Skip to content

Category Archives: Cybersecurity: Crime and Espionage

New McAfee/CSIS Report on Cybercrime

By
Monday, June 9, 2014 at 11:56 AM

I participated today in a CSIS/McAfee roll-out of their latest report on the economic impact of cybercrime.  Their bottom line is that cybercrime has an annual effect of roughly $455 billion globally, with 200K jobs lost in the US alone as a result.  A nice summary of the report by the Washington Post is available here, . . .
Read more »

Germany’s Prosecutor Rolls Up His Sleeves On NSA Surveillance

By
Friday, June 6, 2014 at 10:34 AM

A few weeks ago, Ben posted some comments about a Der Spiegel article that suggested the tensions between the United States and Germany were likely to die down. Not so fast, it appears. Germany’s top prosecutor has announced that he is opening an investigation into the alleged tapping of Chancellor Angela Merkel’s cell phone. A statement . . .
Read more »

The GameOver Zeus/CryptoLocker Indictment

By
Tuesday, June 3, 2014 at 11:42 AM

Following up on last weeks indictment of 5 Chinese PLA members for economic espionage, the Department of Justice continued yesterday its apparent prosecutorial offensive against cyber criminals.  The case, brought again in W.D. Pa. charges a Russian gang led by Evgeniy Bogachev with operating a huge botnet, known as GameOver Zeus.  Comprising perhaps as many as . . .
Read more »

Bits and Bytes

By
Wednesday, May 28, 2014 at 12:15 PM

Two interesting items today: Shane Harris has a look inside the FBI’s efforts to track the Chinese hackers.  Here’s the intro: “SolarWorld was fighting a losing battle. The U.S. subsidiary of the German solar panel manufacturer knew that its Chinese competitors, backed by generous government subsidies, were flooding the American market with steeply discounted solar . . .
Read more »

John Carlin’s Speech at Brookings on “Defending Our Nation by Prosecuting State-Sponsored Cyber Theft”

By
Thursday, May 22, 2014 at 2:00 PM

Watch the event with Assistant Attorney General John Carlin here: And here are his remarks as prepared for delivery: Defending Our Nation by Prosecuting State-Sponsored Cyber Theft Thanks for that kind introduction. I’m grateful to be here at Brookings today discussing emerging national security threats. On Monday, the Department of Justice announced charges against five members of the . . .
Read more »

The U.S. Corporate Theft Principle

By
Wednesday, May 21, 2014 at 8:07 AM

David Sanger’s piece in this morning’s NYT explores the USG’s attempts to justify cracking down on cyber-theft of intellectual property of U.S. firms while at the same time continuing to spy on non-U.S. firms for different purposes.  We are familiar with the USG policy.  As DNI Clapper says in Sanger’s story, the USG does not . . .
Read more »

Schneier on Hoarding v. Patching Vulnerabilities

By
Tuesday, May 20, 2014 at 12:11 PM

Bruce Schneier has a very good piece on whether the USG should “stockpile Internet vulnerabilities or disclose and fix them.”  Part of his  answer: If vulnerabilities are sparse, then it’s obvious that every vulnerability we find and fix improves security. We render a vulnerability unusable, even if the Chinese government already knows about it. We . . .
Read more »

More Thoughts on the DOJ China Indictment

By
Tuesday, May 20, 2014 at 9:40 AM

Jack has already offered a number of thoughts on the indictment yesterday of 5 Chinese PLA members for cyber espionage.  Let me offer a few additional thoughts that pick up on some of those threads: If the NYT article by Sanger is to be credited, this indictment was part of a strategy adopted more than . . .
Read more »

Why Did DOJ Indict the Chinese Military Officers?

