Most governments don't prosecute Information War activities in court because it forces a country to give up too much information about sources and methods to get a conviction. So, it should not be a surprise to anyone that when the Special Counsel tried to do it, too much information went straight to the public. The Russians are going to make this as painful as possible and they have already started.
The Wall Street Journal article says "hackers obtained and leaked confidential information" that Robert Mueller linked to the disinformation campaign used in the 2016 election. The indictment linked that case to the documents that were posted and named the Internet Research Agency and private companies in Russia to the campaign. These were covert operations run by the Russian government and they do not like the idea of having them come to court. It reminded me of John Carlin's book, Dawn of the Code War. He says sometimes law enforcement "was not always the right tool to solve a problem," which I don't think covers half of the problem here.
If you want to undermine a covert operation, you do it with another covert operation that doesn't expose some of the ways you know what Russia is doing. In court that is going to be very obvious. The defense always says, "It wasn't us." You have to prove how you know it was them, and you can't use articles in the New York Times and Washington Post to prove it. You can't interview witnesses unless Russia gives them over and you believe what they have to say. I like Mr. Mueller a lot, but he knows there are limits to what he can get and to what those witnesses can say. The attempt has just started to give up secrets that go deep into the sources and methods of how we know what we know about these Russian operations.
The Special Prosecutor would be better served to not be involved in things that are linked to intelligence service operations in the US and should have known better than to bring criminal charges on these kinds of operations (two other charges are made by the Justice Department against the GRU on tampering with the Anti-Doping Agency, the International Olympic Committee (IOC), the Fédération Internationale de Football Association (“FIFA”) and other locations to find information about ongoing investigations. The Russian agents succeeded in releasing information on 250 athletes in over 30 countries).
Russia has deniability on these cases and wants us to reveal how we knew what we knew so it can discredit those sources as soon as they are known. They control their press and the agencies named, so they have the ability to do it. These are Friends of Putin who were indicted. Do we think he is willingly going to see them prosecuted? Guess again.
Thursday, January 31, 2019
Huawei Indictment for T-Mobile Tech Theft
In what is one of the most interesting documents of its type, we get to see the case against Huawei for trying to steal detailed information about a robotic telephone testing system made by T-Mobile. It carries some lessons for anyone doing business with Huawei, should the stated charges turn out to be representative of Huawei's actions.
It is obvious in the indictment that T-Mobile and Huawei U.S. were trying to follow rules established by T-Mobile for the protection of its proprietary testing robot. They had an area set aside for the testing and restricted access, initially to only T-Mobile testers. They might have been better served to stay with that approach. They had a physical guard and entry requirements. They had non-disclosure agreements. Huawei in the US actually listened to what T-Mobile told them, but asked the questions that Huawei China asked them to ask. Repeatedly, Huawei US told Huawei China that T-Mobile was not going to give up that information.
What they found was that over a two-to-three-year period the questions got more detailed and more persistent. There was increasing pressure and soft warnings. Huawei phones were not passing the tests and they really wanted a robot to test before sending them to the US for sale. T-Mobile wouldn't sell them one, so according to the indictment, they set out to steal what they needed. When T-Mobile caught wind of what they were up to, they were banned from the testing lab but kept coming back. When caught the second time, Huawei US did an "internal investigation" and found employees were "rogue" and fired them (I remind you that the Chinese have done these firings before and moved the individuals to other jobs in their own affiliates, or in the case of ZTE, didn't fire them). Huawei and T-Mobile settled this on their own, after T-Mobile threatened a civil suit. But, Huawei China made this more difficult by offering bounty money for information on certain types of technical data its employees could get.
It seems odd that five years later we get an unsealing of the indictment and a criminal prosecution. But what it does point out is how difficult it is for US operating locations to say no to their corporate parents. US subsidiaries, large customers dependent on Huawei for devices, and retailers might think twice about entering into this kind of arrangement with a company that was clearly intent on getting the proprietary information it was after, using whatever methods it could force on the business partners. This is a great case study for business schools.
Wednesday, January 30, 2019
Don't Blame the Intelligence Messenger
I have seen a few Presidents and senior government officials question the analysis made by the Intelligence Community. I always wondered why they did it. It is a lot like arguing with your attorney about what is the right course to take. You can ignore that advice, or not, but it helps if you are a lawyer yourself.
The Intelligence Community does estimates. They gather as many facts as they can and come to a conclusion. It is a best guess, and it comes with a confidence factor - we assess that this conclusion is given with a high confidence. It is the same as advice from the lawyer. You are free to disagree. You are free to ignore the conclusions. But, don't question the process that goes with it.
An assessment usually comes from a lot of information sources, but sometimes those are limited to what is available. North Korea, for example, does not have as much as anyone would want; those might have less confidence. They also come with many analysts' views, aggregated into a product that none of them agree with exactly, but all of them support. If not, they can write a minority opinion - kind of. That can be done formally, or just internally to say "I told you so".
Now, while this process has some blatant failures on occasion, it has been worked and refined for a long, long time. It is influenced by politics, even though the members of the Community would not agree that it is. I saw that with Missile Defense when the Congress was splitting hairs on whether a missile could hit the United States. The Clinton Administration said it couldn't, but agreed that it could hit Hawaii and Alaska. Ted Stevens from Alaska and Inouye from Hawaii thought this was ludicrous thinking and said so because it was a matter of record that it could hit Hawaii and Alaska. Clinton didn't care about that. It wasn't what the IC had said, but there were interpretations of the final product on all political levels including the President. There always will be. They fought about it but it didn't become public. President Clinton wanted to reduce the amount of money going into missile defense and needed a justification for doing that. He got it by twisting what had been said.
So, take the advice or reject it, but don't complain about the assessment as given. Order a review of the assessment if you want, or keep quiet and ignore the statements. Making it public makes it worse on both sides.
