3 November 2018

China's Alleged Big Hack -- 'No There, There'

By David Craig

Responding to Bloomberg’s blockbuster story last week regarding China’s alleged implanting of microchips into the U.S. supply chain, National Security Agency official Rob Joyce says the NSA found “no there, there.”

At a Wednesday event hosted by the U.S. Chamber of Commerce and RealClearPolitics, Joyce was asked twice about the sensational Oct. 4 story headlined “The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies.” The piece asserted that in 2015 spyware in the form of tiny microchips was surreptitiously placed – apparently by the Chinese military -- on mother boards assembled in San Jose, Calif., for computer servers sold to American companies, including Amazon’s AWS and Apple Inc.

This purported effort to exploit the U.S. supply chain with manipulated hardware shocked national security officials as well as private sector cybersecurity officers already under siege from cyberattacks. Joyce, the senior adviser for cybersecurity strategy to the director of the NSA, downplayed the threat, however, saying that neither the agency nor any of the supposedly infiltrated companies have found any compromised mother boards.

In his remarks to an audience of mostly private-sector cybersecurity officials, Joyce urged anyone with firsthand information about attacks on the supply chain to come forward. He also pointed out that the motherboard depicted in the Bloomberg article was merely a product image, adding that lawyers for Apple, Amazon, and others have issued specific, written denials of having been breached in this way – assertions that would put them at legal jeopardy if they were not telling the truth.

Bottom line? In Joyce’s view, there have been no intrusions into the U.S. supply chain -- at least not yet.

The session, titled “Securing Cyberspace: Forging a Collective Defense,” took place at the Chamber of Commerce’s downtown Washington, D.C., headquarters, across Lafayette Park from the White House, where Joyce worked until last April as the administration’s top cybersecurity official. He left after a reorganization that was widely seen as a de-emphasis of cybersecurity on the part of the Trump administration, but returned to the NSA, his port-of-call for the previous 27 years – where he resumed a leadership role in this field.

Following Joyce’s one-on-one conversation with RealClearPolitics Executive Editor Carl Cannon, the event featured a panel discussion with five other experts in the field: Bill Evanina and Jeanette Manfra from the government, Christopher Roberti and Justin Somaini from the private sector, and James A. “Sandy” Winnefeld Jr., a retired U.S. Navy admiral. Under questioning by moderator Andrew Walworth, all agreed that cyberthreats from state actors -- most notably China -- pose persistent threats to national security, yet garner an exponentially smaller portion of the national security budget.

Neither Joyce nor the panel expressed undue concern about the security of the 2018 midterm elections, a source of heightened worry in the wake of Russian meddling in 2016. The consensus is that China is not actively seeking to hack into our elections infrastructure, but instead is involved in “soft power” type influence operations to counter candidates and officeholders who promote tariffs against China.

China, Russia, Iran and North Korea do pose a significant threat to American supply chains in the defense industry, however, according to the panelists. Manfra, assistant secretary for cybersecurity and communications at the Department of Homeland Security, said that Operation Cloud Hopper, known in the security community as APT10, poses a massive threat to the managed service providers used by nearly every corporation, large and small. Operation Cloud Hopper was discovered by researchers from PricewaterhouseCoopers and BAE Systems. Taking advantage of open-source software, intruders believed to be from China employ sophisticated hacking methods to attack service providers in the U.S., Canada, Japan, India, and South Korea – apparently to steal intellectual property.

Yet, as Bill Evanina -- director of the National Counterintelligence and Security Center at the Office of the Director of National Intelligence -- pointed out, the biggest vulnerability to U.S. companies and government agencies continues to come from employees who fall victim to phishing schemes or don’t follow basic security procedures and protocols.

Politicians and national security officials have proposed unleashing offensive cyber operations to exact revenge or impose costs on those who conduct cyberattacks against the U.S. The panel suggested, as did Rob Joyce, that the risks of escalation outweigh the benefits.

On the other hand, being sanguine in the face of attacks is not a sound option either, several of the panelists noted. Winnefeld said that the 2014 cyberattack on Sony by North Korean hackers cost the company some $300 million – and he suggested that the tepid U.S. government response had emboldened North Korea.

During the Q&A portion of the program, Joyce was asked whether he agreed that U.S. government spending on cybersecurity isn’t nearly commensurate with the threat. The top-ranking NSA cybersecurity official said dutifully that he supported the president’s budget requests. With a smile, he then encouraged the audience to lobby Congress to provide more money for the huge tasks ahead. Left hanging in the air at the end of the event was this question: Will it take a cyber version of 9/11 to compel Capitol Hill and the nation to respond to the rapidly increasing cyberthreats our nation faces? Or will we have the foresight to invest our attention, and treasure, in making the country secure?

No comments: