US-China cyber agreement: Is it enough of a good thing?

Last week on this blog, I suggested that the Chinese government had likely out-maneuvered the U.S. government on the question of cybertheft in advance of President Xi’s State Visit.  Following meetings between Presidents Obama and Xi on Thursday and Friday of last week, the White House released a Fact Sheet affirming a common position on cybertheft as well as creating (another) high-level dialogue on cyber issues and the creation of a hotline for cyber-related incidents.

The good news?  There was more agreed to than had been hinted at in reporting before the event.  One commentator suggested that it was a “game changer.”

The bad news?  Agreement to state a principle of behavior is still favoring talk over action.  China’s acceptance of the norm is not inconsistent with Chinese protestations of innocence on cybertheft.  Looked at in that light, the Administration may have paid a real price by agreeing not to sanction Chinese individuals and entities under the President’s April 2015 Executive Order (EO) in exchange for a commitment to a norm China insists it follows anyway.

The bottom line on whether to perceive this agreed language as progress or not depends on whether cybertheft is degrading American economic competitiveness by the second or cybertheft is one among a collection of cyber-related problems that can be resolved through deliberative international processes.  The Obama Administration has consistently maintained that Chinese cybertheft represents an urgent national security problem as it degrades U.S. economic competitiveness and, undermines future U.S. growth.  Accepting this premise, the U.S. government should have acted by announcing sanctions rather than settling for a statement that did not break new ground.  If the White House had decided merely to delay sanctions until after the Xi visit, it would have been elevating diplomatic niceties over tough messaging; sanctions in October, however, would have gotten the job done.  Chinese support of a norm against cybertheft without careful definition of the terms, a verification mechanism, or any penalties for violating those words does not.

A long-term goal of achieving agreement on norms of behavior in cyberspace presumes that the problem is not urgent and can be addressed best through an international process that will lead to some eventual multilateral agreement.  (The President, in his remarks to The Business Roundtable earlier this month suggested both that the situation is urgent and that a drawn-out multilateral process provided the most effective way of achieving results, a logically inconsistent position.)  If the long-term trumps the short-term, the results of getting Chinese buy-in on a norm of behavior proscribing cybertheft is a success on which the U.S. can build.  The rhetoric from the Administration, however, does not support that conclusion.

Allow me to add one caveat:  One commentator has suggested that sanctions will still happen and that the Administration only agreed to change the potential targets:  “Expect them to come but to target companies not Chinese officials.”  This information is not part of what the White House released following the visit so it is not possible to verify the extent to which the Administration agreed to defer santions.  If sanctions will still happen, there is a stronger argument that this is a win-win outcome with actions as well as diplomatic words in the offing.  I have a hard time believing that a Chinese envoy and a Chinese President agreed to make the statements on cybertheft in exchange for limited or unspecified forbearance related to sanctions.  The proof should come in the next few weeks as we watch to see whether the U.S. Treasury imposes sanctions or not.

China applies ‘The Art of War’ to Cyber

“The highest form of warfare is to out-think the enemy.”

“In all kinds of warfare, the direct approach is used for attack, but the oblique is what achieves victory.”

“If you do not wish to engage with the enemy, even though your defences are no more than a line in the ground, you can prevent them attacking by luring them away with a feint or a decoy.”

––Sun Zi, The Art of War

In advance of President Xi’s State Visit to Washington this week, White House officials in August previewed what was to be the first use of the powers created by an April Executive Order (EO) aimed at curbing unacceptable cyberactivity. The EO authorizes tough financial sanctions against those who benefit from a country’s illicit cyberactivities, for damaging critical infrastructure and computer networks in the United States and benefiting from the cyber-enabled theft of proprietary information, as these are the components of the U.S. private sector’s economic competitiveness.

At that time, the U.S. government was reeling from reports of the first of two attacks reliably attributed to the Chinese government; against the Office of Personnel Management and attacks involving sensitive health information at Anthem, attributed to Chinese government-directed attackers, and against Sony Pictures Entertainment, which involved physical damage achieved through cyber means and carried out through North Korea’s Internet link that passes through China. The EO added strength to an ongoing campaign by the President and his advisors either to change Chinese government behavior or hold the Chinese government to account for it.

