The Continued Belief in Unicorn Cyber Deterrence

For some reason, people continue to believe Administration leaks that they will retaliate against China (and Russia!) for cyberattacks — beyond what are probably retaliatory moves already enacted.

I think Jack Goldsmith’s uncharacteristically snarky take is probably right. After cataloging the many past leaks about sanctions that have come to no public fruition, Goldsmith talks about the cost of this public hand-wringing.

As I have explained before, figuring out how to sanction China for its cyber intrusions is hard because (among other reasons) (i) the USG cannot coherently sanction China for its intrusions into US public sector (DOD, OPM, etc.) networks since the USG is at least as aggressive in China’s government networks, and (ii) the USG cannot respond effectively to China’s cyber intrusions in the private sector because US firms and the US economy have more to lose than gain (or at least a whole lot to lose) from escalation—especially now, given China’s suddenly precarious economic situation.

But even if sanctions themselves are hard to figure out, the public hand-wringing about whether and how to sanction China is harmful.  It is quite possible that more is happening in secret.  “One of the conclusions we’ve reached is that we need to be a bit more public about our responses, and one reason is deterrence,” a senior administration official in an “aha” moment told Sanger last month.  One certainly hopes the USG is doing more in secret than in public to deter China’s cybertheft.   Moreover, one can never know what cross-cutting machinations by USG officials lie behind the mostly anonymous leaks that undergird the years of stories about indecisiveness.

This performance seems to be directed at domestic politics, because the Chinese aren’t impressed.

A still crazier take, though, is this one, which claims DOJ thought indicting 5 PLA-connected hackers last year would have any effect.

But nearly a year and a half after that indictment was unveiled, the five PLA soldiers named in the indictment are no closer to seeing the inside of a federal courtroom, and China’s campaign of economic espionage against U.S. firms continues. With Chinese President Xi Jinping set to arrive in Washington for a high-profile summit with President Barack Obama later this month, the question of how — and, indeed, if — the United States can deter China from pilfering American corporate secrets remains very much open. The indictment of the PLA hackers now stands out as a watershed moment in the escalating campaign by the U.S. government to deter China from its aggressive actions in cyberspace — both as an example of the creative ways in which the United States is trying to fight back and the limits of its ability to actually influence Chinese behavior.

[snip]

In hindsight, the indictment seems less like an exercise in law enforcement than a diplomatic signal to China. That’s an argument the prosecutor behind the case, U.S. Attorney David Hickton, resents. “I believe that’s absolute nonsense,” Hickton told Foreign Policy. “It was not the intention, when we brought this indictment, to at the same time say, ‘We do not intend to bring these people to justice.’”

But it’s unclear exactly what has happened to the five men since Hickton brought charges against them. Their unit suspended some operations in the aftermath of the indictment, but experts like Weedon say the group is still active. “The group is not operating in the same way it was before,” she said. “It seems to have taken new shape.”

Hickton, whose office has made the prosecution of cybersecurity cases a priority, says he considers the law enforcement effort against hackers to be a long-term one and likens it to indictments issued in Florida against South American drug kingpins during the height of the drug war. Then, as now, skeptics wondered what was the point of bringing cases against individuals who seemed all but certainly beyond the reach of U.S. law enforcement. Today, Hickton points out, U.S. prisons are filled with drug traffickers. Left unsaid, of course, is that drugs continue to flow across the border.

That’s because it fundamentally misunderstands what the five hackers got indicted for.

This indictment was not, as claimed, for stealing corporate secrets. It was mostly not for economic espionage, which we claim not to do.

Rather — as I noted at the time — it was for stealing information during ongoing trade disputes.

But the other interesting aspect of this indictment coming out of Pittsburgh is that — at least judging from the charged crimes — there is far less of the straight out IP theft we always complain about with China.

In fact, much of the charged activity involves stealing information about trade disputes — the same thing NSA engages in all the time. Here are the charged crimes committed against US Steel and the United Steelworkers, for example.

In 2010, U.S. Steel was participating in trade cases with Chinese steel companies, including one particular state-owned enterprise (SOE-2).  Shortly before the scheduled release of a preliminary determination in one such litigation, Sun sent spearphishing e-mails to U.S. Steel employees, some of whom were in a division associated with the litigation.  Some of these e-mails resulted in the installation of malware on U.S. Steel computers.  Three days later, Wang stole hostnames and descriptions of U.S. Steel computers (including those that controlled physical access to company facilities and mobile device access to company networks).  Wang thereafter took steps to identify and exploit vulnerable servers on that list.

[snip]

In 2012, USW was involved in public disputes over Chinese trade practices in at least two industries.  At or about the time USW issued public statements regarding those trade disputes and related legislative proposals, Wen stole e-mails from senior USW employees containing sensitive, non-public, and deliberative information about USW strategies, including strategies related to pending trade disputes.  USW’s computers continued to beacon to the conspiracy’s infrastructure until at least early 2013.

This is solidly within the ambit of what NSA does in other countries. (Recall, for example, how we partnered with the Australians to obtain information to help us in a clove cigarette trade dispute.)

I in no way mean to minimize the impact of this spying on USS and USW. I also suspect they were targeted because the two organizations partner together on an increasingly successful manufacturing organization. Which would still constitute a fair spying target, but also one against which China has acute interests.

But that still doesn’t make it different from what the US does when it engages in spearphishing — or worse — to steal information to help us in trade negotiations or disputes.

We’ve just criminalized something the NSA does all the time.

