The massive Marriott records breach was the latest in a series of economic espionage cases attributed to China. Top cybersecurity experts Lesley Carhart and Adam Segal join this week's Deep Dish podcast to discuss the evolving tactical and policy challenges involved in managing international cyber space.
Brian Hanson: This is Deep Dish on Global Affairs, going beyond the headlines on critical global issues. I'm Brian Hanson and today we're talking about China and cyber security threats that range from industrial espionage to national security. A recent US Department of Justice report said that China was involved in something like 90% of all economic espionage cases that it handled from 2011 to 2018, and of course there was a big story broken by the New York Times recently of a hack of Marriott Hotels that exposed the information of something like half a billion guest records. So to help understand what's going on, what is motivating this kind of behavior, is it important and what can be done about it? I've got two guests. First is Lesley Carhart, who's a top cyber security expert and works for Dragos Inc, who has extensive experience responding to national security threats and nation state attacks. Welcome, Lesley, it's great to have you on.
Lesley Carhart: Thanks for having me.
Brian Hanson: And also returning to Deep Dish is Adam Segal, who is director of digital and cyber policy at the Council on Foreign Relations and an expert on Chinese domestic and foreign policy. Welcome back, Adam, it's great to have you here.
Adam Segal: Nice to be back.
Brian Hanson: So I want to start the conversation by looking at the issue of industrial espionage. And if I can start with you Lesley, you work in this space and see and respond to attacks all the time. What are some examples of what kinds of attacks we see coming from China?
Lesley Carhart: So I divide the attacks we see from nation states into a few different categories. The first one is industrial espionage. So trying to steal secrets for various reasons. Either commercial value, trying to build up industry in the nation that's doing the thieving, or trying to collect data to perhaps go after their industrial ... Their defense base. So both targeting the military technologies and the defense technologies and then also stealing commercial technologies. On top of that we also see positioning for perhaps kinetic attacks. So building a presence and gathering information about critical infrastructure in those nations so that in the future, when it may be necessitated as part of political action or warfare, they will be in a position to potentially launch an attack that has kinetic impact.
Brian Hanson: And Adam, what are some of the examples that have gathered your attention recently?
Adam Segal: Well as you mentioned at the top of the program, we have seemed to see two of the three categories that Lesley introduced at the beginning, which is intelligence gathering, so the hack of the Marriott database maybe for Chinese counterintelligence purposes, so trying to identify US spies in China or other places in the world, and then a return to higher rates of cyber enabled industrial espionage after a short downturn in ... After the 2015 agreement between President Xi and Obama.
Brian Hanson: You mentioned the 2015 agreement between China and the US on industrial espionage, what was that and did it have an effect on activity?
Adam Segal: It was essentially, after a campaign by the United States to publicly name and shame Chinese hackers and the indictment of five hackers from the People's Liberation Army, an agreement between the two sides that neither would knowingly support or tolerate the cyber enabled theft of commercial secrets for competitive advantage. So the US was basically trying to argue with China that there was good hacking and bad hacking, and bad hacking was the theft of commercial secrets for competitive advantage, and good hacking would be the theft of secrets for political military espionage, which states are doing and will always do, and there is little hope that you can kind of restrain that through any international agreement.
After the agreement was signed a number of cyber security companies released public reports that said, we have seen a downturn in the number of attacks, we're not sure if that means the attackers have become more sophisticated and more stealthy and we're just not seeing as many, or they're going after a different set of targets, but we do see a downturn. The US government embraced that point of view too and said yes, we do see a downturn but we're still monitoring and it may be a question that it will come back. That's where we are now, it seems as if they have come back.
Brian Hanson: So that raises a question of who is actually doing these attacks, right? This was a government to government agreement in this case. Lesley, what's your sense when there are commercial targets, are these attacks being carried out by government entities or are they being carried out by companies? And I realize in China there might not be much of a distinction.
