As the dust settles on Donald Trump’s extraordinary ascent to the White House, what do we know of his plans for cybersecurity? I’ve been speaking to a variety of experts for an upcoming Infosecurity Magazine feature and, believe it or not, the majority are not particularly optimistic about the future.
His official website, outlining the Trump ‘vision’ for cybersecurity, focuses on some easy wins:
- An immediate review of critical infrastructure and federal cyber “defences and vulnerabilities” by a Cyber Review Team comprised of members of the military, law enforcement and private sector
- The same team to establish “protocols and mandatory awareness training” for all federal employees
- DoJ to create Joint Task Forces to co-ordinate federal, state and local law enforcement cybersecurity responses
- Defence secretary to make recommendations on enhancing US Cyber Command
- Development of offensive cyber capabilities
Doug Henkin, litigation partner at Baker Botts, said the focus on awareness raising is a positive.
“This appears to be a good development for setting a positive tone to lead from above with respect to best practices for protecting against cybersecurity threats and is also essential for corporations seeking to ensure good cybersecurity preparedness,” he argued.
“It is essential to increase training as the new administration has recognised, while also remaining vigilant to how cyber attacks occur.”
That’s pretty much where the good news ends.
It might be too early to judge president-elect Trump on his cybersecurity credentials. But it must be remembered that, despite his bluster over ‘Crooked Hillary’ and her email blunder, his own businesses were found to be a whole lot worse when it comes to security. Independent researcher Kevin Beaumont scanned publicly available records last month and found that many of the Trump Organization’s mail servers are running Windows Server 2003 and Internet Information Services (IIS) 6, both of which left Microsoft’s extended support in July 2015 and have received no security patches since. He also found that the servers offered no two-factor authentication (2FA), so a single phished or brute-forced password is enough to take over a user’s account.
What’s more, as a briefing document from think tank the Information Technology and Innovation Foundation (ITIF) tells us, Trump has promised in the past to apply tariffs against China if it “fails to stop illegal activities” and to “adopt a zero tolerance policy on intellectual property theft.”
Given what we know about China, this is a dangerous game to play. Beijing will continue to pretend it is abiding by the September 2015 agreement between presidents Obama and Xi to stop state-sponsored economic cyber-espionage. Tariffs could lead to heavy reciprocal penalties on US tech firms operating in China, such as Apple. The state-backed Global Times has already warned that China will adopt a tit-for-tat approach if Trump plays it tough.
Silicon Valley scares
Trump’s election is also a disaster for Silicon Valley. The former reality TV star has expressed support in the past for the FBI’s attempt to force Apple to build a backdoor to unlock the San Bernardino shooter’s iPhone. He even called for a boycott of Apple products in response to the firm’s refusal to comply. We can therefore expect more pressure on tech firms to undermine encryption, which would be a disaster for businesses and consumers everywhere, as well as for the American tech firms themselves.
As if that weren’t enough, he is also a big fan of the Patriot Act and will inherit a fearsome surveillance apparatus from Obama. The outgoing Democrat is already being blamed for failing to roll back the huge encroachment on civil liberties enacted under the Bush administration. Writing in the Guardian, Freedom of the Press Foundation executive director Trevor Timm had this to say:
“What horrors are in store for us during the reign of President Trump is anyone’s guess, but he will have all the tools at his disposal to wreak havoc on our rights here at home and countless lives of those abroad. We should have seen this coming, and we should have put in place the safeguards to limit the damage.”
Let’s hope he surprises us all.
China’s head honcho when it comes to censorship recently stepped down. This being China, no-one seems to know whether he was effectively sacked, or asked to move to a new bigger and better role. But what we do know is that things aren’t going to get any better for those inside the Great Firewall.
Over the past three years, Lu Wei has been a constant thorn in the side of rights groups, diplomats and Silicon Valley bosses. His aggressive defence of China’s sovereign right to do with its internet what it sees fit – most notably at the laughably titled World Internet Conference in Wuzhen – has been jarring at times. The Cyberspace Administration of China (CAC) he headed also oversees the China Internet Network Information Center (CNNIC), which runs the .cn registry and a root certificate authority trusted by the major browsers. That is why Google blamed it last year when an intermediate CA that CNNIC had signed issued unauthorized TLS certificates for several Google domains and deployed them on a man-in-the-middle (MITM) proxy; Google and Mozilla subsequently removed CNNIC’s root certificates from their trust stores.
