Behind CISPA, the threat of a new cyberwar
Behind the façade of diplomacy and uneasy economic cooperation, the U.S. and China are engaged in a new cold war. The combatants are hackers, and the fields of battle are the computer networks of government agencies and massive corporations.
Congressman Mike Rogers has been trying to sell you on this idea for a long time.
“China’s economic espionage has reached an intolerable level," he said at a congressional hearing in October 2011. Rogers didn't call for any new laws at the time, though he did allude to "legislation" that could help fight this problem. And he made it very clear who the enemy is.
"Beijing is waging a massive trade war on us all," he added.
China is constantly hacking U.S. corporations, according to Rogers, and it hurts American businesses when that information is passed on to competitors overseas. He talked quickly, clearly, and elliptically, cloaking his words in military-intelligence speak. The "intelligence community" had information about "advanced foreign cyber-threats," he said.
Rogers, a former FBI agent, is the Chair of the House Intelligence Committee. The committee's job is to oversee agencies like the FBI and the NSA in intelligence gathering. There was an air of "trust us, this is worse than you think" at the hearing: General Michael Hayden, former head of both the NSA and the CIA, told reporters afterward that "this information is horribly overclassified inside the government." It was as if the intelligence community wanted everyone to know how bad things had gotten, but it was prohibited from saying so.
Before delving too deeply, Rogers thanked three "witnesses" for help in his report. One of those was Kevin Mandia, CEO of cybersecurity consulting firm Mandiant, who, Rogers said, "deals with the consequences of advanced cyber-espionage against American companies every day."
A month later, Rogers introduced his solution, the controversial Cyber Intelligence Security Protection Act (CISPA) in the House for the first time.
"It's a privacy nightmare," legal scholar and Electronic Frontier Foundation activist Trevor Tim later told me on the subject of CISPA. It would let “companies hand over large swaths” of individuals' private information “to the government, without a warrant.”
That's simply a consequence of CISPA, Rogers would argue—not the intent. CISPA is meant to be an "information-sharing" law. It's designed to let companies, when their networks are breached, show the National Security Agency what’s happening. Maybe the NSA can close a security hole or stop further attacks if it can see what's going on, but there are far too many privacy laws currently in place to let that happen. But if, in times of particular cyber-emergency, the NSA could suspend those laws, it could study what happened and help prevent it next time. That's the idea.
When the House went to vote on CISPA in April 2012, there was moderate Internet outcry. Everyone remembered when, three months earlier, the Stop Online Piracy Act (SOPA) garnered so much opposition, so many indignant people calling their representatives, that the bill was tabled indefinitely.
Hacktivist collective Anonymous released a manifesto, decrying CISPA as "another SOPA." More than half a million people signed a petition against the bill, and users promised to change their Facebook and Twitter profiles to a “stop CISPA” message.
But it didn't work.
The mass outcry that happened with SOPA—a major Internet blackout couple with Americans jamming their congressional representatives' phone lines—wasn't there. The bill passed the House handily, 248-168.
Then, however, CISPA lost steam. No one picked it up in the Senate. Perhaps it was because, as with the SOPA protests, progressive Internet companies like Reddit and Mozilla only officially opposed CISPA after the House vote. Perhaps it was because the bill had passed with strong Republican support, and the fact that a bill did so well in a Republican-majority House didn't mean much in a Democratic Senate. Perhaps it was because some cybersecurity researchers claimed they'd crunched the numbers that allegedly proved how bad cyberattacks on the U.S. had become and found them vastly overblown.
Rogers was beaten but unbowed. In October 2012, speaking at the U.S. Chamber of Commerce's cybersecurity conference, he described himself as "an eternal optimist" and pledged to “get this thing sparked back to life."
He alluded to some new intelligence. There "appears to be a new level of threat that would target networks from—I've got to be careful here—an unusual source," he said. He joked about how he wanted to share what he knew but couldn't, because it was classified.
"I look really bad in those orange jumpsuits with the numbers on the back," he told his audience.
The vague threats Rogers warned of reached a boiling point in February 2013. The New York Times announced it had been hit by Chinese hackers, followed shortly by the Washington Post and Wall Street Journal. Then Twitter, Facebook, and Microsoft. Their stories differed, as did the severity of the attacks, but everybody agreed: These hacks were sophisticated, and they all seemed to come from China.
Then came the bombshell: A cybersecurity firm had found the source of those attacks. In no uncertain terms, the firm claimed to have traced the hacking operation to a single, 12-story building outside of Shanghai: People's Liberation Army (PLA) Unit 61398. Hiding in plain sight, the report said, was a dedicated hacking operation run by the Chinese government.
The report was the most detailed hacking allegation ever made against the Chinese government, and it opened with Mike Rogers's statements from that hearing in October 2011.
And the firm that released it? Mandiant, whose CEO advised Rogers that day.
