
Hackers Are Exporters Too


Posted by at 5:50 pm on May 28, 2013
Category: DDTC, Deemed Exports

By Poa Mosyuen (Own work) [CC-BY-SA-3.0 (http://creativecommons.org/licenses/by-sa/3.0)], via Wikimedia Commons http://commons.wikimedia.org/wiki/File:HK_%E7%9F%B3%E5%A1%98%E5%92%80%E5%B8%82%E6%94%BF%E5%A4%A7%E5%BB%88_Shek_Tong_Tsui_Municipal_Services_Building_%E9%9B%BB%E8%85%A6%E9%8D%B5%E7%9B%A4_Chinese_input_keyboard_Jan-2012.jpg

The Washington Post reported today that a confidential report from a Pentagon advisory group indicated that Chinese hackers had obtained sensitive military plans for a number of defense systems, including the Patriot Missile PAC-3, the F/A-18 fighter jet, the V-22 Osprey, the Black Hawk helicopter and the Navy’s new Littoral Combat Ship. The report did not specify whether these plans had been obtained by hackers from computers operated by the U.S. government or by the defense contractors involved.

So with this blockbuster revelation in hand, think for a moment about the ITAR-controlled technical data sitting on your computer system. You’ve gone to all the trouble to secure these files and prevent access by persons in your company who aren’t U.S. nationals. Then you’re hacked and this data is exfiltrated to China. What now?

Well, for starters, consider this: the definition of “export” in section 120.17 of the International Traffic in Arms Regulations does not have a carve-out for data hacked out of your system by foreign nationals. In fact, it covers “transferring technical data to a foreign person, whether in the United States or abroad,” without specifying how that transfer occurs. And make no mistake about it: when your system has been hacked by the People’s Liberation Army, it has transferred technical data to foreign nationals.

“But I didn’t mean for that data to be shipped to China!” you protest. Well, that may mean you lack the necessary scienter for a criminal prosecution, but civil penalties do not require intent. That also means it is probably time to think about a voluntary disclosure. And of course, one of the mitigating factors will be that you did not intentionally transfer the data to the PRC.

But here is the rub. Maybe you did not send the PLA an engraved invitation asking them to come hack your system, but maybe you also did not really have robust systems in place to prevent hacking. Often hackers get control of systems by sending infected links to employees. What protections do you have in place to prevent employees from clicking links in emails from outside the system? What systems do you have in place to monitor outbound traffic from your computers? And if you say, well, we have X or Y antivirus installed, you are going to hear the sad trombone because hackers can get around commercial antivirus software faster than Lindsay Lohan can sneak out of rehab.

Consider the Washington Post story a warning. It’s time to take a hard look at your security systems so that you either do not have to file a voluntary disclosure that you’ve been hacked or, if you do have to make such a disclosure, you can honestly say you took every reasonable precaution.


Copyright © 2013 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)


6 Comments:


Isn’t attribution difficult in most cases of ‘hacking’? How would you know whether the person who hacked is a foreign national or not?

Comment by jstults on June 2nd, 2013 @ 8:10 am

You can’t know by the IP address. Hackers never direct connect and will have jumped through 5 or more different systems and all you are getting is the last one in the chain, not the source. It is normally some poor home user with no clue they are compromised.

Comment by Alex on June 7th, 2013 @ 9:59 am

    If the final person in the chain is foreign, even if it isn’t the hacker, then you’ll have an export issue, even if the hacker is in the U.S. In the cases of most concern, state-sponsored Chinese hacking, the forensics have all pointed back to the Chinese IP addresses involved. Still, you are correct that there can be instances where you might not be able to tell that the data has been exfiltrated to a foreign party.

    Comment by Clif Burns on June 7th, 2013 @ 11:21 am

Isn’t this a bit of a stretch to say it is an export to which you would have responsibility? It was a theft that happened in the US. So, if someone steals a gun and takes it into another country and commits a crime, have you exported even though the theft happened in the US? If you leave your door unlocked and someone enters your house and steals something is it still theft?

Comment by Alex on June 7th, 2013 @ 11:40 am

    There is no question that the data has been exported in many of these cases and the affected parties have usually filed voluntary disclosures of the export with State and Commerce as appropriate. Although intent to export is required for a criminal prosecution, it isn’t required for civil penalties under the AECA, IEEPA or TWEA. Certainly the agencies consider the culpability of the hacked party as a mitigating factor. But, to use your example, if a company left a computer system “unlocked” (i.e. without adequate security) and a foreign hacker downloaded controlled data, that would potentially be a case for civil penalties. That’s why I encourage companies to encrypt export-controlled technical data on their systems.

    Comment by Clif Burns on June 7th, 2013 @ 2:29 pm