By
Tuesday, May 20, 2014 at 6:55 AM

Why did the USG indict Chinese military officers for cybertheft?  It knows that there is no practical chance of convictions (because, among other reasons, the defendants will never appear in the United States).  It knows that mere indictments are unlikely to slow China’s corporate cyber-espionage, and thus might make even more obvious the fecklessness of USG . . .
Read more »

DOJ’s Summary of the Charges in the Chinese Economic Cyberespionage Case

By
Monday, May 19, 2014 at 10:55 AM

A remarkable development out of a grand jury in the Western District of Pennsylvania: five named members of the Chinese military have been indicted for economic cyberespionage.  Details from the DOJ press release follow: WASHINGTON—A grand jury in the Western District of Pennsylvania (WDPA) indicted five Chinese military hackers for computer hacking, economic espionage and . . .
Read more »

For the Delicious Irony Files

By
Friday, May 16, 2014 at 9:20 AM

A report from the cyber underground where most of my Lawfare colleagues don’t normally follow:  File this one as a delicious irony (or, if you prefer, a delightful irrationality).  Many will recall that back in 2010 when WikiLeaks first started releasing classified materials many of the financial intermediaries (Visa, Mastercard, Western Union and PayPal) started . . .
Read more »

White House on Disclosing Cyber Vulnerabilities

By
Monday, April 28, 2014 at 5:10 PM

Michael Daniel, White House Cybersecurity Coordinator, just published this important post on the White House blog about how and when the government decides to disclose cyber vulnerabilities: When President Truman created the National Security Agency in 1952, its very existence was not publicly disclosed. Earlier this month, the NSA sent out a Tweet making clear that . . .
Read more »

Heartbleed as Metaphor

By
Monday, April 21, 2014 at 1:30 PM

I begin with a paragraph from Wikipedia: Self-organized criticality is one of a number of important discoveries made in statistical physics and related fields over the latter half of the 20th century, discoveries which relate particularly to the study of complexity in nature.  For example, the study of cellular automata, from the early discoveries of . . .
Read more »

The Policy Tension on Zero-Days Will Not Go Away

By
Monday, April 14, 2014 at 11:32 AM

The proposition that NSA should under no circumstances stockpile zero-day vulnerabilities, but should in all cases disclose them in order to perfect defenses, apparently has appeal in some quarters.  It is based on at least two false assumptions.  The first is that the number of zero-days is finite, or, if not finite, then at least . . .
Read more »

Three Speeches on Cybersecurity by Dan Geer

By
Thursday, April 3, 2014 at 3:00 PM

Cyber security maven Dan Geer has given three speeches in the last six months that are worth a read: (a) APT in a World of Rising Interdependence, given last month at the NSA; (b) We Are All Intelligence Officers Now, given at the RSA Conference in February; and (c) Trends in Cyber Security, given at NRO last November. . . .
Read more »

The NYT on NSA’s Huawei Penetration [UPDATED]

By
Saturday, March 22, 2014 at 8:41 PM

David Sanger and Nicole Perlroth report about how the NSA has successfully placed backdoors into the networks of the Chinese Telecommunications giant Huawei for purposes of (a) discerning Huawei’s links to the People’s Liberation Army and (b) preparing for offensive operations in third countries.   It also has some detail (apparently based on leaks other than . . .
Read more »

Snowden Disclosures and Norms of Cyber-Attacks

By
Thursday, March 20, 2014 at 11:00 AM

Secrecy—of the sort that typically shrouds cyber-defense and cyber-attack capabilities and doctrine—complicates the development of international norms.  Secrecy makes it difficult to engage in sustained diplomacy about rules.  Officials can talk about them at high levels of generality, but can’t get very specific, and it’s therefore hard to reach agreement.  Secrecy makes it difficult to . . .
Read more »

A Modest Proposal for NSA

By
Tuesday, March 18, 2014 at 11:29 AM

I had an idea the other day—a way for NSA to serve the national interest, do good for humanity, and improve its public image all at once. Drum roll, please! NSA should get into the business of publishing trade secrets stolen from companies in countries that conduct active industrial espionage against U.S. companies. Before you . . .
Read more »

Two Videos from RSA

By
Thursday, February 27, 2014 at 2:56 PM

I haven’t watched these two speeches from the RSA conference yet, but Paul tells me they are both worth seeing:

No “No Spy” Agreements?

By
Thursday, February 13, 2014 at 4:48 PM

President Obama on Tuesday affirmatively stated that the United States does not have any “no spy” agreements with other countries.  Many journalists, scholars, and foreign officials have been laboring under the impression that the United States does have at least some of these agreements.  What’s the source of the disconnect? Readers will recall that discussions of . . .
Read more »