U.S., China Pledge Cyber “Code of Conduct”

The Wall Street Journal’s Felicia Schwartz reports some signs of cooperation between China and the United States on the long fraught issue of cybersecurity. This week’s bilateral Strategic and Economic Dialogue took place against the backdrop of a stream of revelations about the extent of allegedly Chinese intrusions into U.S. government computer systems.

U.S. officials said the talks behind closed doors were “frank,” but public comments Wednesday at the conclusion of the meetings were largely conciliatory. U.S. officials complained about China’s behavior in the South China Sea and cyberspace, while emphasizing steps to narrow differences and find areas of common ground.

[…] “Our dialogue over the last 2½ days included a very frank discussion of some issues on which we have not always seen eye to eye,” Mr. Kerry said. “The U.S. is deeply concerned about cyber incursions that have raised security questions and, frankly, harmed American businesses.”

[…] Mr. Kerry said China had agreed to work with the U.S. to complete a code of conduct on cyber activities. “We believe very strongly that the U.S. and China should be working together to develop and implement a shared understanding of appropriate state behavior in cyberspace,” Mr. Kerry said. [Source]

The Council on Foreign Relations’ Adam Segal noted that no mention of the code is found in the State Department’s 127-point list of “specific outcomes and areas for further cooperation.” Nevertheless, he wrote, the pledge holds some promise:

While it was to be expected that official remarks at the conclusion of the meeting would be conciliatory—both sides want President Xi Jinping’s visit to the in September to go well—Washington and Beijing made parallel calls for cooperation on that could lay the groundwork for future discussions. At the opening of the dialogue, State Councilor Yang Jiechi stated that China wanted to develop with the and other countries an “international code of conduct for cyber information sharing.” though no details were offered on what that exactly means. […]

[…] Of course, the calls for cooperation may be nothing more than niceties, designed to reduce tensions in the run up to the September visit. From China’s perspective, it has always been open to greater cooperation. When accused of , Chinese officials typically deny the claim, question the motives of the accuser, and then ritualistically invoke the need for international cooperation. But the call for cyber information sharing is new, and Washington should push Beijing to clarify what it means by information and how it would like to see sharing work. Good diplomacy can spin opportunities out of the introduction of new ideas. [Source]

When the hacking of the U.S. government’s Office of Personnel Management was first announced early this month, the number of employees affected was said to be around 4 million. With the subsequent discovery of another breach, estimates now reach as high as 18 million, including White House and congressional staff. Contrary to initial reports, the intruders had access to highly sensitive security clearance data for as long as a year. Such information would include “workers’ sexual partners, drug and alcohol abuse, debts, gambling compulsions, marital troubles, and any criminal activity,” which at the blunt end of the spectrum might leave them vulnerable to . More subtly, the data could be used to identify and then recruit potential intelligence sources through bribery or flattery, while providing a clear map of security clearance procedures and their possible weaknesses. Cross-referencing with data from other hacks might allow identification of staff who had failed to disclose information.

China denies any part in the attacks. But Michael Hayden, a former head of the and Central Intelligence Agency, has described the OPM’s data as “a legitimate foreign intelligence target,” adding that “this is not ‘shame on China.’ This is ‘shame on us’ for not protecting that kind of information.”

The OPM’s director offered a different interpretation during sustained congressional grilling over security failures at the agency. From Lisa Rein at The Washington Post:

“We have legacy systems that are very old,” Katherine Archuleta, director of the Office of Personnel Management, told Senate lawmakers at a hearing on the intrusion. “It’s an enterprise-wide problem. I don’t believe anyone is personally responsible.”

She then told Sen. Jerry Moran (R-Kan.), who pressed her repeatedly to take responsibility for failing to shore up the agency’s computer security, that the attackers are the ones to blame.

[…] Archuleta said she is “working very hard on correcting decades of inattention” to weak computer security at her agency, and credited her efforts to add new security defenses for discovering the breach in the first place. But the OPM’s inspector general described a history of failures by the agency to take basic security steps.

[…] Michael Esser, assistant inspector general for audit, testified that numerous recommendations to modernize aging systems and improve the security of modern ones have not been followed. He noted that a number of the systems that were breached in the hack disclosed in June were actually not “legacy systems,” but modern ones. [Source]

The agency’s initial efforts to notify affected employees also attracted criticism for encouraging behavior that could facilitate further attacks. Lax security at the OPM and beyond is described in detail in recent posts by Ars Technica’s Sean Gallagher, who noted that some OPM contractors hired Chinese nationals. At least one of these, said to have had “direct access to every row of data in every database,” was actually based in China.

