Risk
6/10/2013
06:41 PM
Connect Directly
RSS
E-Mail
50%
50%

U.S.-Chinese Summit: 4 Information Security Takeaways

What did the summit accomplish with regard to cyber spying and cyber attacks -- and what's left undone?

The Syrian Electronic Army: 9 Things We Know
(click image for larger view)
The Syrian Electronic Army: 9 Things We Know
Don't expect advanced persistent threat (APT) attacks emanating from China to stop anytime soon.

During a historic, two-day summit last week, President Barack Obama and Chinese president Xi Jinping spent eight hours discussing numerous issues of mutual concern. Results included new agreements on greenhouse gas emissions and North Korea; plans to run a joint naval exercise next summer; and, for Xi, the gift of a bench made of redwood.

But absent from the summit was any resolution regarding U.S. government allegations that APT groups operating from China have been waging a sustained and successful online industrial espionage campaign against U.S. government agencies and businesses, including defense contractors.

[ China accuses the U.S. of the same cyber intrusions. Read China To America: You Hack Us, Too. ]

The White House did, however, address information security concerns during the summit. Here are the takeaways:

1. Chinese Now More Aware, Says White House

Simply put, the White House had little to show on the information security front after the two-day talks in California, which began Friday. "The President made clear the threat posed to our economic and national security by cyber-enabled economic espionage," said the President's national security adviser, Tom Donilon, in a press briefing Saturday. "The President underscored that resolving this issue is really key to the future of U.S.-China economic relations."

2. White House Continues To Pursue Diplomacy

Still, some progress has been made. Donilon said that a three-part diplomatic strategy, hammered out in March 2013, had to begin by first getting China to even discuss cybersecurity, which it previously hadn't done. "I think this concern is acknowledged at this point," he said.

Second, the White House has asked China to investigate industrial espionage operations being run from inside its borders, "and the Chinese have agreed to look at this," Donilon said. Finally, he said that China agreed "to engage in a dialogue with the United States on norms and rules -- that is what is acceptable and what's not acceptable in the realm of cyber." The presidents also agreed to the creation of a cybersecurity working group that will begin meeting in July, and meet regularly thereafter.

3. China Talks Cybercrime Generalities

China has previously responded to allegations leveled by the U.S. government -- that the Chinese government supports a number of APT attack groups -- by saying that China gets hacked too, and President Xi reportedly emphasized that again during the summit.

But Donilon said the White House has been attempting to push beyond bland generalities about global cybercrime. "The discussion that we're having with China with respect to this topic is really not focused on cyber hacking and cybercrime," he said. "These are problems that we've faced and we've faced jointly."

"The specific issue that President Obama talked to President Xi about today is the issue of cyber-enabled economic theft -- theft of intellectual property and other kinds of property in the public and private realm in the United States by entities based in China," he said Saturday.

4. Chinese Media Downplays Cyber Angle

Diplomatically speaking, China is now striking a more conciliatory cybersecurity note, with government officials at least mentioning the word publicly. "At this summit, Xi told Obama that cybersecurity should be a new highlight of bilateral cooperation instead of a source of suspicion and friction," said China's official Xinhua News Agency. "They agreed to strengthen dialogue, coordination and cooperation through the already-established cyber working group."

But in recent days, multiple official Chinese press outlets have suggested that the U.S. media has been obsessing over information security. For example, political science professor Zhu Zhiqun at Bucknell University in Lewisburg, Pa., told the state-owned China Daily that many Western media outlets had focused on cybersecurity "without a proper understanding of the complex relationship between the two great powers."

"Cybersecurity is hardly a major issue between the two countries," claimed Zhu.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0640
Published: 2014-08-20
EMC RSA Archer GRC Platform 5.x before 5.5 SP1 allows remote authenticated users to bypass intended restrictions on resource access via unspecified vectors.

CVE-2014-0641
Published: 2014-08-20
Cross-site request forgery (CSRF) vulnerability in EMC RSA Archer GRC Platform 5.x before 5.5 SP1 allows remote attackers to hijack the authentication of arbitrary users.

CVE-2014-2505
Published: 2014-08-20
EMC RSA Archer GRC Platform 5.x before 5.5 SP1 allows remote attackers to trigger the download of arbitrary code, and consequently change the product's functionality, via unspecified vectors.

CVE-2014-2511
Published: 2014-08-20
Multiple cross-site scripting (XSS) vulnerabilities in EMC Documentum WebTop before 6.7 SP1 P28 and 6.7 SP2 before P14 allow remote attackers to inject arbitrary web script or HTML via the (1) startat or (2) entryId parameter.

CVE-2014-2515
Published: 2014-08-20
EMC Documentum D2 3.1 before P24, 3.1SP1 before P02, 4.0 before P11, 4.1 before P16, and 4.2 before P05 does not properly restrict tickets provided by D2GetAdminTicketMethod and D2RefreshCacheMethod, which allows remote authenticated users to gain privileges via a request for a superuser ticket.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Three interviews on critical embedded systems and security, recorded at Black Hat 2014 in Las Vegas.