But the move reflects a long-term trend in China, Russia, Iran and other U.S. adversary nations where criminal hackers frequently aid state intelligence services when asked, and government and military employees often moonlight by hacking for profit.
“China has now taken its place, alongside Russia, Iran and North Korea, in that shameful club of nations that provide a safe haven for cybercriminals in exchange for those criminals being ‘on call’ to work for the benefit of the state, here to feed the Chinese Communist Party’s insatiable hunger for American and other non-Chinese companies’ hard-earned intellectual property, including covid-19 research,” said John C. Demers, head of the Justice Department’s National Security Division.
Demers accused Chinese officials of being “willing to turn a blind eye to prolific criminal hackers operating within its borders." The indictments came the same day U.S. officials ordered China to close a consulate in Houston and amid a roiling conflict between the nations over intellectual property theft, the coronavirus and China's recent crackdown in Hong Kong.
Enlisting criminals to do government hacking work has long been common in Russia.
That has resulted in a cadre of Russian cybercriminals who operate with relative impunity and often have strong links to the government. One prominent example was Roman Seleznev, the son of a high-ranking Russian parliamentarian who stole millions from Americans in credit card hacking schemes.
Seleznev was sentenced to 27 years in U.S. prison in 2017 after he was arrested during a vacation in the Maldives and extradited to the United States.
It’s long been common in China for military hackers to hack for profit during their off hours. But inviting criminals to help do state business is somewhat more novel.
“This is a system that’s been used by Russia for years and it’s being emulated by other adversaries,” Tom Kellermann, head of cybersecurity strategy at the software company VMWare, told me.
He compared it to narcotics traffickers acting with impunity in Latin America.
“This is a protection racket we’ve seen before,” Kellermann said. “Russia pioneered this [scenario] where cybercriminals understand that if they act like cyber militias, they’ll be untouched and untouchable by Western law enforcement.”
While the systems function similarly in Russia and China, China probably retains greater control over the sort of cybercrime that happens inside its territory.
“Russia’s essentially a haven where you can be a [cyber]criminal and if you work out a deal with the [state intelligence services] and do them favors, they leave you alone,” Jim Lewis, a cybersecurity expert at the Center for Strategic and International Studies, told me. “In China it’s more complicated. They treat you more like a contractor.”
The Chinese government also has an extensive system to monitor and censor Internet traffic — often called the “great firewall of China” — which gives officials much greater insight into what criminal hackers are doing and how they can best be pressed into service.
Dong and Li’s hacking targets displayed a mix of Chinese state targets and their own financial interests.
In addition to coronavirus research, the pair targeted high-tech manufacturing, pharmaceuticals and gaming software development companies. They also targeted human rights activists, Hong Kong protesters and the office of the Dalai Lama.
The pair stole terabytes of trade secrets and other data from Western companies over more than a decade. The victim list includes companies in California, Maryland, Washington state, Texas, Virginia and Massachusetts, according to the indictment, which didn’t share the companies’ names.
More recently they “researched vulnerabilities in the networks of biotech and other firms publicly known for work on covid-19 vaccines, treatments, and testing technology.” The Justice Department did not say whether they successfully stole any vaccine data.
The pair was also willing to resort to criminal shakedown techniques. In at least one case they threatened to release source code they’d stolen unless the victim they filched it from paid them off with cryptocurrency, the indictment states.
They’re facing 11 counts of conspiring to access computers without authorization, conspiring to steal trade secrets and aggravated identity theft, among other charges.
“China steals intellectual property and research which bolsters its economy, and then they use that illicit gain as a weapon to silence any country that would dare challenge their illegal actions,” FBI Deputy Director David Bowdich said. “This type of economic coercion is not what we expect from a trusted world leader. It is what we expect from an organized criminal syndicate.”
The porous border between government and criminal hackers also makes it far tougher to combat global cybercrime.
It's effectively guaranteed, for example, that China will never extradite Dong and Li, to the United States to face charges.
“What would you call a game where one side plays by the rule and the other side says it won’t? That’s the game we’re in,” Lewis said. “The Chinese and Russians won’t respect international law unless it’s enforced.”
It’s also more difficult for countries to reliably agree about anything that’s off limits for hacking because governments can claim not to be responsible for what cybercriminals in their territory are doing.
“It definitely makes it difficult to be optimistic that you’re going to get to a set of cyber norms,” Adam Segal, a cybersecurity and China expert at the Council on Foreign Relations, told me. “Even if state representatives agree to them, they can just say, ‘These are criminal hackers and we just can’t rein them in.’ ”
With four months to go, state and county election officials are still behind on basic cybersecurity.