Lesley Carhart: There's not too much of a distinction there in a lot of cases, so it's hard to say. And one of the things that's really important to note about attribution to nation states is it's hard to do. Unless you have boots on the ground intelligence. Unless you have operatives who are actually watching over people's shoulders and doing human intelligence, it's really hard to say who the actual end adversary is. We can break things into groups who have sets of tools, tactics and procedures that distinguish them from other groups potentially. But there's always overlap and you know, there's probably similar situations in a lot of countries where you have contractors that are working for governments as well as multiple military units, and they all probably share some intelligence. So actually distinguishing things as a specific group really requires a kind of intelligence that most cyber security companies don't have. So we know there's combinations of those various types of groups that are involved in it, but again the importance of knowing that distinction for most commercial firms is not really there. They need to know how to defend against various sets of TTPs, tools, tactics and procedures, not that it's a Joe Bob sitting in an office at this address, that's not relevant to their needs.
Brian Hanson: So they've got vulnerabilities and they need to defend themselves no matter who is the source of the attack. Is there a distinction ... I mean our conversation is framed around China and threats from China, so let me pursue this point just a little bit. Is there a distinction between the kind of threat that is created by nation states as they try to use cyber means for advantage versus other groups on a smaller scale?
Lesley Carhart: The distinction is pretty interesting actually, it's not necessarily that nation states are more sophisticated technically, we see some very very sophisticated commodity malware and crime ware groups out there that are creating some pretty advanced stuff. The resource difference is what's really intriguing is these nation states have the ability to do attacks over a long period of time with human people doing analysis of their findings. So when you're looking at things like say infrastructure attacks, they have time to have somebody sit there and learn how say power grid systems work in a specific environment. And commodity malware groups don't necessarily have the time and the resource to expand on doing that, they are obviously trying to make as much money as they can as quickly as possible. So there are distinctions but it's not necessarily what people believe when they see reports about these groups.
Brian Hanson: So Adam, you talked a moment ago about commercial espionage and using cyber means in order to gain competitive advantage. Talk a little bit about what can be obtained, how big a deal is this. What kinds of knowledge or trade secrets exist that are actually actionable and can be turned into a commercial advantage, and how do you go about getting that stuff?
Adam Segal: Well in some ways it's hard to say. We know that the Chinese have targeted many sectors and we know that there's some focus given to the Chinese operators based on the technologies and sectors the Chinese think are important for future competition, so if you look at Chinese science and technology plans, there will be a list of mega projects or critical technologies and often the hackers will go out and go seek those technologies from the companies themselves. Often they'll target suppliers or their law firms or other places where they may gain some information or insight into the development of the technology. What the impact on US competitiveness is has been hard to measure. There was an IP commission, intellectual property commission, that was chaired by Ambassador Danny Blair and Jon Huntsman which came up with a number of about 250 million annually, with most of that loss coming from China, but you know it's very hard for companies to say we lost this intellectual property, it's worth X amount. Are you just valuing what it cost you to develop it? Are you valuing the potential market loss? Are you valuing what it cost you to remediate the attack and then build new defenses?
So it's been very hard to get a real sense of what the cost might be. The cases that I can point to that have a very specific cost were in fact not cyber enabled, they were just industrial espionage of a more old school type. And probably the most prominent example is American Superconductor, which produces software for management of wind farms and turbines. It had a very large contract with a Chinese supplier, with Chinese consumer Sinovel, and they eventually just stole the information and cut the contract with American Superconductor. So it had a very direct impact. But on the cyber side it's very hard to find specific cases where you can pretty much [inaudible 00:10:41].
Brian Hanson: So you talked about the increase of cyber activity, particularly in the commercial sector, in recent years after our sense of what happened with the 2015 agreement. Is there an understanding of why the Chinese appear to have become more active? We know that there's increased tensions, commercial and political tensions, particularly between this administration and China. Does that have something to do with what we're seeing?