Security failings at the OPM are hardly unique, The New York Times’ David E. Sanger, Nicole Perlroth and Michael D. Shear reported last weekend:

The administration is urgently working to determine what other agencies are storing similarly sensitive information with weak protections. Officials would not identify their top concerns, but an audit issued early last year, before the Chinese attacks, harshly criticized lax security at the Internal Revenue Service, the Nuclear Regulatory Commission, the Energy Department, the Securities and Exchange Commission — and the Department of Homeland Security, which has responsibility for securing the nation’s critical networks.

At the Nuclear Regulatory Commission, which regulates nuclear facilities, information about crucial components was left on unsecured network drives, and the agency lost track of laptops with critical data.

Computers at the I.R.S. allowed employees to use weak passwords like “password.” One report detailed 7,329 “potential vulnerabilities” because software patches had not been installed. Auditors at the Department of Education, which stores information from millions of student loan applicants, were able to connect “rogue” computers and hardware to the network without being noticed. And at the Securities and Exchange Commission, part of the network had no firewall or intrusion protection for months. [Source]

-linked data mining firm Recorded Future reported this week that it found login details for employees of 47 different government agencies posted online, and that 12 of these organizations failed to use two-factor authentication as an additional layer of security. Meanwhile, traces of malware that struck the OPM have been discovered on computers at the National Archives. ACLU technologist Christopher Soghoian commented:


The intrusions may go much deeper. As the OPM story developed, The Sunday Times reported anonymous British officials’ claims that documents leaked by former NSA contractor had fallen into Russian and Chinese hands. The article was immediately and widely mauled, particularly after its author told CNN that none of its specifics could be verified and that “we just publish what we believe to be the position of the British government at the moment.” At Wired, security technologist Bruce Schneier wrote that Snowden’s actions were probably beside the point anyway:

I believe that both China and Russia had access to all the files that Snowden took well before Snowden took them because they’ve penetrated the NSA networks where those files reside. After all, the NSA has been a prime target for decades.

[…] In general, it’s far easier to attack a network than it is to defend the same network. This isn’t a statement about willpower or budget; it’s how computer and network security work today. A former NSA deputy director recently said that if we were to score cyber the way we score soccer, the tally would be 462–456 twenty minutes into the game. In other words, it’s all offense and no defense.

In this kind of environment, we simply have to assume that even our classified networks have been penetrated. Remember that Snowden was able to wander through the NSA’s networks with impunity, and that the agency had so few controls in place that the only way they can guess what has been taken is to extrapolate based on what has been published. Does anyone believe that Snowden was the first to take advantage of that lax security? I don’t.

[…] I am reminded of a comment made to me in confidence by a US intelligence official. I asked him what he was most worried about, and he replied: “I know how deep we are in our enemies’ networks without them having any idea that we’re there. I’m worried that our networks are penetrated just as deeply.” [Source]

While most have focused on the need for better defenses, some argue for counterattacks. Prospective Republican presidential candidate Mike Huckabee, for example, wrote that:

The response and retaliation to this behavior is simple-America should hack the Chinese government. We should hack the cell phones of some prominent Communist party leaders, hack the bank accounts of intelligence officials, publicly humiliate Chinese families for political corruption, or wipe-out a few critical Chinese computer systems. [Source]

UCLA’s Kristen Eichensehr, examining the OPM breach in light of the Department of Defense’s newly released Law of War Manual, wrote last week at Just Security that such bellicose rhetoric is unrealistic:

Debates are raging over just how damaging the two OPM hacks are. In the first of what are sure to be many congressional hearings on the breaches, Rep. Carolyn Maloney (D-NY) asserted that she “consider[s] this attack … a far more serious one to the national security” of the United States than the 9/11 attacks. Others have called the hacks the long-warned-about cyber 9/11 or cyber Pearl Harbor. But other commentators have pushed back. Robert Knake of CFR noted that he is “a bit blasé” about the hack because “if the Chinese government is indeed behind it, it’s not by any stretch the most dastardly thing they have done in cyberspace.” [Knake listed five worse cases attributed to China in a blog post at CFR.] Prof. Henry Farrell on the Washington Post‘s Monkey Cage blog similarly explained that “hacking into information on U.S. government employees, however sensitive, is not a Pearl Harbor attack,” but rather “an (extremely worrying) exercise in .”

