China's cyber offense comes of age
Episode 270 of the Cyberlaw Podcast
The theme this week is China's growing confidence in using cyberweapons in new and sophisticated ways, and the US struggle to find an answer to China's growing ambition in this sphere. Our interview guest, Chris Bing of Reuters, talks about his story on Chinese penetration of managed service providers like Hewlett Packard Enterprise – a penetration that gave APT10 access to hundreds of other companies that rely on managed service providers for most of their IT. Most chilling for the customers are strong suggestions that the providers often didn't notify their customers of the intrusions – or, worse, that the providers' contracts may have prevented their customers from launching quick and thorough investigations when their own security systems detected anomalous behavior originating with the providers. After this episode, a lot of CISOs will be rereading their managed service contracts. Chris also tells the story of an apparent "Five Eyes" intrusion into Yandex, the big Russian search engine.
Returning to China, in our News Roundup Nate Jones covers the latest in the US-China trade war before diving into a Wall Street Journal article (by Kate O'Keeffe) that I call the Rosetta Stone for the last two years of cyber policymaking. Looking for the unifying theme in the lobbying fight over FIRRMA, the president's executive orders on cyber, and sanctions on companies like Sugon? Look no further than AMD, particularly its accommodation of China's ambitions in chip manufacture and the Pentagon's desperate effort to thwart its plans. Nate and I also consider a possible new US requirement that domestic 5G equipment be made outside China.
What is China planning to do with all that cyber power? Jordan Cannon lays out one possibility, focusing on a little-followed story in which China seems to have taken an election-tilting page straight out of Vladimir Putin's textbook. And Nate covers a newly patient Chinese hacking cadre willing to compromise a dozen telcos for years just to collect metadata on as few as twenty telco customers.
Speaking of metadata, David Kris explains why Congress is more exercised over NSA's access to American phone metadata than over China's. Congress took the view that NSA should not collect the metadata of innocent Americans, even if it only searched the data when it had a legal basis for doing so. Instead, Congress constructed a new Section 215 program that depended on each telco to search data that remained in its own hands. Unsurprisingly, the telcos have done that badly, sending the wrong data to NSA on more than one occasion. Naturally, Congress now blames NSA for "overcollecting." Don't hold your breath waiting for an apology from the Congressional cranks who got us into this mess.
Are you a conservative comforting yourself with the idea that Silicon Valley censorship is just a creature of platform monopoly that can be cured by more competition? Guess again. Two more conservative-hostile moves by Silicon Valley show that competition isn't likely to end virtue signaling in the Valley. After Google banned Project Veritas's video exposé of YouTube for, uh, privacy – that's it, privacy – violations, its distant No. 2 competitor Vimeo responded to the competitive opportunity by also banning the video for, uh, defamation or something. And when Twitter competitor Parler offered a home to conservatives, Apple reportedly threatened (at least briefly) not to distribute the app unless it kicked some unspecified bad actors off the service.
Meanwhile, two Silicon Valley platforms that really do depend on at least a few conservative voices were singing that famous C&W song, "I hate you. I need you. And I hate that I need you." (Okay, I made that up, but there really should be a Taylor Swift song with those lyrics.) Anyway, the needy haters of Silicon Valley have been searching for ways to show their contempt for people they're afraid to shut down completely, and now they've found it. Reddit "quarantined" the wildly popular pro-Trump subreddit, r/the_donald, over posts the moderators said they'd never seen and that had never been reported to them. And Twitter announced that it planned to salve its SJW conscience while still profiting from Trump's tweets by attaching disapproving labels to them. Nate tries to hose me down, but it's too late.
Finally, in breaking news from 1993, David reports that the Trump Administration is considering an encryption crackdown but can't choose between a toothless statement of principles and a feckless proposal of legislation that will not pass. I offer the suggestion that the statement of principles could be enough to undercut Silicon Valley's campaign to stop encryption controls in countries like Australia, the UK, and Germany. That's where controls will eventually come from, David and I agree. If so, I'm looking forward to hearing all those folks who told us that GDPR was just the voice of civilization calling across the Atlantic say the same about European encryption mandates.
As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!
The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.