Even more damning, the CAC was accused of launching MITM attacks on Outlook users last year in response to the service’s migration to HTTPS, which the authorities can’t monitor. It was then blamed for a DDoS attack on anti-censorship organisation Greatfire.org – a persistent irritant to the authorities in Beijing.
I spoke to Greatfire.org co-founder Charlie Smith about the reasons for and implications of Lu’s departure.
“If it ain’t broke, don’t fix it, right? We probably just had the quietest anniversary of Tiananmen [Square massacre] yet, in terms of online dissent and discussion. There is more censorship in general. Less circumvention because of a crackdown on VPNs. And fewer foreign companies are trying to challenge the status quo,” he told me via email.
“We know controlling the medium is pretty near the top of [president] Xi Jinping’s agenda. So why make a change now? The timing likely indicates that this was a planned and not a rash decision. There was no need to unsettle things before the 4 June anniversary and the change happens well before the next ‘World’ Internet Conference in Wuzhen.”
Smith went on to argue that, even though Lu presided over an unprecedented crackdown on internet freedom – primarily through a new regulation banning the spread of “rumours” online – he didn’t go far enough.
“Lu was not perfect. As we have shown, it is impossible to completely block all information for those inside China,” Smith continued. “Maybe in this regard, Lu was being blamed and Xi decided he wanted somebody who can get the job done. Maybe Xi was upset about being ‘vilified as a murder suspect’ and could not comprehend why Lu Wei was unable to scrub information from the Chinese internet.”
Lu’s removal, if that is what it was, may also have been an attempt by Xi at curbing his growing influence – after all, propaganda is at the heart of the Party’s power and everyone inside knows it. His replacement, Xu Lin, is a Xi Jinping acolyte and one time deputy secretary of Tibet’s Shigatse Prefecture who will certainly toe the presidential line.
As Smith put it, “if Xu Lin fails to quell ‘rumours and slander’ Xi does not have to second-guess whether or not Xu is doing everything within his power to stop these attacks.”
So what prospects for the future? Pretty grim if you’re inside China and are a fan of human rights and internet freedom.
Beijing was one of a few countries – Russia, India, Indonesia included – that voted against a non-binding resolution at the UN this week stating all individuals must be afforded the same rights online as offline and that the universal right to freedom of expression should be upheld online.
As Smith said, if Xu Lin “handles information control on the Chinese internet the same way the authorities handle information control in Tibet then the situation could even get worse.”
There is some hope for businesses and individuals who need to leap the Great Firewall.
The hope is that it will encourage greater use of VPNs and help developers improve their circumvention products, as well as provide a much needed additional source of revenue for Greatfire.
The concern is that if it gets popular enough, Beijing will do all it can to put it out of action.
News emerged a few days ago that Foxconn had effectively laid off 60,000 workers in China and replaced them with robots. “So what?” you might think. And to be honest, if it keeps the cost of our tech devices down, then good for Foxconn, right? Well, unfortunately it’s not that simple.
The changing dynamics of the Chinese labour market could have a profound effect on us here in the West, and even portend similar disruption to our own workforce in the not-too-distant future.
These stories have been doing the rounds for years because – well – contract manufacturers like Foxconn and others have been investing significant sums into robotics for years. Why? The answer’s pretty simple, according to IHS analyst, Alex West.
“Robots don’t need to stop working, but they don’t get drowsy, distracted or depressed either, so quality and consistency of manufacturing is enhanced. With the developments in AI and predictive analytics, robots are also far less likely to get ‘sick’, reducing downtime,” he told me.
To that I’d add that they don’t go on strike, commit suicide or complain to the papers about poor working conditions – all problems Foxconn for one has encountered. But robots can also add value in other ways, such as helping firms win business from their rivals, according to West.