Forbes Says China "Blindsided"
Forbes says today that China was "blindsided" by the sanctions against Huawei in the buildup to trade negotiations. Steve Mnuchin, Treasury Secretary, was on Fox Business yesterday saying these sanctions are part of the Justice Department actions and have nothing to do with trade talks. While I do agree that the Justice Department has not been very concerned with how its arrest warrant for a Huawei official or sanctions affect the outcomes of trade talks - in both cases their timing sucked - we have to consider they have finally gotten around to doing something on a case that started in 2013. That is not exactly lightning speed. Justice is slow-rolling everything on Huawei, and they really don't care how it makes the negotiations with China more difficult.
The Forbes story is what the Chinese want us to believe. They are hardly ever blindsided by anything a government does. They have employees everywhere on the Hill and working for governments all over the world. Their intelligence services have links into all aspects of our government decision making. They are not surprised, and not blindsided by much of anything we do. It would be nice if we could blindside them now and again, but we can't.
Second, the Chinese trade delegation has a task that is not related to anything about Huawei, though it may affect them. The US wants reciprocal trade and there is none in telecommunications. China does not allow US carriers to buy into the Chinese telecom infrastructure, but they want to complain when Huawei is denied a chance to do the same thing in the US. Neither side will allow the telecoms of the other country to buy into the infrastructures of the other and that is not going to change after these trade talks. There will be trade, but not in this area because both countries believe this is a national security issue and not a trade issue. Mnuchin even alluded to his membership in the National Security Council.
China doesn't need help in these trade talks, especially help from the US press corps.
Tuesday, January 29, 2019
New Report from US-China Economic and Security Review
Today the USCC released a staff research report entitled "China’s Missile Program and Potential U.S. Withdrawal from the Intermediate-Range Nuclear Forces (INF) Treaty."
Recently, the Trump Administration cited China as a major reason behind its decision to announce U.S. intentions to withdraw from the 1987 Intermediate-Range Nuclear Forces (INF) Treaty with Russia. This report explains the importance of China’s ground-launched missiles to Beijing’s overall military strategy; surveys Chinese reactions to the potential U.S. withdrawal from the INF Treaty; and assesses both the positive and negative implications of U.S. withdrawal for the military balance in Asia, global arms control regime, U.S. relations with Asian allies, and China-Russia ties.
Happy to answer on this report, which can be found here.
to withdraw from the 1987 Intermediate-Range Nuclear Forces (INF) Treaty with Russia. Washington has not yet initiated the formal process of leaving the treaty, which requires six months advance notice.
Beijing is not a party to the INF Treaty. In contrast to the restrictions the agreement imposes on the United States and Russia, remaining outside the pact has allowed China to rapidly expand its missile arsenal as part of a military strategy designed to counter U.S. and allied military power in Asia.
China opposes both U.S. withdrawal from the INF Treaty and expanding the accord to include Beijing. Implicit in this position is a recognition that limits on the United States and Russia that do not constrain China advantage Beijing.
Chinese experts see the likely U.S. withdrawal as emblematic of a more aggressive U.S. nuclear and missile posture as well as a means for Washington to pressure Moscow. Chinese scholars have proposed punishing U.S. allies in Asia if they host U.S. missiles in the future.
U.S. withdrawal from the INF Treaty would have significant policy implications for the military balance in Asia, the global arms control regime, U.S. relations with Asian allies, and China-Russia ties. Withdrawal would have mixed impacts that potentially could improve or detract from regional and global security and the U.S. and allied ability to deter China.
Huawei and Dilbert
Years ago, the brain of Scott Adams created the cartoon Dilbert. Dilbert was working with a company from a fictitious country, Elbonia. The Elbonians worked for nothing and would write software for any company that wanted to use them. Dilbert's pointy-haired boss thought that was a great idea. Dilbert thought something was amiss.
I saw Gordon Chang on Fox Business yesterday and he was describing much the same kind of thing with some of Huawei's work for African nations. We will build your infrastructure for free, and you can buy services from us afterwards. A lot of the data they were processing on those infrastructures was going right back to China every day. This is not even a complicated way to collect intelligence, but Huawei says it is not a part of the intelligence services of China.
There are two sides to this story. The first one says there is no free lunch, unless you are the potential client and business is taking you out. Anyone would have to be thinking, "Why are they giving me a very expensive infrastructure for free?" Is there a catch? Come on! Yes, there is a catch and anyone who thought more than a minute on the subject could know what "free" means in a case like this. When a politician sells his soul to the idea that anything free must be good, he should serve time in a new place in hell. Even Dante did not see that one coming.
The second part of that is more and more countries are seeing the connection between Huawei and Chinese intelligence, knowledge they had years ago when I wrote my first book. Our government had denied Huawei attempts to buy into technology sectors and the infrastructure of the United States. They finally gave up, though they got quite a bit of what they wanted in many of those cases because some business leaders are a lot like Dilbert's boss. Those payments from Huawei, in the form of joint ventures and partnerships, were too good to pass up. They never even looked twice at the reasons for the U.S. stopping so many of those deals going through. They got their money and Huawei got what it wanted.
Last February, the heads of FBI, CIA, and NSA said don't use phones made by ZTE or Huawei, yet they are still for sale here. Routers are an even greater problem but they still sell those too. Where is Scott Adams when you need him?
Monday, January 28, 2019
Hackback on the Burner Again
Andy Kessler is hardly the person I would have thought of when stories of hacking surfaced today in the Wall Street Journal. He is strongly advocating that when attacked, we hack back - retaliate. He pointed out that Cyber Command has done next to nothing to create defenses against these attacks and we should use them to take steps to deter these kinds of attacks.
Yes, I see his point, but we have been dealing with the problem for 30 years so I have heard all the arguments on both sides for at least that long. Cyberwar is not fun; it will not be more rewarding to attack someone who attacks us because the satisfaction of defense is only good until the second strike takes place. When you start this war, you better be ready. I imagine this is why Cyber Command does not attack (and talk about) any of the things the Journal is pointing to.
I was always a big proponent of attacking our enemies when they attack us. I still am.
