselves. While there is no feasible way to completely restrain dissemination of hacked information from such leaks, given the proliferation of blogs and independent news media outlets over the last decade, I would hope that mainstream news media outlets would develop a self-enforced code of conduct and set of policies for reporting on such hacked information, guided by the core principle that information from a cyber hack is the ill-gotten gain of a criminal act and should be treated with the same restraint as information purloined from the burglary of an office suite.
If we continue to see broad-based reporting by the media on hacked information, however, then there is a strong risk that this cycle of hack and leak will only grow worse, in a way that not only harms the hacked organizations but undermines American interests and values.
Last September, during his State Visit in Washington, China’s President Xi Jinping committed (see paragraph 48) to President Obama that China would not conduct or support cybertheft to benefit China’s economic competitiveness. President Xi then took that non-binding commitment with the United States on the road and became its primary advocate, culminating in the inclusion of similar language in the Antalya Communiqué agreed by the leaders of the G20 in November.
As I noted on this blog (twice in September and again in December), accepting that non-binding commitment as progress delayed taking meaningful action–in the form of economic sanctions–to try and actively influence the cyber behavior of China’s state-sponsored hackers. My argument at that time, and still today, is that in adopting that non-binding commitment, the Chinese President was practicing the Art of War on the United States by making a rhetorical feint while continuing the cyber activities–state-sponsored and state-supported cybertheft of U.S. companies’ proprietary information–that violate that commitment and continue to undermine the U.S. economy.
As alluded to above, the reason President Xi felt the need to send his high-level envoy Meng Jianzhu to negotiate the non-binding commitment appears to be the widely reported fact that the Administration was readying a package of sanctions against Chinese individuals and entities. The Chinese President prefered to take on a commitment to which its government has no intention of abiding rather than face inconvenience and loss of face that sanctions would cause. If the Administration had moved forward with sanctions last fall, China would have been the first country to have its entities and citizens targeted by sanctions under President Obama’s April 2015 Executive Order announcing a national emergency on cybersecurity and authorizing such sanctions.
Now just over six months after President Xi’s State Visit during which he endorsed the norm against cybertheft, that commitment appears to have done its job completely…for China. This issue, which used to be very high on the list of difficult problems in communications between the two Presidents, barely got a mention last week when the Presidents met in Washington on the sidelines of the Nuclear Security Summit. Based on the readout from that meeting, “[t]he President reiterated that we will continue to monitor whether Chinese actions demonstrate their adherence to the commitments.” But has anything changed that would merit continued passivity in the face of China’s cybertheft?
The best source of such information is the federal government, but it is not forthcoming about its information for obvious reasons. Still, we can look at the sources that told us there was no change toward the end of last year–both private sector and government–but there has not been much further discussion of whether this type of hacking continues through the first 3 months of 2016. Discussion about the direction of China-based intrusion sets in CrowdStrike’s 2015 Global Threat Report, released in February 2016, asserted that “[t]he economic downturn and new Five Year Plan in China will continue to drive their state-sponsored cyber espionage activities.” The report also details how the current economic cybertheft intrusion sets CrowdStrike has identified over time map to the priority economic sectors listed in China’s new Five Year Plan. And in comments to Politico last week, counsel to the Intellectual Property and Technology, Media and Telecoms group in Hong Kong suggested that there may have been an increase in cybertheft.
The Intelligence Community provided additional information this year in the Congressional testimonies of both Director of National Intelligence Jim Clapper and the leader of Cyber Command and NSA Director Admiral Michael Rogers. Both concluded, in identical language in their written testimonies that, “China continues cyber espionage against the United States.” And Director Clapper further elaborated that, “China continues to have success in cyber espionage against the US Government, our allies, and US companies” (emphasis added). Clearly, China has not stopped the conduct that nearly resulted in the imposition of economic sanctions last Fall.
