08 Jan Politico | “Chinese in D.C. for cyber talks”
“The technology is agnostic,” he said in a telephone interview. “It’s how do people use it.” – Robert Ackerman Jr.
Posted from Politico.com – 12/01/2015
U.S.-CHINA TALKS — U.S. and Chinese officials are scheduled to hold their first meeting on implementing their agreement to refrain from computer hacking for commercial gain. Though the meeting is not a deadline for determining whether China is complying with the accord, U.S. officials hope the talks “on fighting cybercrime and related issues” will help ease tensions.
Homeland Security Secretary Jeh Johnson will lead the U.S. negotiators. China’s Public Security Minister Guo Shengkun will be the senior Chinese representative, according to Chinese state media reports via Reuters.
MEANWHILE IN PARIS — While Johnson and Guo confab in Washington, President Barack Obama and Chinese President Xi Jinping are attending talks on climate change in the French capital. Obama stressed the need for “full adherence” to the pair’s September no-commercial hacking agreement during a summit sidebar, the White House said. Before the meeting, Obama noted that he and Xi “have developed a candid way of discussing” cyber and maritime disputes.
IS THE PLA BEHAVING? — The Chinese People’s Liberation Army, a major perpetrator of commercial hacking, has vastly curtailed its activities since a grand jury in the U.S. indicted five Chinese military officers in 2014, The Washington Post said Monday. Reports of the demise of PLA’s hacking units, however, may be exaggerated. Since the indictments, numerous private-sector reports from firms such as ThreatConnect have been released tying hacking operations to the PLA. And China’s civilian spy agency, the Ministry of State Security, still conducts its own commercial hacking, the Post story notes.
UKRAINE SHOWS RUSSIAN RESTRAINT (SERIOUSLY) — Russia has been accused of many things in Ukraine over the past year, but restraint isn’t among them. Yet, the conflict there has not witnessed the sort of massive cyberattack Russia launched in earlier showdowns with Estonia and Georgia. Why? Ukraine simply lacks “very lucrative targets for destructive cyberattacks and physical attacks,” according to a book out today from NATO’s Cooperative Cyber Defense Center of Excellence in Tallinn, Estonia. Russian espionage and disinformation campaigns trumped cyber priorities and both sides were interested in controlling the conflict’s escalation, writes center director Sven Sakkov. Russia was able to achieve many of its goals through physical rather than virtual means. “If a cable can be cut physically, there is no need to use sophisticated cyberattacks,” the report says. So maybe the Russians don’t deserve much credit for restraint after all.
AT&T’S STEPHENSON WEIGHS IN ON ENCRYPTION — AT&T CEO Randall Stephenson wrote to employees last week, citing the renewed debate over encryption in the wake of the attacks in Paris in calling on the president and Congress to find a balance between privacy and security. “We are firmly committed to the obligation we have to guard the personal privacy of the people we serve,” Stephenson wrote, according to a copy of the letter obtained by POLITICO. But “all companies must help law enforcement keep Americans safe by complying with valid court orders and legal warrants.” He called for a balance between competing interests but said it is up to policymakers, “not individual companies, to determine that balance.”
CAN’T BE DONE — Count venture capitalist Robert Ackerman among those who doubt anything will come of official Washington’s renewed interest in encrypted communications. The post-Paris calls for such systems to include a “backdoor” for the authorities – which have come from FBI Director James Comey and senior lawmakers in both parties — are doomed, says the founder of Palo Alto-based Allegis Capital. “Can you have a secure backdoor? The answer is emphatically ‘no,’” said Ackerman. “The bad guys are just as smart as the good guys. If there is a vulnerability, they will find it and exploit it.”
Ackerman has a window into the state of technology through his investments in companies such as Area 1 Security and Synack. The veteran investor, who shifted his portfolio about five years ago to a 100 percent focus on cybersecurity and related areas, says the encryption fuss is misplaced. “The technology is agnostic,” he said in a telephone interview. “It’s how do people use it.”
Ackerman also worries that the federal government lacks the needed know-how to work out the encryption puzzle. “This is an area of policy where you really need to understand the technology and the implications of what you’re doing,” he said. “And the expertise around that – there’s not an overabundance of that in the political environs in Washington, D.C.”
RECENTLY ON PRO CYBERSECURITY — Sen. Susan Collins and other sponsors of a Cybersecurity Information Sharing Act provision requiring a plan to cope with cyberattacks against critical digital infrastructure are rebutting financial industry critics who call the provision a backdoor to new mandates:http://politico.pro/1NEhYUj. The FTC is appealing an administrative judge’s dismissal of its cybersecurity case against LabMD, a lab-testing company: http://politico.pro/1XCQu0R. The United States and European Union should agree by Dec. 17 on how to transfer data across the Atlantic, replacing a “safe harbor” pact struck down by a European court last month, a European commissioner said: http://politico.pro/1QQcJRL.
GOODLATTE PROMISES HEARING ON LEGAL ACCESS TO DATA ABROAD — House Judiciary Chairman Bob Goodlatte plans to call for a hearing on U.S. requests for data stored abroad at a hearing today on reforming the Electronic Communications Privacy Act. The question of whether ECPA allows U.S. law enforcement to issue warrants for customer emails that U.S. companies are storing abroad is at the center of a legal battle between Microsoft and the Justice Department, which awaits a ruling from the U.S. Court of Appeals for the Second Circuit. In the House, Judiciary Committee members Tom Marino and Suzan DelBene have introduced a bill that would limit the ability of U.S. agencies to access data about non-U.S. persons that’s housed overseas. Similar legislation has been introduced in the Senate.
HO– USE PASSES CYBERCRIME BILL — The House on Monday passed on a voice vote legislation requiring the Secret Service to provide education and training to state and local investigators responsible for investigating cybercrimes. The Strengthening State and Local Cyber Crime Fighting Act also gives the service authority to provide law enforcement, prosecutors and judges with tools to aid such investigations. House Judiciary Chairman Bob Goodlatte praised the passage in a statement and urged the Senate to take up the bill.
COMPUTER FRAUD ACT — Legal scholar Orin Kerr has a new theory about ways to improve application of the Computer Fraud and Abuse Act. The main anti-hacking law is a security researcher’s nightmare, used to prosecute actions that don’t always correspond to the common understanding of computer hacking. A key problem: Although the law criminalizes unauthorized access to a computer, it doesn’t define “authorization.”
Kerr, a law professor at George Washington University and one of the nation’s foremost scholars of the anti-hacking law, suggests applying societal norms from the physical world to cyberspace. Whether a physical trespass occurs in the real world depends on “social understandings about access rights drawn from different signals within the relevant space,” he writes in a new paper. So too in cyberspace.
Kerr writes that if a computer resource such as a website is made publicly available to any user without an obstacle such as a password-controlled logon, the website owner has effectively granted authorization. Terms of service have no bearing on authorization, since “access regulated by written terms is not authenticated access.”
But computer users who repeatedly are prevented from accessing a Wi-Fi network and then create a new account to circumvent the ban risk crossing into unauthorized use. If the ban is meant as a signal to cease a particular behavior, the user could avoid trespass by conforming to the network owner’s expectations through a new account. But “when the ban would be reasonably interpreted as ‘go away and never come back,’ creating another account is unauthorized,” Kerr writes.
Computer luminary Aaron Swartz, for example, crossed into trespass in 2011 by repeatedly logging onto the Massachusetts Institute of Technology’s Wi-Fi network with the intent of continuing the prohibited behavior that got him knocked off, Kerr says.
By: Joseph Marks
With help from David J. Lynch, David Perera and Tim Starks