Those White House officials left some ambiguity about the timing of sanctions relative to President Xi’s visit and whether sanctions would single out China or include other bad actors. They timed the leak well. Mere weeks before President Obama welcomed Xi to the White House it alerted the Chinese government to the embarrassing possibility that the sanctions would dominate the news around the visit. By leaving open the timing of sanctions, the White House provided the Chinese government with an opening to negotiate on those elements, sparing the Chinese leader the embarrassment of a sanctions announcement on the eve of the visit.

The Obama Administration, however, may not have prepared for the Chinese response very well. They should have re-read The Art of War.

The conversation between the United States and China on cyber has become an endless discordant loop since the beginning of the Obama Administration. The United States has complained that Chinese state-directed hackers have stolen commercially relevant information from U.S. firms; China has denied that such theft––or any inappropriate cyberactivity––has taken place. The U.S. government countered that denial by building a stronger and more detailed case against Chinese government conduct. In some instances, the private sector has also provided public evidence. Last year, in fact, the U.S. government indicted on charges related to their cyberactivities five Chinese officials (whom the U.S. will presumably prosecute should they present themselves in U.S. territory). Naming and shaming, the U.S. government has sought to convince China to come to the negotiating table and discuss how Chinese behavior should change.

This tactic has failed at the most rudimentary level: the Chinese government flatly denies conducting any form of inappropriate cyberactivity––a laughable contention, as nearly all states with capacity engage in some form of espionage in cyberspace––and blames U.S. networks for hosting the majority of illegal cyberactivities. More convincing evidence will not overcome China’s airy denials.

In spite of the absence of meaningful dialogue, the U.S. government has tried to expand the campaign to like-minded nations. To rally the international community against China’s bad cyberbehavior, the U.S. government earlier this year sought support at the United Nations (UN) for certain norms in cyberspace. But that move actually confused the issue. The norms tabled at the UN address obligations to refrain from damaging critical infrastructure and to provide assistance to countries that have suffered an attack; the U.S. government did not include a norm against cyberactivities aimed at stealing the sources of another country’s economic competitiveness. The effort at the UN, then, will result only in Chinese denials to a larger community; it has also distracted from the principal U.S. goal of minimizing cybertheft of the foundations for economic competitiveness.

The Chinese government seems to have absorbed the implicit shift in the U.S. UN submission away from cybertheft. According to media reports this week, U.S. and Chinese negotiators have agreed to some form of code of conduct related to the critical infrastructure-related norms to be announced as a deliverable of Xi’s visit. The Chinese government seems to have realized that the U.S. government might accept a general commitment to norms unrelated to cybertheft, combined with additional commitments to talk, in exchange for taking sanctions off the table. If the agreement discussed in the press is actually limited to norms unrelated to cybertheft, it would not constitute the progress that President Obama last week suggested would suspend U.S. consideration of sanction. In that case, the Chinese will have succeeded beyond any expectation. The United States is left with more words, further delayed action, and Chinese agreement that they will not engage in conduct… that they never acknowledged in the first place.

Would sanctions against Chinese individuals and entities have been a game changer in the ongoing battle over economic competitiveness? The record for unilateral U.S. sanctions changing bad behavior does not provide much reason to think it would, in and of itself, end Chinese cyberhacking. But sanctions would change the calculus for bad cyberactivities in ways that bilateral or international discussions cannot, by closing off valuable U.S. and multinational business and financial access.

The agreement that the two Presidents will make on Friday has to pass a very high bar to be acceptable: in exchange for avoiding sanctions and turning a potential embarrassment for President Xi’s visit into an opportunity for Xi to look like a statesman, the agreement must cover cybertheft and provide concrete means to verify those promises from the Chinese. If so, it may take some time to assess whether the agreement is more than words. Otherwise, President Xi has gotten a State Visit and avoided embarrassment. It will be far less clear what President Obama and the United States have achieved.

Adam Bobrow is the Founder and CEO of Foresight Resilience Strategies and a senior fellow with the GW Center for Cyber and Homeland Security.

New CCHS essay on “The Internet of Everything”

Earlier this week the US Chamber of Commerce Foundation convened a symposium, entitled “The Internet of Everything: Data, Networks and Opportunities,” and released a compendium of essays on that theme. CCHS Director Frank Cilluffo and I contributed to that volume, with an analysis that speaks to the challenges of critical infrastructure protection in the era of the “Internet of Things.”

