Cyberespionage

Professor Corri Zoli Speaks to Vox About China and Iran Meddling in US Elections

Are China and Iran meddling in US elections? It’s complicated.

(Vox | Sept. 15, 2020) This spring, the Chinese state-run news agency Xinhua posted a roughly two-minute video titled “Once Upon a Virus” on social media, including on official Chinese government accounts.

The video is in English and features Lego-like figures: one is the Statue of Liberty, representing America, and the other a warrior Lego representing China, with what look like medical workers decked out in PPE behind it…

… “There’s no question China’s the most technologically sophisticated for influence campaigns that reach beyond just elections,” Corri Zoli, associate teaching professor and director of research for the Institute for Security Policy and Law at Syracuse University, told me …

… And Iran definitely has cyber capabilities. But Zoli said, overall, they’re not sophisticated enough to have a truly enormous impact. “They don’t have the capabilities and they haven’t thought through a really multi-pronged strategy. They’re not going after, you know, these ancillary institutional sites to try to have a big impact on political decision-making” …

… Zoli told me she sees the ODNI document as educational, not so much for what it tells us about what our adversaries are up to, but as a way to “raise the public’s awareness that these election interferences are common and consistent. And you need to be kind of on guard about them. And you need to harden your approach to them” …



Chinese Hacking Indictments: Professor Corri Zoli Speaks to SCMP

US indicts Chinese hackers on charges of targeting coronavirus vaccine data and defence secrets

(South China Morning Post | July 22, 2020) The US government has indicted two Chinese nationals in connection with long-running cyber espionage operations that aimed to net information on Covid-19 vaccines, military weapons and human rights activists, in what is the second Justice Department indictment against individuals from China in recent days.


Li Xiaoyu, 34, and Dong Jiazhi, 33, were charged with 11 counts of conspiracy, identity theft and fraud related to operations carried out from China since 2009, some in conjunction with China’s Ministry of State Security (MSS), according to an indictment filed on July 7 with the US District Court for the Eastern District of Washington and unsealed on Tuesday …

…“This is information warfare so there’s a lot of evasion and distraction going on here,” said Corrinne Zoli, director of research at the Institute for Security Policy & Law at Syracuse University in New York. “I think the issue is not that the Chinese need more clinical data to sort out their own vaccine programmes.”

China is more likely to be “trying to probe the US response to what really is an economic and security threat that is the pandemic”, she added. “They’re trying to figure out if the response is leading the US to be more stable or unstable, if their response is indicative of a government that’s resilient or a government that’s in crisis” …

… “What you’re seeing now is just an administration that’s got a more of a forward posture … you’re seeing more inter-governmental operability, you’re seeing more inter-agency cooperation to manage this threat,” said Zoli. “Any nation state that has capacity, and usually that’s any nation state with a developed military, is going to have some information warfare capacity,” including the US.

The difference, she added, is that while the US government limits cyber espionage to the countering of national security threats, China is more inclined to hack for economic and commercial secrets as well.
“That’s where I think they are in a league of their own,” she said …



Corri Zoli Discusses Arrest of Chinese Researcher with SCMP

US ties activities of arrested Chinese military officer to those by defendant in Boston case

(South China Morning Post | June 25, 2020) US federal prosecutors in Los Angeles have tied the activities of an arrested Chinese military officer conducting research at the University of California to that of a Chinese defendant charged in another high-profile case, in what Washington sees as a coordinated pattern of spying.

The indictments reflect the US government’s efforts to prevent advanced technologies developed in America from being transferred to China’s military, as lawmakers and government officials all the way up to President Donald Trump warn of Beijing’s attempts to undermine national security …

… Corri Zoli, director of research at the Institute for Security Policy & Law at Syracuse University in New York, went further: “I can’t imagine that the Chinese government would be sending active-duty military officers to academic tech programmes, who are on their payroll and engaging in some sort of transfer of research technology, and they’re not somehow involved” in an orchestrated tech transfer strategy, she said.

“These efforts are very much a kind of fourth-generation warfare or information-warfare-type strategy, and this is the way of our contemporary world,” Zoli added.

“It’s not just China doing this. It’s everybody. This is the way that we’re evolving into a new battlespace, but China happens to be very effective at it.”


Between Hacks and Hostilities: Are the US Government and Private Sector Ready for Persistent Engagement?

By the Hon. James E. Baker

(Re-published from ABA Journal | May 9, 2019) Cybersecurity is necessarily an issue that crosses international boundaries, raising complex questions of sovereignty, jurisdiction, law and policy. In response, lawyers have struggled to find the right legal metaphor or framework to apply to cyberspace. Each of these issues concerns the American Bar Association Rule of Law Initiative because the way we as a society choose to address these challenges implicates what it means to live and operate under the rule of law.


