This is Stewart Baker's TypePad Profile.
Stewart Baker
Former government official now practicing law
Recent Activity
Anger at Chinese hacking continues to build in American business and government circles. As a result, establishment figures have begun to embrace the idea of letting private companies do more than passively defend their networks. The latest evidence is the report of a commission headed by two Obama appointees, former US Ambassador to China (and minor GOP Presidential candidate) Jon Huntsman and former Director of National Intelligence Dennis Blair. The report apparently names Chinese hacking as a major threat to intellectual property (it's due out later today). And according to early press reports the commission calls for an expansion of private companies' authority to track their stolen data back to the attacker's network: "The commission argued that American companies “ought to be able to retrieve their electronic files or prevent the exploitation of their stolen information” by designing their computer files to self-destruct if they fall into the wrong hands. But the authors of the report also say that if the damage “continues at current levels,” the government should consider allowing American companies to counterattack — essentially taking cyberwar private. “If counterattacks against hackers were legal, there are many techniques that companies could employ that would cause severe damage to... Continue reading
Posted 4 days ago at Skating on Stilts
I'm testifying today on supply chain vulnerabilities and cybersecurity. The testimony is in a hearing held by the House Commerce Committee's Subcommittee on Communications and Technology. Here's my quick diagnosis of the issue: Intrusions on our networks have reached new heights. They have moved from penetration of government and military systems to wholesale compromises of companies, trade associations, think tanks, and law firms. Most of these attacks have been carried out for espionage purposes – stealing commercial, diplomatic, and military secrets on a massive scale. This espionage campaign has paid dividends for our adversaries, and it’s likely to pay more, because any network that can be compromised for the purpose of espionage can be compromised for the purpose of sabotage. The next time we face the prospect of a serious military conflict, we can expect our adversaries to threaten the destruction of computer networks – and the civilian infrastructure they support – inside the United States, probably before we have fired a shot. From the American point of view, this is a new and profoundly destabilizing vulnerability. From our adversaries’ point of view, it is an exciting new weapon with enormous potential to neutralize many of our traditional military advantages.... Continue reading
Posted 5 days ago at Skating on Stilts
I'll be testifying this morning before the Senate Judiciary Committee's subcommittee on crime and terrorism. My testimony will touch on the Attribution Revolution in cybersecurity, the need to move from attribution to creative forms of retribution, and the need to give victims more leeway to investigate the hackers who attack them. Here are some excerpts: That is why I will focus my remarks today on what is shaping up to be an “attribution revolution.” The theory is simple. The same human flaws that have left our networks ever more exposed to attack are undermining our attackers’ anonymity. This is what I like to call Baker’s Law: “Our security may be toast. But so is theirs.” As numerous recent reports show, attackers are only human. They make mistakes when they’re in a hurry or overconfident. They leave bits of code behind on abandoned command-and-control computers. They reuse passwords and email addresses and computers. Their remote access tools are full of vulnerabilities. These are openings that private researchers – from Mandiant and Trend Micro to SecDev and the Citizen Lab – have exploited; they’ve traced cyberattacks to the command and control computers used to carry them out, then to homes and offices... Continue reading
Posted May 8, 2013 at Skating on Stilts
Most people know that China's largest telecommunications supplier, Huawei, has been largely excluded from the US market because of official allegations that it will enable Chinese cyberespionage and wiretapping. What none of us realized, apparently, is the real reason that Huawei's been forced out. Luckily, the company's head of Cyber Security, John Suffolk, is happy to set us straight. According to his blog, it's because Huawei is too much of a civil liberties hero to be allowed into the US market: "Maybe this is why America doesn't want us to sell our equipment to American companies; maybe they will worry that we will see what they do with American Citizens personal data, monitoring and storing of everything that passes through telecommunications." When I said in a recent post that, "The ACLU must be really popular these days in Beijing," I didn't realize how quickly China's advocates would start channeling American civil libertarians. Continue reading
Posted May 7, 2013 at Skating on Stilts
If you’re looking for laws of unintended consequences, you can’t do better than privacy. Take two examples plucked from last week’s front pages: Here’s the New York Times reporting on massive fraud in the billion-dollar settlement of claims that the Agriculture Department discriminated against black, Hispanic, and female farmers: “It was the craziest thing I have ever seen,” one former high-ranking department official said. “We had applications for kids who were 4 or 5 years old. We had cases where every single member of the family applied.” The official added, “You couldn’t have designed it worse if you had tried.” … “[T]here was no way to refute what they said,” said Sandy Grammer, a former program analyst from Indiana who reviewed claims for three years. “Basically, it was a rip-off of the American taxpayers.” The true dimensions of the problem are impossible to gauge. The Agriculture Department insists that the names and addresses of claimants are protected under privacy provisions. And here’s a Boston Herald report on its attempt to find out how many benefits the Tsarnaevs received before their bombing attack on the Boston Marathon: The Patrick administration clamped down the lid yesterday on Herald requests for details of... Continue reading
