Skating on Stilts

Anyone who’s followed my recent posts on state-sponsored hacking knows that I’ve been preaching the importance of attribution.  (See here, here, and here.)

Well, I have to say that attribution is coming along pretty well, as witness the devastating Mandiant report and the risible Chinese response. (My personal favorite: "A spokesman for China’s Ministry of Foreign Affairs [argued] that cyberattacks were difficult to trace because they were 'often carried out internationally and are typically done so anonymously.'" Hmm, or maybe not quite so anonymously as the Ministry thought, huh?)

But attribution is only half of the formula if we want to deter cyberespionage.  The other half is retribution.  Somebody has to pay.

In that regard, I was challenged recently by some national security staffers to identify practical ways we could punish cyberspies, especially those attacking our private sector.  They asked how to do that without compromising the classified sources and methods we’ll need to do attribution right.

Civil suits, they thought, would never work.  It's next to impossible for a U.S. court to get jurisdiction over a hacker in Russia or China.  And trials happen in public, after full discovery of the other side’s evidence.

The good news (if that’s what you call it) is that we deal with these sorts of limitations—lack of jurisdiction and the need to protect classified information—all the time with other kinds of bad guys. When it comes to fighting terrorists or narcotraffickers, we already use classified information to identify terrorist supporters or drug kingpins as "specially designated nationals”  and to impose sanctions on them – seizing their bank accounts and assets, for example, and prohibiting U.S. citizens from doing business with them.  They do have an opportunity to challenge their designation, but, in both the administrative and the judicial proceedings, classified information used in the designation or the review is protected. The most that a litigant can do is compel an in camera review of the information by a judge – and perhaps obtain an unclassified summary of the information, minus the sources and methods.

Remarkably, the President could start a cyberespionage retribution program like this tomorrow, on his own.  Under the International Emergency Economic Powers Act, the President could determine that state-sponsored cyberspying poses “an unusual and extraordinary threat” to the United States and declare a “national emergency.” 

Presidents have done that many times in the past.  Right now, we have in place sanctions against officials in Belarus for threatening democracy in that country, purveyors of conflict diamonds, transnational organized crime organizations, and drug kingpins.  In some cases, Congress has followed suit and passed statutes to consolidate or support sanctions programs (e.g., conflict diamonds, drug kingpins), but the sanctions began with a declaration by the President of a “national emergency.”

Not to sell short the cause of democracy in Belarus, but it seems to me that foreign hackers using the Internet to rob our companies and our government blind is at least as “unusual and extraordinary” a threat to our national interests as many of the individuals and groups already designated under earlier programs.

You might ask, however, whether applying sanctions to an individual hacker will really do any good—after all, sanctions don’t have much of a practical effect on people who don’t do business with the United States in the first place.

There are two answers to that question.  First, I'm struck by how many of the guys who've been identified as cyberspies come from a demimonde, half in government and half out.  Most of them clearly yearn to become entrepreneurs.  They can't do that easily without traveling. Sooner or later, they'll come here.

Second, what if we applied sanctions not just to the hackers themselves but to the companies that benefit from the data they filch from U.S. systems?  Legally, there’s not much difference in criminal responsibility between a thief and the guy he’s stealing for. We won’t have to designate more than a few large companies as “cyberspies” and seize their US assets before other companies start saying “Thanks, but no thanks” to offers of stolen data.

Of course, to do that, we'd have to have those companies dead to rights, and so far we don't.  US security researchers have done a great job of tracking the thieves back home.  But so far researchers have had trouble identifying the companies who ultimately benefit from cyberspying. 

That too is an attribution problem – the second and last attribution problem we have to solve if we want to close the loop.  It looks pretty difficult, but no harder than the first attribution problem looked five years ago. Nailing the customers is going to take a major intelligence campaign, but in the end I think we can catch both the cyberspies and their spymasters red-handed.  (If nothing else, we'll benefit from what I like to think of as Baker's Law:  "Our security may suck, but so does theirs.")  

Then, when we do catch them, it’ll be time for the toughest available sanctions. A sanctions program along these lines could raise the cost of hacking and dampen demand for hacking services.  And it's not like anything else is working.  The President could launch it tomorrow without additional legislative authorities.