The United States government produces almost as many reports and strategies as the ABA. One recent document warrants the attention of the bar, and not just security practitioners. The Department of Defense Cyber Strategy released in September—or more precisely, the unclassified part of the Strategy available to the public—breaks new and important ground, potentially marking a significant shift in the federal government’s strategic posture. How important the Strategy is will depend in large part on whether it is tied to an effective policy and decision-making process.

If I were briefing a senior policymaker on the substance and import of this new Strategy, I would highlight the following key statement:

“We are engaged in a long-term strategic competition with China and Russia. … The United States seeks to use all instruments of national power to deter adversaries from conducting malicious cyberspace activity that would threaten U.S. national interests, our allies, or our partners. … [The United States will] persistently contest malicious cyber activity in day-to-day competition.”

What is remarkable here is not the content of the statement, but the willingness to say it publicly. What would be even more remarkable would be if the U.S. government did in fact use all the instruments of national power to enforce cyber norms, as it once used all the instruments of national power to contain the Soviet Union. Gen. Paul Nakasone, in his capacity as the commander of U.S. Cyber Command, has advocated this approach encapsulated in the concept of “persistent engagement” …



William C. Snyder Discusses Huawei as a Security Threat With The Verge

Is Huawei a Security Threat? Seven Experts Weigh In

(The Verge | March 17, 2019) The United States government is cracking down hard on Huawei. Lawmakers and intelligence officials have claimed the telecommunications giant could be exploited by the Chinese government for espionage, presenting a potentially grave national security risk, especially as the US builds out its next-generation 5G network. To meet that threat, officials say, they’ve blocked government use of the company’s equipment, while the Justice Department has also accused Huawei’s chief financial officer of violating sanctions against Iran, and the company itself of stealing trade secrets.


Huawei’s response has been simple: it’s not a security threat. Most importantly, the company’s leaders have said the US has not produced evidence that it works inappropriately with the Chinese government or that it would in the future. Moreover, they say, there are ways to mitigate risk — ones that have worked successfully in other countries. Huawei’s chairman has even gone so far as to call the US government hypocritical, criticizing China while the National Security Agency spies around the globe. The company has also denied any criminal wrongdoing …

WILLIAM SNYDER, PROFESSOR OF LAW, SYRACUSE UNIVERSITY

Huawei is a threat to US national security, but that misses the bigger point. Vulnerabilities in the supply chain of network hardware and software is, has been, and will continue to be a threat to the national security of the United States and many other countries, including China. It remains very difficult to audit that a chip with millions of embedded transistors or software with millions of lines of code does only what consumers know and consent to it doing. Even if Huawei is not committing the sort of crimes for which a US grand jury indicted it, any company that supplies such a large percentage of the market for components of telecommunications networks and has such ties to the People’s Liberation Army is a threat. Huawei’s need to operate under Chinese laws about cooperation with Chinese military and intelligence agencies is of concern.

Huawei’s status as a threat is hardly unique. Not only are other Chinese companies such as ZTE and China Mobile embedded in the supply chain, but so are those of other countries. Huawei itself buys components from major US firms, including Qualcomm. Those companies are subject to US laws concerning cooperation with US intelligence agencies. Given the essentially free market economy of the United States, rarely, if ever, will a US company be as closely tied to the government as Chinese companies are. Still, if you are a security policymaker of a nation like India — with several times the population of the US — wouldn’t you worry about how many major militaries have back doors into your networks?

As long as conflict occurs at the nation-state level while critical cyber networks are designed and manufactured internationally, we all must be very careful. This is a systemic problem. Currently, Huawei’s size and ties to the PLA make it the focus of concern. In the future, another supply chain threat will take center stage.



Setting the Terms: William C. Banks Discusses Christopher Wray’s Senate Testimony

Professor Emeritus William C. Banks discusses the recent Senate testimony by FBI director Christopher Wray, who named China as the number one threat to the US. Banks also discusses the FBI’s handling of the second Justice Kavanaugh background check and the future of domestic unmanned aerial vehicle (drone) regulation, among other topics raised at the hearing.

Banks’ segment starts at 6m 09s

INSCT Hosts State Board of Elections Cybersecurity Tabletop Exercise

On June 7, 2018, the Institute for National Security and Counterterrorism (INSCT) hosted one of a series of statewide exercises that focus on cybersecurity preparedness and response to threats to New York State election systems. These first-of-their-kind tabletop exercises are sponsored by NYS Board of Elections (BOE) and US Department of Homeland Security (DHS) in partnership with the NY Division of Homeland Security and Emergency Services, NY State Police, and the NYS Intelligence Center.