But these kinds of attacks are kind of like sailing ships through the Straits of Taiwan. They are public displays of a response to actions that are clearly intended to keep the US away from Taiwan. The Chinese have escalated the potential cost of doing this kind of deterrent by reinforcing their little islands and making diplomatic moves like working with embassies around the world to recognize Taiwan as part of China. Both sides are taking public steps that aggravate the situation, thinking their own actions will reduce tension and win over the world public opinion. Not likely.
First, the theft of information by China is largely from its own intelligence services. China denies it does such things, even though they also know they are lying to us. They are covert activities with plausible deniability. A response is usually going to be the same - covert and with deniability for anyone who responds. We have no idea of what may have already been done, or which country did it, and we will likely not know for years. Israel kept a secret of its attack on a nuclear reactor until last year. It was 6 September 2007, when the Israelis bombed the nuclear facility at Al-Kibar in eastern Syria. Everyone knew somebody attacked it, and there was speculation that Israel might have done it, but there was no proof. It didn't even make the evening news when they announced that they did it. Iran must have been keeping an eye on that situation but may not have known for sure. It was a good deterrent and the reason they put their facilities underground.
Second, the business community is often the target - insurance companies, banking institutions, government agencies are the targets. Are we suggesting each one retaliates? There isn't a cry from these institutions to do that because they know that they can't start a war they would lose with a government. Nobody wants to be on that target list and retaliation does that. I have had a few large banks think they could do something, but none of them ever did. A couple of commercial companies wanted to do the same thing, but also never did. They actually had the technical expertise. Only the governments can do it on behalf of them so the business community is isolated from the retaliation.
Third, a government that attacks better be ready for the response. I wonder if China thinks it can defend itself against retaliation? They are grossly overestimating their skills if they do. They have pockets just like every country does, but pockets will not help a country survive for long if this really gets turned up. Only arrogance would allow them to think that they can't be embarrassed.
Militaries are the ones who start this kind of thinking. I have rarely met a military cyber group that thinks it could not damage an adversary and avoid retaliation. They are safe in their assumptions until the second strike.
Diplomacy is probably the only answer, as much as we hate it. We don't trust China and they don't do well at keeping their agreements. This is what brings us to the Journal approach. If we are going to be striking back, we better be ready. Decide for yourself if you think we are.
Huawei Saving Itself
Huawei is having help spreading the "Party Line" for why the world should buy Huawei products even though there might be some concerns about security. You can see a number of stories like this one in US News, and one you can't see in the Financial Times. More on the latter one later.
Huawei has suddenly become essential to the development of global 5G. "Efforts to limit involvement of Chinese technology in upcoming 5G projects in Europe might bring 'serious consequences to the global economic and scientific co-operation,' Ambassador Zhang Ming said in an interview with FT."
We might have some trouble believing that any company would be the root of 5G to the rest of the world when the standards for 5G are still just barely on solid ground after years of work. We are not sure that the 5G we are supposedly getting from vendors this year can even be used as 5G is envisioned. Huawei is not going to be essential to global development any more than any other of the big suppliers. Let China have its own 5G if it wants. Let's see how the world interoperability works itself out if they do. Huawei has already done a lot for international standards and that is something we need to start reviewing again in light of the connections between Huawei and Chinese intelligence services. Maybe we don't want that kind of interoperability.
Now, about that Financial Times article.... When I get pointed to an article by Flipboard, my news aggregator, I expect to be able to read that article, not see an ad for the electronic version of FT. That is not news. That is advertising. FT is not the only one, but they are not allowing a reader to read the article being referred to them. The news outlets should examine advertising and restrict its use on platforms like Flipboard. I wonder if Flipboard is getting revenue from this. Apple, Microsoft and Google all have these kinds of links.
Friday, January 25, 2019
More to Poland's Huawei Story
Wow, there seems to be more of the Huawei story of spying on Poland that is leaking out. It seems to be difficult to keep secrets about anything Huawei.
A story in the Wall Street Journal today brings some surprising news about how Huawei was recruiting from the Military University of Technology, an elite school that provides some of the high tech people who enter/support Poland's government. The article says, "Mr. Wang had visited the university in conjunction with a contest run by Huawei called 'Seeds of the Future,' according to the university. In recent years, students there have been among the winners of the contest, which offers all-expenses-paid trips to China, including a week at company headquarters in Shenzhen."
Huawei would say this is just good recruiting in a country that has 50% of its infrastructure provided by Huawei. However, this also looks suspiciously like the paradigm for spies operating in a country who recruit other spies to get information. The Polish official arrested was teaching at the University where he could identify "winners" for the Huawei program and bring them to China to get a better look and make an assessment. Only a few would be good enough. That sounds a lot like spying, not good business recruiting.
Thursday, January 24, 2019
Fake Washington Post
It becomes harder to identify those people who publish and distribute fake versions of news media like the Washington Post which had a cover story on the resignation of President Trump. NPR had a story on this last week, which attributes the paper to L.A. Kauffman. It seems the Washington Post legal office is nowhere to be found on this.
I wonder what would have happened if some of the political right published a fake Washington Post with the lead story being the arrest of Nancy Pelosi for impersonating a Congresswoman. The Post would be on that in a second for copyright and trademark violations. By doing nothing, they encourage others to do the same thing, which will allow both right and left to do the same thing.
Huawei blasted from all Sides
It does not seem to be a coincidence that so many news outlets are blasting one aspect or another of Huawei's business. Today, the Wall Street Journal had a story on the U.S. perceived lack of need to "show proof" that Huawei was spying on business and government outside of China. Reuters has one that says Universities are backing away from Huawei's equipment, blaming President Trump for this seemingly alarmist reaction to nothing. And there were others that are becoming so numerous they are hard to keep up with.
As to proof that Huawei is cooperating with the Chinese intelligence services to collect information on those who buy their equipment, the U.S. already knows whether that is true or not. I have several times cited a list of leaks from the Obama Administration that indicate the government knows about those links. Starting in 2013, a long line of intelligence agency leaders have said there is evidence of Huawei spying for the Chinese government, though no details have ever been provided in public. That is not unusual, since those reports are classified and would not normally, anywhere outside of the Washington Post and New York Times, be presented in public forums. Both have run articles on this in the past.
