Politico: U.S., allies slam China for brazen cyberattacks as Trump administration indicts hackers

By Eric Geller

The Chinese government broke its promise to stop hacking U.S. businesses and stealing their trade secrets, the Trump administration declared Thursday, ratcheting up tensions between two of the world’s cyber superpowers and adding fuel to a trade war that has spooked global markets.

“China stands accused of engaging in criminal activity that victimizes individuals and companies in the United States, violates our laws, and departs from international norms of responsible state behavior,” Deputy Attorney General Rod Rosenstein said at a press conference.

To emphasize the point, the Justice Department on Thursday indicted two Chinese hackers for a long-running economic espionage campaign that resulted in the theft of hundreds of gigabytes of data from companies and government agencies.

Hours later, DHS and the State Department warned Beijing to “abide by its commitment to act responsibly in cyberspace” and said the U.S. would “take appropriate measures to defend our interests.”

Thursday’s actions confirm what private-sector cybersecurity researchers and U.S. intelligence officials have been saying for months: The 2015 agreement in which Beijing pledged to stop hacking U.S. companies for their valuable intellectual property is dead.

“The activity alleged in this indictment violates the commitment that China made to members of the international community,” Rosenstein said. “The evidence suggests that China may not intend to abide by its promises.”

The two Chinese hackers, Zhu Hua and Zhang Shilong, worked for a technology company in Tianjin, China, and “acted in association with” China’s Ministry of State Security, according to the indictment unsealed today in federal court in the Southern District of New York. They were part of a group that security researchers and the government have dubbed APT10, for “advanced persistent threat.”

The men participated in two parallel campaigns of digital intrusions, DOJ said. In the first operation, beginning in 2006, they hacked at least 45 companies and government agencies in at least 12 states and stole vast troves of data from firms in industries such as aviation, oil and natural gas, manufacturing, pharmaceuticals, and telecommunications.

In the second campaign, which began in 2014, they hacked “managed service providers,” which offer technology services to other companies, and stole data from manufacturing, consulting, healthcare, biotechnology, consumer electronics and other companies around the world.

The companies were located in Brazil, Canada, Finland, France, Germany, India, Japan, Sweden, Switzerland, the United Arab Emirates, the United Kingdom and the U.S., according to the indictment.

Prosecutors said that APT10’s “hacking operations evolved over time, demonstrating advances in overcoming network defenses, victim selection, and tradecraft.”

Also on Thursday, the United Kingdom issued statements blaming China’s government for sponsoring economic cyberattacks across the U.S., Europe and Asia.

Adam Segal, who leads the cyber program at the Council on Foreign Relations, praised the U.S. for building a global coalition against Beijing’s activities.

“Getting other countries to call China out is an important step,” he told POLITICO. The Trump administration, he added, is “likely to get more traction with Beijing when it is multilateral, not just the United States criticizing.”

Rep. Jim Langevin (D-R.I.), one of Congress’s most active lawmakers on cyber policy, agreed. “Collective international action, rather than going it alone, is the best way to make it clear to China that their actions are unacceptable,” he said in a statement.

At the press conference in Washington, Rosenstein said that the Chinese government “will find it difficult to pretend that it is not responsible for these actions.”

“In some cases, we know exactly who is sitting at the keyboard perpetrating these crimes in association with the Chinese government,” he said. “There is no free pass to violate American laws merely because they do so under the protection of a foreign state.”

But experts also expressed disappointment at the limited nature of Thursday’s actions. The indictments “fell short of the full punitive response that many in the administration were advocating,” said Paul Triolo, an expert on China and global technology issues at the Eurasia Group.

Treasury Secretary Steven Mnuchin and other “administration moderates … were able to prevail in their efforts to hold back the most punitive actions,” Triolo told POLITICO.

Chris Painter, who was the State Department’s top cyber diplomat from 2011 to 2017 and helped negotiate the 2015 agreement, said the Trump administration should make economic espionage central to the bilateral relationship.