Taking place in the College of Law, the Onondaga County tabletop exercise, like the other five regional exercises, was designed to identify areas for improvement in cyber incident planning, preparedness, and response through realistic scenarios that simulate the undermining of voter confidence, voting operations interference, and attacks on the integrity of elections.

State and local officials, led by the BOE and DHS Cyber Incident Response Team, will utilize information gleaned from these tabletop exercises with state, local, and federal stakeholders to identify risks and develop necessary steps to safeguard the election process.

Contoured for each region, the scenarios are based on a combination of real world events and potential risks facing election infrastructure. These threats include possible social media manipulation, disruption of voter registration information systems and processes, attacks on voting machines, and the exploitation of board of elections business networks.

The tabletop exercises are part of a BOE cybersecurity plan that was approved on May 3, 2018, to further strengthen cyber protections for New York’s elections infrastructure through the Secure Elections Center.


William C. Snyder Quoted in Medium.Com InfoSec Article

OSINT isn’t Evidence, or Why InfoSec Needs To Take A Step Back

(Re-published from Medium.com | Dec. 4, 2017) The ForeignPolicy.com headline read “Feds Quietly Reveal Chinese State-Backed Hacking Operation.”

But that headline is misleading because the indictment issued by the U.S. Attorney’s office in Western Pennsylvania didn’t name the Chinese government at all. It only named three employees of the Guangzhou Bo Yu Information Technology Company Limited (Boyusec).

“The indictment makes no allegations regarding state sponsorship,” said Justice Department spokesman Wyn Hornbuckle, who added that prosecutors only “included the allegations that we are prepared to prove in court with admissible evidence.”

Elias Groll, who wrote the article, apparently questioned why the DOJ didn’t include the Chinese government like they did in the 2014 indictment that named five Chinese PLA officers, and which also came from the same U.S. Attorney’s office in Western Pennsylvania. Groll contacted FireEye’s John Hultquist and quoted from past research by RecordedFuture in support of his headline that directly refuted what the DOJ said.

So let’s be clear about what FireEye, RecordedFuture, and every other cyber security company puts out in a commercial white paper designed to generate headlines and attract sales, and what the DOJ develops in order to get a conviction. Only one of those two things can properly be called “evidence.”

In 2014, I spoke with William C. Snyder, a former Assistant U.S. Attorney who served in the Western District of Pennsylvania and the District of Columbia and who today is a professor at Syracuse University’s College of Law. My question for him at that time was what must a cyber intelligence report have to deliver in order for an AUSA to pursue an indictment with the intent to prosecute. Here is an excerpt of his response to me.

First, the report by the non-government company is hearsay and is not admissible in court to prove any of the findings in the report. What the U.S. Attorney will be looking for in the report is a path to admissible evidence.

Here is a simple example. Guy opens Yahoo email accounts in names of boss who fired him and cop who arrested him. Guy sends emails from both accounts to the White House, threatening to blow it up. Desk at White House snags both emails and finds that they came from same IP.

For USSS, I issue on behalf of a grand jury a subpoena to the cable company for basic subscriber info for that IP. It comes back to a static IP for an account in the name of Joe Defendant at the address of his house. Ready to indict? No.

Agents interview ex-boss and cop. Both deny sending emails to White House and both have had run-ins with Mr. Defendant.

Agents interview postal carrier and neighbors. Mr. Defendant lives at the house with his wife and small child. Interviews continue, and local pastor and others indicate that wife and child were at church at the time emails to White House were sent. I take agents to a judge, who issues search warrant for Mr. Defendant’s house and computers …



Equifax Data Breach: Let the Blame Game Begin

By Christopher W. Folk (LAW ’17)

In the data breach, Equifax blames Apache >>> Apache rebuts—In the end consumers still lose

(Re-published from Crossroads: Cybersecurity Law & Policy | Sept. 11, 2017) In the wake of a massive data breach, Equifax appears to be blaming a vulnerability in the Apache Software Foundation’s Apache Struts Web Framework, according to a post on Apache.org.  

The Apache Struts Project Management Committee’s post goes on to address the assumption that the Equifax breach relied on a vulnerability in the Struts framework that was discovered on Sept. 4, 2017. The post points out that if the attackers did rely on this vulnerability, it would have been a zero-day exploit, since the issue was not detected until well after the attacks, which began in mid-May 2017. Furthermore, the PMC’s post asserts that the vulnerability described in CVE-2017-9805 may have existed for nine years; however, it was not a known issue during that timeframe, and the PMC asserts that as soon as Apache became aware of the issue a fix was developed and made available.