So why doesn't he? C'mon, let's give those Belorussian kleptocrats a rest and go after a real threat for a change.

Who was it that said, "We can't wait"?  

He was right.

Today's New York Times has a remarkable story identifying the Shanghai office building that is the source of hundreds if not thousands of hacking attacks on US computer networks.  And Mandiant has released an even more detailed report on the Chinese hackers responsible for the attacks.

Bloomberg Businessweek has a remarkable story about the identification of another Chinese hacker. It's a long, tangled, and fascinating tale of good sleuthing by several researchers, but the trail ends with Zhang Changhe, a digital entrepreneur and teacher -- at a People's Liberation Army school that is suspected of training PLA hackers.  

In the denouement, Bloomberg actually calls the guy on his mobile phone and gets partial confirmation of the evidence assembled by security researchers:

A Chinese-language search on Google turns up a link to several academic papers co-authored by a Zhang Changhe. One, from 2005, relates to computer espionage methods. He also contributed to research on a Windows rootkit, an advanced hacking technique, in 2007. In 2011, Zhang co-authored an analysis of the security flaws in a type of computer memory and the attack vectors for it. The papers identified Zhang as working at the PLA Information Engineering University. The institution is one of China’s principal centers for electronic intelligence, where professors train junior officers to serve in operations throughout China, says Mark Stokes of the Project 2049 Institute, a think tank in Washington. It’s as if the U.S. National Security Agency had a university.

The gated campus of the PLA Information Engineering University is in Zhengzhou, about four miles north of Zhang Changhe’s mobile shop. The main entrance is at the end of a tree-lined lane, and uniformed men and women come and go, with guards checking vehicles and identification cards. Reached on a cell-phone number listed on the QQ blog, Zhang confirms his identity as a teacher at the university, adding that he was away from Zhengzhou on a work trip. Asked if he still maintained the Henan Mobile telephone business, he says: “No longer, sorry.” About his links to hacking and the command node domains, Zhang says: “I’m not sure.” About what he teaches at the university: “It’s not convenient for me to talk about that.” He denies working for the government, says he won’t answer further questions about his job, and hangs up.

Herb Lin of the National Research Council has launched the first, soft counterattack on those who think victims of cyberespionage should have greater leeway to respond directly to intrusions. Herb always strives for some balance in his work, but it's clear that he's a skeptic, concluding

"It is not clear that the use of offensive operations in response to hostile actions against private parties would in fact mitigate the threat those parties face, or that the benefits would necessarily outweigh the risks. It is certain, however, that taking such actions would raise a host of thorny domestic and international legal and policy issues."

In fact, some of the issues Herb raises aren't "thorny" at all. Should companies defending themselves be able to hire experts to assist them, he asks. Well duh. Is there anyone who thinks that they shouldn't be able to get such help?

And Herb's stance on the international issues is strikingly prescriptive:

"Finally, international forums must be identified where such issues can be discussed and agreement sought. Such forums would have to involve all stakeholders and not presume that only national governments have rights to engage." (Emphasis added.)

Why Herb thinks these things are mandatory, I can't guess. If a right of self-defense depends getting agreement in an international forum that involves all stakeholders, it's safe to say that there won't be much left to defend by the time the negotiators are done.

That said, for a short piece, Herb's article does a good job of flagging the issues that need to be addressed by those of us who advocate a greater private role in counterhacking.

Once again, Ellen Nakashima of the Washington Post has broken a cybersecurity story:

A new intelligence assessment has concluded that the United States is the target of a massive, sustained cyber-espionage campaign that is threatening the country’s economic competitiveness, according to individuals familiar with the report.

The National Intelligence Estimate identifies China as the country most aggressively seeking to penetrate the computer systems of American businesses and institutions to gain access to data that could be used for economic gain.

The report, which represents the consensus view of the U.S. intelligence community, describes a wide range of sectors that have been the focus of hacking over the past five years, including energy, finance, information technology, aerospace and automotives, according to the individuals familiar with the report, who spoke on the condition of anonymity about the classified document.