“This cyber activity is only part of a larger set of issues with China,” he said, “and there needs to be consistent messaging that continuing this malicious activity is a roadblock to solving other issues between our countries.”

Segal, Painter and Langevin urged the U.S. and other Western countries to sanction the Chinese firms that benefited from Beijing’s cyber thefts.

“Chinese business leaders need to understand that if they make a Faustian pact with their government, they will not be welcome in the international community,” said Langevin.

Thursday’s actions mark the most aggressive turn in a months-long effort by the Trump administration to shine a spotlight on Beijing’s malicious cyber activity, especially its use of cyberattacks to steal U.S. intellectual property and hand it off to Chinese businesses.

In March, the Office of the U.S. Trade Representative issued a report on Chinese intellectual property theft that detailed Beijing’s decade-long campaign of “cyber intrusions into U.S. commercial networks targeting confidential business information held by U.S. firms.”

“Through these cyber intrusions, China’s government has gained unauthorized access to a wide range of commercially valuable business information, including trade secrets, technical data, negotiating positions and sensitive and proprietary internal communications,” the report said. “These acts, policies, or practices by the Chinese government are unreasonable or discriminatory and burden or restrict U.S. commerce.”

China is linked to more than 90 percent of DOJ’s economic espionage cases over the past seven years, as well as more than two-thirds of its trade secrets theft cases, Rosenstein said today.

Speaking after Rosenstein, FBI Director Christopher Wray told reporters that “no country poses a broader, more severe, long-term threat to our nation’s economy and cyber infrastructure than China.”

Intellectual property theft has long been a source of tension between the U.S. and China, the world’s two largest economies, and in 2015 the issue came to a head before a summit between Presidents Barack Obama and Xi Jinping.

Facing the threat of sanctions just as Xi and his high-level delegation were set to arrive in Washington, Beijing agreed to a deal that would ban the “cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.” Xi and Obama announced the agreement from the Rose Garden following their summit.

Cybersecurity researchers saw a significant drop-off in Chinese intellectual property theft following the deal. But in recent years, as trade tensions escalated following Trump’s election, the hacking resumed its previous pace and expanded to new areas, including “dual-use” technology that has commercial and military applications, experts said.

“On the one hand the diplomatic agreement definitely worked, but on the other hand it established a narrow norm that Beijing has continued working around using all elements of national power to improve their economy at the expense of U.S. competitors,” Christopher Porter, chief intelligence strategist at the security firm FireEye, told POLITICO.

For a while, the U.S. government avoided directly accusing China of breaching the 2015 agreement. But that changed in recent months. In November, Rob Joyce, a senior NSA cybersecurity official, said it was “clear that they are well beyond the bounds” of the deal.

“We’ve certainly seen the behavior erode in the last year,” said Joyce, who previously served as Trump’s cyber coordinator in the White House. “And we’re very concerned with those troubling trends.”

On Oct. 30, the Justice Department announced charges against Chinese intelligence officers and their contract hackers for a five-year cyber campaign that targeted, among other things, the proprietary design for a jet engine.

“At the time of the intrusions,” the government said, “a Chinese state-owned aerospace company was working to develop a comparable engine for use in commercial aircraft manufactured in China and elsewhere.”

The indictment followed news that Belgian authorities had extradited to the U.S. a senior officer of China’s Ministry of State Security to face economic espionage charges, also related to aviation firms. Officials said it was the first U.S. extradition of a Chinese spy.

Another aspect of the counter-China offensive is a focus on the so-called supply chain, the complex and often opaque web of companies that design, produce and sell technology products and services.

U.S. intelligence officials worry the Chinese government will pressure its telecom giants, Huawei and ZTE, to manipulate the equipment they sell to Western countries for espionage and disruptive cyberattacks. The U.S. is trying to persuade its closest allies to stop using those companies’ products, but the effort has met with mixed results.

Washington is also concerned about Chinese cyberattacks on corporations and government agencies that host vast troves of Americans’ personal data, especially information — like security clearance applications and health records — that could help Beijing turn Americans into double agents.

