Absolutely nothing, said several experts MC polled on the wisdom of hitting back at China over its alleged hacking of U.S. computer networks. Chris Christie and John Kasich became the latest GOP contenders this week to call for the United States to launch its own cyberattacks on countries believed to be targeting American secrets.
“It sounds like they don’t know what they’re talking about,” said James Lewis of the Center for Strategic and International Studies. “First, China isn’t waging cyberwar on us. They’re engaging in espionage. We’re doing espionage back.” Going on offense against China would probably only make things worse. “A Chinese PLA officer once said to me the problem is, both countries live in glass houses and both have stones.”
Still, Chris Christie’s threat to steal and release Chinese information is an option, Lewis said — but one that should be used only if China violates the cyber deal President Xi Jinping struck with President Barack Obama in September. As for John Kasich’s suggestion to attack the hackers themselves, Lewis said most intel people would prefer to be inside an opponent’s networks observing rather than enjoy the short-term benefit of destroying systems that can eventually be replaced.
Justin Harvey, chief security officer at Fidelis Cybersecurity, said of the debate-night bravado: “This is one of the more alarming things I’ve seen in the press about cyber in a long time. This has the capability to escalate to a point where there may not be a return.” If China does hold purloined files from the Office of Personnel Management — as administration officials have suggested — Beijing could respond to any cyberstrike by placing that material on the Internet. Added Harvey: “I do not believe we are in a cyber war now. We are more in an arms race or Cold War situation.”
Andre McGregor, security director at Tanium and former FBI cyber liaison to the United Nations, said the U.S. should focus on securing its networks, making them less appealing targets to attack in the first place. “My fear is that it’s a slippery slope when we start to go on the offensive against people who were hacking us,” McGregor said. “The foe of choice right now is China. In a couple of months that’s going to change to a new country threat or nontraditional actor.”
One more thing: There’s also the risk of hitting the wrong target, McGregor said. (Some authorities anonymously blamed the Russian government for the JPMorgan hack, but that wasn’t true. Earlier this week, federal prosecutors indicted a gang of pump-and-dump stock speculators based primarily in Israel.)
HAPPY THURSDAY and welcome to Morning Cybersecurity! Besides cyberwar, we’re thinking a lot these days about who has delivered the best Michael Jackson homage in the past couple decades. The Weeknd has been carrying the torch admirably — http://bit.ly/1IqMgBf — but our vote is at the end of today’s MC. Send your vote, thoughts, feedback and especially your tips to [email protected] and follow @timstarks, @POLITICOPro and @MorningCybersec. Full team info is below.
HACKER’S PARADISE — Brazil isn’t just home to some of the world’s most successful cyber criminals but some of its flashiest, according to a report from Kaspersky Lab out Wednesday. “A strong indicator of just how immune to prosecution the cyber criminals feel can be seen in the fact that it’s very easy to find videos and pictures of them online or to access their profiles on social networking sites,” the report notes, adding that “invariably, they can be seen flaunting what appears to be stolen money, celebrating the high life, paying for prostitutes in Rio during the carnival, and more.” YouTube videos such as the “Hacker’s Rap” boast “I’ll invade your PC, so heads up; you lose, ‘playboy,’ now your passwords are mine.” Check out the full report here, playboy: http://bit.ly/1Y4XAxf
AT&T ON GUARD — After a long delay, the Department of Homeland Security has awarded a contract to AT&T to protect federal government networks, making it the last of the major Internet service providers to provide intrusion prevention services via Einstein 3, DHS’s intrusion protection and detection program. AT&T expects to have “countermeasures ready this year to help protect government data and .gov websites against cyberattack,” according to a blog post Wednesday by Chris Smith, vice president of technology for AT&T Government Solutions. A former DHS official told Federal Times that the hold-up was over whether the company would receive liability protections for participating in the program, although a DHS spokesman didn’t answer a request for comment about whether the federal government ultimately agreed to provide that legal shield. More: http://bit.ly/1LaK81q
YOUR TV IS BEING HACKED — Owners of Vizio smart televisions have new reason to be upset apart from the so-so color rendering. Researchers from anti-virus software maker Avast found a way to take control of Vizio televisions after the company admitted earlier this week to secretly streaming viewing-habit data across the Internet to a website it controls, tvinteractive.tv. Researchers found they could impersonate the server thanks to poor security design, allowing them to force the TV into playing potentially unwanted content. “America’s Got Talent,” anyone? Vizio has promised to patch the problem, but as Ars Technica’s Dan Goodin notes, it’s right to be “skeptical of the claim of a self-installing update” on a TV. More: http://bit.ly/1MonO6o
DATA LOCATION, LOCATION, LOCATION — U.S. officials have decried countries’ efforts to store data locally because they’re wary of opening up their citizens’ and companies’ information to foreign governments, saying such data localization undermines the promise of the global Internet. The U.S. stance suffered a blow Wednesday. Microsoft announced plans to open Germany-based data centers in the second half of 2016 in partnership with Deutsche Telekom AG. The official trustee of data stored in the servers will be Deutsche Telekom’s sister company T-Systems, Reuters reports. That should prevent U.S. law enforcement from obtaining the data with a warrant and add significantly more roadblocks for U.S. intelligence agencies seeking the data. More from Reuters: http://reut.rs/1kNAKLT
Meanwhile, Russia’s Internet regulator said a change in Twitter’s terms of service will require the microblogging site to store Russian members’ posts inside Russia, the BBC reports. The regulator has made similar demands of Facebook. More from BBC: http://bbc.in/1kpQbdy
UNMASKER UNMASKED — An unidentified “university-based research institute” that could be Carnegie Mellon helped law enforcement find the hidden location of Silk Road 2.0 servers and IP addresses that connected to the online black market, reports Motherboard. The news outlet says the assistance, revealed in court documents filed in the trial of an alleged Silk Road 2.0 vendor, matches the time frame of a secretive 2014 Carnegie Mellon experiment that aimed to unmask Tor IP addresses. Carnegie Mellon researchers were due to give a Black Hat talk about the experiment, but university attorneys abruptly canceled it two weeks before the event. “There is no hard evidence at this time that CMU was the source of the FBI’s information, however, although circumstantial evidence points to it,” Motherboard wrote. A university spokesman told the outlet that it’s against practice to comment on law enforcement investigations or court proceedings. More: http://bit.ly/1Y536zW
The Tor Project, which maintains the technology necessary for hiding website IP addresses, said in a blog post it believes the FBI paid “at least $1 million” for the attack. Coders last year patched the holes researchers exploited to unmask IP addresses, the blog post also says, adding that the attack set a troubling precedent. “If this kind of FBI attack by university proxy is accepted, no one will have meaningful Fourth Amendment protections online and everyone is at risk,” the post said. More: http://bit.ly/1Y58wLl
ON THE MOVE:
— Bug bounty firm HackerOne has a new CEO: Marten Mickos, formerly head of open source cloud software maker Eucalyptus (acquired by HP in September 2014). HackerOne counts Yahoo and Twitter among its customers, who have collectively paid out nearly $5 million to hackers reporting new vulnerabilities.