The second annual Sino–US High-Level Dialogue on Cybercrime and Related Issues was held last Wednesday in Beijing. According to a Department of Homeland Security press release, the ministerial-level meeting agreed on several new initiatives, including a second cybercrime table top exercise and implementation of the ‘US–China Cybercrime and Related Issues Hotline Mechanism’ before September 2016. The US and China also agreed to increase bilateral exchange of cybercrime information and further cooperation in several areas, including the misuse of technology and communications for terrorist activities. In The Diplomat, Franz-Stefan Gady noted that the countries’ cooperation on terrorism is particularly ‘striking’, given their very different understandings of what might be classified as terrorism.
Talks such as this are one part of the US strategy to address cyber incidents linked to China, a strategy that not all parts of the US establishment agree is effective. However, a new report from FireEye seems to indicate that something is working, as the activity of Chinese-linked Advanced Persistent Threats (APT) observed by FireEye has declined significantly since 2013. FireEye believes that there are several probable causes, including its own ‘APT1’ report, US legal action against PLA hackers, and reports that the US was considering sanctions against China before the visit of Xi Jinping in September 2015. In that time there has also been a complete reorganisation of China’s military, which included the establishment of the Strategic Support Force incorporating the PLA’s cyber personnel. This doesn’t mean China is no longer a threat, and the report notes China’s cyber operations have become ‘more focused, calculated, and still successful in compromising corporate networks’.
Russian cyber capability is also under an increasingly bright spotlight this week, as NATO, ahead of its summit in Warsaw next month, considers its response to Russia’s increasing use of ‘grey zone’ strategies such as cyber operations. In The New York Times, David Sanger has critically reviewed NATO’s approach to cyberspace, specifically its passive approach to cyber threats and the hesitance of the US and UK to share cyber capability with other members. Sanger quotes RAND’s Martin Libicki, who said that Russia’s cyber activities are part of a broader Russian strategy to spread misinformation to keep NATO partners off-balance and intimidate the smaller members of the alliance.
Over at DefenseOne, Jarno Limnell from Finland has also called for a stronger response to Russian cyber activity. Limnell emphasises the threat that the complexity of Russian cyber operations poses to security, and the muted response of the west so far, noting that ‘Russia is at the forefront of the global move toward a greater strategic use of cyber capabilities to persuade adversaries to change their behaviour’. That goes some way towards explaining the news in Der Spiegel this week that German security agencies have concluded that Daesh’s ‘Cyber Caliphate’ is more likely a Russian enterprise with no connection to Daesh. Russia’s cyber expertise extends to the criminal sphere also, with Kaspersky Lab researchers releasing information this week on a Russian cybercrime forum that sells access to compromised servers, pre-loaded with all the software required for a plethora of malicious cyber activities, for as low as AU$8.
In the UK, the Parliamentary Inquiry by the Culture, Media and Sport Committee into last year’s hack at telco TalkTalk has produced its first report. The report made 17 recommendations to improve cyber security practice and protection of personal data. Among the recommendations was the suggestion that ‘CEO compensation should be linked to effective cybersecurity’ and that companies be fined for cyber security breaches. It was also proposed that fines increase in severity if the breach is the result of the exploitation of well-known vulnerabilities. The Committee noted its surprise that developers of major new IT systems and applications aren’t required to incorporate security considerations, and recommended that ‘security by design’ become a core principle for new systems.
Export controls for cyber security and encryption products are on the agenda at the next round of Wassenaar Arrangement talks in Vienna this week. The US is seeking to reverse the previously agreed restrictions, which it believes restrict the export of legitimate cyber security software and technology. The restrictions—which Australia has incorporated into its Defence and Strategic Goods List of export controlled items—are intended to prevent technology such as cyber intrusion software being provided to authoritarian regimes. Meanwhile, major cyber security exporter Israel has just finalised a review of its cyber export requirements to try to balance the Wassenaar requirements and the health of its cyber security industry. Israel’s National Cyber Directorate and Ministry of Economy will establish a new agency to manage the export of cyber technologies. This does, however, exclude the technologies being supplied to security agencies and military users, which will remain under the oversight of the Defence Ministry’s Defence Export Controls Agency.
And finally—if dystopian visions of a looming cyber apocalypse are your preferred bedtime reading—check out this annotated account of a future cyber-attack from New York Magazine.