The 2014 hack of the U.S. Office of Personnel Management, which compromised the records of 21.5 million current, former and prospective federal employees, was part of this campaign, officials have said. So too was the hack of the giant health insurer Anthem, disclosed in January 2015, which exposed more than 37.5 million patient records.

U.S. officials believe the massive Marriott data breach, which compromised as many as 500 million people’s information, was also part of this counterintelligence project. That hack, which the company disclosed on Nov. 30, included not only basic information like names, phone numbers and street addresses, but also passport numbers. Secretary of State Mike Pompeo publicly blamed China for the hack last week.

None of the OPM, Marriott or Anthem data have surfaced online, which would be unusual if it lay in the hands of garden-variety cyber criminals. The U.S. believes Beijing’s analysts are poring over the data, trying to determine who is most susceptible to recruitment by China’s spy services.

Complicating efforts to reduce this type of hacking is the fact that the U.S. — along with every other country with an advanced cyber program — also conducts cyber espionage. Efforts to prosecute foreign government hackers for digital spycraft risk creating a norm that intelligence and national security officials see as unwise. In addition, other countries might try to charge NSA or CIA hackers using the U.S.’ rationale.

While China’s intelligence operations may perennially bedevil U.S. investigators, senior DOJ officials appeared confident Thursday that exposing Beijing’s economic espionage would yield results.

“Today’s charges mark an important step in revealing to the world China’s continued practice of stealing commercial data,” said Rosenstein.

MeriTalk: New Bipartisan Bill to Authorize $10 Million for Cyber Education

SOURCE: MeriTalk

WASHINGTON, D.C. – On Tuesday, Representatives Jim Langevin, D-R.I., and Glenn Thompson, R-Penn., introduced the Cybersecurity Education Integration Act, a bill that would establish a grant program to develop career and technical education (CTE) classes that include cybersecurity fundamentals.

“Whether in our hospitals or our power grid, vital systems are increasingly being connected to the Internet,” said Langevin. “We need to offer better training for the workers who deal with these systems on a day-to-day basis, particularly in safety critical industries where lives can be put in jeopardy by malicious cyber actors.”

The bill includes $10 million to establish a competitive grant program run by the Department of Education to provide grants up to $500,000 to partnerships of educational institutions and employers that commit to include cybersecurity in career and technical education. Applicants would need to describe which sector of critical infrastructure their program plans to train for, the workforce needs of that sector, the work-based learning opportunities available to program participants, and how the program would lead to a recognized postsecondary credential, among other criteria.

“We must ensure we’re protecting sensitive data and critical infrastructure from bad actors, and this bill is one step in the right direction,” said Thompson. “By enabling our next generation of learners to have the most sophisticated and comprehensive educational programs out there, we will be better prepared to protect our most critical systems and assets.”

The bill also requires the Department of Education to consult with the Department of Homeland Security and the National Institute of Standards and Technology to find the most pressing workforce needs in critical infrastructure.

The bill has been referred to the House Committee on Education and the Workforce for further consideration.

Federal News Network: Top House Armed Services Democrat wants oversight of new DoD cyber strategy

By Scott Maucione

With the Democrats taking control of the House starting in January, the likely-incoming chairman of the House Armed Services Emerging Threats and Capabilities Subcommittee is whittling down his priorities for the panel in the next legislative session. The top areas he wants to cover have a common thread that should come as no surprise: cyber.

Rep. Jim Langevin (D-R.I.) was just reelected to his tenth term in Congress, and is poised to take the gavel from current chairman, Rep. Joe Wilson (R-S.C.).

In an interview with Federal News Network, Langevin said cybersecurity, election security and keeping a watchful eye over the Trump administration’s new defense cyber policy are some of the most important topics the subcommittee will face in the coming year.

“We want to make sure they are held accountable and we are properly implementing these new strategies,” Langevin said.