Huawei has ignored most of the public comment because it makes good business sense to do that. The more they protest their innocence, the less likely they are to escape these continued accusations. Having some of its employees arrested for espionage and Iran sanctions violations has not helped them keep this out of the limelight.
Second, China needs to end this use of public companies to undermine the Internet and use it for spying on the rest of the world. Google stopped honoring Chinese certs for networks because some of them were bogus. The government bears most of this responsibility. If you follow the University of Toronto analysis of web browsers, you can see a trend there that points to a central collection policy mandated by the government. It can't be coincidence that so many companies have separately decided to collect my cell identification, my hard drive serial number, and the WIFI connections near my location. Who needs that except their spies? It isn't just Huawei and ZTE doing these kinds of things and we probably shouldn't be singling them out. They are just the representatives of a much larger problem with using commercial companies to spy. It is part of the culture of China and will take a long time to change.
Wednesday, January 23, 2019
The New Player in Missile Defense
When the US President gave his speech on a Missile Defense Review, he talked more about Iran than North Korea. In my day in missile defense, North Korea was the main concern. China was able to sit back and watch while North Korea threatened nuclear attack on Guam or Hawaii, though they probably were bluffing in those days. Only the Chinese made outright threats to detonate a nuclear weapon over Los Angeles, but even then they backed off of that threat days after it was made. Iran was only an afterthought.
So, while a small part of the EU continues to think the Iran nuclear agreement is a good idea, Iran goes on with booster testing and, more likely, weapons too. This is not likely to go well if the Iranians get down the road towards a real nuclear weapon. The Israelis have not shied from attacks on Iran's capabilities if they got far enough along. In June 1981, Israel bombed the Osirak nuclear reactor being built for Iraq by French and Italian contractors. That bombing was announced, and not covert. However, that was the second bombing attack on the facility. The first, allegedly encouraged by the Israelis, took place 30 September 1980, during the Iran-Iraq War, with two aircraft the Israelis said were Iranian F-4 jets. On 6 September 2007, the Israelis bombed the nuclear facility at Al-Kubar in eastern Syria. That was not acknowledged until last year. It remained a secret for all that time. They know how to keep a secret.
Worried about Iran? We are. Israel is. How about Europe? Yes, coming around, but slowly.
Shipler, David K, Israeli Jets Destroy Iraqi Atomic Reactor; Attack Condemned by U.S. and Arab Nations, The New York Times, 9 June 1981, https://www.nytimes.com/1981/06/09/world/israeli-jets-destroy-iraqi-atomic-reactor-attack-condemned-us-arab-nations.html.
Pirseyedi, Bobi, Arms Control and Iranian Foreign Policy, (Routledge: New York, New York) 2013, page 120.
The Complexity of Electronic Warfare
Part of Information Warfare is Electronic Warfare and I ran across an article this week that describes some of that with some graphics that were familiar. Several years ago, I was briefing the Director of Ballistic Missile Defense on an exercise we had run that looked at the complexities of trying to secure and defend a multi-nation combat force. Like this article, I showed the aircraft, space assets, ships, missiles systems, commercial support, and all the little things that get involved in communications across a global battlespace. The General looked at this description for a minute or two and he smiled. "I get your point," he said. Then he paused and added, "...but don't ever show me that slide again."
The whole room laughed, including me. It is overwhelming and too much for a person to absorb without building up to it. Yet, it is not complicated enough to describe Information War.
There are no simple ways to describe all the aspects that overlap and involve aspects which are not traditional defense. How do we characterize the countering of propaganda feeds from state-controlled media, software manipulation in the telecommunications infrastructure, or political influence campaigns like the ones Russia ran during the Presidential and mid-term elections in the United States? Most defensive strategies do not take this kind of strategy into consideration. Maybe, as our Director of National Intelligence pointed out, that is why the Russians, Chinese and Iranians found it so advantageous
Tuesday, January 22, 2019
Shame, Shame
Forbes has a story today that came from London. It seems the Kings College in London has published a report saying it might be better to shame companies that don't protect their data very well. That approach is hardly noticeable in this report, and I wonder why any reasonable person would have picked out that part of it. I picked out this part:
"The first is that ACD in its initial iteration has only been used to protect the public sector. NCSC has described this as an ‘eat your own dog food’ attitude, ‘using government as a guinea pig’. The presumption here is that government will not ask anyone to implement cybersecurity solutions that it has not tested on itself."
I think this part of the report is right to the point of having anyone testing commercial businesses to find out if their security is adequate. The testers are just as likely to be full of holes in their own systems until they do something about it. The governments of the world are awful at security and the main reason why so much data is stolen every year. Our tax service (the IRS) has been hacked multiple times without much improvement being made to correct those problems. I don't even want to go into the whole list of Federal agencies that have been hacked but it is long. Get those in order before starting to shame anyone into doing better security.
Second, in my experience, the shaming method does not work very well. Introduce liability instead. It is subtle, but briefing the Board of companies on their vulnerabilities is more effective. The Board members then know, as they are required to know, what they are doing that makes them vulnerable. That is harder to ignore. Public shaming, which causes more trouble and gets people fired who may not be the real problem, is a panic-attack-inducing approach that ruins careers. Getting the Board's attention is usually effective. Where it isn't, there might be a need for more than public shaming.
Third, who gets to decide if a company is secure or not? What this report is describing is having an intelligence service doing the criteria and testing commercial establishments on that criteria. I don't think very many countries would be willing to follow that approach.
Fourth, cyber security is much more complicated than this part of the solution suggests. There are issues with liability, testing results, sharing of testing results, public knowledge of testing vulnerabilities and hackers who will use this data to attack the weak. Even testing teams have to have extraordinary knowledge of multiple systems that few people have and I wonder about having government members on those teams. China would hack those teams and so would lots of others.