Posted Apr 28, 2013 at Skating on Stilts
There's been considerable speculation about how the government handled Tamerlan Tsarnaev's return from Russia. Before Tsarnaev's return, both the FBI and the CIA had suggested that Tsarnaev belonged in the government's classified terrorist database, and according to some reports an alert for Tsarnaev was entered into the DHS border system. Yet according to Secretary Napolitano these systems "pinged" when Tsarnaev left the country but not when he returned six months later. The lack of a ping upon Tsarnaev's return to the United States suggests a gap in US border defenses. In general, the outbound "ping" is not a big deal. It tells us that a terror risk is leaving the country, more a matter for celebration than suspicion. We don't usually inspect or question departing passengers, so it would have taken a pretty unusual notice to earn Tsarnaev much scrutiny on departure. But his return should have been different. He was entering the country, and at the border the government's authority to stop travelers, to question them, and to search their luggage, including their electronics, is at its zenith. If we have any doubts about the intentions of a returning green-card holder, this is the time and place to question... Continue reading
Posted Apr 25, 2013 at Skating on Stilts
Sources: ACLU on street cameras and CISPA; EFF on street cameras and CISPA Continue reading
Posted Apr 18, 2013 at Skating on Stilts
This White House sure knows how to snatch defeat from the jaws of victory. The President's threat to veto CISPA (Download Cyber - S A P ) will likely kill cybersecurity legislation for the year. Here's the sentence that I believe will eat away at support for the legislation among its last defenders in Silicon Valley: "The Administration ... remains concerned that the bill does not require private entities to take reasonable steps to remove irrelevant personal information when sending cybersecurity data to the government or other private sector entities." Those last four words signal a big change in the status quo. Most companies today can share information voluntarily with the government without legal constraint, though electronic service providers must demand a subpoena before sharing information. And practically all companies, including electronic service providers, may share cybersecurity information with other private companies without worrying that the government is looking over their shoulders. So in demanding that CISPA limit sharing with "other private sector entities," the Administration is proposing a sweeping new regulatory scheme for the private sector. The scheme will actually impair cybersecurity by restricting the information-sharing companies now conduct to protect their networks. And while the Statement of Administration... Continue reading
Posted Apr 16, 2013 at Skating on Stilts
Here's the scant good news on cybersecurity: It’s getting harder for attackers to hide. The same security weaknesses that bedevil our networks can be found on the systems used by our attackers. A shorter version is something I call Baker’s Law: “Our security sucks. But so does theirs.” That’s good news because, with a little gumption, we can exploit hacker networks, gather evidence that identifies our attackers, and eventually take action that will make them regret their career choices. Unfortunately, the United States has been sitting out this attribution revolution. Our vaunted CyberCommand may be energetically exploiting hacker networks, but it isn’t helping private victims of cyberespionage. Foreign governments are hacking US companies, law firms, activists, and individuals with abandon, but our government seems unable or unwilling to stop the attacks or identify the attackers. In fact, hacking victims who want to gather evidence against the bad guys are being warned off, told that conducting a private investigation could put them at risk of prosecution. As an anonymous Justice Department spokesman recently told the press, “Arguments for or against hack-back efforts fall into two categories: law and policy,” the DOJ spokesman told BNA. “Both recommend against hack-back. Under current law, accessing... Continue reading
Posted Apr 12, 2013 at Skating on Stilts
The House intel committee is amending CISPA to address privacy criticisms. Politico's Tony Romm reports on some of the likely amendments: Still another amendment specifies clearly that CISPA won't allow companies to "hack back" their hackers in pursuit of stolen trade secrets ... Really? A government that can't protect us is debating new measures to make sure we can't protect ourselves? Well, it does sound kind of familiar ... UPDATE: To be fair, I've now seen the proposed amendment, and it tries to avoid taking a position on active defense, simply saying that CISPA doesn't give any additional authority to private actors who want to investigate their attackers. That's still a bad idea, and rather than putting forward a sponsor's amendment, the committee leadership should tell us exactly who asked them to reduce computer hacking victims to helpless computer hacking victims. This article hints that the idea came from the White House and the Justice Department's leadership. Continue reading
Posted Apr 9, 2013 at Skating on Stilts
Yes. We're a few steps away from that kind of situation, but only a few.