The PMC’s post goes on to outline a few key steps that businesses and individuals using Apache Struts (or any other supporting software) should implement:

  1. Inventory the frameworks and libraries you are using in your software development and products and maintain visibility into new releases, patches, vulnerabilities, etc.
  2. For each of those, create and utilize a process to test and roll-out security fixes in shorter time-periods (e.g. days vs. weeks).
  3. Don’t build your products on the assumption that the software you are using is flawless.
  4. Create security layers: don’t create a situation where a breach from the presentation (e.g., webpage layer) can endanger underlying back-end data.
  5. Establish baselines to monitor for unusual traffic or data flows which will help to identify network anomalies and potential intrusions and exfiltrations.

By way of comment, I have written an open letter to Equifax …

Dear Equifax:

Please wake up and realize that finger-pointing, trying to blame Apache or any other software products—in addition to the incredibly poor timing of the executive stock option sales before this breach was made public—are not going to help you in the court of public opinion, nor in any court of law where jurors may sit.

As a consumer, and a business professional, it would have been reassuring to learn that the breach was only to grab encrypted records, since that is how you should be storing our data, or to learn that you were giving those executives the boot since the mere appearance of impropriety was tantamount to deceit and malfeasance.  However, you chose instead to state that the executives had no idea there had been a breach days after it was discovered (in spite of the fact that the breach had been underway since mid-May) and then to assert that it wasn’t really your fault since the attacker used an exploit to exfiltrate unencrypted records.  

Furthermore, if you had performed input validation or sanitization then the vulnerability in Struts could not have been exploited in the first place (see this post from Imperva).

Needless to say, at this early stage in the game, your handling of this breach ever since it has been discovered appears to be a case study in what not to do.  As your shares continue their downward movement and as consumers and businesses alike start to realize the repercussions of this breach, it is unlikely that you have issued a single statement or taken a single step to help yourself, or your consumers and users.

Several days after the breach was disclosed, some Equifax executives were able to sell their stock at around $145 to $146 per share. Today (Sept. 11) Equifax shares closed at $113.12. Meanwhile 143 million of us are waiting to sign up for “free” credit monitoring so we can see when someone tries to use this data to steal our identities. However, as the government OPM breach taught us, data is worth so much more than just identity theft. Once you get enough data points on a person, the sky’s the limit.

In short, “thanks” for encrypting our precious data, which would have cost you a little bit of money and would have slowed down some of your back-end processes but would have made the attackers work a whole lot harder to grab our data (in a readable and usable format).

Sincerely,

John Q. Public

Christopher W. Folk is a 2017 graduate of SU College of Law. 

The Enemy Online: The Future of Terrorism Resides Across the Internet

(Re-published from Maxwell Perspective | Spring 2017) National rhetoric surrounding terrorism and countersecurity focuses on ISIS and on immigration policy. But Maxwell experts say the real, day-to-day threat is far more insidious: disruptive transnational cyber attacks.

“There couldn’t be a bigger assault on the United States than to try to undermine our democracy by changing who we select to be our leaders, whether it’s the presidency or a Congressional race,” says William C. Banks of Russian interference in the 2016 U.S. presidential election. Banks is a professor of public administration and international affairs with a distinguished professor appointment in SU’s College of Law. He is also the founding director of SU’s Institute for National Security and Counterterrorism (INSCT).

He says there’s no evidence hackers infiltrated the voting tabulation systems in any of the 50 states. But Russian-hired trolls may have been successful in swinging election results in key states — Wisconsin, Michigan, and Pennsylvania — with innumerable “fake news” hits on social media.

While Banks views such election interference as “a direct threat to everything we stand for,” he says there are many ways foreign governments and terror groups can inflict harm through cyber means. While the election has given foreign hacking a high profile, cyber attacks occur on a daily basis to both private and government entities.

“Hackers, cybercriminals, insurgents, and terrorists penetrate private sector and government networks and steal personal information; trade secrets and other commercially valuable data; and infect systems with malware that attempts to disrupt, degrade, and sometimes destroy the systems that host and transmit our most important information,” he says.

An internationally recognized authority on national security, counterterrorism, war powers, and related topics, Banks has collaborated on security issues with organizations around the world, ranging from NATO to The Hague. He is the author of seminal books in the field, including Soldiers on the Home Front: The Domestic Role of the American Military (Harvard University Press), among many others. He is editor-in-chief of the Journal of National Security Law & Policy.