Adam Segal: Yeah, I think there are two explanations, so one is, as you said, that there is increased tension. The Chinese may have decided that there's little to be gained in following the agreement; other routes of access to technology are being closed off to China, so the United States and many of its partners are reconsidering Chinese foreign investment in high tech sectors, so it has been harder to acquire the technology legitimately. But the other thing is that the ... We know that the downturn in the hacking also matched an internal reorganization of how China organized its cyber forces. So basically it's around the same time the Chinese created the Strategic Support Force, which brought cyber and information operations, electronic warfare, space warfare, all together. And there seemed to be a shifting of a lot of the cyber enabled industrial espionage away from the PLA to the Ministry of State Security.
Brian Hanson: Which is the People's Liberation Army. So away from the armed services and more to intelligence.
Adam Segal: Into the intelligence services, right. And so it may have been that the Chinese really never intended to give up the cyber enabled theft, they just took advantage of a downturn that was going to happen anyways as they reorganized and restructured it and shifted responsibility.
Brian Hanson: So in addition to the commercial challenges that we've been talking about, Lesley you talked about also kinetic attack which really means actively using cyber means in order to destroy stuff right? To be simple minded about it. I know that your job and your company works closely on those kinds of threats, what are some of the most dramatic ... Or the things that we should be most concerned about in this area.
Lesley Carhart: So I'd like to step back a moment to the previous point if I could for a moment. Because it kind of ... It's a nice transition into this concept of the more kinetic attacks. When we were looking at Chinese ... Ostensibly Chinese attacks in 2011 to 2013, they were attacking a broad range of organizations. It was almost like get a foothold in these organizations and see if you need stuff later, or just see what you can get. Gain some persistence, hold onto it, and have this wide spot of access across competitive industry. That's not efficient. That's incredibly resource intensive for whatever organization inside your government or military is doing it. You'd have to constantly maintain and feed and water these connections to make sure that they aren't detected and they maintain viability. In some ways it's possible that with the reorganization of Chinese cyber operations they decided to add some efficiency and some rhyme and reason to these intrusions. Instead of just throwing everything and seeing what stuck.
So I believe that might be a component as well, it's costly to maintain persistence in target networks, and it requires a lot of human operation as well as technology.
Brian Hanson: And one of the vantage points that you have is that you're dealing with this day in and day out right?
Lesley Carhart: Yes.
Brian Hanson: You see it, so in terms of current activities, in terms of infrastructure, in terms of the potential for some sort of debilitating attack, what are the areas that you see greatest focus on now?
Lesley Carhart: So the interesting thing now is that in terms of nation state adversaries looking into more kinetic types of attacks, they're doing the same thing that we saw in 2011, 2012 in terms of corporate espionage, which is gaining a foothold and gaining intel about a lot of different firms and a lot of different agencies and organizations. So it's easy to say that kinetic attacks against infrastructure aren't a threat because we don't see many of them outside of, say, Ukraine, which is kind of a test bed for those types of attacks for obvious reasons. But there are ostensibly nation state attacks occurring against a lot of different organizations, but they're mostly foothold and intelligence gathering efforts. So there's not a reason for somebody to bring down the power to a town right now. There might be in the future, they want to have that capacity, but to do so now would be foolhardy. It would be a major political event, it would be incredibly disruptive, incredibly noticeable, so in terms of various nation states staging for potential future kinetic attacks, it's right now a matter of gaining a wide swath of intelligence across a broad range of different industry verticals and organizations and maintaining some kind of foothold in their network in a lot of cases.
Brian Hanson: So Adam what do you see going on in addition to that?
Adam Segal: I'll just add that the worrying aspect of this is not only that they gain presence and there's a potential, but that the two sides really have no shared understanding about what type of attacks or what type of these operations are legitimate and which are maybe escalatory or destabilizing. Because you have to assume that the United States is doing something very similar to Chinese infrastructure, that it is also preparing and gaining access in case it has to launch an attack with a potential kinetic outcome. And so both sides are seeing the other in their networks, they kind of have some assumption of what they're doing there, but not always. We're not sure if they're there to collect intelligence, or are they there to prepare for an attack later. And like we said, right now it's fairly easy. You can monitor, you don't think they're going to launch an attack, there would be no reason, there's no incentive. But if the two sides were in a much more tense situation, political situation. If for example there was some incident in the South China Sea or in the Taiwan [inaudible 00:17:32], and you saw an operation like that, a new operation, you might be much less optimistic in your interpretation of what the attackers are doing.