Among our key points:

The smarter the device, the more likely an adversary can do harm—to it, to the owner, and to third parties. … This built-in weakness, which exponentially expands the surface for potential attack, is particularly problematic when it comes to critical infrastructure sectors…

Recall the widespread concern generated by the shutdown of the New York Stock Exchange in July of this year. The apparent culprit there was just a technical “glitch.” Imagine the damage and mayhem that an actor with malicious intent could cause. …

No system will be foolproof though, so resilience is an equally crucial aspect of the equation. The ability to bounce back and to do so quickly is perhaps the greatest deterrent to those who may wish to do us harm.

Read the entire article, titled “Vulnerability and Resilience in the Internet of Everything,” here.

Remedying the OPM hack: we need an innovative policy response, not just credit and identity monitoring

In the wake of the recent major hacks of Office of Personnel Management (OPM) databases, OPM has announced that the federal government will be offering the millions of affected individuals with access to identity theft monitoring and restoration services. For individuals who are affected by the background check database hack, additional online services will be offered to protect against fraud, misuse of minors’ identities, etc.

The provision of these types of identity theft and credit monitoring services has become a reflexive action for companies and government agencies. When Company Z gets hacked and tens of millions of its customers’ personal and financial information is at risk, it offers free credit monitoring. When Government Agency Y has a data breach, the same routine. These entities then offer to provide such online services for a fixed period of time, and a limited number of affected individuals bother to sign up, at a cost to the company or agency at around $5/month per enrollee. Those who do sign up get a sense of security that any financial misuse of their information will be detected.

But with respect to the recent hack of the OPM security clearance database, the offering of such services is is a woefully inadequate remedy. As former CIA official Charlie Allen noted in a recent piece, this hack creates “a national security risk unlike any I’ve seen in my 50 years in the intelligence community”. Former CIA and NSA Director Michael Hayden provided a similarly dire commentary in a Washington Times op-ed in June.

Given this context, the offering of online credit and identity monitoring services to the affected population is necessary but should only be viewed as a small, preliminary step in responding to this hack. The U.S. government needs to focus its attention on implementing a broader set of policy remedies that will help to prevent and deter the foreign entity that hacked this database from being able to exploit this information for counterintelligence or other nefarious purposes.

One such policy remedy would be a law or executive order (EO) that protects affected individuals against the adverse consequences of public disclosure of information that had been willfully disclosed on an SF-86 but would provide harm or embarrassment if publicly disclosed. For example, such a law or EO could clarify that it is impermissible and illegal to use SF-85/86 information, if derived from hacked documents, in an employment action or in a legal proceeding, with very limited exceptions. If such a policy remedy were put in place, this would hinder the ability of foreign intelligence services to blackmail and recruit Americans working in positions of trust who are potentially exposed by this hack.

The foreign entity that hacked the OPM security clearance database and stole this information could also attempt in the coming months and years to use information to try to smear and slander individuals (perhaps selectively targeting its high-level critics in government), using unwitting third-parties in the news media and other online mechanisms. The federal government needs to look carefully now at how it can protect otherwise innocent employees against such personal attacks, and needs to bring federal law enforcement agencies and Inspectors General into this discussion, so that they can better differentiate between legitimate predicates for internal investigation versus when they have been baited to investigate by an entity that is using misappropriated information. This will also be an area where Congress will need to carry out judicious oversight and perhaps consider legislation.

These are just two examples. There are other scenarios where one can envision this hack leading to the risk of unique adverse consequences for the affected population, in ways that are ultimately harmful to U.S national security. The federal government needs to be much more forward-leaning in addressing this issue than it has been to date (at least based on its public statements), and develop, publicly explain, and implement innovative policy remedies, working with Congress, that can mitigate the counterintelligence risks of this hack and re-establish trust and confidence within the U.S. national security workforce.

Cyber reliability and confidentiality: lessons from the 19th century?

By Sam Klein and Greg Gardner

In light of the significant hack of the Office of Personnel Management (OPM) and the recent revelations by the Washington Post about the insecurity of the internet, it is now time to revisit a proven method for ensuring the viability and privacy of international communications: establishing a truly international, multi-stakeholder organization that places an emphasis on reliability and privacy, oversees policy and standards, and facilitates/coordinates the actual transmission of communications. Globalized, multistakeholder organizations effectively govern other types of communication networks; the same approach would work just as well with the Internet.