Mandiant's report, backed by pages of data and years of research, relies on a few simple pieces of evidence. A loose coalition of similarly styled hacks all stem from the same source, codenamed APT1 (short for “Advanced Persistent Threat”). Mandiant traced the vast majority of the attacks to China—Shanghai, specifically—and noted that Unit 61398 was uniquely capable of sustaining such a sophisticated operation.
"Mandiant provided lots of facts about the PLA, and they provided a lot of facts about how APT1 works," Jeff Carr, CEO of a different cybersecurity firm, Taia Global, told me. "I'm not disputing those.
"What I'm disputing is the conclusion that they drew. They created a table: In one column was characteristics of the PLA, the other was APT1, and they seemed to believe that the only possible conclusion was that the PLA is APT1. Well, that's not the only possible conclusion."
Those other possibilities include Russia, Israel, and France, which the U.S. has acknowledged engages in cyber-espionage. It could also include Ukraine, Taiwan, or Germany. Or "APT1 could just be a group of professional hackers that are stealing information and selling it,” Carr said. “In fact, that makes more sense to me because of the lack of operation security that's been exhibited by these guys.”
The fact that most hackers' Internet protocol (IP) addresses trace back to China doesn't mean much. Those are easy to fake—heck, moderately sophisticated Internet pirates fake theirs all the time to avoid getting caught. China, indignant, countered the Mandiant report, partially on those lines.
"As we all know, hacker attacks almost always steal IP addresses. It is common practice online," China's Department of Defense announced after Mandiant's report, though it also said it traced a million hacks on its own network to the U.S., via those attackers' IP addresses.
"Mandiant does very good work; they are certainly highly regarded in terms of incident response," Carr said. But "there is no getting it wrong or getting it right. You can make a claim, but it's going to be next to impossible to show that the claim is not valid. Unless somebody comes forward, or you arrest members of the APT1 crew and they confess, you're never going to know.
"Mandiant doesn't really have anything to lose here. And it's certainly a PR win; they've gotten huge press over this."
The corporate cybersecurity industry is worth about $30 billion a year, according to a 2011 study by PricewaterhouseCoopers, and it's growing by 10 to 15 percent every year. The phrase "cybersecurity industrial complex" returns more than 4 million Google hits. Mandiant was paid about $100 million for its services in 2012, 60 percent more than the year before. The company claims it has worked with 40 percent of the companies listed on the Fortune 500.
"It was a wonderful report," applauded Hayden, who 16 months earlier implied there was so much more intelligence he wished he could share about Chinese hacking. "Everybody is saying, 'It's about time.'"
When announcing CISPA's reintroduction to the House on Feb. 13, Rogers's partner on the bill, Maryland Democrat Dutch Ruppersberger, had an odd way of putting things.
"The bill does not authorize the government to monitor your computer, your email, your Facebook, your Twitter," he said.
Less than two weeks prior, on Feb. 1, Twitter announced it had been hacked by "extremely sophisticated" agents, thought to be Chinese. It noted that while it expected accounts to be safe, it had changed a quarter-million users' passwords as a precaution. And on Feb. 15, Facebook announced it had been attacked back in January, but that nobody's personal information had been breached.
Ruppersberger used the occasion to tout CISPA's alleged privacy protections, saying "we listened to the privacy groups." He noted that he'd consulted with the American Civil Liberties Union (ACLU) to make sure CISPA didn't violate the Fourth Amendment, which protects Americans from being unreasonably searched without a warrant.
"Ruppersberger says ACLU consulted on #CISPA," ACLU cybersecurity lobbyist Michelle Richardson tweeted during the remarks. "True. But they didn't fix [our privacy concerns] and we opposed. Still do."
I later asked Richardson if Ruppersberger was telling the truth—if CISPA could, indeed, be used to let the government see what's privately hidden on your Facebook account.
"CISPA won't let the government compel Facebook to turn over your info, but instead gives Facebook permission to voluntarily turn it over if they determine it to be relevant to cybersecurity," she said. "So he would be right, but ... voluntarily shared info is the problem."
In other words, CISPA would allow private companies (like Facebook, or your Internet service provider) to share your emails, text messages, or stored files with the government for "cybersecurity purposes," and it would trump the existing laws that allow you to sue those companies for privacy violations.
"China is like the boogeyman to promote [CISPA]," Carr added. "If you increase the fear around China, and then you wave CISPA, hopefully you will attract more movement to simply pass that—some blind attempt to heighten security.”
However, he said, an information-sharing bill like CISPA is fundamentally flawed as an answer to the attacks, wherever they're coming from.
"It's the company's fault," he said.
"The solution is to assume your network is going to be breached, and you need to be able to identify what's of value on that network, and segregate it and monitor it in real time. If somebody does gain access, and they're accessing it from an IP address you don't recognize or at a time of day where they shouldn't be, you can immediately lock down that file. It's known as data protection.
"It's like the TSA. You tried to bring a bomb aboard in your shoe, so from now on we'll just have everybody take off their shoes. [Information-sharing is] always looking in reverse. It's never going to work. The same is true in information security. It's just not a solution."
Art by Jason Reed