Many of the details in the article are the result of court records, interviews, and assessments of Chinese media. It remains to be seen whether Chinese agents’ abilities to conduct ‘fox hunts’ will be impeded now that the US government is more aware of these operations. Given the attention and suspicion now cast towards citizens of China, however, there is also a risk that FBI agents may become overzealous in their investigations to the detriment of law-abiding Chinese-Americans or visitors from China.
In an ideal world there would be equivalent analyses or publications on the extent to which these operations are also undertaken in Canada. To date, however, there is no equivalent to ProPublica’s piece in the Canadian media landscape and given the Canadian media’s contraction we can’t realistically expect anything, anytime soon. However, even a short piece which assessed whether individuals from China who’ve run operations in the United States, and who are now barred from entering the US or would face charges upon crossing the US border, are similarly barred or under an extradition order in Canada would be a positive addition to what we know of how the Canadian government is responding to these kinds of Chinese operations.
Lotus Ruan and Gabrielle Lim have a terrific piece in Just Security which strongly makes the case that, “fears of Chinese disinformation are often exaggerated by overblown assessments of the effects of China’s propaganda campaigns and casually drawn attributions.”
The two make clear that there are serious issues with how some Western policy analysts and politicians are suggesting that their governments respond to foreign influence operations that are associated with Chinese public and private parties. To begin, the very efficacy of influence operations remains mired in questions. While this is an area that is seeing more research of late, academics and policy analysts alike cannot assert with significant accuracy whether foreign influence operations have any real impact on domestic opinions or feelings. This should call for conservatism in the policies which are advanced but, instead, we often see calls for Western nations to adopt the internet ‘sovereignty’ positions championed by Russia and China themselves. These analysts and politicians are, in other words, asserting that the only way to be safe from China (and Russia) is to adopt those countries’ own policies.
Even were such (bad) policies adopted, it’s unclear that they would resolve the worst challenges facing countries such as the United States today. Anti-vaxxers, pro-coup supporters, and Big Lie advocates have all been affected by domestic influence operations that were (and are) championed by legitimately elected politicians, celebrities, and major media personalities. Building a sovereign internet ecosystem will do nothing to protect from the threats that are inside the continental United States and which are clearly having a deleterious effect on American society.
What I think I most appreciated in the piece by Ruan and Lim is that they frankly and directly called out many of the so-called solutions to disinformation and influence operations as racist. As just one example, there are those who call for ‘clean’ technologies that juxtapose Western against non-Western technologies. These kinds of arguments often directly perpetuate racist policies; they will not only do nothing to mitigate the spread of misinformation but will simultaneously cast suspicion and violence towards non-Caucasian members of society. Such proposals must be resisted and the authors are to be congratulated for directly and forcefully calling out the policies for what they are instead of carefully critiquing the proposals without actually calling them as racist as they are.
Jonathan Zittrain, in remarks prepared a few weeks ago, framed Internet protocol standards in a novel way. Specifically, he stated:
Second, it’s entirely fitting for a government to actively subsidize public goods like a common defense, a highway system, and, throughout the Internet’s evolution, the public interest development of standards and protocols to interlink otherwise-disparate systems. These subsidies for the development of Internet protocols, often expressed as grants to individual networking researchers at universities by such organizations as the National Science Foundation, were absolutely instrumental in the coalescence of Internet standards and the leasing of wholesale commercial networks on which to test them. (They also inspired some legislators to advertise their own foresight in having facilitated such strategic funding.) Alongside other basic science research support, this was perhaps some of the best bang for the buck that the American taxpayer has received in the history of the country. Government support in the tens of millions over a course of decades resulted in a flourishing of a networked economy measured in trillions.
Zittrain’s framing of this issue builds on some writing I’ve published around standards. In the executive summary of a report I wrote a few months ago, I stated that,
… the Government of Canada could more prominently engage with standards bodies to, at least in part, guarantee that such standards have security principles baked in and enabled by default; such efforts could include allocating tax relief to corporations, as well as funding to non-governmental organizations or charities, so that Canadians and Canadian interests are more deeply embedded in standards development processes.