Commented Mar 29, 2013 on Cybersecurity Meets the WTO at Skating on Stilts
The continuing resolution awaiting the President's signature that I wrote about yesterday could have a big impact on the federal government's procurement of IT equipment from Chinese companies. As described in an earlier post, the resolution includes a provision that bars purchases of an "information technology system" that was "produced, manufactured or assembled" by entities "owned, directed, or subsidized by the People's Republic of China" unless the head of the purchasing agency consults with the FBI and determines that the purchase is "in the national interest of the United States." While the provision doesn't prohibit purchases of Chinese-government-influenced systems, it makes such purchases politically difficult. How will China react? Not well. China has spent years trying to curtail its own purchases of IT from outside its borders, but that won't stop it from calling the bill protectionist and claiming a violation of US WTO obligations. Legally, China may have trouble making such a claim stick. China has not signed on to the WTO's government procurement code; it is just an observer. But China may not have to make the claim stick in its own right. That's because the provision doesn't hit China directly. Instead, it restricts purchases from Chinese-government-influenced entities,... Continue reading
Posted Mar 26, 2013 at Skating on Stilts
Anger over Chinese cyberespionage continues to mount in Congress, and it's beginning to show in legislation. Not just the bills Congressmen introduce, the ones Congress passes. Demonstrating remarkable bipartisan angst about Chinese hacking and the risks in Chinese high tech equipment, Congress has added tough sanctions to the continuing resolution that funds the federal government and is now awaiting the President's signature. The sanctions provision bars federal government purchases of IT equipment "produced, manufactured or assembled" by entities "owned, directed, or subsidized by the People's Republic of China" unless the head of the purchasing agency consults with the FBI and determines that the purchase is "in the national interest of the United States": Sec. 516. (a) None of the funds appropriated or otherwise made available under this Act may be used by the Departments of Commerce and Justice, the National Aeronautics and Space Administration, or the National Science Foundation to acquire an information technology system unless the head of the entity involved, in consultation with the Federal Bureau of Investigation or other appropriate Federal entity, has made an assessment of any associated risk of cyber-espionage or sabotage associated with the acquisition of such system, including any risk associated with such... Continue reading
Posted Mar 25, 2013 at Skating on Stilts
Can cyberwar be limited by international law and diplomacy? Those who believe in international "norms" for cyberwar usually argue that cyberattacks on financial institutions are beyond the pale. For example, Harold Koh has declared the State Department's view that cyberwarriors "must distinguish military objectives ... from civilian objects, which under international law are generally protected from attack." And Richard Clarke, a former White House adviser, claimed in 2010 that "most countries would agree to sign a treaty not to attack each other’s international financial and banking system networks. They don’t want to cross that Rubicon, or the entire international banking system could go down." Really? I can't help noticing that, since these speeches were given, DDOS attacks on Western banks have been attributed to Iran and North Korea has been blamed for cyberattacks on banks in South Korea. If you're looking for norms in actual conflicts, as opposed to speeches, cyberattacks on the financial sector are starting to look, well, normal. Continue reading
Posted Mar 21, 2013 at Skating on Stilts
I've never thought there was much romance in cracking the networks of American companies and agencies, but a recent LA Times article underlines just how dreary it can be. The piece is based on a blog diary kept by Wang Dong, identified in recent reports as the notorious Ugly Gorilla, whose code has been found in many successful attacks on US networks. Though it never reveals Wang's employer or his job, the blog makes clear that the life of even a talented PLA hacker is not a happy one: With no money and little free time, he found solace on the Internet. He shopped, chatted with friends and courted a girlfriend. He watched movies and television shows. He drew particular inspiration from the Fox series "Prison Break," and borrowed its name for his blog. Richard Bejtlich, Mandiant's security chief, said posts written by the blogger, who called himself "Rocy Bird," provided the most detailed first-person account known to date of life inside the hacking establishment. Although the blog was discontinued four years ago, the techniques described in it remain the same. "It is relevant," said Bejtlich. "Things have not changed that much." The hacker, whose real family name is Wang,... Continue reading
Posted Mar 17, 2013 at Skating on Stilts