In 1875, European governments agreed to ensure confidentiality of telegraph messages under Article 2 of the International Telegraph Convention (ITC). In 1878, the Universal Postal Union (UPU) unified the world’s commercial and private mail networks and promoted robust principles of reliability and confidentiality. And in 1906, European governments extended similar protections to radio communications with the International Radiotelegraph Convention. Of course, there are exceptions, but today, almost 200 countries abide by these conventions.

Unfortunately, as the Washington Post articles demonstrate, this historic respect for assured communications, confidentiality, and privacy does not exist for users of the Internet.

An emphasis on reliability and privacy by international, multi-stakeholder organizations pushed states to respect the structure and contents of mail, telegraph, and radio networks. However, such motivations do not currently exist in the same way for users of computer networks. The Internet emphasizes speed and ease of use to govern messages transiting transit cyberspace. Once countries open their borders to Internet traffic, the Border Gateway Protocol (BGP) automatically routes information packets, regardless of whether the information will remain private while en-route.

Under this design, speed and convenience trump security, tossing reliability and privacy concerns out the window. Unlike users of mail, telegraph, or radio networks regulated by the UPU and its sister organizations, those who send information via the Internet can not choose between ease of use and privacy due to the automatic routing of messages. The paradox of the InfoSec Triad acknowledges this trade-off between ease of use and security – a trade-off that causes friction between users and those responsible for maintaining security and protecting privacy.

Consider the case of Egypt (a member of the UPU since 1875) near the end of the Mubarak regime. On January 27, 2011, in large measure because it could not control the flow of Internet communications, the Egyptian government severed the country’s connections to the Internet, shutting it down. Over 93 percent of Internet connections were severed; only government institutions remained online. With the Egyptian economy losing tens of millions of dollars per day and in the face of increasing domestic unrest and international condemnation, the shutdown did not last long; by 1 February 2011, Internet Service Providers (ISP) were reestablishing all of their services. This event demonstrates, however, how easy it is for a government uncertain about unregulated Internet traffic to operate independently and assert control over digital information flows quickly and decisively despite the presence of a modern, multidimensional, and privatized information sector.

Similarly, the multifaceted approach of government regulation, censorship, monitoring, self-regulation, and protectionism in China (a UPU member since 1914) has been highly effective in restricting the access and digital privacy of China-based Internet users.

The international, multistakeholder governance models that underpin the UPU and the ITC (now known as the International Telecommunication Union) are widely accepted and have much to offer. As Shawn Roberts and Michael Jablonski point out, the origins of those organizations and the historical conditions prompting their charters offer important precedents. For example, the UPU not only standardized postal policies and costs across international borders, but more importantly it fostered norms favoring the availability and confidentiality of correspondence. These policy, standards, and norms were considered crucial to maintaining the world’s first coordinated system of global communication. We would do well to look to them again.

It is time now to establish a similar set of transparent rules governing the assurance and security of global Internet traffic. It is simply unacceptable for the majority of Internet communications to be subject to the whims of either government entities or private service providers and, because they are managed by an automated protocol, to be generally unsecure and unprotected. Security and assured performance must truly co-exist with functionality and ease-of use. We need a Universal Internet Union representing the interests of countries, corporations, and private citizens alike that takes back control of the Internet and brings assured governance to the digital communications that have come to dominate our world.

And we need it now.

Samuel Klein earned his B.A. from The George Washington University where he studied international affairs, cyber-security, and mandarin Chinese. His honor’s thesis investigated China’s information warfare strategy and objectives to assess the possibility of a Chinese cyber-attack targeting US critical physical infrastructure.

Greg Gardner, PhD, is a Senior Fellow with the GW Center for Cyber and Homeland Security.

Bored, Alienated And Islamic

There have been any number of scientific studies and anecdotal evidence to indicate that the most dangerous human beings by age are bored, drifting young males in their mid to late 20’s. A line from the Marlon Brando biker movie “The Wild Ones” best expresses it. When asked what he is revolting against the bored young biker Brando responds, “whaddya got?” The participants in the recent military recruitment attacks and the Boston Bombing seem to confirm the theories about young men. And the narrative of Islamic radicalism is what they’ve “got.”