DoD’s new cyber strategy, which was released in September, is much more “forward leaning” than strategies of the past, Langevin said. The strategy focuses on great power competition and also allows DoD to more readily conduct cyber operations in defense of the nation outside of its own networks.

What’s concerning is “the unintended consequences,” Langevin said. “If we are going to be more proactive in cyberspace, I think that can be a good thing, but working with allies and having international coordination is essential.”

To that point, Langevin criticized the administration’s decision to eliminate the cybersecurity coordinator at the State Department and the cybersecurity coordinator role on the National Security Council.

The Trump administration said it got rid of the roles in the NSC and State Department as part of an effort to cut back bureaucracy and streamline decision making.

“Big mistake,” Langevin said. “Cybersecurity is not just a U.S. problem or challenge; it’s an international problem and challenge that we need to work on together. Having an international focus and having someone at the State Department is going to help coordinate those cyber strategies and responses.”

While Langevin thinks international cooperation is imperative to the nation’s cybersecurity, he also thinks the government and private sector need to ramp up their communication about cyber threats.

“We are going to continue to track the implementation of the Cybersecurity Information Sharing Act of 2015,” Langevin said. “It has not lived up to its potential or what I certainly hoped we would accomplish in terms of sharing robust threat information, threat signatures and network speed. That has not happened at all to the level it needs to happen.”

Currently, only six companies are sharing cyber threat information with the government and about 200 are taking the information the government is offering, Langevin said.

“That just seems incomprehensible to that the numbers would be low, but that’s the reality and we have to do better,” Langevin said. He added that it is unclear why the companies are not signing up for the program.

“We need to get our arms around why and how we can incentivize more robust information sharing,” Langevin said. “The only way we are going to really effectively protect ourselves and the government is to properly inoculate ourselves when we know of a threat signature that could pose harm.”

Langevin is also planning on keeping a close eye on the delegation of authorities given to U.S. Cyber Command as it grows in its role as a full combatant command.

The congressman also stressed the need for a law that governs how quickly data breaches need to be reported. Currently each state has its own law about how quickly breaches need to be reported; Langevin wants a federal standard of 30 days.

Numbers around the 2020 Defense budget are already beginning to fly. Langevin said he agreed with Rep. Adam Smith (D-Wash.), who will likely chair the House Armed Services Committee, that the United States needs to specialize in certain areas and leave some slack for allies to pick up. That could have an effect on how big the Defense budget ends up.

Smith said Democrats will look at how they can, within a reasonable budget, manage risk while also prioritizing other factors that make a country “safe, secure and prosperous” like paying down debt and fixing infrastructure.

“The biggest problem I feel that we’ve had is, because we get this ‘Oh my God we have to cover everything [mindset],’ we wind up covering nothing well and that leaves the men and women who serve us in a position where they are not properly trained, properly equipped to meet all the missions we want them to meet,” he said. “It’s a complete impossibility to meet all the missions that we dream up.”

Langevin stated the sequestration caps for both defense and nondefense need to be lifted.

NextGov: DHS and Pentagon Memo Details Future Cyber Cooperation

By Joseph Marks

The Pentagon and Homeland Security Department have established a memorandum of understanding that details how the departments will work together on cybersecurity in the future, a Homeland Security official confirmed Wednesday.

That agreement “reflects the commitment of both departments in collaborating to improve the protection and defense of the U.S. homeland from strategic cyber threats,” according to written testimony from Homeland Security Assistant Secretary Jeanette Manfra.

It also “clarifies roles and responsibilities between DOD and DHS to enhance U.S. government readiness to respond to cyber threats and establish coordinated lines of efforts to secure, protect, and defend the homeland,” according to the statement delivered to a joint hearing of the cyber panels of the House Homeland Security and Armed Services committees.

A Homeland Security official confirmed the agreement is completed but did not provide additional details.

Rep. Cedric Richmond, D-La., described the agreement in broad terms during the hearing. Richmond, who is the ranking Democrat on the Homeland Security panel, said he has not read the memorandum yet.

