Risk
6/10/2013
06:41 PM
50%
50%

U.S.-Chinese Summit: 4 Information Security Takeaways

What did the summit accomplish with regard to cyber spying and cyber attacks -- and what's left undone?

The Syrian Electronic Army: 9 Things We Know
(click image for larger view)
The Syrian Electronic Army: 9 Things We Know
Don't expect advanced persistent threat (APT) attacks emanating from China to stop anytime soon.

During a historic, two-day summit last week, President Barack Obama and Chinese president Xi Jinping spent eight hours discussing numerous issues of mutual concern. Results included new agreements on greenhouse gas emissions and North Korea; plans to run a joint naval exercise next summer; and, for Xi, the gift of a bench made of redwood.

But absent from the summit was any resolution regarding U.S. government allegations that APT groups operating from China have been waging a sustained and successful online industrial espionage campaign against U.S. government agencies and businesses, including defense contractors.

[ China accuses the U.S. of the same cyber intrusions. Read China To America: You Hack Us, Too. ]

The White House did, however, address information security concerns during the summit. Here are the takeaways:

1. Chinese Now More Aware, Says White House

Simply put, the White House had little to show on the information security front after the two-day talks in California, which began Friday. "The President made clear the threat posed to our economic and national security by cyber-enabled economic espionage," said the President's national security adviser, Tom Donilon, in a press briefing Saturday. "The President underscored that resolving this issue is really key to the future of U.S.-China economic relations."

2. White House Continues To Pursue Diplomacy

Still, some progress has been made. Donilon said that a three-part diplomatic strategy, hammered out in March 2013, had to begin by first getting China to even discuss cybersecurity, which it previously hadn't done. "I think this concern is acknowledged at this point," he said.

Second, the White House has asked China to investigate industrial espionage operations being run from inside its borders, "and the Chinese have agreed to look at this," Donilon said. Finally, he said that China agreed "to engage in a dialogue with the United States on norms and rules -- that is what is acceptable and what's not acceptable in the realm of cyber." The presidents also agreed to the creation of a cybersecurity working group that will begin meeting in July, and meet regularly thereafter.

3. China Talks Cybercrime Generalities

China has previously responded to allegations leveled by the U.S. government -- that the Chinese government supports a number of APT attack groups -- by saying that China gets hacked too, and President Xi reportedly emphasized that again during the summit.

But Donilon said the White House has been attempting to push beyond bland generalities about global cybercrime. "The discussion that we're having with China with respect to this topic is really not focused on cyber hacking and cybercrime," he said. "These are problems that we've faced and we've faced jointly."

"The specific issue that President Obama talked to President Xi about today is the issue of cyber-enabled economic theft -- theft of intellectual property and other kinds of property in the public and private realm in the United States by entities based in China," he said Saturday.

4. Chinese Media Downplays Cyber Angle

Diplomatically speaking, China is now striking a more conciliatory cybersecurity note, with government officials at least mentioning the word publicly. "At this summit, Xi told Obama that cybersecurity should be a new highlight of bilateral cooperation instead of a source of suspicion and friction," said China's official Xinhua News Agency. "They agreed to strengthen dialogue, coordination and cooperation through the already-established cyber working group."

But in recent days, multiple official Chinese press outlets have suggested that the U.S. media has been obsessing over information security. For example, political science professor Zhu Zhiqun at Bucknell University in Lewisburg, Pa., told the state-owned China Daily that many Western media outlets had focused on cybersecurity "without a proper understanding of the complex relationship between the two great powers."

"Cybersecurity is hardly a major issue between the two countries," claimed Zhu.

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
DNS Threats: What Every Enterprise Should Know
Domain Name System exploits could put your data at risk. Here's some advice on how to avoid them.
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio

The cybersecurity profession struggles to retain women (figures range from 10 to 20 percent). It's particularly worrisome for an industry with a rapidly growing number of vacant positions.

So why does the shortage of women continue to be worse in security than in other IT sectors? How can men in infosec be better allies for women; and how can women be better allies for one another? What is the industry doing to fix the problem -- what's working, and what isn't?

Is this really a problem at all? Are the low numbers simply an indication that women do not want to be in cybersecurity, and is it possible that more women will never want to be in cybersecurity? How many women would we need to see in the industry to declare success?

Join Dark Reading senior editor Sara Peters and guests Angela Knox of Cloudmark, Barrett Sellers of Arbor Networks, Regina Wallace-Jones of Facebook, Steve Christey Coley of MITRE, and Chris Roosenraad of M3AAWG on Wednesday, July 13 at 1 p.m. Eastern Time to discuss all this and more.