To date I haven’t heard of this position being adopted by the Government of Canada, or even debated in public. However, framing this as a new kind of roadway could be the kind of rhetorical framing that would help it gain traction.
Matt Tait, as normal, has good insights into just why the Kaseya ransomware attack[1] was such a big deal:
In short, software supply chain security breaches don’t look like other categories of breaches. A lot of this comes down to the central conundrum of system security: it’s not possible to defend the edges of a system without centralization so that we can pool defensive resources. But this same centralization concentrates offensive action against a few single points of failure that, if breached, cause all of the edges to fall at once. And the more edges that central failure point controls, the more likely the collateral real-world consequences of any breach, but especially a ransomware breach, will be catastrophic, and overwhelm the defensive cybersecurity industry’s ability to respond.
Managed Service Providers (MSPs) are becoming increasingly common targets. It’s worth noting that the Canadian Centre for Cyber Security’s National Cyber Threat Assessment 2020 listed ransomware as well as the exploitation of MSPs as two of the seven key threats to Canadian financial and economic health. The Centre went so far as to state that it expected,
… that over the next two years ransomware campaigns will very likely increasingly target MSPs for the purpose of targeting their clients as a means of scaling targeted ransomware campaigns.
Sadly, if not surprisingly, this assessment has been entirely correct. It remains to be seen what impact the 2020 threats assessment has, or will have, on Canadian organizations and their security postures. Based on conversations I’ve had over the past few months the results are not inspiring and the threat assessment has generally been less effective than hoped in driving change in Canada.
As discussed by Steven Bellovin, part of the broader challenge for the security community in preparing for MSP operations has been that defenders are routinely behind the times; operators modify what and who their campaigns will target and defenders are forced to scramble to catch up. He specifically, and depressingly, recognizes that, “…when it comes to target selection, the attackers have outmaneuvered defenders for almost 30 years.”
These failures are that much more noteworthy given that the United States has trumpeted for years that the NSA will ‘defend forward’ to identify and hunt threats, and respond to them before they reach ‘American cybershores’.[2] The seemingly now routine targeting of both system update mechanisms as well as vendors which provide security or operational controls for wide swathes of organizations demonstrates that things are going to get a lot worse before they’re likely to improve.
A course correction could follow from Western nations developing effective and meaningful cyber-deterrence processes that encourage nations such as Russia, China, Iran, and North Korea to punish computer operators who are behind some of the worst kinds of operations that have emerged in public view. However, this would in part require the American government (and its allies) to actually figure out how they can deter adversaries. It’s been 12 years or so, and counting, and it’s not apparent that any American administration has figured out how to implement a deterrence regime that exceeds issuing toothless threats. The same goes for most of their allies.
Absent an actual deterrence response, such as one which takes action in sovereign states that host malicious operators, Western nations have slowly joined together to issue group attributions of foreign operations. They’ve also come together to recognize certain classes of cyber operations as particularly problematic, including ransomware. Must nations build this shared capacity, first, before they can actually undertake deterrence activities? Should that be the case then it would strongly underscore the need to develop shared norms in advance of sovereign states exercising their latent capacities in cyber and other domains and lend credence to the importance of the Tallinn manual process. If, however, this capacity is built and nothing is still undertaken to deter, then what will the capacity actually be worth? While this is a fascinating scholarly exercise–it’s basically an opportunity to test competing scholarly hypotheses–it’s one that has significant real-world consequences and the danger is that once we recognize which hypothesis is correct, years of time and effort could have been wasted for little apparent gain.
What’s worse is that this even is a scholarly exercise. Given that more than a decade has passed, and that ‘cyber’ is not truly new anymore, why must hypotheses be spun instead of states having developed sufficient capacity to deter? Where are Western states’ muscles after so much time working this problem?
[1] As a point of order, when is an act of ransomware an attack versus an operation?
[2] I just made that one up. No, I’m not proud of it.