Monday, January 21, 2019
Latest from US-China Economic and Security
The US-China Economic and Security Review Committee regularly publishes updates and this is from their latest:
"From December 19 to 21, 2018, China held its annual Central Economic Work Conference (CEWC), during which Chinese Communist Party leaders review China’s economy over the past year and set the direction of economic policy for the next year. The conference comes as trade tensions with the United States and weakening domestic consumption increasingly weigh on China’s economy.
Although the CEWC’s proceedings are kept secret, Chinese state-run media outlet Xinhua publishes an official summary of the conference. Although it is doubtful the readout is fully transparent about the contents of the meeting or the assessment of the assembled group, it reflected a darkened economic outlook, acknowledging “new and worrisome developments” and a “complicated and severe” external environment. In response, Chinese leaders promised increased economic support measures, with a greater emphasis on fiscal over monetary policy. “China will strengthen counter-cyclical adjustments in its macro policy, continue to implement proactive fiscal policy and prudent monetary policy, make preemptive adjustments and fine-tune policies at the proper times, and ensure stable aggregate demand,” the statement said. Without directly referencing the “Made in China 2025” industrial plan—which the government has been downplaying lately—Chinese leaders identified “high-quality development in manufacturing” as a key economic priority for 2019."
Now the question is will they change policies to get trade talks back to normal. We hear quite a bit about China's changes that are pending, but not much has been said about making those moves permanent. The Chinese issue "window guidance" on policy that interprets how policy will be implemented, but that guidance is modified as the reaction starts coming in. The basic policies are vague and full of words that have multiple meanings. Can we trust them to implement a policy that will stick? In a word, no.
China's Economy One Step Ahead of Turkey
There was a Forbes article over the weekend that pointed out a few facts about the decline of the Chinese economy. One of them was that the Shanghai Composite is down 30% over the last 12 months and only Turkey did worse. The article goes on to mention the many other ways that China was losing the Trade War and probably knows it. That looks better for the negotiators who want to make an agreement with the U.S.
Sweden's Little Spat with China
The South China Morning Post has a story from Saturday that is asking Sweden to reconsider its look at its Chinese connections in contracts and interactions. One of them is a Chinese satellite downlink built 200km from the North Pole, owned and operated by the Chinese military. We do have to ask ourselves why Sweden agreed to building this thing to begin with when we have to wonder why they would welcome in the military under any circumstances. They are wondering the same thing.
It seems like there are quite a few countries finding out that they have all kinds of agreements and contracts with places in China that, had they thought about it, probably wouldn't have been done. It reminds me of 9/11 and all the changes in policy that came about as a result. We looked at some of the contractors who had access to the Pentagon and asked, "What are we doing here?" Some countries are having that kind of moment now. These are people in government making decisions that seemed OK at the time, but when they have a spotlight shined on them, don't look so good. The US and its allies should have a standing committee that reviews these contracts on a regular basis to avoid that kind of belated recognition of the threat.
Friday, January 18, 2019
Retroactive filing as AOFP
You have already heard about Paul Manafort's dealings with the Ukraine, but one element has been added this week. That was the hiring of Skadden, Arps, Slate, Meagher & Flom in 2012 to work for the Ukraine government. Politico says today, "The settlement doesn’t name the Skadden partner, but it appears to be Greg Craig, a former White House counsel under President Barack Obama who led the Ukraine work."
This article also points out that when Skadden, Arps was asked to file as an agent of a foreign government, they said they weren't. Now they will register, after seven years and the prosecution by the Mueller team of Lawyer Alex van der Zwaan who pleaded guilty last year to lying to the FBI about the firm’s work for Ukraine.
Thursday, January 17, 2019
There is Piling On, Then there is ...
When China sentenced a Canadian citizen to death, we all got the idea that they were not kidding around about the detention of one of its own from Huawei. But, they also know what happens when this kind of thing gets going, and there is much more to come for the hapless employee-owned company. This time Huawei will face criminal charges for stealing proprietary information from T-Mobile. It was a typical Chinese theft case. The company working with T-Mobile apparently tried to steal a small probe used in testing of smartphones by T-Mobile. It is almost laughable that the Chinese would want to steal something so small (see the Wall Street Journal with picture) that nobody could possibly think it was worthy of this kind of risk. Yet, the Chinese may well have taken that risk anyway. That will all come out in charges if and when they are finally brought.
It really does show a couple of things: (1) the Chinese will steal almost anything they want and think they need and (2) even when they get caught and have to go to court, they can settle their way out of any criminal charges.
If it looks like piling on (a term used in football when a player is tackled and other players fall on him - mostly to cause more irritation), it is only getting started.
Promises, Promises
Before we accept any statements from China that it will not attempt to steal intellectual property from commercial vendors, I want to show you what the Chinese said in 2015 in the agreement with the US to not steal intellectual property:
"The statement contained in the Cyber Agreement that neither government will knowingly support cyber-enabled theft of intellectual property for commercial gain appeared to signal Chinese acceptance, for the first time, of the distinction the U.S. government draws between cyber intrusions for national security purposes and activities pursued for commercial benefit. President Xi lent his personal imprimatur to the pledge not to support commercial cyber espionage by stating that "... both government[s] will not be engaged in or knowingly support online theft of intellectual properties," and by declaring in a speech in Seattle three days earlier that "the Chinese government will not, in whatever form, engage in commercial theft or encourage or support such attempts by anyone." Some observers have noted that a troublesome aspect of the Cyber Agreement, however, is that it may not reflect the intentions of the People's Liberation Army.
In response to a question about whether he was satisfied with China's steps on cybersecurity, President Obama said that the United States has traditional law enforcement tools available to "go after those who are attacking our companies or trying to extract trade secrets and data," and, through an executive order issued in April 2015, also has the ability to impose sanctions."
To make any agreement work with China, there has to be more than just a written statement by two sides that says it will not happen again. China violates sanctions it has agreed to in the UN, violates international agreements on behavior on the seas, ignores patent infringement on patents held outside China, and behaves more like a criminal enterprise than a sovereign country. It is like entering into an agreement with a known liar.