The civilian-military agreement comes as the government is trying to ramp up civilian and military cooperation in cyberspace, especially when it comes to protecting election systems and other critical infrastructure such as banks, hospitals and airports.

In advance of last week’s midterm elections, 11 Pentagon cyber officials came over to Homeland Security’s cyber operations center as liaisons, Manfra told lawmakers during the hearing.

Those liaison officers were there to pave the way for their colleagues in case an election cyber threat popped up that state and local officials couldn’t handle on their own with Homeland Security’s support and the military needed to help out, Manfra said.

Though the departments were prepared, that threat didn’t materialize.

Rep. Jim Langevin, D-R.I., the ranking member on the Armed Services panel, praised the Pentagon and Homeland Security for removing legal and bureaucratic barriers to cooperation in advance of the election.

In the future, it will be critical for the two departments to work together on cyber threats, he said.

“While Congress has been abundantly clear about DHS’ primacy in defending civilian networks in the United States, coordination, collaboration and information sharing with the DOD will be critical to the defense of the homeland,” [Rep. Langevin] said.

Congress officially authorized the Defense Department to send those detailees to Homeland Security in August in a pilot program included in the most recent version of the National Defense Authorization Act, an annual defense policy bill.

The mammoth policy bill also mandated other Defense Department efforts to help the civilian government and critical infrastructure providers, such as banks and hospitals, repel cyberattacks if called upon.

The bill also mandated a study on whether to create cyber components in the military reserves that could assist states during a cyber emergency.

Overall, in the months leading up to the election, Homeland Security, the Pentagon and FBI made more progress on sharing cyber threat information and developing a common cyber operations picture than in the prior decade, Manfra told lawmakers.

CyberScoop: GAO report shows how easy it is to hack DOD weapon systems

By Sean Lyngaas

In cybersecurity probes of Department of Defense weapon systems in recent years, penetration testers were able to gain control of systems with relative ease and generally operate undetected, according to a Government Accountability Office report.

“We found that from 2012 to 2017, DOD testers routinely found mission-critical cyber vulnerabilities in nearly all weapon systems that were under development,” the report states.

In one test, a two-person team gained initial access to a system in an hour, then gained full control of the system in a day, the watchdog said. In another, the pen-testers seized control of the operators’ terminals, could see what the operators saw on their screens, and “could manipulate the system,” GAO found. Many of the testers said they could change or delete data. In one case they downloaded 100 gigabytes of it.

The scathing report chalks up the insecurities in the Pentagon’s weapon systems to defense officials’ “nascent understanding of how to develop more secure weapon systems” and the fact that those systems are more networked than ever. Until recently, according to GAO, the Pentagon did not prioritize weapon-system cybersecurity. Furthermore, DOD program officials the watchdog met with “believed their systems were secure and discounted some test results as unrealistic,” the report says.

“Due to this lack of focus on weapon systems cybersecurity, DOD likely has an entire generation of systems that were designed and built without adequately considering cybersecurity,” GAO researchers added.

DOD’s evaluators did not pull out top-drawer tools to breach the weapon systems, but instead used simple techniques that were sufficient in the face of “poor password management and unencrypted communications,” according to GAO.

The report, which focuses mainly on under-development weapon systems, is the product of a 15-month audit that included interviews with officials from the National Security Agency, military testing organizations, and DOD acquisition offices, among other agencies. GAO said its researchers will give Congress a classified briefing on their findings.

Not all of GAO’s findings were negative. The Pentagon has recently moved to improve weapon-system cybersecurity through policy guidance and initiatives to better understand vulnerabilities, according to the watchdog. And one penetration test reviewed by GAO “found that the weapon system satisfactorily prevented unauthorized access by remote users,” albeit not from insiders.

But the report makes clear that DOD’s work to date is far from sufficient in tackling the problem.

“Several DOD officials explained that it will take some time, and possibly some missteps, for the department to learn what works and does not work with respect to weapon-systems cybersecurity,” the report says.