On that basis, the time has come for the Administration to impose such sanctions on Chinese entities and individuals. The testimonies of both IC officials, however, raises a troubling question about whether the Administration is making the situation worse for American businesses. In both Director Clapper’s testimony and in responses to questions from the Senate Armed Services Committee by Admiral Rogers, the IC leaders suggested that without evidence of “…the use of exfiltrated data for commercial gain,” the jury would be out. As Admiral Rogers put it this week, “The question I think we still need to ask is, is that activity then in turn shared with the Chinese private industry?”
In fact, several reports have asserted attribution of intrusion sets focused on commercial information to Chinese state actors going back several years, but the additional burden of showing the stolen data used for specific commercial gain by Chinese industry adds a tremendous complication to any attempt to sanction Chinese cyber activities that threaten U.S. competitiveness. Such a burden would delay any such sanctions until they were far too late to be of any use. Perhaps more importantly, President Obama’s April 2015 Executive Order adopted a “reasonably likely” standard for imposing sanctions on persons or entities that engage in cybertheft. Adopting the IC’s standard–putting the onus to detect, attribute, and trace the misappropriated information through to its use by a commercial entity–is far too generous to the hackers. Combined with the reduced attention paid to the problem since President Xi’s State Visit, the adoption of this standard would render sanctions for hacking activity a dead letter.
The question the Obama Administration faces now, six months after it allowed President Xi to take the initiative, is how to regain the momentum in its fight against Chinese cybertheft. As detailed in December, the indictments of five Chinese People’s Liberation Army (PLA) hackers by the Justice Department in May 2014 had a measurable effect on the PLA’s cybertheft activities. If that is the case, indictments against hackers from the Ministry of State Security, China’s external intelligence agency, or the Ministry of Public Security, China’s domestic police agency, could be one way forward. Indictments are not a great policy option because as a law enforcement action, it is insulated–appropriately–from the policy process. As successful as those indictments were at sending a message, using that tool on a regular basis would be difficult for an Administration to control or direct. The real hope is that the White House would look at the continued cybertheft conducted by China and revisit its decision not to impose sanctions on China immediately after President Xi’s State Visit. With significant continued cybertheft originating from China, one hopes for that reversal very soon.
Playwright Neil Simon wrote a play called “The Odd Couple.” It was the story of very different two men trying to share a NY apartment. Oscar was a total slob who was a top sports reporter. Felix was a total neat freak who was a top photographer. Yet, somehow they arrived at an accommodation though living in constant disagreement. In cyber world, Oscar is Silicon Valley and Washington is Felix. And, paraphrasing the opening of the Odd Couple – can they share cyber world without driving each other crazy?
If you had to pick two nearly opposite cultures, Silicon Valley and DC are it. The former is new, entrepreneurially brash, libertarian and a child of the open and easygoing lifestyle of the West Coast. It also strongly internationalist and driven by money as a metric and has loads of money made sometimes too easily in a market less devoted to results than “flipping a company” to gain more money. Still, it has become the creator and driving force of arguably one of the greatest technological and innovative bursts in mankind’s history.
In contrast, Washington is a staid place that is hugely powerful – arguably the capital of the most powerful nation on the planet for 70 years. It is filled with people drawn from around the country who are lawyers, social and hard scientists that do their best not to “stick up” from their surrounding fellows. Well established, it is a place of bureaucracy and order. Progress is not measured in money and quick results. It is measured in holding office and position – both of which provide power. It is also measured in compromise and a balancing of different interests for what is determined to be for the “public good.” Speed of decision is not its forte.
Not unexpectedly the first 15 years of the 21st century have constituted a long, drawn out sniping war between the two places. Washington pursues its national interests and Silicon Valley pursues its international interests. Washington thinks in terms of regulation and regards cyberspace as a public utility to be overseen. Silicon Valley loathes the DC oversight and fears the damage to its international business and independent spirit.
As time moves forward, however, the Oscar and Felix are beginning to see some common ground. While they argue vehemently over the use of encryption to secure cyber space, both DC and Silicon Valley recognize the constant barrage of cyber attacks as bad for public confidence.