So the fact that there's really no discussion between Beijing and Washington right now about can we agree upon some red lines, are there some shared understandings of what type of targets are legitimate, makes the situation more destabilizing.
Brian Hanson: And just to play out that scenario a little bit, one of the things that went through my head is if there's an incident in the South China Sea, perhaps a ... Lesley, your example of the small town whose power all of a sudden goes out, right? One of those things that could be interpreted as the Chinese sending a signal. You don't want to escalate, because this is an example of what we could do on a much bigger scale if you continue to go. That's the kind of thing that people worry about and obviously could escalate. Because if we make that interpretation we might take an action against China.
Lesley Carhart: I was on a panel a few weeks ago and the number one fear from the non-technical audience was EMP taking out power to the entire United States.
Brian Hanson: And EMP being?
Lesley Carhart: Electromagnetic pulse.
Brian Hanson: Okay.
Lesley Carhart: So they were concerned about that scenario where an adversary decides to take out power and wreak massive destruction across the United States, and I mean there's endless scenarios. We can hypothesize all day about what various militaries would do during an escalation, which could happen very rapidly in the current political climate. But really those small impacts are much more feasible from a cyber standpoint and they can be very impactful. Bringing down power to a small town or causing something that looks like potentially an accident but nobody is sure. That could cause a lot of confusion and chaos, and that's usually the end goal of those types of sabotage situations, causing confusion and chaos and despair among the populations.
Brian Hanson: And you talked about earlier how attribution can be hard to establish. And I could imagine a crisis situation where you're trying to sort out who's doing what to you with what intent, and this could be all the more difficult.
Lesley Carhart: It takes time, incident response is a long process. We all watch shows on TV like CSI or whatever, we watch the forensic analyst on there sit there and within the 60 minute episode they've figured out who the bad guy was and what they did on their computer. And it doesn't work like that. Forensics and incident response take a long time, and even looking at the Marriott case, I wouldn't go out there today and say it was China on the internet. It's not that it doesn't look like things we expect, tools, tactics and procedures we see from China, but I don't have enough information to claim that as an expert. I haven't had a month with the evidence to pursue it with the threat intelligence that we have available to us, so ... I mean attribution is very difficult. And misattribution is a pretty dangerous thing too, because there have been a lot of false flag operations in cyberspace, countries trying to emulate other countries to cause disruption and even more confusion.
Brian Hanson: So it strikes me, Adam, that this is one of the reasons that rules of the road or agreements about what should or shouldn't be done are important in these kinds of situations. Are those kinds of discussions and negotiations going on to create some of those shared understandings?
Adam Segal: They aren't right now. There was a process in the United Nations of a group called the Group of Governmental Experts, where there was a discussion about can we start identifying some of those rules, or what they call norms of cyberspace. That group unfortunately was unable to reach a consensus in 2017. There has been a resolution passed on restarting it, so hopefully that will discuss, but given the state of bilateral relations between Washington and Beijing and Washington and Moscow right now, those discussions are really happening outside of capitals and in academic conferences, and in fact Microsoft, the company, is playing a large role in trying to promote some of these discussions, but it's not happening at the pace to keep up with the proliferation of threats and the increasing usage of it we see from state operators.
Brian Hanson: So if we're not establishing those kinds of norms, what are the actions people are taking in order to defend themselves? Lesley, what do you see in the commercial space?
Lesley Carhart: Oh, people really are making an effort to better defend on both the advanced manufacturing front and the intellectual property front and in the critical infrastructure front. People are doing work and I don't want people to get the idea that it's the wild west and everything is vulnerable. People are making a concerted effort. Both at the governmental levels and inside the industry, which is fantastic, and there's a lot of great initiatives out there. We need to move faster, we need to put more money into these programs, and especially security teams at critical infrastructure organizations need management buy-in and funding to properly prepare for the future of cyber attacks, but there's some great initiatives out there. DHS has some great programs right now that are-
Brian Hanson: So Department of Homeland Security, so government things.