Wednesday, January 16, 2019
Boeing's Little Satellite Deal with China
Few of you are old enough to remember the Chinese getting involved in some contracts in 2000 that allowed them to figure out why some of their kick orbital rocket motors, which put satellites in orbit once they get close to the right velocity. Lockheed Martin was involved in that one and they squirmed a lot, by my recollection, paid a fine and denied doing anything wrong. Nobody in the missile business thought this was a good thing. There was always the belief that Lockheed gave the technology to China knowing they shouldn't have, but the Clinton Administration let them off the hook through this deal.
Now comes the Boeing deal with China. The Wall Street Journal describes part of that story this way: "The court filing was part of litigation against defendants including a China Orient unit that corporate records show provided financing for a satellite that Global IP was buying from Boeing. Under U.S. export laws, American companies are effectively barred from selling satellites to China."
The SEC is now looking into the mess of money and company control that was built around Global IP. A China Orient unit, which corporate records show provided financing for a satellite that Global IP was buying from Boeing, is also being investigated. Yes, it is confusing, and that is the Chinese way. The more layers of companies and cut-outs, the better. Boeing is said to have been apprised of the financing, though there may be second thoughts about how much advising they got, now that the SEC is involved.
Big corporate aerospace companies have no business getting into the kind of deals described in both of these investigations. They know better; they wink; they nod; they use the rationalization that it is "just business" and not anything against US interests. They need to get kicked really hard by the SEC to get them to pay attention. They will be more careful, though they may not stop the behavior unless the kick is well directed. These are our defense contractors and they have rules they are supposed to be following. They know what those rules are and they think they are above them. Time after time, they decide what is best for the country on the basis of what is best for their bottom line or schedule. The kick needs to come from the core and land in a place that hurts. Fine them too.
Poland Has All the Fun
Well, if you want to be confused by an espionage case, Poland has the most exciting one in a long time. It involves a Huawei official, something everybody in the world knows now, but it also involves a Polish official working now for a French telecom, Orange SA. Before that, this official was a Polish Intelligence officer who apparently had access to Polish and other intelligence services information. Not good. Intelligence officers, like Edward Snowden, always make the most damaging spies.
Huawei has fired its representative who is now going to be disavowed by everyone. Last week Huawei's President Ren Zhengfei started an aggressive "We didn't do anything like that" campaign which included a specific denial of planting devices in any of their network components that provided back doors to a customer's data. AP carried a story yesterday that said Huawei's President had also said his company would not turn over information on clients that might be requested by the Chinese government. His customers might be concerned that there was ever a thought about that being done, but they should have thought about that a long time ago.
His daughter is under house arrest in Canada for something unrelated to putting back doors in equipment. Huawei was apparently the other company that was identified by ZTE documents describing how the sanctions against Iran could be done without discovery using front companies and shell corporations.
We will be hearing about this case for years by the time all the information gets out, but it would make a great spy novel.
Non-Discriminatory Hacking
When the Chinese hack, they don't discriminate. It is one thing you have to admire them for. So, when the Wall Street Journal says that a state-sponsored hack was looking for medical records of Singapore's Prime Minister Lee Hsien Loong, it brought me back to an analysis I did for my first book. The Chinese were hacking telecoms at that time, and they hacked their own telecoms while they were about it. So, we had the Army hacking state-owned enterprises that provide the backbone of China's telecommunications infrastructure.
The Prime Minister has cancer so we might guess the Chinese, and lots of other countries too, might want to know how bad it is and what the prognosis is. That allows them to work on support of a replacement, if one is needed, and to find one suitable that they can support. It is just planning ahead, though a morbid use of intelligence collection. While they were at it they took about one quarter of the records of the rest of Singapore's citizens. Though nobody said China out loud, I point the finger at China because they have done the same thing in the U.S. Insurance and medical records seem to be very popular sources of intelligence. Some of the biggest hacks of medical and insurance records point to them.
Friday, January 11, 2019
Infrastructure Attacks that Hurt
There are two stories today about infrastructure attacks that do not bode well for the people responsible for protecting US infrastructure. The first is a Wall Street Journal report on hacking the US power grid, something the Russians have been doing for some time, but which has now been reinvestigated since new attacks have been discovered. There is a good map of where these targets are in this article. The second is a FireEye report on Iran's DNS hacking on a very broad scale. Both of these are not making anyone happy who cares about protection of national interests. [If you don't know very much about DNS attacks, you might try reading Security Issues at DNS, a paper published on SANS. It is long but worth reading. For a less technical paper on this, try DNS Security: Defending the Domain Name System.]
These kinds of attacks are not new, although the Iranian attacks on DNS certainly are more innovative than the brute force attacks of the past. They are also broader, taking in the Middle East and North Africa, Europe and North America. They are almost attributed to Iran, though FireEye says "an Iran nexus" which is not exactly the same thing. It is obvious that someone is working hard to use DNS to hack businesses and specific individuals by something totally out of the victim's control. It is effective, and should be getting much more attention than it does now.
The Russians seem to have gone after some of the smaller infrastructure companies that are more vulnerable to state-sponsored attacks. The Journal alludes to this being preparation of the battlefield, suggesting they are laying the groundwork for larger attacks and making a capability to do real damage to the power grid in conjunction with other types of war. In general, that part is true. They are partly that and partly a warning of what is possible if we want to fight them. We know what they are capable of and have to take that into consideration before engaging them. The problem for any country that does that is not the known types of things that have been identified. It is the unknown things that have been done. This particular series of attacks went unknown for a year.
A good bit of the world has to start coordination between countries on these kinds of attacks. They are targeting large grids that cross international boundaries and have multiple jurisdictions. Nobody wants this kind of attack undermining the confidence in power and computer infrastructure, yet neither Congress nor other state legislative bodies seem to have the ability to identify and do something about it. Focus a little on this area and start thinking about what is required to get a grip on large scale attacks on big infrastructures. Russia and Iran are working on it. Maybe we should too. This is Homeland Security territory and they are mostly missing.