Due to testing limitations, “the vulnerabilities that DOD is aware of likely represent a fraction of total vulnerabilities” in systems, according to GAO.

Defense officials provided technical comments in response to a draft of the GAO report. CyberScoop has requested further comment from the Pentagon.

“The GAO report released today highlighted a shocking reality: just how far behind we actually are in adequately protecting our weapons systems and industrial suppliers from cyber threats,” said Sen. Jim Inhofe, R-Okla., chairman of the Senate Armed Services Committee.

Rep. Jim Langevin, D-R.I., a member of the House Armed Services Committee, said he wasn’t surprised by GAO’s findings. “While DOD has made progress in lowering its cybersecurity risks, it has not moved fast enough,” Langevin said. That is why, he added, Congress has mandated that the Pentagon carry out cyber vulnerability assessments.

URI Today: U.S. Rep. James Langevin to host Coastal Resiliency Symposium at the University of Rhode Island

KINGSTON, R.I. — U.S. Rep. James Langevin, along with a number of University of Rhode Island experts, will convene for a symposium on the topic of extreme weather conditions, including storm surge and flooding, as they affect military installations and the Rhode Island coastline.

URI faculty with expertise in storm modelling and mapping, response and resiliency, ocean and civil engineering, and geologic oceanography will participate in the symposium to be held Tuesday, Oct. 16 from 10:30 a.m. to 12:30 p.m., in Corless Auditorium at URI’s Bay Campus, 215 South Ferry Road, Narragansett, Rhode Island. Registration is at 9:30 a.m.

A 2018 Department of Defense study indicated that more than half of the U.S. military’s 3,500 sites, located both in the U.S. and internationally, are affected by instances of extreme weather. Storm surge, here in Rhode Island as well as other coastal regions, can be a particular risk, with more than 200 domestic sites alone reporting flooding—an increase of more than 500 percent over the number reported in 2008.

Rear Admiral (Ret.) Jonathan W. White, former commander of the Naval Meteorology and Oceanographic Command, will deliver the keynote address. White has a B.S. in oceanographic technology from the Florida Institute of Technology and holds a master’s degree in meteorology and oceanography from the U.S. Naval Postgraduate School.

He was commissioned through Navy Officer Candidate School in 1983, and has had operational shore assignments at Jacksonville, Florida; Guam; Monterey, California; and Stuttgart, Germany, where his joint duty included Special Operations Command Europe, and strike plans officer for U.S. European Command during Operation Allied Force in Kosovo and Serbia. White commanded the Naval Training Meteorology and Oceanography Facility, Pensacola, Florida, and was the 50th superintendent of the United States Naval Observatory.

White’s sea tours as a naval oceanographer include commander, Cruiser Destroyer Group 12, where he completed deployments on board USS Saratoga (CV 60) and USS Wasp (LHD 1). He was promoted to the rank of rear admiral (upper half) in August 2012 as he assumed his duties as director, Task Force Climate Change, and Navy deputy to National Oceanic and Atmospheric Administration. Rear Admiral White retired in 2015. He presently serves as president and CEO of the Consortium for Ocean Leadership.

Symposium panelists and topics are:

  • Christopher D.P. Baxter, professor, ocean, civil and environmental engineering— “Engineering’s Role in Resiliency and Educating the Next Generation.”
  • Austin Becker, assistant professor, coastal planning, policy and design— “Stimulating Transformational Thinking for Long-Term Climate Resilience.”
  • John King, professor, geological oceanography— “Climate Model Predictions and Trends in Observational Data for Coastal Environments.”
  • Pamela Rubinoff, coastal management and climate extension specialist, Coastal Resources Center and Rhode Island Sea Grant— “Engaging Decision Makers in Resilience.”

Congressman Langevin, URI President David M. Dooley, and URI’s Vice President for Research and Economic Development Peter J. Snyder will speak at the symposium.

The event is free and open to the public; however, registration is suggested. For more information and a registration link, visit: uri.edu/coastalresilience.