By SIOBHAN GORMAN with Jason Dean in Beijing
The Wall Street Journal
July 17, 2008
http://online.wsj.com/article_email/SB121625646058760485-lMyQjAxMDI4MTE2NzIxNTc2Wj.html
WASHINGTON -- A debate is brewing in the U.S. government over whether to publicly warn businesspeople and other travelers heading to the Beijing Olympics about the dangers posed by Chinese computer hackers.
According to US government officials and security consultants, U.S. intelligence agencies are worried about the potential threat to U.S. laptops and cellphones. But others, including the State and Commerce departments and some companies, are trying to quiet the issue for fear of offending the Chinese, these people say.
U.S. intelligence and security officials are concerned by the frequency with which spies in China and other countries are targeting traveling U.S. corporate and government officials. The Department of Homeland Security issued a warning last month to certain government and private-sector officials stating that business and government travelers' electronic devices are often targeted by foreign governments. The warning wasn't available to the public.
The spy tactics include copying information contained in laptop computers at airport checkpoints or hotel rooms, wirelessly inserting spyware on BlackBerry devices, and a new technique dubbed "slurping" that uses Bluetooth technology to steal data from electronic devices.
In addition to cybersecurity threats in other countries, "so many people are going to the Olympics and are going to get electronically undressed," said Joel Brenner, the government's top counterintelligence officer. He tells of one computer-security expert who powered up a new Treo hand-held computer when his plane landed in China. By the time he got to his hotel, a handful of software programs had been wirelessly inserted.
Mr. Brenner says he doesn't take a laptop to China and uses disposable cellphones while there.
Asked about potential electronic surveillance during the Olympics, a spokesman for China's Ministry of Foreign Affairs said: "Allegations that China supports hacker attacks against U.S. computer networks ... are entirely fabricated, and seriously misleading."
Some companies are taking steps to increase security. General Electric Co. encourages traveling employees to leave laptops behind or use a stripped-down travel laptop and encrypted hard drives, said spokesman Jeff DeMarrais. Pfizer Inc. is evaluating a policy that would require employees to take travel laptops to a number of countries, including China, said spokesman Chris Loder.
Despite the risks, many government and corporate officials are leery of discussing the security risks and singling out countries, such as China, for fear of damaging diplomatic and business relationships. One member of a task force at the Office of the Director of National Intelligence, the U.S.'s top spy agency, said the prospect of an Olympics warning comes up repeatedly, but is never resolved, with technology experts advocating a warning and government officials arguing against it.
One credit-card company executive said many in his industry "are becoming almost afraid of the security issue." Lawyers at credit-card companies have advised against taking some security measures, fearing the company could be liable if they fail, this person said.
Western companies' responses to the problem have ranged from "very concerned to positively ostrich-like," said Mr. Brenner.
The government has no established system for telling travelers about cybersecurity risks. The State Department issues alerts for terrorism and health risks, but not for cybersecurity. That's inconsistent with the government's position on terrorism alerts, says Paul Kurtz, a former National Security Council official who is now a cybersecurity consultant. The government is prohibited from withholding terrorist threats from the public, but that's effectively what it's doing with cyberthreats, he says.
The State Department mentions Chinese cyberthreats briefly on its Web site, noting that computers in hotel rooms may be searched. That information "is basically the extent of any concerns," a department official said.
Mr. Kurtz suggests that the government develop a warning system assigning countries a threat level. Intelligence agencies already produce an annual classified country-by-country report on cyberspying abilities.
Homeland Security's nonpublic assessment, issued last month, doesn't single out any countries. It was issued less than two months before the Olympics and shortly after reports that a U.S. government laptop may have been hacked during a December trip to China by the U.S. Commerce secretary.
This unclassified document wasn't made public. Department spokesman Russ Knocke said the assessment was shared with the department's "state, local, and private-sector partners" but not with the public because such notices are usually the State Department's responsibility and the assessment didn't point to a specific threat. The department tries to avoid inundating the public with nonspecific information, he said.
No comments:
Post a Comment