That might sound like breaking news from 1983, but this time we're not talking movie plots, we're talking business. Specifically how Chinese cyberespionage could affect Hollywood's bottom line. The Hollywood Reporter asked me to talk about that impact in a guest column, out this week. Here's some of what I said: Hollywood might be blinded by its own product. China's cyberspies aren't intrepid Jolt-drinking loners (with an occasional adoring girlfriend) navigating dangerous networks to snatch secrets and flee before they're geo-located by their opponent's giant global tracking system. No, the hacking campaigns described by Mandiant and others have all the flash and derring-do of your latest trip to the dry cleaners. ... It's routine. So routine, in fact, that most of the hacking is done between 8 a.m. and 5 p.m. Beijing time. ... Hollywood might not have big secrets, but it's got plenty of little secrets that someone in China probably wants. No government on Earth is more sensitive to its depiction in mass media than China's. Why wouldn't its government want to read the earliest versions of Hollywood's scripts or have a ringside seat while studio execs debate how best to accommodate Chinese censors? And don't rule out... Continue reading
Posted Mar 7, 2013 at Skating on Stilts
Last fall, Orin Kerr and I engaged in an online debate over the Computer Fraud and Abuse Act -- specifically whether it is lawful for the victim of computer crime to follow his stolen data into networks controlled by the thief. The debate spread across several posts and into the comments, but it's been pulled into one place here. Despite its length, I felt that Orin and I still hadn't closed on some important issues, so I was pleased when the Federalist Society invited us to engage in a podcast dialogue about what has been called "active" or "comprehensive" defense. The podcast is here. The podcast reveals a surprising amount of common ground between Orin and me, especially on the policy front. We agree that law enforcement and intelligence agencies have full authority to engage in such tactics, and that private companies can "borrow" that authority by working with law enforcement agencies -- including the Alameda County Sheriff. We also agree that the CFAA does not deal effectively with the problem of foreign government hacking, and Orin allowed that a tailored amendment to the CFAA to allow more effective responses would be worth considering. Orin pushes me to specify the... Continue reading
Posted Mar 3, 2013 at Skating on Stilts
Anyone who’s followed my recent posts on state-sponsored hacking knows that I’ve been preaching the importance of attribution. (See here, here, and here.) Well, I have to say that attribution is coming along pretty well, as witness the devastating Mandiant report and the risible Chinese response. (My personal favorite: "A spokesman for China’s Ministry of Foreign Affairs [argued] that cyberattacks were difficult to trace because they were 'often carried out internationally and are typically done so anonymously.'" Hmm, or maybe not quite so anonymously as the Ministry thought, huh?) But attribution is only half of the formula if we want to deter cyberespionage. The other half is retribution. Somebody has to pay. In that regard, I was challenged recently by some national security staffers to identify practical ways we could punish cyberspies, especially those attacking our private sector. They asked how to do that without compromising the classified sources and methods we’ll need to do attribution right. Civil suits, they thought, would never work. It's next to impossible for a U.S. court to get jurisdiction over a hacker in Russia or China. And trials happen in public, after full discovery of the other side’s evidence. The good news (if that’s... Continue reading
Posted Feb 20, 2013 at Skating on Stilts
Today's New York Times has a remarkable story identifying the Shanghai office building that is the source of hundreds if not thousands of hacking attacks on US computer networks. And Mandiant has released an even more detailed report on the Chinese hackers responsible for the attacks. Continue reading
Posted Feb 19, 2013 at Skating on Stilts
Bloomberg Businessweek has a remarkable story about the identification of another Chinese hacker. It's a long, tangled, and fascinating tale of good sleuthing by several researchers, but the trail ends with Zhang Changhe, a digital entrepreneur and teacher -- at a People's Liberation Army school that is suspected of training PLA hackers. In the denouement, Bloomberg actually calls the guy on his mobile phone and gets partial confirmation of the evidence assembled by security researchers: A Chinese-language search on Google turns up a link to several academic papers co-authored by a Zhang Changhe. One, from 2005, relates to computer espionage methods. He also contributed to research on a Windows rootkit, an advanced hacking technique, in 2007. In 2011, Zhang co-authored an analysis of the security flaws in a type of computer memory and the attack vectors for it. The papers identified Zhang as working at the PLA Information Engineering University. The institution is one of China’s principal centers for electronic intelligence, where professors train junior officers to serve in operations throughout China, says Mark Stokes of the Project 2049 Institute, a think tank in Washington. It’s as if the U.S. National Security Agency had a university. The gated campus of... Continue reading
Posted Feb 16, 2013 at Skating on Stilts