[…] Despite the debate over exactly how bad the OPM hacks are for national security, there is no doubt that they are a blow, the magnitude of which will become clearer over time. Where any US claim to the legal or moral high ground would be shaky at best, we should assume that spies are going to spy and act accordingly. This means that the government must better secure its sensitive information going forward and take steps to protect the individuals already put at risk. Beyond such responses, allusions to 9/11 and Pearl Harbor are misplaced and tend to frame these hacks in terms countenanced neither by realism in international relations nor by the rules of international law. [Source]

In any case, it remains unproven that China is the real culprit. The OPM hacks are thought to be the work of “Deep Panda,” an outfit associated with China’s Ministry of Public Security. But when Director of National Intelligence James Clapper said this week that China is “the leading suspect,” it was the strongest such statement to date by a serving U.S. official on the record. Michael Rogers, NSA director and commander of U.S. Cyber Command, has emphasized the enduring uncertainty about attribution of the attacks. From Patrick Tucker at Defense One:

Rogers spoke in response to a question about how the National Security Agency was going about attributing the breach to the Chinese government. “You’ve put an assumption in your question,” he said. “I’m not going to get into the specifics of attribution. It’s a process that’s ongoing.”

[…] The cybersecurity group FireEye says it’s “highly confident” that Chinese did it, based on the kind of cables and telecommunications equipment involved, the type of data stolen, and the specific backdoors that the thieves used. “These backdoors, they’re commonly used by Chinese threat actors,” Michael Oppenheim, the intelligence operations manager at FireEye, told Defense One.

Oppenheim stopped short of formally accusing the Chinese government but added, “We believe that this aligns with Chinese interests.”

Oppenheim said that he was sympathetic to Rogers’s reluctance to formally attribute the breach to the Chinese government. “For someone in his position, you want to be 100-percent sure,” he said. [Source]

Another recent hacking case showed attackers leaving false tracks meant to implicate China. Russian security company Kaspersky revealed this month that it had discovered malware dubbed “Duqu 2” within its own systems. The firm’s technical paper on the intrusion refrained from explicit attribution (PDF), but noted:

[… T]he attackers have tried to include several false flags throughout the code, designed to send researchers in the wrong direction. For instance, one of the drivers contains the string “ugly.gorilla”, which obviously refers to Wang Dong, a Chinese hacker believed to be associated with the APT1/Comment Crew. The usage of the Camellia cypher in the MSI VFSes, previously seen in APT1-associated Poison Ivy samples is another false flag planted by the attackers to make researchers believe they are dealing with APT1 related malware. […]

Nevertheless, such false flags are relatively easy to spot, especially when the attacker is extremely careful not to make any other mistakes. [Source (PDF)]

The attackers also used a digital certificate apparently stolen from Taiwan-based Foxconn, possibly for similar reasons. From Kim Zetter at Wired:

The Taiwanese firm makes hardware for most of the major tech players, including Apple, Dell, Google, and Microsoft, manufacturing the likes of iPhones, iPads and PlayStation 4s. Taiwanese companies have been fruitful for this hacking group, who many believe to be Israeli: This marks at least the fourth time they have used a digital certificate taken from a Taiwan-based firm to get their malware successfully onto systems.

It’s unclear why the attackers focus on digital certificates from Taiwanese companies, but it may be to plant a false flag and misdirect investigators into thinking China is behind the malware attacks, says Costin Raiu, director of Kaspersky’s Global Research and Analysis Team.

The strategy of stealing and corrupting otherwise-legitimate certificates is particularly galling to the security community because it undermines one of the crucial means for authenticating legitimate software. [Source]

Kaspersky found that Duqu 2 had been used to infiltrate hotels hosting Iran nuclear talks, allowing access to security cameras, microphones, Wi-Fi networks, phone communications, and hotel records. Coincidentally, reports last week indicated that the U.S. State Department will no longer use the Waldorf Astoria as a New York base for its staff following its acquisition by the Beijing-based Anbang Insurance Group last year.