“Robots are evolving, becoming more intelligent as AI solutions help them to ‘learn’ on the job, but also becoming far easier to program and integrate on production lines,” he continued. “Collaborative robots are also making robotic solutions safer and easier to install without the additional safety concerns and equipment.”
There’s clearly a drive for this in China, the tech manufacturing centre of the world. The Chinese government has made investment in robotics a priority in its 13th Five-Year Plan, with IHS forecasting a 30% CAGR. But this threatens to create social instability as human workers are shelved in favour of machines. Foxconn and others claim bots are only used for repetitive tasks that humans don’t want anyway. But there’s no guarantee that there are enough skilled roles to fill the gap.
“Dull, repetitive jobs on the plant floor will be replaced by a range of higher-skilled positions such as robot/systems integrators, programmers, and data scientists supporting enhanced AI,” argued West.
“However, there will be fewer of these more advanced roles, and some of a type that existing workers will not have the skillsets to transition to.”
This might seem a long way from the UK. But our workforce is also facing a robot invasion – not from these industrial bots, but from service robots like SoftBank’s Pizza Hut-serving Pepper. In fact, a Deloitte study has claimed that 35% of UK jobs have a high chance of being automated in the next decade or two.
Robots accounted for just 0.3% of all machinery produced in China last year, according to West, so there’s still a long way to go. But it’s probably time to start getting nervous in the UK.
Huawei has leaped over local rival Xiaomi to take the number one spot in China’s much prized smartphone market, according to Canalys. I covered the news for IDG Connect and asked Canalys VP of analysis, Rachel Lashford, whether she thought the Middle Kingdom now belonged to domestic players.
She argued that the market has actually decelerated slightly of late (1% from 1H14 to 1H15) which has increased the pressure on all vendors – but Apple and Samsung are still flying the flag for the Rest of the World.
“Apple still has a very powerful brand in China and we expect to see the latest product launches to continue its popularity,” Lashford told me.
Samsung, meanwhile, has dropped from the top spot of a 15% share in 1H14 to fourth place (9%) a year later.
“But it is recovering in the high end and has really focused on investing in localised marketing messages,” Lashford added, by email. “Combined with recent restructuring of its channels, focusing on large retail and operators, it should be well equipped to keep the pressure up on its local competition.”
So what of Huawei and Xiaomi? The former’s rise has come on the back of a steady build-out of online channels over the past two years and a focus on its offline channel presence. Aiming squarely at the mid-range ($200-500), it has increased investment in the brand to good effect, concentrated on quality and kept momentum with regular product updates.
Xiaomi, on the other hand, may have taken its eye off the ball by concentrating on wearables, TVs and other smart home kit. It will need a “refreshed flagship” in time for Chinese New Year to wrest back momentum, she claimed.
And what of the two vendors’ plans for international expansion? Well, half of Huawei’s sales already come from outside the massive China market. But Xiaomi will need more help to get it competing beyond the Great Firewall.
“Many vendors are hindered by the lack of patents and having the difficulties and expense of licensing those in order to enter markets like the US and Western Europe where these are adhered to, so this needs to be overcome,” claimed Lashford.
“As does the adoption of a successful channel strategy. Xiaomi’s focus has been directly online, but it will still likely need the expertise of distributors’ mobility businesses – like Tech Data and Ingram Micro – in order to navigate the complexities of bringing those products to market.”
China, Russia, Eastern Europe, the Middle East – the list of hacking hotspots on the radar of most threat intelligence operatives is growing all the time. But what about Japan? For such an apparently technologically advanced nation, you might be surprised to learn its cybercrime underground is still in its infancy.
Trend Micro claimed that Japanese cybercriminals have not yet built up the technical know-how to create malware themselves, preferring to buy it from abroad and then share tips on how to use it on local underground bulletin board (BBS) forums.
These forums also sell the usual suspects of child porn, stolen card data, stolen phone numbers, weapons, and so on.