Moreover, despite their internationalist viewpoint, Silicon Valley is beginning to feel the pinch overseas from nations who are not so happy about the free sharing of information or lack of control over content. As Facebook and Twitter are finding, for instance, China, Russia, Brazil, and UAE are not as welcoming to their efforts. Even India – the largest open market in the world now that China has stepped hard to regulate cyberspace – is balking at various proposals by Silicon Valley to break open India’s cyber world. These are arenas where the US government can help, if not necessary solve the challenges by pushing for international standards of openness and trade.
From the US Government standpoint, it is woefully behind the rest of the world – indeed the country – in terms of its own cyber security. The largest data leaks in the world have taken place in the US Government – from NSA’s Snowden to the Office of Personnel Management leak. Moreover, nation states and non-nation states — like China, Russia and innumerable private hackers with various agendas – have stripped sensitive technological information out of our most important projects. It needs Silicon Valley’s expertise to move beyond its 20th century, hide bound hierarchical structure and comprehensively adapt Silicon Valley’s new technologies and some of its spirit.
The Obama Administration’s recent high-level outreach to Silicon Valley is a good start to bridge that gap. Silicon Valley is also beginning to understand that it must better present its case in Washington.
Perhaps like Oscar and Felix, both sides can understand they live in the same cyber world and need each other.
Otto von Bismarck, the master politician who built modern Germany in the late 19th century said that “laws are like sausages, it is better not to see them being made.” The Omnibus bill that Congress is passing to fund the US government through next September is one huge, ugly sausage. Filled with chunks of budget, it is equally stuffed with a number of new laws. One of those chunks is the Cybersecurity Act of 2015, which includes an updated compromise version of the Cybersecurity Information Sharing Act (CISA). And a lot of people do not like the taste of this one bit.
CISA has been kicking around Capitol Hill for a number of years. Proponents say it is about sharing cyber threat and Internet information traffic between the government and the private sector. Opponents have labeled it a civil liberties danger with vast amounts of personal information being controlled and shared among government agencies with little oversight. Now, with a dash of oversight protection by Inspectors General and the Government Accountability Office thrown in, CISA was made part of the omnibus appropriations bill. And thus cyber sausage is made.
To add fuel to the cyber debate, Senate Majority Leader Mitch McConnell has said recently the legislative agenda for next year will include a review of the revisions to the PATRIOT Act from last year – pre-San Bernardino. The cyber industry response was swift and negative with one major lobbying organization calling such actions “reactionary.” An opposing wit compared the cyber industry’s reaction to the National Rifle Association – the Internet does not kill people, people kill people.
So where does this leave us in December 2015? The pressure post-San Bernardino to increase surveillance on the Internet and within social media next year is going to be huge. You can guess how each side will argue the debate based on previous positions. White papers are being drawn up. Metaphorical cyber wagons are being circled. And Presidential year politics will be filled with bombastic arguments on both sides.
Let me suggest, however, that in the middle of this debate the most important thing to keep in mind is what do we need to do to keep our citizens safe — safe from terrorists and safe from massive government intrusion in our lives.
This is a balance and it always will be a balance. If we now err on the side of more collection then it needs to be done with better oversight than we’ve had so far. Frankly, whatever you may think of Edward Snowden, he brought home the ugly truth that massive, legal collection was taking place. Few knew how massive and fewer were providing something beyond rubber stamp oversight.
However, we also need to remember that there is no such thing as 100 percent security. We can collect every cyber haystack looking for terrorist needles and still miss the leads to a pending event.
Still, as heated, as the debate will be in 2016, it is better done in the open with both sides having at it and reaching some form of working agreement that will likely please no one. As Bismarck also said, “politics is the art of the possible, the attainable – the art of the next best.” No matter what we decide, nothing will be 100 percent satisfactory to everyone.
Chinese President Xi Jinping has had a busy autumn as the globe’s cyber diplomat-in-chief. How does the U.S. government now get Chinese government-supported hackers to change their behavior in a way that matches President Xi’s rhetoric?