Poland Arrests Huawei Employee for Espionage
In case anyone is thinking Huawei is being persecuted, this case may be enlightening. A Wall Street Journal article starts this way, but not all the facts are known yet: "Polish authorities detained and charged the sales director of Huawei Technologies Co.’s local office, a Chinese national, for allegedly conducting high-level espionage on behalf of a Chinese spy agency, amid widening global scrutiny by Washington and its allies of the technology giant." The person detained is not named, but that won't be long coming since his position is identified. The article also says he was "a graduate of one of China’s top intelligence schools." That makes him a probable spy.
Two Polish officials have also been detained and the interesting thing about them is one has an association with the encrypted network used by Poland's leadership. What a nice thing to have access to.
Huawei is in for a lot of trouble on this one. Whatever they are doing in Poland is about to be identified in court documents and soon become fodder for all kinds of other speculation about what else these guys are up to. Wait for the other shoe to drop.
Thursday, January 10, 2019
Iran Assassinations Draw Sanctions from Europe
Well, it is no wonder the EU is upset with Iran over planning assassinations of people opposed to the Iran regime in Denmark and France. Iran was accused of carrying out one of those in the Netherlands in 2015 and that is being brought up again in light of these new events. Still, it is not anything like the trouble it caused Russia to try to do an assassination in the UK. I guess it does matter if you shoot someone rather than use a chemical weapon on them. The victim cannot see the distinction so clearly.
The EU is leveling some sanctions, but hardly enough to get the Iranians' attention.
At the same time we are concerned about this, Iran is proceeding with the launch of a satellite which Europe has largely ignored. The Iranians learned that from North Korea. Practice with satellites until you get the orbital speeds up, then they can substitute a weapon in its place, should they choose to do so. Everyone criticized the US President for pulling out of the Iran accords, when it now looks like he was right to do that. The Iranians have not stopped assassinations, meddling in Yemen and other countries, or development of launch vehicles for space.
EB-5 Visa Fraud
Houston, Texas is the latest to cite a large EB-5 visa program for diversion of funds. In case you have forgotten, almost all of the EB-5 visas ever applied for are by Chinese citizens. This article does not say what the nationality of the people involved was, but the national statistics don't cover that up. This one is a little different because the participants are all Chinese:
"The project in Pearland, Texas, also had an unusual twist: Both the developers and Crown Point Regional Center, the firm that marketed the green cards abroad, are owned by the same listed Hong Kong company, Modern Land (China) Co. Ltd., according to documents reviewed by The Wall Street Journal."
So, it looks like the SEC will be investigating a Chinese company for defrauding Chinese investors. I doubt that is the only category of investors but that is harder to know for sure.
The good thing is that the abuses of the EB-5 have slowed down the issue of visas for the Chinese to the point that they find it less attractive. That will be true for a little while, but the 2020 elections are coming up and you can bet it will pick up again soon. EB-5 visa holders are allowed to donate to US political parties as if they were US citizens, and they do. The Chinese are good about following the laws that benefit them. This gives them cover for the funneling of political influence money that doesn't show up as foreign contributions. In Virginia, Terry McAuliffe was facilitating that distribution to the Clinton campaign and was cited for direct interference in the visa process by the Homeland Security IG. But, don't think it is only Democrats getting this money. The Chinese are equal opportunity employers.
Wednesday, January 9, 2019
Selling Data to Third Parties
I used to deal with large quantities of data that was given to different agencies as part of data sharing for intelligence purposes. Seldom did the people receiving that data protect it as well as the originator, even though there were requirements to do so. We could complain; we could encourage better safeguards. But, a common theme was a response somewhat like this: "When you gave that data to me, it became mine, and I decide how to protect it." As a practical matter, the owner of the data has to enforce requirements for protection or that statement becomes true.
Now comes a Motherboard story that describes how a third party vendor was able to track a phone using data it got from a national carrier. The data had been sold twice and was in the hands of companies violating the privacy policy of the carrier. It could have been sold 10 times for all the carrier knew, each time to another vendor who had no data protection requirements or the understanding of who owned that data.
The Federal government and the business community have allowed data protection policies to erode by sharing data under currently authorized procedures that are, in the words of Motherboard, unregulated. I'm wondering why it took a warrant to get this kind of data to track a terrorist and a third-party vendor can just buy the data and do the same thing. The carriers are playing both ends against the middle on this, requiring warrants before sharing data, but selling that data to third parties. Somehow, we can see the flaw in allowing that kind of policy to survive.
Tuesday, January 8, 2019
Be Careful What you Download?
When I used to teach users about security of their own systems I had a rule that expresses a problem with today's phone apps: If you can't do anything about a particular vulnerability, there is not much point in identifying it to most users. I know that sounds strange to some of you, but let me explain.
There was an article from Cult of Mac on some 14 apps (mostly games) that were found to be open to communications with a malware server. That is not usually a problem on Macs, yet anyone in security knows it can be one. It is just one a user can do very little about. Yes, they can be told to download apps from the App Store and not from third parties, but even that doesn't always work, as this example shows. Still, it is not a problem users can do anything about. The article ends with this: "Still, it’s yet another illustration of why you need to be careful with what you choose to download." Really? How does a user be careful about what they download?
Phishing is popular, and effective, because it is not a problem a user can do much about. The typical user in an office gets 80-90 emails a day. It is true they can look at the address to see if it is someone they know, but they cannot know everyone in a big company. They are being told not to open email attachments from anyone they don't know. That is pretty unrealistic, even if it is good advice. The solution is to do something about attachments, not educate users on what not to open.
In the case of apps, a user can be educated on where to get apps, but if you trust Apple's review of apps, the App Store is the place to go. I trust Apple. I don't trust Android apps because they don't get the same level of review. If there is a problem with Apple's apps, then report it to Apple, and users should demand tighter controls during the review process. Don't tell users to be more careful about which Apple apps they download. The users should be able to trust Apple too.
We are way past the days when a user could do much about the security of their own phone or computer. Yes, they can buy virus and web protection. They can know why to download from the App Store and not some third party sites. They can get a VPN and a few other things that reduce the typical vulnerabilities, without eliminating them.