Herb Lin of the National Research Council has launched the first, soft counterattack on those who think victims of cyberespionage should have greater leeway to respond directly to intrusions. Herb always strives for some balance in his work, but it's clear that he's a skeptic, concluding "It is not clear that the use of offensive operations in response to hostile actions against private parties would in fact mitigate the threat those parties face, or that the benefits would necessarily outweigh the risks. It is certain, however, that taking such actions would raise a host of thorny domestic and international legal and policy issues." In fact, some of the issues Herb raises aren't "thorny" at all. Should companies defending themselves be able to hire experts to assist them, he asks. Well duh. Is there anyone who thinks that they shouldn't be able to get such help? And Herb's stance on the international issues is strikingly prescriptive: "Finally, international forums must be identified where such issues can be discussed and agreement sought. Such forums would have to involve all stakeholders and not presume that only national governments have rights to engage." (Emphasis added.) Why Herb thinks these things are mandatory, I can't... Continue reading
Posted Feb 12, 2013 at Skating on Stilts
Once again, Ellen Nakashima of the Washington Post has broken a cybersecurity story: A new intelligence assessment has concluded that the United States is the target of a massive, sustained cyber-espionage campaign that is threatening the country’s economic competitiveness, according to individuals familiar with the report. The National Intelligence Estimate identifies China as the country most aggressively seeking to penetrate the computer systems of American businesses and institutions to gain access to data that could be used for economic gain. The report, which represents the consensus view of the U.S. intelligence community, describes a wide range of sectors that have been the focus of hacking over the past five years, including energy, finance, information technology, aerospace and automotives, according to the individuals familiar with the report, who spoke on the condition of anonymity about the classified document. I read the story at the ABA winter meeting, where Harvey Rishikof, Emily Frye, Steve Chabinsky, and I talked about whether private companies could do more to protect themselves than simply raise the wall around their systems: The issue, agreed three experts who spoke on the panel, is to what extent private concerns may go to track down the intruders who break into... Continue reading
Posted Feb 11, 2013 at Skating on Stilts
Every new computing technology seems to bring with it a privacy flap. Cloud computing is going through that phase right now, at least outside the United States. Canadian and European elites fear that putting data in the cloud will somehow let the US government paw through it at will, a fear that usually centers on Section 215 of the USA PATRIOT Act. The debate has been fed by interest groups worried about their future in a world of cloud computing. It was first raised as part of a campaign by the British Columbia Government Employees Union against the outsourcing of British Columbia's health insurance data processing. (Full disclosure: I worked on the issue for clients both at the time and more recently.) After years of remission, the issue has recently returned even more virulently, when Europe’s small cloud providers began using the Patriot Act as a marketing tool. In November of 2011, two European companies announced the creation of a European cloud offering that they advertised as providing a “safe haven from the reaches of the U.S. Patriot Act” in a press release that goes on to say, “Under the Patriot Act, data from EU users of U.S.-owned cloud-based services can... Continue reading
Posted Feb 10, 2013 at Skating on Stilts
Well, that was quick. At the age of 6, my grandson, Asa Baker-Rouse, has already accumulated more Internet clout than I’ve been able to assemble in a career. What’s more he did it with pure sweetness. (Perhaps that’s where I went wrong.) A Middlebury student named Bianca Giaever turned one of Asa’s stories into a 7-minute film that has now received hundreds of thousands of hits. It has no political content whatsoever, but it does have a lesson of sorts. And for those of you who always want the backstory, Asa's younger brother is named Toby. Continue reading
Posted Feb 10, 2013 at Skating on Stilts
I've just looked at the new proposal for revising the Computer Fraud and Abuse Act (CFAA) offered by Orin Kerr, Jennifer Granick and the EFF. Essentially, they would set a higher threshold for deciding when a hacker has accessed a computer “without authorization,” by requiring that the defendant circumvent a technological barrier that “effectively controls” access. On first impression, it looks to me like a pretty bad idea, for any number of reasons. 1. First, if this is meant to be “Aaron’s Law,” a cure for the overreaching by federal prosecutors in the Swartz case, it misses the mark. By the time he was through playing cat and mouse with MIT security officers, Swartz was clearly circumventing an effective technological control – unless you define “effective” very strictly, a bad idea I’ll get to in a minute. 2. The EFF proposal doesn’t come from thin air. It’s directly borrowed from the Digital Millennium Copyright Act, which lets copyright holders sue anyone who circumvents technical copy-protection measures, as long as those measures “effectively control access to a work” protected by copyright. Let’s pause for a moment to consider why the EFF equates the DMCA and the CFAA. On one level it... Continue reading
Posted Jan 28, 2013 at Skating on Stilts