Roland Paris and Jennifer Walsh have an excellent, and thought-provoking, column in the Globe and Mail where they argue that Western democracies need to adopt a ‘democratic support’ agenda. Such an agenda has multiple points comprising:
States getting their own democratic houses in order;
States defending themselves and other democracies against authoritarian states’ attempts to disrupt democracies or coerce residents of democracies;
States assisting other democracies which are at risk of slipping toward authoritarianism.
In principle, each of these points makes sense and can interoperate with the others. The vision is not to inject democracy into states but, instead, to protect existing systems and demonstrate their utility as a way of weaning nations towards adopting and establishing democratic institutions. The authors also assert that countries like Canada should learn from non-Western democracies, such as Korea or Taiwan, to appreciate how they have maintained their institutions in the face of the pandemic as a way to showcase how ‘peer nations’ also implement democratic norms and principles.
While I agree with the positions the authors suggest, far towards the end of the article they delicately slip in what is the biggest challenge to any such agenda. Namely, they write:
Time is short for Canada to articulate its vision for democracy support. The countdown to the 2024 U.S. presidential election is already under way, and no one can predict its outcome. Meanwhile, two of Canada’s closest democratic partners in Europe, Germany and France, may soon turn inward, preoccupied by pivotal national elections that will feature their own brands of populist politics.
In warning that the United States may be an unreliable promoter of democracy (and, by extension, human rights and international rules and order which have backstopped Western-dominated world governance for the past 50 years) the authors reveal the real threat. What does it mean when the United States is regarded as likely to become more deeply mired in internecine ideological conflicts that absorb its own attention, limit its productive global engagements, and are used by competitor and authoritarian nations to warn of the consequences of “American-style” democracy?
I raise these questions because if the authors’ concerns are fair (and I think they are) then any democracy support agenda may need to proceed with the presumption that the USA may be a wavering or episodic partner in associated activities. To some extent, assuming this position would speak more broadly to a recognition that the great power has significantly fallen. To even take this as possible–to the extent that contingency planning is needed to address potential episodic American commitment to the agenda of buttressing democracies–should make clear that the American wavering is the key issue: in a world where the USA is regarded as unreliable, what does this mean for other democracies and how they support fellow democratic states? Do countries, such as Canada and others with high rule-of-law democratic governments, focus first and foremost on ‘supporting’ US democracy? And, if so, what does this entail? How do you support a flailing and (arguably) failing global hegemon?
I don’t pretend to have the answers. But it seems that when we talk about supporting democracies, and can’t rely on the USA to show up in five years, then the metaphorical fire isn’t approaching our house but a chunk of the house is on fire. And that has to absolutely be our first concern: can we put out the fire and save the house, or do we need to retreat with our children and most precious objects and relocate? And, if we must retreat…to where do we retreat?
… in the long term, agriculture presents perhaps the most significant illustration of how a warming world might erode America’s position. Right now the U.S. agricultural industry serves as a significant, if low-key, instrument of leverage in America’s own foreign affairs. The U.S. provides roughly a third of soy traded globally, nearly 40 percent of corn and 13 percent of wheat. By recent count, American staple crops are shipped to 174 countries, and democratic influence and power comes with them, all by design. And yet climate data analyzed for this project suggest that the U.S. farming industry is in danger. Crop yields from Texas north to Nebraska could fall by up to 90 percent by as soon as 2040 as the ideal growing region slips toward the Dakotas and the Canadian border. And unlike in Russia or Canada, that border hinders the U.S.’s ability to shift north along with the optimal conditions.
Now, the advantages faced by Canada might be eroded by a militant America, and those of Russia similarly threatened by a belligerent and desperate China (and desperate Southeast Asia more generally). Regardless, food and arable land are generally likely to determine which countries take the longest to suffer the most from climate change. Though, in the end, it’s almost a foregone conclusion that we are all ultimately going to suffer horribly for the errors of our ways.
“Hu Xijin, the editor of the Chinese state media outlet the Global Times, weighed in recently on the most recent merger proposal. “The US restructuring of TikTok’s stake and actual control should be used as a model and promoted globally,” remarked Hu on Twitter. “Overseas operation of companies such as Google, Facebook shall all undergo such restructure and be under actual control of local companies for security concerns.”
