The Cipher Brief spoke with Justin Harvey, CSO of Fidelis Cybersecurity, about the cyber threats posed by both China and Russia. According to Harvey, although last year’s agreement between U.S. President Barack Obama and China’s President Xi Jinping has resulted in a decrease in China’s cyber espionage, “The fight is not over” and China is “always going to be doing cyberespionage.” Further, Harvey voiced concern over Russia’s potential hacking into the DNC and involvement in the U.S. election, saying, “For them to get involved in our democratic process, it’s almost an attack on our sovereignty.”
The Cipher Brief: FireEye recently released a report, which discussed how the cyber agreement between U.S. President Barack Obama and China’s President Xi Jinping last year seems to have resulted in a decrease in Chinese economic espionage in the cyber domain. How do you see patterns of cyberespionage changing moving forward?
Justin Harvey: I want to go on record and say I was wrong last year. I was skeptical whether the Xi Jinping-Obama agreement was going to be effective. I was wrong. However, I want to caution you and the readers that just because there is a small downturn, it does not mean it’s over.
I was with a firm called Mandiant several years ago. We released the Advanced Persistent Threat 1 (APT1) report exposing China, and what we saw was that we had a large volume of threat intelligence, and that we only released 90 percent of it. We kept the remaining ten percent in reserve, and the Chinese systematically, methodically went through the report and only shut down the infrastructure for the 90 percent they knew that we knew about. What they did not know was that we had kept some in reserve and we were still monitoring that.
That’s the first point. Just because we’re seeing a downturn doesn’t mean it’s over. The fight is not over. I liken the Chinese usage or theft of our commercial and intellectual property to crystal meth. They cannot stop. They have reached a point with technology and their economy where it’s been boosted and injected full of our commercial intellectual property, but to sustain that technological advancement requires a lot more infrastructure, education, and people that they don’t have yet.
I am waiting for the other foot to drop on this one. I also think the Xi Jinping-Obama agreement really only covers cyberespionage for commercial purposes. Do you know how much that leaves open? Let’s just take the last five years of suspected Chinese breaches. OPM (Office of Personnel Management)? Not covered under the agreement. Anthem? Not covered under the agreement. Additional healthcare breaches? Not covered under the agreement. Defense industrial base breaches? Lockheed Martin and all the other defense guys, the fighter jet that was cloned? Doesn’t count because it wasn’t for commercial purposes.
There’s still quite a bit that leaves the door open. As a company, we are seeing a marked downturn in cyberespionage from China, but that does not mean that we’re still not seeing them conduct cyberespionage operations.
TCB: You mentioned the wide area that’s not covered by the agreement. How do you see patterns there changing in light of the fact that these functional agreements now have a precedent? How do you see the process by which people try to prevent or preempt cyberespionage changing?
JH: I don’t think that we can ever prevent cyberespionage. We’re living in a world where we’re seeing a pattern. If we follow the Chinese-U.S. pattern, we see public shaming in the news, then we see indictments, and then we see threat of sanctions. If it ever progresses further, there could be actual sanctions, which, in my mind don’t make a lot of sense, since we’d be sanctioning our biggest trade partner. But at the end of all of that, there is nothing that we can do.
We are living in a cyber cold war. The same is true for Russia. If the U.S. government releases evidence or publicly names Russia as the attacker into the DNC (Democratic National Committee) and/or subsequent leaks, sure we can shame them, indict them, and even sanction Russia. We can find embarrassing information on their major political party, which Americans don’t really care about. There’s nothing really in our arsenal that we can do short of something that’s more physical.
What I mean by that is, certainly U.S. Cyber Command is probably conducting offensive operations against other nation states as we speak. But, to the response, “we should hack back,” we’re already doing that. Nation states do that all the time. But what we can’t do is have the response to a leak be a hack into a power station that turns it off or something that is kinetic. I really do believe that the foreign policy red line for the United States and many other nation states is, “You do something physical to us, it will invoke a physical response.”
And when I say physical attack it could be cyber starting out – say melting a nuclear plant or turning electricity off for 12 hours. That crosses the red line. So we need to be really careful about how we use that power.
TCB: How do you see the situation developing moving forward?
JH: To examine the threat from China, I see this as either returning to normal levels in the future or very targeted acquisitions of commercial intellectual property where it makes the highest amount of sense. We’ll never see the previous levels, but we’re going to get close, and it’s going to come back. They’re always going to be doing cyberespionage.
Russia, on the other hand, I have a big fear about their involvement in the 2016 U.S. election. What I am concerned about is any sort of impropriety and compromising of voting machines, voting processes, or advertising campaigns. For them to get involved in our democratic process, it’s almost an attack on our sovereignty. Nation states will always try to grab political information to influence behind the scenes, but we’re seeing something much more direct, much more focused in these leaks. If it gets to the election and more stuff comes out to influence, I think it’s going to cause an uproar with the American people. We’ll have to see where we go from there.