Oh, Another Incident of Chinese Industrial Espionage

There is no denying Russia is using cyber warfare against the West. Little is ever mentioned about China’s industrial espionage, something this site attempts to publish as often as possible. Further, the owner of this site participated in two key hearings today in Congress, one with former CIA Director John Brennan and the other included ODNI Dan Coats and DIA Director General Stewart.

Clearly both hearings revealed just how pervasive and common cyber warfare is at the hands of China and Russia. Here is just another example.

China’s theft of IBM’s intellectual property

A former employee of IBM pleaded guilty to theft of source code on behalf of China

And you think the FBI has easy work? Further, we are trusting China to deal with North Korea’s nuclear program and missile systems aimed against Western interests.

CSO: China continues to view the theft of intellectual property as a viable means of technology transfer. Global private sector entities are finding their insiders are being used by China to purloin the proprietary information for use by Chinese state-owned-enterprises or national entities with ever increasing regularity.

On 19 May 2017, Xu Jiaqiang, a PRC national, pleaded guilty to economic espionage and trade secret theft. Xu stole source code from his employer, IBM, and attempted to share it with the National Health and Family Planning Commission in the PRC.  According to the Department of Justice, Xu pleaded guilty to all six of the counts included in his indictment.

A review of Xu’s LinkedIn profile shows only his employment with IBM from November 2010 through July 2014 (a date that differs from the one contained in the indictment) as a “General Parallel File System Developer at IBM.”

Xu was a trusted insider within IBM. According to the DOJ advisory, which contained content from both the criminal complaint and superseding indictment, Xu worked for IBM from 2010-14, with unencumbered access to the “proprietary source code.” DOJ advises, Xu voluntarily resigned from IBM in May 2014.

In late 2014, the Federal Bureau of Investigation (FBI) was informed (source unidentified) that Xu claimed to have (unauthorized) access to the source code and was using it in various business ventures. Undercover law enforcement officers subsequently contacted Xu to confirm his possession of the source code.

The criminal complaint describes undercover officers posing as investors engaged in multi-month email exchanges with Xu, which culminated in his sharing portions of the source code as bona fides of his knowledge of “operating systems and parallel file systems.” At that time, the victim company, IBM, identified the shared code as identical to its proprietary source code.

In late 2015, Xu had a face-to-face meeting with undercover law enforcement officers. At the meeting, Xu acknowledged the code was his former employer’s (IBM) code. Xu also confirmed to his interlocutors how he had purloined the code prior to his May 2014 employment separation and had made modifications so as to obscure its point of origin, IBM.

In June 2016, Xu was indicted and charged with three counts of economic espionage, one count each of theft of trade secrets, possession of trade secrets, and distribution of trade secrets. He will be sentenced in October 2017.

Though IBM has declined comment to media regarding this theft of their intellectual property, reading between the lines, it would appear IBM had deduced (correctly) that Xu absconded with a copy of their GPFS proprietary source code, and was attempting to use it commercially. They then brought the theft to the attention of the FBI.

Illicit technology transfer

China has not slowed down in its acquisition of technology using the access afforded to trusted insiders. In his May 2017 worldwide threat assessment before the Senate Select Committee on Intelligence, the US Director of National Intelligence made the threat posed by China clear.

In April 2017, we saw the arrest of a Dutch employee of Siemens, working within the energy arm of Siemens, charged with stealing the intellectual property of his employer and attempting to share it with China.

From the FBI perspective, this was the perfect economic espionage case: theft of proprietary information for provision to a foreign government, from a company that had an insider threat program in place, that cooperated (providing technical expertise during the investigation), and that was of sufficient size to withstand any blow-back from China which may occur.

There is no need to be xenophobic. Multinational companies employ individuals from a great variety of nationalities. The reality is, few employees break trust with their employer.

That said, having your paper trail on agreements which safeguard intellectual property is mandatory. So is a review of the activities of every departing employee for breaks from pattern, whether the separation is voluntary or for cause. If a deeper dive into the employee’s activities is warranted, look for any sudden increase in 403 errors or their equivalent (access-denied events in web, application, source-control and file-server logs, caused by attempts to reach data the employee is not authorized for), measured against that employee’s own prior baseline rather than a company-wide average. Verify the complete inventory of all storage devices the employee may have accessed, have each returned and/or the data on it destroyed, and review email and uploads for any inappropriate usage.
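One way to perform the “break from pattern” review described above, as an added example (this is not code from the original post, and no real IBM or vendor log format is assumed): a Python sweep over constructed access-log lines that counts 403 responses per user per day and, for each departing employee, compares the final two weeks against that same user’s preceding 60-day baseline. The log line format, the user names, the dates, the thresholds and the departing-user list are all constructed assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import date, datetime, timedelta

# Assumed log format (constructed for this example, not an IBM or vendor format):
#   <ISO-8601 UTC timestamp> user=<id> status=<HTTP-style status> path=<resource>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) status=(?P<status>\d{3}) path=(?P<path>\S+)$"
)


def parse(lines):
    """Yield (day, user, status, path) for each well-formed line; skip malformed ones."""
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # junk or a line in another format: do not abort the sweep
        day = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").date()
        yield day, m["user"], int(m["status"]), m["path"]


def daily_denials(events):
    """Count access-denied (403) responses per user per day."""
    counts = defaultdict(lambda: defaultdict(int))
    for day, user, status, _path in events:
        if status == 403:
            counts[user][day] += 1
    return counts


def flag_departing(counts, departing, baseline_days=60, recent_days=14,
                   min_recent=5, ratio=3.0):
    """For each departing user (user -> last working day) compare the mean daily
    403 count in the final `recent_days` against the preceding `baseline_days`.
    Flag when the recent rate is `ratio` times the user's own baseline AND the
    absolute count clears `min_recent`, so a user with a zero baseline is not
    flagged for a single stray denial."""
    findings = []
    for user, last_day in departing.items():
        per_day = counts.get(user, {})
        recent_start = last_day - timedelta(days=recent_days - 1)
        base_start = recent_start - timedelta(days=baseline_days)
        recent = sum(n for d, n in per_day.items() if recent_start <= d <= last_day)
        baseline = sum(n for d, n in per_day.items() if base_start <= d < recent_start)
        recent_mean = recent / recent_days
        base_mean = baseline / baseline_days
        if recent >= min_recent and recent_mean > ratio * base_mean:
            findings.append({"user": user, "last_day": last_day, "recent": recent,
                             "baseline": baseline, "recent_mean": recent_mean,
                             "base_mean": base_mean})
    return findings


def _sample_lines():
    """Constructed sample log: 'alice' starts probing forbidden source paths in her
    last two weeks; 'carol' is also leaving but shows no change in behaviour."""
    lines = []
    last = date(2014, 5, 15)
    for i in range(74):                      # 60 baseline days + 14 final days
        d = (last - timedelta(days=73 - i)).isoformat()
        n_alice = 4 if i >= 60 else (1 if i % 5 == 0 else 0)
        for k in range(n_alice):
            lines.append(f"{d}T09:{k:02d}:00Z user=alice status=403 path=/src/fs/core{k}.c")
        lines.append(f"{d}T10:00:00Z user=alice status=200 path=/src/fs/README")
        if i % 10 == 0:
            lines.append(f"{d}T11:00:00Z user=carol status=403 path=/hr/payroll")
    lines.append("this line is not in the expected format and must be skipped")
    return lines


SAMPLE_LINES = _sample_lines()
# Assumed HR feed of separations: user -> last working day (constructed).
DEPARTING = {"alice": date(2014, 5, 15), "carol": date(2014, 5, 15)}


def findings_for_sample():
    return flag_departing(daily_denials(parse(SAMPLE_LINES)), DEPARTING)


if __name__ == "__main__":
    for f in findings_for_sample():
        print(f"{f['user']}: {f['recent']} denials in final 14 days "
              f"({f['recent_mean']:.1f}/day) vs baseline {f['base_mean']:.2f}/day")
```

The ratio is taken against the user’s own history rather than a global threshold, because a developer who legitimately hits restricted paths every day would otherwise drown out a quiet user who suddenly starts probing. The same aggregation works for any access-denied event source (source-control permission errors, file-server or Windows object-access failures), not only HTTP 403s.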

Remember, though it is the FBI and DOJ success which brought Xu to our collective attention, it was not the FBI who initially discovered Xu’s intellectual property theft. The FBI pursued the lead brought to them by an unidentified third party (presumably IBM).

You are your company’s first line of defense in the protection of intellectual property, not the FBI.

DoJ, AG Sessions, Effective Immediately

Read the two-page memo here.

Sessions ends Obama-era leniency on sentencing, infuriating civil rights groups

FNC: Attorney General Jeff Sessions announced Friday that he has told prosecutors to pursue the most serious charges possible against criminal suspects – a stunning reversal of Obama-era policies, and a move that infuriated civil rights groups.

“We will enforce the laws passed by Congress pure and simple,” he said at an awards ceremony in Washington D.C, adding that prosecutors deserved to be “unhandcuffed and not micro-managed from Washington.”

“This is a key part of President Trump’s promise to keep America safe,” Sessions said. “We’re seeing an increase in violent crime in our cities – in Baltimore, Chicago, Memphis, Milwaukee, St. Louis and many others.  The murder rate has surged 10 percent nationwide – the largest increase since 1968.”

In a letter to 94 U.S. attorneys Thursday night, Sessions called it a “core principle” that prosecutors charge and pursue “the most serious and readily provable offense.” Sessions defined the most serious offenses as those that carry the most substantial guidelines sentence.

Sessions noted that “there will be circumstances in which good judgment would lead a prosecutor to conclude that a strict application” of the policy is not warranted, but that any exceptions must first be approved by a U.S. attorney, assistant attorney general, or a designated supervisor.

The move, which will send more criminals to jail and for longer terms by triggering mandatory minimum sentences, explicitly reverses policies set in motion by President Obama’s former Attorney General Eric Holder, who implemented the “Smart on Crime” drug sentencing policy that focused on not incarcerating people who committed low-level, non-violent crimes. DOJ officials call that a “false narrative” and say that unless a gun is involved, most of those cases aren’t charged, period.

Officials say Holder’s “Smart on Crime” policy “convoluted the process,” and left prosecutors applying the law unevenly, which they said “is not Justice.”

But civil rights groups blasted the decision, with the American Civil Liberties Union describing it as a move that will “reverse progress” and repeat the War on Drugs, which it called a “failed experiment.”

“With overall crime rates at historic lows, it is clear that this type of one-dimensional criminal justice system that directs prosecutors to give unnecessarily long and unfairly harsh sentences to people whose behavior does not call for it did not work,” said Udi Ofer, director of the American Civil Liberties Union’s Campaign for Smart Justice.

The policy was also criticized by Sen. Rand Paul, R-Ky., who said mandatory minimums have “unfairly and disproportionately incarcerated too many minorities for too long.”

“Attorney General Sessions’ new policy will accentuate that injustice. Instead we should treat our nation’s drug epidemic as a health crisis and less as a lock ‘em up and throw away the key problem,” he said.

However, the National Association of Assistant United States Attorneys backed the move, saying it would make the public safer and give prosecutors the “tools that Congress intended” to lock up drug dealers and dismantle gangs.

Wait for it… nah, never mind: former AG Eric Holder has already responded.

Former Attorney General Eric Holder blasts Sessions memo as ‘dumb on crime’

Former Attorney General Eric Holder blasted a new Justice Department policy on prosecutions and sentencing, calling it “dumb on crime.”

“The policy announced today is not tough on crime. It is dumb on crime. It is an ideologically motivated, cookie-cutter approach that has only been proven to generate unfairly long sentences that are often applied indiscriminately and do little to achieve long-term public safety,” Holder said in a statement Friday shortly after the new department memo.

Attorney General Jeff Sessions released a memo early Friday directing prosecutors to “charge and pursue the most serious, readily provable offense” in all cases going forward.

The Sessions memo reverses one issued by Holder in 2013 that encouraged federal prosecutors to seek the most harsh punishment for only “serious, high-level, or violent drug traffickers” instead of lower-level offenders.

Holder cited department data showing that since the implementation of his memo — the Smart on Crime directive — prosecutors have been able to successfully focus more resources on higher level drug offenders such as kingpins and cartel leaders.

“The data showed that while they brought fewer indictments carrying a mandatory minimum sentence, the prosecutions of high-level drug defendants had risen and that cooperation and plea rates remained effectively the same,” Holder said. “These reversals will be both substantively and financially ruinous, setting the Department back on track to again spending one-third of its budget on incarcerating people, rather than preventing, detecting, or investigating crime.”

Who Can be Fired at the VA for Cause? No One

Bipartisan Senate Group Unveils New Bill to Speed Up VA Firing, Bonus Recoupment

The new bill comes just days after a federal appeals court ruled Congress’ previous attempt at hastening VA’s disciplinary process — through the 2014 Veterans Access, Choice and Accountability Act — was unconstitutional. The measure stripped Senior Executive Service employees of their right to a second-level appeal before the Merit Systems Protection Board’s presidentially-appointed, Senate-confirmed panel. VA had already stopped using the new authority after its constitutionality was questioned in court and the Obama administration declined to defend it.

The senators have been working on their new bill for weeks, but they said the court ruling reinforced the need for reform. “This legislation would improve on the law we enacted in 2014,” Rubio said.

The bill would allow the department’s secretary to fire, suspend or demote an employee with only 15 days notice. Affected workers would then have seven days to issue a response before a final decision is made. Any employee facing removal, suspension of at least 14 days or a demotion would have 10 days to appeal the action to the Merit Systems Protection Board. MSPB would then have 180 days to issue a decision, a much longer period than the 45-day timeline set up in the House bill. Employees would maintain the right to appeal an MSPB decision to federal court.

Employees covered by a collective bargaining agreement would also maintain the right to appeal a negative personnel action through the grievance process, though it would have to be resolved within 21 days. Read more here.


Meanwhile, there is that blasted union problem at the VA:

An estimated 346 employees in the Department of Veterans Affairs do no actual work for taxpayers. Instead, they spend all of their time doing work on behalf of their union while drawing a federal salary, a practice known as “official time.”

That’s according to a report by the nonpartisan Government Accountability Office. But exactly what those VA workers are doing and why so many are doing it is not clear. The VA doesn’t track that, and the GAO report offers no clue.

Rep. Jody Arrington, R-Texas, a member of the House Veterans’ Affairs Committee, thinks the number on 100 percent official time may be much higher. He also notes that the 346 workers don’t include those who spend most, not all, of their time doing union work.

“The lack of accountability at the VA when it comes to monitoring official time suggests it might be worse,” said Arrington, who has introduced legislation that would require the department to track the use of official time, among other reforms.

Pointing to the waiting list scandals at the department, Arrington said the official time situation is reflective of the “broken culture at the heart of the VA” and adds, “I haven’t heard one good, acceptable reason why the practice has continued.”

The VA was not eager to discuss the matter with the Washington Examiner. After several days of inquiries, it responded with the following statement: “VA believes that the appropriate use of official time can be beneficial and in the public interest as stated in the Federal Service Labor-Relations Statute, which governs how executive branch agencies treat official time. VA takes the position that labor and management have a shared responsibility to ensure that official time is authorized and used appropriately. VA practices are in compliance with the Federal Service Labor-Relations Statute.”

Official time is allowed under the 1978 Civil Service Reform Act. The idea behind it is to ensure that a federal employee who is also a union official won’t be penalized for being away from work if he or she is negotiating a contract or addressing a worker grievance, for example. It is essentially a trade-off for the limitations put on federal unions, such as prohibitions on striking.

At least 700 federal workers do nothing but work on official time, according to the GAO and data obtained from various Freedom of Information Act requests. The VA uses official time far more than any other agency.

“Employees spent approximately 1,057,000 hours on official time for union representation activities … In addition, the data show that 346 employees spent 100 percent of their time on official time,” the GAO found in a January report.

It is possible that even those figures are conservative. The GAO said the VA’s poor monitoring meant the data were “inconsistent and not reliable.”

The GAO didn’t know what the employees are doing with all of that time. “We just didn’t get into that in that particular study,” said Cindy Barnes, the GAO’s director of education, workforce and income security issues and author of the report.

Part of the explanation is that the VA is one of the largest federal agencies with 373,000 workers, making it second only to the Pentagon in the sheer size of its workforce. About 250,000 VA workers are covered by collective bargaining agreements, according to the GAO, citing 2012 data. Arrington puts the covered figure at 285,000.

By comparison, the Department of Homeland Security has 240,000 workers and the Department of Commerce has just under 44,000 workers. But those departments get by with proportionately far fewer people working exclusively on official time. DHS has 39, while Commerce has just four.

Another factor is that the VA’s workforce is represented by no less than five unions: The American Federation of Government Employees, the National Association of Government Employees, National Nurses United, the National Federation of Federal Employees and the Service Employees International Union.

National Nurses United representative Irma Westmoreland was the only union official willing to talk about the practice with the Washington Examiner. She is one of five nurses union members who work exclusively on union time at the VA. The union has another nine who spend 80 percent of their time at the VA on official time, she said.

Westmoreland said her work was necessary because nurses can’t simply stop taking care of a patient to do something like address a worker grievance. People such as her do the union work and make it possible for the other nurses to focus on providing care.

“I have to travel across the country working with 23 VA facilities in four time zones,” she said. “The management teams want somebody at 100 percent official time so they don’t have to pull somebody out of care.”

But not everyone at the VA is involved in care. So what are the other 341 exclusive official time workers doing? Westmoreland had no insight.

“I don’t know how the other people do it,” she said.

American Federation of Government Employees President J. David Cox told Arrington’s subcommittee in February that official time involved activities such as “designing and delivering joint training of employees on work-related subjects and introduction of new programs and work methods that are initiated by the agency or by the union.”

He added that “in no way did the [February GAO] report suggest that the use of official time presents problems for the department.” The report sought only to quantify the amount of time used.

Arrington argues that the practice has to change if the VA is ever to be truly reformed. He has sponsored the Veterans, Employees and Taxpayer Protection Act, which would require the VA to track the use of official time. It also would prohibit employees involved with direct patient care from spending more than a quarter of their work hours on union activities and bar any VA employee from spending more than half of their time on official time.

The legislation would effectively put VA employees under right-to-work protection. The VA would be prohibited from agreeing to union contracts that force workers to join or otherwise support a union as a condition of employment.

Westmoreland said she has no trouble with better tracking the use of official time but warns against putting any limitations on its use.

“It makes it very difficult if you cannot have set official time,” she said.

Trump’s EO on Voter Fraud Commission

Read the text here. The ‘voting rights’ division at the Justice Department may well have an issue with this, but the commission should happen, along with a technology fix going forward. We cannot forget that DHS contacted several states prior to last fall’s voting season concerning registration databases and voting machines. Some states cooperated; others frankly did not, distrusting not only federal intrusion in general but DHS in particular.


Trump signs executive order launching voter fraud commission

President Trump signed an executive order on Thursday to launch a commission to review alleged voter fraud, a White House official confirmed to Fox News, after months of claiming voter fraud in the 2016 presidential election.

The order, titled “Presidential Commission on Election Integrity,” would establish a bipartisan commission, chaired by Vice President Mike Pence, to review alleged voter fraud and suppression. Kansas Secretary of State Kris Kobach, who has investigated voter fraud in Kansas, will serve as vice chair.

“The commission will also include individuals with knowledge and experience in election management and voter integrity,” White House Deputy Press Secretary Sarah Huckabee-Sanders said on Thursday at the White House daily press briefing. “The commission will review policies and practices that enhance or undermine confidence in elections and identify system vulnerabilities.”

Huckabee-Sanders announced five members of the commission on Thursday: Indiana Secretary of State Connie Lawson (R), New Hampshire Secretary of State Bill Gardner (D), Maine Secretary of State Matthew Dunlap (D), Christy McCormick, commissioner of the Election Assistance Commission, and former Ohio Secretary of State Ken Blackwell (R).

The White House said the commission will review practices that affect the integrity of federal elections–spanning improper registrations, improper voting, fraudulent registrations, fraudulent voting and voting suppression.

“We expect the report to be complete by 2018,” Huckabee-Sanders said. “The experts will follow the facts where they lead–we’ll share updates as we have them.”

Trump originally vowed to create such a commission in January. Days after his inauguration, Trump took to Twitter calling for a “major investigation into VOTER FRAUD,” saying that depending on the results of the investigation, “we will strengthen up voting procedures!” He cited “illegal” voters and “those registered to vote who are dead (and many for a long time)” which he claimed cost him the popular vote, which Hillary Clinton won by 3 million votes.

But on Thursday, Senate Minority Leader Charles Schumer, D-N.Y., slammed the commission.

“Putting an extremist like Mr. Kobach at the helm of this commission is akin to putting an arsonist in charge of the fire department,” Schumer said. “President Trump has decided to waste taxpayer dollars chasing a unicorn and perpetuating the dangerous myth that widespread voter fraud exists.”

Voting experts and many lawmakers have said they haven’t seen anything to suggest that millions of people voted illegally, including House Oversight Committee Chairman Jason Chaffetz. The Utah Republican said his committee won’t be investigating voter fraud.

In a lunch meeting with senators in February, Trump said that he and former Republican Sen. Kelly Ayotte would have won in New Hampshire if not for voters bused in from out of state. New Hampshire officials have said there was no evidence of major voter fraud in the state.

In a February interview with Bill O’Reilly, Trump said the main issue of voter fraud was registration, and vowed to look at the situation “very, very carefully.”

“When you look at the registration and you see dead people that have voted, when you see people that are registered in two states, that have voted in two states, when you see other things, when you see illegals, people that are not citizens and they are on registration roles,” Trump said. “We can be babies, but you take a look at registration, you have illegals, you have dead people, you have this, it’s a really bad situation, it’s really bad.”

The decision to revisit the voter fraud issue comes during a tumultuous week, after Trump on Tuesday fired FBI Director James Comey. The administration cited Comey’s handling of the Clinton email probe, but Democrats also question what role his bureau investigation into Russian meddling in the 2016 race played.

In a House Intelligence Committee hearing on Russian election tampering in March, voter fraud became a topic of questioning — Committee Chairman Devin Nunes, R-Calif., asked Comey if the FBI had any evidence that votes were changed in states like Pennsylvania, North Carolina, Florida, and Ohio, to which Comey answered “No.”

After winning the election, Trump singled out several states and claimed fraud in their voting system, but officials in those states insisted that his claims were unfounded.

No Cyber Policy, Doctrine, Protection, Result of Senate Hearing

President Trump signed another executive order today. This one is on cyber security and protecting infrastructure. Read it here.


No one wants to engage in the hard debate on cyber, even though it is repeatedly named the highest threat to the homeland. At least the Trump White House is taking note, yet this executive order may not be enough, and may not engage the private sector. It is gratifying, however, that some inside and outside experts are in fact holding talks with cyber experts on an international basis. That is always a good thing.

At issue on this topic is the path forward and the estimated costs. Cyber is a battlespace, and it should be noted that it could cost what conventional military operations against adversaries cost, and could take as long, if not forever. All government infrastructure is dated and unprotected, and there is no prioritized plan to correct it.

The other item of note: there is little legal or case-law precedent for holding foreign state-sponsored cyber attackers to account in a US court. Exactly why did Sony not sue North Korea? (Part of the answer is that the Foreign Sovereign Immunities Act shields foreign states from most civil suits in US courts.) If there is no consequence, even a ceremonial one, then expect more hacks. Of note, to sue or sanction North Korea, China would have to be included, as North Korea’s internet connectivity is provided by China and, further, China trained North Korea’s hackers… sheesh, right?

Politico reports: The directive is Trump’s first major action on cyber policy and sets the stage for the administration’s efforts to secure porous federal networks that have been repeatedly infiltrated by digital pranksters, cyber thieves and government-backed hackers from China and Russia.

“The trend is going in the wrong direction in cyberspace, and it’s time to stop that trend and reverse it on behalf of the American people,” White House Homeland Security Adviser Tom Bossert told reporters during a Thursday afternoon briefing.

Cyber specialists say the order breaks little new ground but is vastly improved over early drafts, which omitted input from key government policy specialists. The final version, cyber watchers say, essentially reaffirms the gradually emerging cyber policy path of the past two administrations.

As part of the executive order’s IT upgrade initiative, administration officials will study the feasibility of transitioning to shared IT services and networks across the government. An estimated 80 percent of the $80 billion federal IT budget goes toward taking care of aging systems.

Senior Trump adviser Jared Kushner’s Office of American Innovation will play a significant role in the federal IT modernization effort, multiple people tracking the efforts have told POLITICO. Earlier this month, Trump signed an executive order creating the American Technology Council, with Kushner as director, to help coordinate that effort. More here.

*** Personally, it must be mentioned that there is a problem with this operating out of the White House, and certainly out of Jared Kushner’s office: he is far too heavily tasked to be effective. Other professionals in the cyber realm agree that a ‘net’ command, one whose operations collaborate with the private sector, should be its own command, separated from NSA.

There was a significant hearing today on the Hill while the FBI hearing was going on. Those on the witness panel included James Clapper, Jim Stavridis and Michael Hayden. The Senate Armed Services Committee hosted the session, which included high-level discussion of why there is no cyber doctrine, why there are no offensive measures, and what the highest cyber threats to the homeland are.