I read the story at the ABA winter meeting, where Harvey Rishikof, Emily Frye, Steve Chabinsky, and I talked about whether private companies could do more to protect themselves than simply raise the wall around their systems:

The issue, agreed three experts who spoke on the panel, is to what extent private concerns may go to track down the intruders who break into their computer systems and where the intruders hide that data to avoid detection. The dilemma, said Steven Chabinsky, is that the federal government has the statutory authority to carry out such investigations but lacks the resources and capabilities, while the private sector has the capability but lacks clear legal authority.

The two events are tied together by something Steve Chabinsky said during the panel discussion: We're used to the idea that cybersecurity is an arms race, with defense chasing offense and vice versa, and that the US and its adversaries are constantly trying to counter the other's tactics.  What we haven't absorbed is how quickly proliferation occurs.  

Once a nation has found a tool that overtops America's national security defenses, the tool will only work for a while.  Eventually its thrust will be parried by the Defense Department. At that point, the code isn't good for its original purpose, but it's still plenty good for breaking into private networks, and it will keep working until a good defensive tactic has spread across the entire Internet. 

So as network attackers develop new tools, they have every reason to repurpose the old ones, either shifting the old attacks to softer targets or rewarding criminal allies and less talented nations like North Korea and Iran by handing them lightly used offensive tools. The Defense Department keeps building higher walls, and the Russians and Chinese keep building higher ladders. 

When the US wall gets to thirteen feet, what do the Russians do with all their twelve-foot ladders?  Naturally, they don't want them to go to waste; they look around for companies that still have eleven-foot walls.

There's a deeply discouraging aspect to this dynamic. It means that all of us, whether individuals, law firms, oil companies, banks, or human rights groups, are caught up in a race between governments.  And if our defenses aren't good enough to keep out the most sophisticated governments, it won't be long before those governments come after us, directly or by proxy. So all those comforting lists of defensive tactics that stop 90% of attacks suddenly aren't so comforting.  Adopting those tactics is like building an eleven-foot wall.  It just increases the market value of used twelve-foot ladders.

I'm not sure I've fully plumbed the policy implications of the "used ladder market" effect, but some things seem clear. Using an arms race metaphor tends to trigger calls for American restraint and arms control negotiation. But that won't work here; the only way to show restraint in this contest is to stop defending against new attacks.  And even then, attackers have a long-term incentive to hand off their used tools to other actors, so you're leaving your network open to more and more bad guys.

I suspect that the used ladder effect is another argument for moving from pure defense to a mixed strategy that includes attribution, punishment, and deterrence.  The market for ladders wouldn't be so robust if there were a pack of Dobermans on the other side of even the ten-foot walls.  But it also reveals just how much we're going to need ways for DOD to share information about the attacks it is experiencing, because those attacks are bound to be heading our way, and soon.

PHOTO credit:  SOIR

Every new computing technology seems to bring with it a privacy flap. Cloud computing is going through that phase right now, at least outside the United States. Canadian and European elites fear that putting data in the cloud will somehow let the US government paw through it at will, a fear that usually centers on Section 215 of the USA PATRIOT Act.

The debate has been fed by interest groups worried about their future in a world of cloud computing. It was first raised as part of a campaign by the British Columbia Government Employees Unionagainst the outsourcing of British Columbia's health insurance data processing. (Full disclosure: I worked on the issue for clients both at the time and more recently.)

After years of remission, the issue has recently returned even more virulently, when Europe’s small cloud providers began using the Patriot Act as a marketing tool. In November of 2011, two European companies announced the creation of a European cloud offering that they advertised as providing a “safe haven from the reaches of the U.S. Patriot Act” in a press release that goes on to say, “Under the Patriot Act, data from EU users of U.S.-owned cloud-based services can currently be shared with U.S. law enforcement agencies without the need to tell the user.”

This is pretty clearly a reference to section 215 of the Patriot Act, which once allowed the FBI to “gag” recipients of 215 orders. (That authority was substantially cut back by Congress in 2005; now recipients may challenge gag orders in court annually until they are revoked. See 50 USC 1861(f)(2)(A).)