On December 1 and 2, Homeland Security Secretary Jeh Johnson and Attorney General Loretta Lynch hosted a Chinese delegation led by State Councilor and Minister of Public Security Guo Shengkun in the first meeting of the U.S.-China High-Level Joint Dialogue On Cybercrime And Related Issues. The Dialogue, as described in the Joint Statement released at the end of President Xi’s State Visit in September, is to “review the timeliness and quality of responses to requests for information and assistance with respect to malicious cyber activity of concern identified by either side” and provide a hotline to escalate cases that could not be resolved through working-level cooperation.
Surprisingly, the press release issued by the U.S. Departments of Justice and Homeland Security after the meeting contained no mention of the norm proscribing cybertheft – the government-directed, cyber-enabled theft of proprietary business information used for competitive advantage – or even any generic suggestion that the U.S. side raised cases that illustrate U.S. concerns about Chinese conduct in that regard.
In fact, China’s agreement to a norm proscribing cybertheft – optimistically described as an agreement by China not to conduct cybertheft – was the main event at the State Visit. Afterwards, President Xi even followed up with two months of aggressive diplomacy designed to make China the primary proponent of this norm. During visits to other Western countries, Xi and his Prime Minister Li Keqiang added the norm to joint statements and the G20 leaders even adopted it in the Antalya Communiqué issued at their meeting last month in Turkey.
Surely, the broad push to adopt this norm represents a new understanding by Chinese leaders that such activity needs to end? Unfortunately, as I’ve written previously in this space, the agreement on the principle is accompanied by Chinese denials that they conduct cybertheft – denials that mirror denials on malicious activities in cyberspace heard from Chinese officials in the past. And this week, the Chinese government also redirected attention from cybertheft when it confirmed that before President Xi’s visit to Washington it detained an unspecified number of unidentified independent hackers in connection with the OPM data breach earlier this year – not the Chinese government cyber operators the Administration originally fingered.
One possible interpretation of China’s aggressive diplomatic push in favor of the norm and its effort to shift responsibility for the OPM hack away from government actors is a true change of heart in Beijing. Perhaps the Chinese government has concluded that stealing the innovative output of other countries is ultimately self-defeating and that such theft will no longer be a major component of its approach to innovation. After all, such theft is essentially parasitic and it requires a healthy host to support it (see p. 6). If the theft continued across decades, it would undermine—even more surely than failure to enforce intellectual property rights—the fundamental capability of innovative elements of the developed world’s economy to receive a return on the sector’s large investment in R&D. If the parasitic activity eventually kills the host, the result is a loss for both the developed world and China.
But that seems too optimistic. U.S. cybersecurity firms reported about one month after the State Visit that private U.S. companies were still being attacked by Chinese hackers operating with an unchanged methodology. And in mid-November, Bill Evanina, the Director of the Office of the U.S. National Counterintelligence Executive, had seen “no indication” that Chinese behavior had changed. So, in spite of a diplomatic blitz in favor of this norm against cybertheft, the Chinese leadership still treats its statements about refraining from cybertheft with the same cynicism displayed regarding promises not to militarize the South China Sea and never to pursue hegemony.
Examining China’s major reversal over the last three months closely, you can find a clue to why China has gone from chief denier of government-supported cybertheft to primary proponent of this norm. The switch was flipped when a leak from the White House about the threat of sanctions against Chinese entities and individuals for cybertheft under President Obama’s April 2015 Executive Order brought President Xi’s negotiator, Meng Jianzhu, to Washington to orchestrate President Xi’s acquiescence to the anti-cybertheft norm. Although unilateral economic sanctions, especially those that are very limited in scope, are thought to be more a way to send a message than to fundamentally alter a regime’s behavior, the reaction to merely the threat of sanctions was dramatic and immediate.