It’s not exactly a good sign for Chinese state media to tout a U.S. play designed to be “tough on China” as a model for global behavior. The United States may be bumbling its way into a precedent the consequences of which it has yet to anticipate.”
This was exactly the concern that was raised by experts in North America the second after the Trump administration proposed its bumblingly-stupid approach to TikTok. With the American policy in place it’s going to be that much harder for Western companies operating in China to have convincing arguments that they shouldn’t need to partner with Chinese organizations and engage in manufacturing, technology, or intellectual property disclosures as a condition of doing business in China. And the issue won’t end in China: American (and other countries’) businesses are almost certain to have (now) US-framed arguments thrown at them when operating all around the world whenever there is even a marginal ‘national security’ concern linked to the foreign company’s operations.
American institutions have suffered significantly under Trump and, moreover, public polarization and the movement of parts of the USA electorate (and, to different extents, global electorates) into alternate reality bubbles mean that the supports which are meant to facilitate peaceful transitions of power such that the loser can believe in the outcomes of elections are badly wounded. Democracies don’t die in darkness, per se, but through neglect and an unwillingness of the electorate to engage because change tends to be hard, slow, and incremental. There are solutions to democratic decline, and focusing on the next electoral cycles matters, but we can’t focus on elections to the detriment of understanding how to rejuvenate democratic systems of governance more generally.
Welcome to this edition of The Roundup! Enjoy the collection of interesting, informative, and entertaining links. Brew a fresh cup of coffee or grab yourself a drink, find a comfortable place, and relax.
For the past several weeks I’ve been sorting through all of the hundreds of photographs I’ve taken during the current state of pandemic we’re all living within. My photography is often a reflection—often unbeknownst to myself—of my thoughts and attitudes. The earliest weeks of the pandemic saw me making images of the city as though it were empty, grey, or isolated. And while those moods still pervade later photos, there are increasingly also bursts of colour and joy, though still mixed with an emptiness to the city that calls into question what things will be like in six, twelve, or twenty-four months’ time. Many of the shots I’m taking, now, still feel almost documentary in nature, but at what point does the documentation end, and it simply becomes contemporary street photography?
More simply, real change only happens when the thing that white supremacists fear becomes true: that the mainstream increasingly becomes rather than simply appropriates the “ethnic.”
Personal Photography Shots
I’ve been going out, once a week or so, to get a walk and make photos while walking around my city. Unlike past months, I’ve contributed a set of these rather than other artists’ images.
ZHU & Tinashe-Only (Single) // Beats by ZHU and vocals by him and Tinashe make for a very danceable track. I’m really hoping that they do more work together or, failing that, that we at least get more work from ZHU for the summer.
Yiruma-Room With A View (EP) // Without a doubt, Yiruma has created some of the most beautiful classical piano work that I’ve heard this year.
Kehlani-It Was Good Until It Wasn’t // The tracks “Can I” and “Everybody Business” are, for me, the real standouts on this album. I admit that I was hopeful that “Grieving”, with James Blake, would be really awesome, but their styles just didn’t quite seem to come together. Her work with Tory Lanez, as well as Jhené Aiko, is far more balanced given how their styles complement Kehlani’s own.
Barton Gellman—Dark Mirror // Gellman was one of three reporters who were directly entrusted with the Snowden archives, and spent years reporting out of the documents. His assessment of what it was like to report on what he learned, the nature of the surveillance apparatus, working with Ed Snowden, and his broader thoughts on the relationship between public government and national security are erudite and fantastically interesting. I’ve just devoured this book and cannot recommend it highly enough.
How Should Biden Handle China? // This piece is less useful, to be honest, in thinking through what policy the United States or its allies should adopt than in assessing engagement strategies that aren’t working. Setting aside the irregularities and chaos associated with the Trump administration’s approach, the assessment of how European efforts have been equally unhelpful is informative for guiding policy makers on what hasn’t worked even when policy activities have been carried out by governments with comparatively competent foreign policy bodies. While an understanding of what doesn’t work isn’t inherently useful in knowing what does work, it at least provides a set of strategies that seem to be unproductive to take up in a new administration.