Lesley Carhart: Indeed, they are doing some integration efforts between commercial and government sectors to build up infrastructure security. So there's good programs out there, but we need to do more. We need to be [inaudible 00:23:15] of these threats. Just because something hasn't happened to your organization doesn't mean that there isn't an adversary that's positioning to launch an attack in the future.
Brian Hanson: And Lesley, just thinking about the commercial space, I mean there are so many places to attack and so many different private companies who have their own systems, their own I.T. systems, their own control systems. It sounds like a massive challenge on a company by company basis. In order to be effective in that space, how much needs to be done, simple mindedly, how much needs to be done by industry, and what is the role of government in that?
Lesley Carhart: So it's a complicated problem. The first thing I'd say about that is cyber hygiene really is critical. Adversaries, computer hackers are ... I guess I'll just say outright lazy. I mean human beings are lazy. We take the path of least resistance when we're trying to do anything. Why would we do something that requires more effort? So if you lack basic cyber hygiene, like patching your computers, installing antivirus, installing modern security appliances, changing passwords. If you lack those things in your environment an adversary isn't going to waste sophisticated exploitation or malware on you, they're going to take that path of least resistance. Now if a very sophisticated adversary absolutely wants to get into your infrastructure they're going to do it. They're going to find a way. But we need to put that defense in depth in place. And try to [inaudible 00:24:44] as much as possible, cause them as much heartache as possible to slow down their attacks and make them more costly to the adversaries.
Brian Hanson: And Adam on the policy side? On the government side? What are the things that we should be doing in order to defend ourselves?
Adam Segal: Well what we've seen is a shift away from the idea of deterrence to one of more ... forward defense, or actively engaging the attackers. So this year the Defense Department came out with a new cyber security strategy, and it promotes the idea of forward defense, which seems to suggest that US Cyber Command would disrupt attackers before they got to US networks. So there's no description of what that means, but it sounds like either being in third country routers or networks or in the attackers' routers and networks and preventing them from launching the attack. The strategy came out in the context of discussions about Russian interference in the elections, but there's no reason to think that the US is also not thinking about those types of defenses, or active defense or forward defense, against Chinese operators as well. And we also know that the president changed the authority over who is able to launch a cyber attack, or a cyber operation. Under President Obama any cyber operation that was going to have widespread effects would have to be approved by the president. That seems to ... Authority seems to have been shifted down, although that remains classified.
Brian Hanson: So to what extent has the controversy over what did or didn't happen in 2016 in terms of Russian attacks and the Trump administration's position versus Russia and whether or not they were trying to advance his candidacy for president, those political factors, have they affected our response as a nation?
Adam Segal: I think the response has been very [inaudible 00:26:57]. On one hand I think, as Lesley pointed out, the private sector continues to move ahead, Congress is still very interested and there has been a lot of effort to ensure that the Department of Homeland Security's authority over cyber issues has been strengthened and increasing its capabilities and technical skills. As I mentioned the Defense Department has a new strategy and there has been a new wave of sanctions on Chinese and Russian hackers that came out of the Department of Justice. I think the real issue has been White House leadership. And here the issue is both the president's own statements about the Russian hackings, which in some ways undermine a lot of what the US is trying to do internationally, and then just organizationally on the leadership side, the White House eliminated the position of what was known as the cyber [inaudible 00:28:05], the cyber coordinator on the National Security Council. So right now there is no one person at a senior level who is responsible for all these issues.
Lesley Carhart: It's certainly a strange thing to see our work become politically polarized. I mean for a long time my work was very nonpartisan, and now I've seen my research and my work become very political, so it's been kind of a stunning transition.
Brian Hanson: So as we think about new steps that could be taken in this environment, are there specific things that each of you think are important that receive more emphasis or more effort than they have so far?