As a competitive strategy, this line of attack has some problems. It assumes that, while US-owned companies can be compelled to produce data from around the world, European companies can safely refuse to comply. The argument that the US can compel global compliance is grounded in a line of cases ordering banks to produce records from foreign branches. Unfortunately for the European companies making this pitch, the line of cases is named after the unsuccessful party – the Bank of, uh, Nova Scotia-- which is rather plainly not a US company and thus hardly the best case to cite if you're arguing that people can defeat American discovery orders by giving their records to companies headquartered outside the US.

Nonetheless, the argument is still shaking up customers and officials in Europe, who are understandably not comforted by the response that even European cloud companies can be compelled to produce records. I think for several reasons that this risk has been severely hyped – there are only a couple of hundred section 215 orders a year, compared to tens of thousands of criminal subpoenas, and the Justice Department discourages foreign fishing expeditions. But those reasons have been discussed by others. Instead of digging into them, I’d like to explore a point that hasn’t been discussed as widely: the utter uselessness of serving a section 215 order on a cloud computing company.

In essence, it seems to me pretty clear that section 215, entitled “Access to certain business records,” is designed to collect a company’s business records. And a company’s business records are ordinarily viewed as the records the company uses to conduct business, not information belonging to the company’s customers.

Why does this matter for European privacy buffs? Because the records that cloud companies need to conduct business are very different from the records kept by the Bank of Nova Scotia. Banks must keep track of how much money you move in and out of your account, since that determines how much interest they owe you, how much they can charge for wire transfers and bounced checks, and so on.

Put another way, your transactions are part of the bank’s business records. But the records you store on cloud computing platforms aren’t part of the cloud company’s business records, because that’s not how they measure their costs and revenues, among other reasons.

Judging by this calculation, the data that cloud computing companies need to send out their bills is a lot less interesting. They need to keep records of how many CPUs the customer rented, for how many hours, with how much storage space (RAM and disk), on how fast a network. Last I looked, that is information that I already tell the world about my own computer when I visit any site on the Internet.

If that’s all the US government can get by serving a 215 order on cloud companies, it’s no wonder that we haven’t actually seen or heard of such an order in real life.

So, am I right? The best argument against this conclusion is that the title of section 215 doesn’t really tell you what the government can demand. Although the title speaks of “access to business records,” the body of the provision allows the court to order “the production of any tangible things (including books, records, papers, documents, and other items).” That sounds pretty broad, but also pretty familiar. Under the federal rules of criminal procedure, a federal grand jury “subpoena may order the witness to produce any books, papers, documents, data, or other objects.” But as broad language as this language is, the government doesn’t ordinarily use grand jury subpoenas to order people to produce things that belong to other parties. That practice is prudent, given that some courts, notably the Sixth Circuit in Warshak v. United States, think the fourth amendment requires use of a warrant, and the Congressional authorizations for administrative subpoenas require notice to the target.

The link between section 215 and criminal investigative practice is firmed up by a sentence added to section 215 when it was renewed in 2005. The new sentence says, in essence, that section 215 can only “only require the production of a tangible thing if such thing can be obtained with a [grand jury] subpoena.” See 50 U.S.C. § 1861(c)(2)(D).

It seems to me that this puts a special new burden on the Europeans who think that section 215 is a problem for American cloud providers. When it was the spooky, subterranean, and evil Patriot Act they were construing, they could plausibly say, “Who knows what the government is doing behind those gag orders in that secret court?” But now that the tie between 215 and grand jury subpoenas has been clearly written into the statute, there is no dearth of information about US practice. We have fifty years or more of criminal procedure, and tens of thousands of criminal subpoenas a year, to draw upon. If grand jury subpoenas have been used to obtain third-party records across international boundaries, especially from cloud providers, then the European merchants of FUD have a point. If not, they can safely be ignored, by customers and policymakers alike.

PHOTO: Michael Jastremski

 Well, that was quick.  At the age of 6, my grandson, Asa Baker-Rouse, has already accumulated more Internet clout than I’ve been able to assemble in a career.  What’s more he did it with pure sweetness. (Perhaps that’s where I went wrong.)  A Middlebury student named Bianca Giaever turned one of Asa’s stories into a 7-minute film that has now received hundreds of thousands of hits.  

 

It has no political content whatsoever, but it does have a lesson of sorts.  And for those of you who always want the backstory, Asa's younger brother is named Toby.