1989-1996 Canadian Housing Collapse Looks Eerily Similar to Today // Economists around the world have been warning of a Canadian housing bubble for a very long time. But Canadians have ignored the warning and dove into the market on the dual fear that they would otherwise never be able to buy a home, and the notion that renting amounts to throwing money away. The result has been a lot of Canadians owning homes they can’t afford. As the bubble pops, we’re going to see just how much economic havoc is going to follow from these decisions for the housing market as well as the economy more broadly (housing, in Canada, constitutes one of the largest sectors in the economy).
The Jungle Prince of Delhi // I’ve had this article open to read for months and months, but kept not getting to it. That’s a shame, as it is (and remains) a terrific story filled with past dynasties, the histories of British colonialism, the hard task of journalism, and the capability of truth to be creatively imagined into being. I can’t recommend this detective piece highly enough.
Zetter’s book engages in a heroic effort to summarize, describe, and explain the significance of the NSA’s and Israel’s first ‘cyber weapon’, named Stuxnet. This piece of malware was used to disrupt the production of nuclear material in Iran as part of broader covert efforts to delimit the country’s ability to construct a nuclear weapon.
Multiple versions of Stuxnet were created, as were a series of complementary or derivative malware species with names such as Duqu and Flame. In all cases the malware was unusually sophisticated and relied on chains of exploits or novel techniques that advanced certain capabilities from academic theory to implementable practice. The reliance on zero-day vulnerabilities, or those for which no patches are available, combined with deliberate efforts to subvert the Windows Update system as well as use fraudulently signed digital certificates, bears the hallmarks of developers being willing to compromise global security for the sake of a specific American-Israeli malware campaign. In effect, the decision to leave the world’s computers vulnerable to the exploits used in the creation of Stuxnet demonstrates that offence was prioritized over defence by the respective governments and their signals intelligence agencies which authored the malware.
The book regales the reader with any number of politically sensitive tidbits of information: the CIA was responsible for providing some information on Iran’s nuclear ambitions to the IAEA, Russian antivirus researchers were monitored by Israeli (and perhaps other nations’) spies, historically the CIA and renowned physicists planted false stories in Nature, the formal recognition of cyberspace as the fifth domain of battle in 2010 was merely formal recognition of work that had been ongoing for a decade prior, the shift to a wildly propagating version of Stuxnet likely followed after close access operations were no longer possible and the flagrancy of the propagation was likely an error, amongst many other bits of information.
Zetter spends a significant amount of time unpacking the ways in which the United States government determines if a vulnerability should be secretly retained for government use as part of a vulnerabilities equities process. Representatives from the Department of Homeland Security who were quoted in the book noted that they had never received information from the National Security Agency of a vulnerability and, moreover, that in cases where the Agency was already exploiting a reported vulnerability it was unlikely that disclosure would happen after entering the vulnerability into the equities process. As noted by any number of people in the course of the book, the failure by the United States (and other Western governments) to clearly explain their vulnerabilities disclosure processes, or the manners in which they would respond to a cyber attack, leaves unsettled the norms of digital security as well as leaves unanswered the norms and policies concerning when (and how) a state will respond to cyber attacks. To date these issues remain as murky as when the book was published in 2014.
The Countdown to Zero Day, in many respects, serves to collate a large volume of information that has otherwise existed in the public sphere. It draws in interviews, past technical and policy reports, and a vast quantity of news reports. But more than just collating materials it also explains the meanings of them, draws links between them that had not previously been made in such clear or straightforward fashions, and explains the broader implications of the United States’ and Israel’s actions. Further, the details of the book render (more) transparent how anti-virus companies and malware researchers conduct their work, as well as the threats to that work in an era when a piece of malware could be used by a criminal enterprise or a major nation-state actor with a habit of proactively working to silence researchers. The book remains an important landmark in the history of security journalism, cybersecurity, and the politics of cybersecurity. I would heartily recommend it to a layperson and expert alike.