I want the hard problems solved, not waved away by blaming users. Somebody get me a tool that will open those attachments, examine them and release them to the user. Demand better reviews of apps from the vendors. When we get a vendor with a product that connects to China and transmits data back there I want to know what vendor that was so I can avoid apps from that company. Apple has to tell me that, or stop the app from downloading until it is patched, neither of which they seem to be doing. We shouldn't have to rely on third-party security companies to identify this kind of problem. It is not sufficient to be better than Android. That doesn't protect us anymore.
Monday, January 7, 2019
Bizarre Twist in Turkey
Somehow, Turkey has decided it needs considerable logistics and air strike capabilities to fight in Syria against ISIS, and that should come from the US. Now we might be able to speculate about how this came to be because it comes very close behind the ill-advised announcement of a withdrawal by US forces from Syria. That came after the two presidents talked, though about what nobody seems to know.
So it seems that neither the president of the US nor Turkey has a good grasp of what was required to be done to meet the objectives. Their respective staffs have huddled and briefed their chains of command on what the Presidents should have known before they agreed to whatever it was they agreed to. So, now the US is not going to withdraw all of its support forces in Syria, and Turkey is not going to invade Syria without a lot of additional help from the US. Neither of the Presidents looks good on this.
Turkey was up to the brink of invading the North of Syria again, which appeared to be a bad situation for US troops there, and a worse one for the Kurds. Turkey said it was fighting terrorists, which is what they call all Kurds whether they are or not. The Russians helped Turkey win over some territory around Russian bases in the northwest of Syria. That seemed to have gone well, but either the Russians were not doing it again, or Turkey never asked. They did ask the US - finally. All that should have been done before any announcements about what either country was going to do.
China's Military Threat over Taiwan
It may look innocent enough on the surface, but it isn't. Chairman Xi is telling the Army to get prepared to wage war. It is easy enough to see that this threat is made over the inability to get Taiwan to agree to the Hong Kong approach to coming under Chinese rule. It didn't work well for Hong Kong, and it would work equally well for Taiwan, and they are smart enough to know it. This is the next step - to imply war can be the alternative to a "peaceful" takeover.
I have to say this is a little blunt force even for China. It is the kind of thing that Russia does now and again, but that China does not do very often. They must be getting frustrated at their inability to gain this territory. They are pressing a little too much as a result. It reduces the chance that Taiwan will even think about such a move, and it prepares China's enemies for the worst possible scenario.
This same thing happened years ago when I was in Ballistic Missile Defense. One of China's generals was replying to a question about a takeover of Taiwan and the resulting conflict that might result. The context was the US selling more aircraft to Taiwan, which we did. He said something like "We could detonate a nuclear weapon in the skies over Los Angeles and even things up". It was the same kind of over-the-top reaction to a difficult political and military stance. At the time, nobody took him seriously, and the government quickly explained how hard it was to control their generals (which I found absurd). It was an image the Chinese were trying to put into people's minds. That is all Xi is trying to do here. He wants to plant an image of war if he doesn't get his way.
This is not some general gone off the reservation this time. Xi is the Chairman of the Party and the President of the country, the President for Life. This kind of rhetoric at that level is not something we should expect, or allow to go unchallenged. So, while we have all those delegations over in China discussing better trade relations, maybe somebody should ask him if he really meant what he said. There is not much sense in patching up trade relations if he intends to take Taiwan with military force. Cutting off all trade now is a better option.
Thursday, January 3, 2019
Data Gathering by Chinese Apps
We have another case of Chinese excess in data gathering by its apps, this time a weather app. This time it is from TCL Communication Technology Holdings Ltd., of Shenzhen, China. "The app, called “Weather Forecast—World Weather Accurate Radar,” collects data including smartphone users’ geographic locations, email addresses and unique 15-digit International Mobile Equipment Identity (IMEI) numbers on TCL servers in China, according to Upstream Systems, the mobile commerce and security firm that found the activity."
We saw several cases of Chinese browsers collecting a lot more than this, but a common theme seems to be the IMEI number, which uniquely identifies a user to the Chinese intelligence services. Citizen Lab at the University of Toronto does some good work in this analysis and I have a couple of previous articles on those. I don't think there is any doubt that the Chinese government is requiring this kind of collection. There are too many instances of apps collecting similar types of information for this to be some company deciding to collect this kind of information on a user. Citizen Lab started with browsers and that demonstrated what was being collected. Once the Chinese get caught, they say they "correct" these apps, but don't believe that. They don't want to be caught collecting data outside of China, but they can route the collection storage to any country and get it in bulk when the time is right. Think about all the apps the Chinese control, many provided with the laptops and cell phones made there.
This calls for a good deal more testing of Chinese apps. A London-based security company should not have to be the one that discovers this kind of activity. Our governments should find it and publish the hell out of the results, then ban these apps from use in any product sold in the US. The Chinese are using their software to spy on people outside China. We need to disrupt those kinds of operations and have the Chinese focus on their own country, where it is acceptable.
Wednesday, January 2, 2019
China Threatens Taiwan Again
Chairman Xi can't seem to leave Taiwan alone. It might be a personality flaw, or just political pressure from folks at home. Again this week, he has threatened Taiwan with a forceful takeover, but talked out of both sides of his mouth by also saying it can be a peaceful takeover much like Hong Kong. That was probably not the best example he could have used, since the “one country, two systems” balancing act does not get very favorable reviews from people who live there. Just ask those booksellers who managed to get arrested and carted off to China how far that two systems approach goes. There are two systems only as long as Hong Kong follows China's lead. The political leadership is chosen from candidates approved by China, and Taiwan is not buying into that.
I'm more than a little curious as to why this issue is so important. One reason is certainly the lack of progress on bringing Taiwan into the fold. China did manage to get a number of countries to buy into the idea that Taiwan is really part of China, and got the airlines to list it as part of China in their flight destinations. People around the world saw that as absurd and petty, which pretty much sums things up.