The perpetrators of these violent are young men with Islamic backgrounds who lived in the United States for extended periods. They seem to fit in somewhat with their new country. Still, they also hang out with friends, play modern music – yet they feel alienated from society by upbringing and first generation communities that often do not understand their problems. And they also often have strong issues with US authorities on policy regarding the Middle East and Islam writ large. Thus, the appeal of fighting for Islam is strong and ISIS presents a tempting thing in which to believe.

There was an old radio show that opened with the line “who knows what evil lurks in the mind of man?” Psychologists will give you varying answers from alienation to the society to a desire to belong to something bigger than them. But no one can give you the exact moment and person that will step over the line to violent action. But violent action is on fertile ground when young men are bored and alienated.

As we try to deal with these young men, US officials are knee deep into areas where the US government and America itself has grown uncomfortable since the end of the Cold War. We seem to lack an appealing narrative about who we are.

Oh, we’ve got the against terrorism business – and we arrest and kill on a daily basis to emphasize that point. And, I know we’ll never get 100 percent of these young men with us. But, we are heading into deeper waters as ISIS recruits these “dudes” aggressively online and trains those that make it to the Holy War. They have no problem with their narrative.

So what does that mean for us? It means we have to do things with which we are most uncomfortable. First, we must say who we are and what we believe in. Clearly, distinctly and repeatedly. And we need to do it through the social media that is being used every day. A few thousand twitters from State Department are simply not enough. We need to respond in the millions that our freedoms are their freedoms. That all humans have rights. And that disagreement cannot end with a belt bomb or a beheading. This is against the fundamentals of all societies – Islam, Christian, Jews, or any others.

In this effort, we need to reach out and embrace the social media in the United States and elsewhere. This is difficult given the libertarian streak of the cyber world and the stiff-necked approach of the Feds to them, but it is mutually beneficial to both sides. The Feds need the outlets, and the outlets need credibility that they are not transfer mechanisms of hate and destruction that can be pointed at them as well as the rest of the society.

Second, we also need to work more openly and closely with the Muslim community in the U.S. The latter have been concerned but relatively quiet about this behavior. First generation settlers in the past have also had problems criticizing their misbehavers. Anarchist movements, Nazi sympathizers, and Communist agents some time found the support of silence in their communities. However, in each case, brave people began to stand up and counter their narratives and changed and took away their base of support.

And finally, we need to integrate these young people into our society. This also requires working with local communities to find these young men a purpose whether helping their communities or serving their religion through mosque-guided efforts. Their efforts and energies need to be focused as Muslim-Americans socially and politically active here in the 21st century in America — not pursuing some 16th century violent chimera of a Caliphate.

None of this is easy nor is it short term. But, we face a clear and present danger in a radicalization of young people that is going unchecked. We have pledged in our Constitution to “ensure domestic tranquility, provide for the common defense.” This now requires more than the necessary law enforcement and military action. We have provided successful narratives and have integrated immigrants in the past. We need to do it again.

Testimony this week by CCHS Program on Extremism expert

Yesterday the Deputy Director of CCHS’ Program on Extremism Seamus Hughes testified before the House Homeland Security Committee on “The Rise of Radicalization:  Is the U.S. Government Failing to Counter International and Domestic Terrorism?”  Acknowledging that combating violent extremism (CVE) is “a delicate exercise”, Hughes emphasized that “governments and communities have a moral responsibility to try” nevertheless.  Noting that the U.S. government does have a CVE strategy, Hughes observed that “the U.S. effort is disjointed and underfunded.”  Strikingly, he pointed out that “more Americans have died in Syria fighting with ISIS than have been assigned to work on CVE.”

You can read the entire written testimony at this link.

Cyber attack on Canadian government points to need for resilience

Last week, the Canadian government was hit by a distributed denial of service (DDoS) attack. The hacktivist group Anonymous claimed responsibility, saying the attack was a protest against proposed federal anti-terrorism legislation that has since become law.

Curiously, the incident seems to have generated little analysis or comment in the public square, at least beyond the initial media reports. Perhaps we have simply become inured to the pace, breadth, and depth of cyber events in the headlines worldwide?