As I wrote in this space immediately following the State Visit, on cybertheft China has offered words in exchange for a change in action on the part of the U.S. government in a classic tactical gambit drawn directly from Sun Zi’s Art of War. But if the mere threat of sanctions resulted in the diplomatic reversal, why should the U.S. government suppose that limited sanctions would change behavior? Because such targeted actions appear to have worked with China on this issue in the last 18 months. When the U.S. government indicted five People’s Liberation Army (PLA) officers for cybertheft in May 2014, the diplomatic response from China was furious and seemed counterproductive: China withdrew from the State Department-led bilateral cyber dialogue and demanded the withdrawal of the indictments in most of its diplomatic engagements with U.S. officials. According to the Washington Post this week, however, behind the scenes, the PLA’s responded by dramatically reducing the level of economic espionage conducted by PLA-controlled actors. In other words, the indictments changed the behavior that has so frustrated U.S. policy makers.
Imposing the sanctions that the White House had contemplated in August might have resulted in a difficult diplomatic fallout. The upside, however, is that those sanctions also might have convinced the civilian hackers in China’s Ministry of State Security to curtail their cybertheft practices in the same way last year’s indictments convinced the PLA. It is not too late to learn this lesson. Now that China has agreed to appropriate norms of behavior in cyberspace without actually curtailing its malicious activities, the time has come to sanction Chinese entities and individuals responsible for cybertheft to get the change that will actually matter for the U.S. economy.
Last week on this blog, I suggested that the Chinese government had likely out-maneuvered the U.S. government on the question of cybertheft in advance of President Xi’s State Visit. Following meetings between Presidents Obama and Xi on Thursday and Friday of last week, the White House released a Fact Sheet affirming a common position on cybertheft as well as creating (another) high-level dialogue on cyber issues and the creation of a hotline for cyber-related incidents.
The bad news? Agreement to state a principle of behavior is still favoring talk over action. China’s acceptance of the norm is not inconsistent with Chinese protestations of innocence on cybertheft. Looked at in that light, the Administration may have paid a real price by agreeing not to sanction Chinese individuals and entities under the President’s April 2015 Executive Order (EO) in exchange for a commitment to a norm China insists it follows anyway.
The bottom line on whether to perceive this agreed language as progress or not depends on whether cybertheft is degrading American economic competitiveness by the second or cybertheft is one among a collection of cyber-related problems that can be resolved through deliberative international processes. The Obama Administration has consistently maintained that Chinese cybertheft represents an urgent national security problem as it degrades U.S. economic competitiveness and, undermines future U.S. growth. Accepting this premise, the U.S. government should have acted by announcing sanctions rather than settling for a statement that did not break new ground. If the White House had decided merely to delay sanctions until after the Xi visit, it would have been elevating diplomatic niceties over tough messaging; sanctions in October, however, would have gotten the job done. Chinese support of a norm against cybertheft without careful definition of the terms, a verification mechanism, or any penalties for violating those words does not.
A long-term goal of achieving agreement on norms of behavior in cyberspace presumes that the problem is not urgent and can be addressed best through an international process that will lead to some eventual multilateral agreement. (The President, in his remarks to The Business Roundtable earlier this month suggested both that the situation is urgent and that a drawn-out multilateral process provided the most effective way of achieving results, a logically inconsistent position.) If the long-term trumps the short-term, the results of getting Chinese buy-in on a norm of behavior proscribing cybertheft is a success on which the U.S. can build. The rhetoric from the Administration, however, does not support that conclusion.
Allow me to add one caveat: One commentator has suggested that sanctions will still happen and that the Administration only agreed to change the potential targets: “Expect them to come but to target companies not Chinese officials.” This information is not part of what the White House released following the visit so it is not possible to verify the extent to which the Administration agreed to defer santions. If sanctions will still happen, there is a stronger argument that this is a win-win outcome with actions as well as diplomatic words in the offing. I have a hard time believing that a Chinese envoy and a Chinese President agreed to make the statements on cybertheft in exchange for limited or unspecified forbearance related to sanctions. The proof should come in the next few weeks as we watch to see whether the U.S. Treasury imposes sanctions or not.