This matters because all the people spotting unicorn cyber-retaliation don’t even understand what they’re seeing, and why. I mean, Hickton (who as I suggested may well run for public office) may have reasons to want to insist he’s championing the rights of Alcoa, US Steel, and the Steelworkers. But he’s not implementing a sound deterrence strategy because — as Goldsmith argues — it’s hard to imagine one that we could implement, much less one that wouldn’t cause more blowback than good.

Before people start investing belief in unicorn cyber deterrence, they’d do well to understand why it presents us such a tough problem.

10 replies
  1. orionATL says:

    what is all this nonsense about the importance of retaliation. what a tedious, boring public issue. after all, we have been screwing these folks over for decades, as best our nsa spies can manage, and they us.

    it has been, is, and will remain spy v. spy.

    what’s to retaliate against when you’ve been stealing their signals forever. this is clearly a matter to put in roger godell’s lap.

    now if our government wants to quit retaliation planning, spying on merkel, scolding n. korea for doing us all a favor re: sony trash, inc., releasing stuxnet and duqu, etc.

    maybe our spy boys and fbi boys could be reassigned to put an end to the sources and problems associated with the deluge of computer malware daily gaining entry into our personal and small business computers. but that would require government assistance to non-campaign contributors and individuals outside the aegis of the chamber of commerce.

  2. orionATL says:

    on retaliation – we done been there; done that – for 65 f… years.

    […Spy vs. Spy is a wordless comic strip published in Mad magazine. It features two agents involved in espionage activities who are completely identical save for the fact that one is dressed all in white and the other all in black. The pair are constantly warring with each other, using a variety of booby-traps to inflict harm on the other. The spies usually alternate between victory and defeat with each new strip. A metaphor for the Cold War, the strip was created by Cuban expatriate cartoonist Antonio Prohías, and debuted in Mad #60, dated January 1961. …]
    .
    .
    [… The cover copy of The All New Mad Secret File on Spy vs. Spy provides early insight to the characters and Prohías’ views on the Castro regime and the CIA (who were constantly attempting to oust Castro):

    You are about to meet Black Spy and White Spy – the two MADdest spies in the whole world. Their antics are almost as funny as the CIA’s. . . . When it comes to intrigue, these guys make it way outtrigue. They are the only two spies we know who haven’t the sense to come in out of the cold. But they have a ball – mainly trying to outwit each other.[2] …]
    .
    .
    https://en.m.wikipedia.org/wiki/Spy_vs._Spy
    .
    .
    “don’t have the sense…”

    “but having a ball… ”

    that makes sense

    and says it all.

  3. bloopie2 says:

    ICYMI, here’s the latest in computerized defense systems: A fully autonomous drone submarine that is programmed to kill a certain type of evil animal – specifically, one species of starfish, nothing else. Just wait until the Chinese get their hands on a few of these and fiddle with the programming, then pop them into the Potomac. Password theft is sooo last year.
    .
    http://www.engadget.com/2015/09/03/autonomous-robosub-hunts-starfish-with-poison-tipped-needles/

  4. scribe says:

    I think that our government (and other governments) are experiencing being stripped naked and deprived of privacy (they call it secrecy) in the same way we individuals were so stripped and deprived over the last 10 years. To preserve some modicum of secrecy, they’ll wind up having to air-gap the stuff they want to keep secret and then never discuss it anywhere electronic. This will prove to be wildly inconvenient with the kind of workarounds and inanities we’re seeing with the ongoing Clinton email story. She wanted to discuss stuff with people she trusted who were not in government and had a work-around that seemed secure. Information will be free, and it came out.
    .
    And the same obtains for all government and industrial secrets.
    .
    We get told “privacy is dead” and similar crap and are told to get used to it. Information cannot distinguish between governments, industries and individuals. Governments and industries should get used to it, too.

    • orionATL says:

      wow!
      hit the mark.
      .

      we can’t see the goddamned electrons involved or their path(s); we must take it on faith that they are going where we intended and only there, and with what info we intended and only that info.

      the bundeswhatever didn’t know if angela’s voice’s electrons were heading to berlin only or were on their way to fort meade as well.

      if i send an email to emptywheel or the new york times, i have no idea what info, in addition to the words i type, is being transmitted and to whom else.

  5. wallace says:

    Here’s an idea. Let’s pass a law saying US based companies MUST hire only US citizens IN the US, and then once our workforce is building stuff for US, the working stiffs of America will have money to buy stuff from US thereby retaliating against China by not buying their crap. Then see how long their economy lasts. Easy. Who needs retaliation when we can fuck em up economically.

    Of course, we won’t be able to borrow from China for more wars and nukes and a bloated DOD. Or make the Walmart Oligarchy rich as their cheap Chinese labor won’t be allowed. And we’ll have to balance the US budget. And cut the pay for the Congress etc. And then of course, we’ll be in the black, and won’t have to pay all that interest to China. Right?

    umm.. wait…naw…that’s too complicated. never mind. Let’s just keep on the path to the poor house and annihilation. It’s easier.

  6. Rayne says:

    In the meantime, there’s a propaganda war going on. Pity I have to read about one salvo via Jalopnik, of all places, and the other in the Newscorp puppet, WSJ.

    Retaliatory measures in cyberspace don’t happen in a vacuum. They’re only a single facet of the asymmetric portion of warfare. It’s so ignorant to think other forms of warfare aren’t going on, or aren’t possible if we retaliate for China’s retaliation of our previous attack on them.