Lesley Carhart: In terms of government I'm glad to see people getting more cyber security education. For a long time there was a strong temptation to relate cyber concepts to physical, you know ... Conventional warfare concepts. We hear people talking about things like cyber Pearl Harbor, and it can be more misleading and complicating than it is helpful, so we're starting to see people in leadership positions gaining a better understanding of what cyber attacks really are, what they involve and the technologies that are involved in those attacks. So that's a good sign, that's very encouraging and that's one of the reasons I think in some organizations we're seeing an improvement in response.
Brian Hanson: Adam what do you think could be most helpful to counter this threat?
Adam Segal: So I think ... Right now our conversation is focused a lot on US, China, which makes sense, but this is ... I think the US wants to internationalize and multilateralize this problem. It's not that just the Chinese operators are going after US technology, they're also going after German and Japanese and other technology. The Chinese signed similar agreements on cyber espionage with those countries; they don't seem to be holding up those either. And so I think the Trump administration could be doing a much better job in getting our allies to also put increasing pressure on China, as opposed to engaging in [inaudible 00:30:23] disputes and other things with our allies right now. So I think that that's really what's missing from the strategy right now, a broader pushback against Beijing that would include closer work with Europe and Japan and others.
Lesley Carhart: I definitely agree that legislative and those diplomatic efforts are really critical. At some point things come down to laws and dollars, and from a technical perspective there's a lot of things that organizations can be doing. From basic cyber hygiene up to building out better threat intelligence and threat intelligence sharing between organizations in the same verticals, there's a lot of technical measures that can be taken to increase defense in depth and monitoring and response times. But a lot of these efforts against nation states really do come down to policy and governance, and we're going to rely heavily on international cooperation in take down efforts and in analysis of these threats and response.
Brian Hanson: So as we close, there will no doubt be a litany of more attacks that happen, more hacking that is done, and potentially cooperation in order to respond to them. As these stories come out, what is one area where you would encourage our listeners to pay particular attention to try to get a deeper understanding of what's changing and what isn't in this issue?
Lesley Carhart: So look for multiple corroborating stories when you're seeing a major cyber story in the news. Look for independent confirmation from intelligence agencies as well as security research firms. There's been a lot of stories lately that have not had solid corroboration and have been highly contentious and later disproven, so definitely look for those multiple sources when you're talking about any cyber story. But also do consider, even if things don't fit your political views or your political outlook, most competent cyber security researchers are nonpartisan, and it is disheartening to see research, scientific research with solid presented evidence, becoming partisan and political and being discounted.
Brian Hanson: Adam?
Adam Segal: Yes, I definitely agree with Lesley that you never really want to respond to the first stories, because often they will be ... new technical evidence will come into play, this will change who we think might be behind the attack and what the purpose might be. And I also think we're going to see, and we have ... We constantly see the evolution of these types of attacks, just given the new technologies that are introduced. We saw North Korea fairly [inaudible 00:33:10] use ransomware, which is when your computer is encrypted and you have to pay a ransom to get it released. And so we may see others adopting that measure, or new technologies, new types of tech that are going to come out that none of us have thought about now that are going to be fairly commonplace a year or two years from now.
Brian Hanson: Well Lesley and Adam, I want to thank you both for helping us gain an understanding of not only what's happening through threats from China but help put this conversation into a bigger context, so thanks to both of you for being on.
Lesley Carhart: Sure it's an absolute pleasure.
Adam Segal: My pleasure.
Brian Hanson: And thank you for tuning into this episode of Deep Dish. If you like the show, please do me a favor, tap on the subscribe button on your podcast app so that you can get each and every new episode as it comes out. You can find our show under Deep Dish on Global Affairs wherever you listen to podcasts. If you think you know someone who would be interested in today's episode, please tap the share button and send it to them. I would also appreciate it if you let others know about Deep Dish on Global Affairs so that we can continue to build the audience and build knowledge about important foreign policy issues. As a reminder, the opinions you heard today belong to the people who expressed them and not the Chicago Council on Global Affairs. This episode of Deep Dish was produced by Evan [Fazzio 00:34:37]. Our audio engineer is Andy [Zarneci 00:34:37]. I'm Brian Hanson and we'll be back soon with another slice of Deep Dish.