Header graphic for print
Steptoe Cyberblog

Episode 270: China’s cyber offense comes of age

Posted in CFIUS, Cloud Computing, International, Security Programs & Policies

 

The theme this week is China’s growing confidence in using cyberweapons in new and sophisticated ways, as the US struggles to find an answer to China’s growing ambition to dominate technology. Our interview guest, Chris Bing of Reuters, talks about his deep dive story on Chinese penetration of managed service providers like HP Enterprise – penetration that allowed them access to hundreds of other companies that rely on managed service providers for most of their IT. Most chilling for the customers are strong suggestions that the providers often didn’t provide notice of the intrusions to their customers – or that the providers’ contracts may have prevented their customers from launching quick and thorough investigations when their own security systems detected anomalous behavior originating with the providers. Chris also tells the story of an apparent “Five Eyes” intrusion into Yandex, the big Russian search engine.

Returning to China, in our News Roundup Nate Jones covers the latest in the US-China trade war before diving into a Wall Street Journal article (by Kate O’Keeffe) that I call the Rosetta Stone for the last two years of cyber policymaking. Looking for the unifying theme in the lobbying fight over FIRRMA, the president’s executive orders on cyber, and sanctions on companies like Sugon? Look no further than AMD, its aggressive accommodation of China’s ambitions in chip manufacture, and the Pentagon’s desperate effort to thwart the company’s plans. Nate and I also consider a possible new US requirement that domestic 5G equipment be made outside China.

What is China planning to do with all that cyber power? Jordan Cannon lays out one little-followed story in which China seems to have taken an election-tilting page straight out of Vladimir Putin’s textbook. And Nate covers a newly patient Chinese hacking cadre willing to compromise a dozen telcos for years just to collect metadata on as few as twenty telco customers.

Speaking of metadata, David Kris explains why Congress is more exercised over NSA’s access to American phone metadata than China’s. Congress took the view that NSA should not collect the metadata of innocent Americans, even if it only searched the data when it had a legal basis for doing so. Instead, Congress constructed a new Section 215 program that depended on each telco to do searches of data that remained in their hands. Unsurprisingly, the telcos have done that badly, sending the wrong data to NSA on more than one occasion. Naturally, Congress now blames NSA for “overcollecting.” Don’t hold your breath waiting for an apology from the Congressional cranks.

Are you a conservative comforting yourself with the idea that Silicon Valley censorship is just a creature of platform monopoly that can be cured by more competition? Better stop reading the newspaper, as of last week. Two more conservative-hostile moves by Silicon Valley show that competition isn’t likely to end virtue signaling in the Valley. After Google banned Project Veritas’s video exposé of YouTube for, uh, privacy – that’s it, privacy – violations, its distant No. 2 competitor Vimeo responded to the competitive opportunity by also banning the video for, uh, defamation or something. And when Twitter competitor Parler offered a home to conservatives, Apple reportedly threatened (at least briefly) not to distribute the app unless it kicked some unspecified bad actors off the service.

Meanwhile, two Silicon Valley platforms that really do need at least a few conservatives were singing that famous C&W song, “I hate you. I need you. I hate that I need you.” And just to show their contempt for people they’re afraid to shut down completely, Reddit “quarantined” their wildly popular subreddit r/the_donald over posts the moderators said they’d never seen or had reported to them. And Twitter announced that it planned to salve its SJW conscience while still profiting from Trump’s tweets by attaching disapproving labels to them. Nate tries to hose me down, but it’s too late.

Finally, in breaking news from 1993, David reports that the Trump Administration is considering an encryption crackdown but can’t choose between a toothless statement of principles and a feckless proposal of legislation that will not pass. I offer the suggestion that the statement of principles will be enough to undercut Silicon Valley’s campaign to stop encryption controls in countries like Australia, the UK, and Germany. That’s where controls will eventually come from, David and I agree. I’m looking forward to all those folks who told us that GDPR was just the voice of civilization calling across the Atlantic saying the same about European encryption mandates.


 

Download the 270th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.