Some local election officials are still sharing passwords among multiple people, storing lists of passwords in unencrypted formats where hackers can scoop them up and using default passwords that came with their computer programs, Matt Masterson, a top election security official at the Department of Homeland Security, said during a meeting of the National Association of Secretaries of State.
It’s also taking state and local election offices 30 to 60 days to patch known computer bugs, Masterson said. That lag time is a vast improvement from just two years ago but it still gives hackers far too many opportunities to use those bugs to break into election systems and steal or corrupt data, he said. In many cases, local election officials want to patch those bugs more quickly but don’t have the necessary technology and cybersecurity staff to do it, he said.
Election officials aren’t doing much worse on cybersecurity than some other major industry sectors but the consequences could be particularly grave. “The difference is everyone's watching,” Masterson said.
On the positive side, most of the big problems can be fixed before November if local election offices buckle down. "There's still lots that can be done in the next several weeks" before the election, Masterson said.
Facebook is taking flak for putting the same label on posts about voting by both President Trump and Joe Biden.
The president's Facebook post was an attack on mail voting, which the president claims without evidence, enables widespread cheating. “Mail-In Voting, unless changed by the courts, will lead to the most CORRUPT ELECTION in our Nation’s History! #RIGGEDELECTION,” Trump posted.
Biden's post read, “We have to vote Donald Trump out this November,” and solicited donations.
The label links to the federal government's website about absentee voting. It's different from the one Facebook uses to flag content that's “newsworthy” but may violate its policies, Rachel Lerman reports.
Biden spokesman Bill Russo slammed the company for implying the posts were equivalent.
Facebook has pledged to remove posts that suppress voting in the days ahead of the election. But it's resisted calls to fact check the president's false and misleading claims, even as Twitter has proved more willing to do so.
Roger McNamee, author of “Zucked: Waking Up to the Facebook Catastrophe":
Twitter, which added fact-check labels to previous Trump tweets accusing mail-in ballots of being fraudulent, did not label a similar post, citing its policy not to take actions against “broad, nonspecific statements."
South Korea's coronavirus tracing app could have exposed the location of quarantined users.
The app exposed the names and locations of people in quarantine. It also could have allowed hackers to tamper with data to mislead the app about a quarantined individual's location, the New York Times reports.
Researcher Frédéric Rechtenstein also found that the app made it easy for hackers to steal user data. It kept receiving data from users after their quarantine ended, despite claims to the contrary.
South Korean officials fixed the app after the New York Times and Rechtenstein contacted them about the vulnerabilities. There's no evidence hackers actually penetrated the app, officials told The Times.
The incident highlights the ongoing risks as governments rush to deploy technology to combat the pandemic. South Korean officials justified rushing out the app by saying it was necessary to protect citizens' health.
"We could not afford a time-consuming security check on the app that would delay its deployment," said Jung Chan-hyun, an official at the Ministry of the Interior and Safety’s disaster response division.
Senate Republicans gave Biden's warning about Russian election interference an icy reception.
"I think to sound an alarm is to be ignorant of everything that we’ve done since 2016," said Sen. Richard Burr (R-N.C.), who chaired the Senate Intelligence Committee until recently.
Sen. Marco Rubio (R-Fla.), the acting chairman of that committee, agreed.
“It’s not new. It’s something we’re going to face for a long time, unfortunately,” said Rubio. He said he did not know what incidents Biden was citing.
The House passed a major defense bill with big cybersecurity reforms.
Those include creating a new cyber czar at the White House and banning the Chinese app TikTok from government phones. The bill also grants subsidies to help U.S. companies compete with China for semiconductor productions. It's not clear if those provisions will make it into the Senate version of the bill, which is being debated now.
The White House threatened to veto the bill over provisions that would rename some military bases named for Confederate leaders. The bill passed with a veto-proof majority.
More Hill news:
Twitter banned 7,000 accounts spreading the QAnon conspiracy theory and is now banning Internet addresses with the term. Here's Joan Donovan, research director at the Shorenstein Center on Media, Politics and Public Policy at Harvard University, on why it matters:
- Foreign Policy and Nokia will host an event on "5G Global Power Plays: Risks and Opportunities" today at 11 a.m.
- The Senate Rules Committee will hold a hearing on general-election preparations on Wednesday at 10:30 a.m.
- The Senate Commerce Committee will hold a hearing on The PACT Act and Section 230 on Tuesday at 10 a.m.
Secure log off
How are candidates making ads during the pandemic? This video explains: