That recent Senate Homeland Security and Governmental Affairs Committee report on federal cybersecurity has cyber experts worried. It found that seven departments hadn’t fixed serious deficiencies the same committee identified two years earlier. For what it means in terms of spying, Federal Drive with Tom Temin talked with Weifeng Zhong, a senior fellow at the Mercatus Center at George Mason University.
Insight by Verizon: Learn about the progress that the Pentagon is making in finding real value out of 5G and its future across DoD.
Weifeng Zhong: You reference the report that came out two years ago, which shows that all agencies are failing, and this time it’s seven. So it’s very marginally better. But there’s actually another report produced by the Government Accountability Office, GAO, so they did an audit in 2010, in which they found out over 3,000 items that they said federal agencies need to fix, guess how many are still there? 10 years later, they’re still over 7000 that are not fixed. So the progress is very slow. But on the other hand, what we have seen on the China side is that not long after China joined the WTO. China has been in a process of institutionalizing some of the bad practices into the core of their industrial strategy, including cyber espionage. For example, when they hack American federal agencies, the purposes are often to benefit their own industrial policy, which was to steal intellectual properties. And so all these behaviors that we saw in the past, but they were more or less passively allowed, but now it’s more to work being sponsored by the government and to benefit the entire Chinese economy. So that’s the approach that’s very concerning.
Tom Temin: It’s not unlike what we suspect of Russia too for that matter.
Weifeng Zhong: Right. But I think there’s some key difference between Russian hacks and Chinese hacks, in the sense that the Russian economies, the power is just not there, but the Chinese economy has the possibility even with or without the intention, at least it has the possibility to threaten the US led liberal world order. So that’s the difference I see between Russian and Chinese hacks.
Tom Temin: Sure, yeah. 100 million people versus a billion people makes a big difference on the world stage. And what is the general methodology of this type of espionage? Because they could simply use phishing, which no cybersecurity measures can help necessarily, if someone voluntarily gives information or passwords, thinking that the emails coming from a trusted source, then there’s old fashioned hacking, getting through the network and getting into the system and giving yourself administrative rights and so forth. How do they generally do it, those types of attacks that originate in China?
Weifeng Zhong: I think the techniques so far that we have seen in reporting seems to be quite diverse. For example, the Chinese state sponsor hackers, they went up to NASA. And the way they did is actually through one employee who, obviously violating copyright laws, right. So they tried to use computers at NASA to mine Bitcoin. And so that gave an opening for the Chinese hackers. So I think there are various types and various techniques. And it’s hard to say, which actually makes it very important for federal agencies to share information among them to learn about the patterns of Chinese hex.
Tom Temin: Plus, it doesn’t give them any room to leave any part of cybersecurity unattended to, if the attacks have all this diversity, then you’ve got to be ready on all fronts.
Weifeng Zhong: Right. And it has to be the norm Anyway, why? because technology is always evolving. And there are loopholes in the cyber security world where it just comes up. And then it provides new opportunities or bad actors. It’s a very constantly dynamically changing world.
Tom Temin: We’re speaking with Weifeng Zhong, he’s senior fellow at the Mercatus Center at George Mason University. And so the senate committee recently, in the past couple of weeks made some recommendations for an oversight structure, and for reporting structure. But of course, it can’t prescribe people to do your patches on Tuesday, and fix your buffer overflows on Thursday, this kind of prescriptive stuff. So what should agencies actually be doing at this point?
Weifeng Zhong: I think there’s one effort that comes out from the new Biden administration that’s promising, which is that the newly named office, the National Cyber Director, now that office is not funded yet, it’s part of the infrastructure bill, and we’ll see what happens. But at least that effort, it’s going toward the direction of coordinating among federal agencies. And so that I assume, will include, for example, prescribing rules regarding whether you should retire your legacy systems and by when you should install security patches, those efforts, I think would be low hanging fruit, and that will fix a lot of problems.
Tom Temin: Now, the idea of the patches and so forth, and keeping up with what’s on your network and your routers that seems to perpetrate the old model of computing or every agency had a data center and it had a network and it had terminals and PCs, etc. The cloud now is really where so much more work is going on. These are commercial entities that have their own interest in being cybersecure. But it does complicate the picture for the customer agency.
Weifeng Zhong: Right. And it’s very important to know that because different federal agencies, they have information about American citizens in different dimensions, right? So maybe HSS has some part of information about you, Tom, something that concerns the HSS, right, and then do do it may have something else. And so it started that to make sense that they have their own cybersecurity system to guard their own part of the data about American citizens. But then from the hackers perspective, if you could get your hands on, say, a couple of agencies, you could potentially triangulate and learn a lot more about American people. And you don’t necessarily need to have all the agencies. And so that calls for ever more important in, you know, coordinating these agencies and make sure that we have a uniform standard, because it doesn’t take all of them to lose the American’s information.
Tom Temin: Does your research or your sense of things tell you that the United States is also spying on China, or should it?
Weifeng Zhong: That I do not know, it’s not a part of my research. I guess it’s part of the toolbox of the US government because one of the responses that were being discussed in terms of like, how do we get back at China was the weather we have them back, right. So I think, technically speaking, the US government has the capabilities. Now, the US policymakers seem more reluctant to hack back at China than they would have back at Russians, which I suspect is mainly driven by economic considerations, right, because we are more engaged economically with China. And the stakes are just much higher than with the Russian economy. And all of this raises the importance of supply chain security, because so much of defense work and other spy craft is done by contractors. And they have a lot of information that is simply that of the federal government, and would be strategically important in the wrong hands.
Tom Temin: So the CMMC program is on pause for review. But in general, it seems like that’s a well placed concern is for the government to really put some pressure on the suppliers to keep themselves secure.
Weifeng Zhong: Absolutely. I think this points to a much larger problem, in my opinion, about the US China economic engagement in the past 20 years, especially since China joined the WTO. Because the way we have been dealing with China was that you remember when China first joined the WTO, but people have the belief that it might not only reform the economy in a more pro market way, but it might at some point turn into a liberal democracy in the future, right. So it will no longer be a communist threat to the rest of the world. So what we didn’t see actually was that it didn’t go that way. Right. So it’s surprising to us policymakers, it’s surprising to many people in China to where I grew up. And I’ve seen people back in the early 2000s, being very optimistic about the country going into a more open direction. It didn’t turn out that way for those people in China either. And the problem now I see about us policymaking is that because we have been dealing with China with too much trust that’s not warranted. So it’s as if you’re owning a house without a home insurance, and all of a sudden the house catches on fire, right? And all of a sudden, you realize that you don’t have remedies. So all these supply chain security issues is in my view, the realization that all of a sudden we need a home insurance plan. So let’s get our plan together in case something goes wrong again in the future, we have remedies.