There were several interesting distinctions Trend Micro uncovered between the Japanese cybercrime underground and elsewhere:
- Cybercriminals accept gift cards from Amazon and the like in lieu of payment
- CAPTCHA in Japanese is used to access the forums, keeping their membership mainly to locals
- URLs for some secret BBSs hosted on Tor and other anonymising platforms can actually be found published in books and magazines
- Japanese cybercriminals are ultra cautious, even using code words when discussing certain contraband, like the kanji character for “cold” when referring to methamphetamine.
So far, the notorious yakuza organised crime gangs have largely stayed out of the game, and that’s the way it’ll stay for some time to come, report author Akira Urano told me. That’s because of a combination of strict cybersecurity laws and the fact that offline scams still work a treat. But it might not be that way forever.
“If organized crime groups like the yakuza ever venture into darknets, all they would need is the aid of tech-savvy individuals to engage in criminal transactions,” Urano argues in the report.
I was curious to hear a second opinion on Japanese cybercrime, so I asked FireEye’s local experts.
They hit me with a few stats from the National Police Agency (NPA) which show that, infancy or not, there’s a pretty healthy cybercrime industry in Japan.
Some 88 people were arrested for cybercrimes in the first half of the year, 58% of whom were Japanese. The country is also a major victim of banking fraud – second only to the US, according to other stats.
The country’s public and private sectors also have to withstand a barrage of likely state-backed cyber attacks, launched from outside the country.
Japan’s strengths in advanced technology and engineering, as well as its involvement in regional territorial disputes, have made it a target for China.
Aerospace and defence, transportation, high-tech, construction and telecoms are some of the highest risk industries.
FireEye told me the following by email.
“FireEye observes similar tactics and techniques on Japanese networks as we see elsewhere in the world. However, the key difference is localization: APT actors tailor their phishing e-mails, CnC infrastructure, and even their exploits to Japanese end users. For instance, we have observed threat activity against Japanese targets exploit the Japanese Ichitaro word processing system; zero days against the program are not uncommon.”
How much do you think Chinese state-sponsored cyber spies steal from the US each year? No, you’re way off. It’s in the region of $5 trillion – 30% of GDP – according to one expert interviewed in a new exposé of Beijing-backed cyber attacks by the Epoch Times.
I covered this one for Infosecurity and IDG Connect because although most of the info for the article came from publicly available sources, it had some interesting insight from various industry experts and tied together the whole shadowy web of guanxi-tinged goings-on in the Middle Kingdom very well.
Particularly illuminating were claims that there are hundreds of state-backed “tech transfer centres” whose mission is to earmark IP they want, send scientists abroad to study in relevant industries and then reverse engineer products from stolen IP. It’s China investing in state-sanctioned theft because it’s quicker, easier and way cheaper than doing R&D the legal way. It’s happening on an industrial scale, to feed the country’s military aspirations and economic growth – many of the products are produced cheaply and sold back to the West at a fraction of the cost of the originals.
It’s thoroughly depressing but fascinating stuff and will make for frustrating reading if you’re a US tech CEO. If you haven’t been breached yet, you will be – or maybe you just haven’t found out about it yet.
China can do this, of course, because there’s a very fine line between government, academia, military, state-owned enterprise and even private business. All organisations must have a CCP committee which some believe sits even higher than the board. And all are expected to pull together for the betterment of Team China. But while the report calls out state-owned enterprises, there is in fact little in the way of evidence that private businesses have capitalised on stolen IP to accelerate R&D and produce cheap kit with which to flood Western markets.
Report author Josh Philipp told me that evidence was hard to find – even the US indictment of five PLA hackers last year referenced only SOEs. IP theft does happen, however, especially by contract manufacturers making products for US firms, although this is slightly different from the cyber espionage/tech transfer cycle described in the report.
“Any private company involved would likely be running a small-scale counterfeit operation, which would be hard to pin down,” Philipp told me.
What is clear is that despite recent exhortations from the top to create an “innovation driven” country – an admission in itself that hitherto China’s economic growth and military might has been built on theft – the Chinese communist regime is unlikely to change things around anytime soon.
Western firms must get better at deflecting these attacks – and in so doing force up the size of investment needed by Beijing into cyber espionage activity, so that attack campaigns are just not worth the return in many cases. If they don’t, we can expect the same old breach headlines to continue ad infinitum.