Banks warns that nation-states and private actors who couldn’t match us in a conventional conflict could inflict tremendous cyber damage. He points to a major cyber attack by Russian hackers on Tallinn, Estonia, in 2007, which impacted the Estonian parliament, banks, ministries, newspapers, and broadcasting. “Estonia is arguably the most wired country in the world, and its banking system was effectively shut down, severely impacting the country’s economy,” says Banks.

In the aftermath, NATO established the Cooperative Cyber Defence Centre of Excellence in Tallinn, a multinational and interdisciplinary hub of cyber defense expertise that studies the law governing cyber warfare and partners with INSCT to hold joint workshops and conferences related to cyber warfare and defense.

According to David Van Slyke, dean of the Maxwell School and an expert on public-private partnerships, America is especially vulnerable. “Infrastructure in the United States — transportation, energy, water and sewer, logistics, and others — has shared ownership with public, private, and public-private configurations. One of the unique challenges with cyber-security threats is the need for information sharing, coordination, and vigilant monitoring among public and private organizations, each of which has some level of mistrust of what each is doing, sharing, and not doing.”

Van Slyke, who is also the Louis A. Bantle Chair in Business and Government Policy, says a proactive defense against cyberterrorism must depend upon “strong rules of engagement between public and private partners.”

“Despite ongoing improvements in cyber security, preventing cyber attacks is difficult because the attacker seeks to exploit system weaknesses their targets are not aware of, so the ‘defender’ is reacting to attacks, rather than being able to prevent them from happening,” says Renée de Nevers, associate professor of public administration and an expert on national and international security. She says the human factor makes it difficult to keep systems secure, because people slip up on cyber security measures, since these are sometimes perceived as nuisances.

De Nevers, who has served as a research fellow at the Belfer Center for Science and International Affairs, the Center for International Security and Cooperation, the Hoover Institution at Stanford University, and the International Institute for Strategic Studies, says that some cyber attacks appear to be phishing efforts seeking information while others are more destructive in intent, trying to override control systems or cause infrastructure breakdowns. “Both kinds of attacks are worrisome because phishing may give the attacker valuable information to use for other unknown purposes down the road,” she says.

Often the targets are unaware of attacks for weeks or even longer. And it can be hard to determine who is behind an attack, whether it was initiated by state actors or other groups or individuals, says de Nevers, co-author of Combating Terrorism: Strategies and Approaches (CQ Press), with Banks and former Maxwell dean Mitchel Wallerstein. “It appears that actors in several countries, including Russia, China, and Iran, engage in cyber attacks against other states frequently, as does North Korea,” she says.

While cyber warfare is typically thought of outside conventional forms of conflict, retired Vice Admiral Robert Murrett says our military experiences cyber attacks on a daily basis. “It’s just part of the landscape now, something that happens all the time relative to what we describe as ‘phase zero’ operations we’re engaged in around the world,” he says.

In 2009, U.S. Cyber Command was created under U.S. Strategic Command, to provide a centralized military command of cyberspace operations and defense of military networks. “I’d like to think we’re doing a better job of protecting against vulnerabilities,” Murrett says.

Murrett became deputy director of INSCT and a professor of practice in public administration and international affairs after a long and distinguished career at senior levels within the U.S. defense and intelligence fields, serving as director of Naval Intelligence and director of the National Geospatial-Intelligence Agency.

While routine cyber attacks are a significant threat, Murrett is focused on aggression from Russia and Iran and the activities of non-state actors working out of ungoverned areas (known as “black spots”), which can be used as a base for conducting operations against us or our allies. He remains concerned about the proliferation of nuclear weapons. “The global inventory of nuclear weapons is well in excess of 15,000 and varies widely,” he says.

Aside from a deliberate attack are ongoing issues of maintenance and security in countries such as Russia and Pakistan, says Murrett, who is also a staff member at the RAND Corporation and the Institute for Defense Analyses. Regarding state actors, he says he’s most worried about North Korea, “which has a very small inventory, but is most worrisome on a weapon-per-weapon basis.”

And of course, while computer systems controlling our own nuclear arsenal are subject to near continuous cyber attack, Banks reminds that the United States is also in the game.

Cyberwarfare is a likely tool the United States would employ to prevent a nuclear strike. Potentially, he says, “you could shut down command and control and really influence the outcome of a kinetic war by using cyber weaponry.”

https://www.maxwell.syr.edu/news.aspx?id=152471347903