Whatever the case, we would all do well to re-energize and refocus our efforts on cyber-resilience, given the scope and scale of global cyber challenges. See my commentary on the subject, which takes the Canadian case as jump-off point, and which was published today by IPI’s Global Observatory.

Bouncing off the cyber walls

In the movie “Apollo 13,” the saga of the near fatal moon mission, there is a harrowing scene toward the end of the film that has reminded me of the last several days in cyber world. Two of the exhausted astronauts get into a horrific argument over their plight. The commander, Jim Lovell, equally tired tells them to “stop bouncing off the walls” as their problems will remain the same after whatever time they waste yelling about it. So, it is with our current beatings taking place over the OPM information breach and its potential consequences.

Whatever the finger pointing and vituperative remarks, there remain four fundamental issues that must be addressed in our Federal government’s cyber world, or the mistakes of the past will continue to be repeated:

First, we need to the address the “ignorance” of senior managers regarding their IT systems. This problem lies with the challenge of getting government IT guys wrapped in their own world to better explain exactly what the risks are to their management and their personnel. Legacy systems and no centralized buying procedures have been a bane of IT people within the government and that needs to be fully explained as well. But, also, it would not hurt for the senior managers to take some time to listen and fully engage with their IT people.

Second, contractors must be able and willing to tell the truth about the vulnerability of their systems and government procurers have to stop beating them up for it. No contractor – no matter how good they are — wants to say their product can’t fully protect the system they are bidding to install and/ or proposing to protect. The government must also understand that there is no such thing as 100 percent security in any system – no matter what the promises.

Third, everyone needs to understand the challenge of internal threats and outside capabilities to break into systems will exist no matter what. This is a simple case of risk management in a risk averse age. No matter what we spend on security, how often we give background checks or polygraphs to the information handlers, something is going to happen. If you don’t want your “crown jewels” stolen, limit your access to them. But realize that there will always be some form or way to get to them.

Fourth, and finally, this is the moment for a true public-private partnership on the subject of IT security. Both sides need to come together to discuss best practices in a comprehensive way now. The government simply cannot do this on its own. There is too much going on that is cutting edge in the private sector, and government ignorance of the full field of what is available is costing us too much in privacy and in national security threat to its employees.

As much as it is a feel good exercise to beat up OPM, bouncing off the cyber walls gets us nowhere. We know the problems. It is up to senior members of our government to act swiftly to take care of them.

Ronald Marks is a member of the GW Center for Cyber & Homeland Security’s Board of Directors.

Paying for Non-Secrets

Former Director of Central Intelligence George Tenet famously said when asked about so-called open source (unclassified) intelligence, “we only pay for secrets.” He spoke with the confidence of a man born and raised in the world of the 20th century spy and the Cold War. With the massive leak of government employee information from the Office of Personnel Management (OPM), Director Tenet’s statement has been proven quite wrong for the 21st century. China and others are willing to pay for “non-secrets” and they matter.

As data breaches go, the OPM break in was not the biggest one experienced in the past few years. Target, JP Morgan Chase and a few others were larger in breath and scope. But, they did not contain information that could be used to target and engage in spying on the US government.

As an old spy, I wanted information. I wanted people’s background: where they live and had lived, who their relatives were, and what personal problems they might have. That way I could figure out how to develop a successful “relationship” with someone who would spy for me. And, also, target more successfully – not waste time on someone who did not matter.

You see, the real trick is human intelligence is finding people with access to important people and their information. I don’t want to recruit the Secretary of State — too big, too awkward to meet and not likely to be recruited. No, I want someone on his staff or someone who has access to his staff and especially their work product.

The OPM leak contains millions of personnel files that will help China do just that. Files on government employees and their contractors with a summary of their backgrounds and what programs they have access to is quite sufficient for my targeting purposes.

In the 21st century, information contained in files like OPM need to be treated like the old fashioned state secrets were. I am sure whatever investigation there is will turn up either woefully inadequate IT security, inside actions, or both. I am not going to debate that right now.

What I am going to say is it up to the current Administration and those going forward to understand why data breaches like OPM are so dangerous to the national security of this country. Just because something is unclassified does not make it unworthy of security.

Welcome to 21st Century cyber conflict. Information is a weapon to use and target and cyber space is the battlefield. So far, if OPM is the indicator, the U.S. government is getting skunked.