What will Obama say to Xi?

With help from Joseph Marks and David Perera

TODAY: XI’S AT THE WHITE HOUSE — Chinese President Xi Jinping has a morning of meetings with administration officials before an 11 a.m. joint press conference with President Barack Obama and a state dinner this evening. Xi will also meet with members of Congress this afternoon, mostly for a photo op.


Three big cyber questions that we all want answered:

— What’s the deal? The New York Times reported last weekend that the U.S. and China were working on inking a cyber arms control agreement pledging no first strikes against each other’s critical infrastructure. Later reports said they might just generally embrace a report by United Nations experts that outlined a peacetime norm that nations should not strike each other’s critical infrastructure with destructive cyberattacks. Even if a deal is reached somehow, words alone might not do the trick. “I think this will be a situation where we will pay particular attention to China’s behavior and their conduct, that we put more stock in their actions than their words,” White House press secretary Josh Earnest said Thursday.

— What’ll Obama say? Early Thursday, the two presidents were friendly. “As the Chinese leader exited his vehicle, POTUS smiled and said, 'Ni hao,' Chinese for ‘hello,’” and they “appeared to be chatting amiably as they ambled toward dinner,” according to White House pool reports. But Obama has criticized Chinese economic espionage during joint press conferences with Xi in the past, and he has said cyber will be a major topic of discussion during this round of talks. So will the president say something more today than he has before? And will Obama repeat his threat of “countervailing actions” if economic hacking isn’t reduced with Xi standing next to him?

— What about sanctions? White House officials have said targeted sanctions against beneficiaries of Chinese cybertheft are still on the table if there’s no consistent reduction in Chinese economic hacking. If the White House tries sanctions, though, it better be prepared to deal with a painful Chinese response, one cyber policy scholar told MC. “People seem to think things are as bad now as possible and no situation could make it worse,” said Herbert Lin of Stanford University’s Center for International Security and Cooperation. “But the Chinese can do all kinds of things to us. … You think they’re interfering with American companies doing business in China now? If they want to, they can really put the screws to us.”

HAPPY FRIDAY and welcome to Morning Cybersecurity! As a native Hoosier, your MC host is more than a little worried about this Pacers plan to play Paul George at power forward. After all, he is coming off one of the nastiest injuries you’ll ever see: http://es.pn/1Kyc8PJ (Don’t worry, the link is to the plan, not the injury. Subjecting you to the latter would be very poor form.) Send your thoughts, feedback and especially your tips, and follow @timstarks, @POLITICOPro and @MorningCybersec. Full team info is below.

THE 2016 ANGLES ON THE SENATE INTEL HEARING — Almost all of the headlines (including one of ours at POLITICO) about Thursday’s Senate Intelligence Committee hearing were focused on NSA chief Adm. Mike Rogers discussing Hillary Clinton’s private email server. To be sure, Rogers didn’t want to talk about it; at first when Sen. Tom Cotton began asking, he quipped, “You really want to drag me into this?” But when Cotton asked how he would respond if he found out foreign ministers in Russia or Iran had a private email server, Rogers answered, “From a foreign intelligence standpoint, that represents opportunity.” http://politico.pro/1L9Tv85

At the same hearing, GOP presidential candidate and committee member Marco Rubio made three recommendations as a remedy to Chinese hacking: remove sensitive databases from the Internet, drum out Chinese spies on U.S. soil, and go on offense. http://politico.pro/1QC6CNA

THE INTELLIGENCE ANGLES ON THE SENATE INTEL HEARING — There was plenty more interesting about the hearing besides presidential politics:

NSA restructuring with cyber in mind: Rogers said he’s looking at reorganizing the NSA broadly, but one of the major motivators is cyber. He said he asked the NSA workforce: “How do we optimize ourselves for cyber? My argument is that cyber for the next 15 years will be like counterterrorism for the last 15 years, a mission that drives us as an organization. It will require us to do things on a scale we’ve never done before. To do that in a declining resource environment, you’ve got to be more efficient.” The workforce came back with several recommendations for the overall reorganization, and Rogers found the cyber area needed some work. “I want you to think a little more broadly about cyber. I don’t think we’re being far-reaching enough with the recommendations you’re giving me,” he said.

Encryption woes: “There is increasingly a limit on what NSA will be able to contribute” due to encrypted tech products, Sen. Dianne Feinstein said. Rogers acknowledged those difficulties but said the NSA would find a way to deal with the challenge, same as it has before. It’s the nature of the fight to “gain advantage and lose advantage over time,” and “technology and the opponents’ behavior always change,” he said. During an exchange with Sen. Ron Wyden, Rogers also acknowledged the downside to multiple encryption keys when asked whether they would generally give more opportunities to hackers. “It depends on the circumstances, but if you want to paint it very broadly like that, then senator, the answer is yes,” Rogers said.

DNI NOTES CONCERN ABOUT LOST OPM FINGERPRINT DATA — Director of National Intelligence James Clapper said Thursday that it is a major concern that there was a fivefold increase in the number of fingerprints known to be compromised as part of the Office of Personnel Management breach. “For those in the Intel community, it obviously poses a potential risk, particularly for employees who may be undercover when this data is out there,” he said during a Q&A session at a conference sponsored by the National Geospatial-Intelligence Agency.

OPM raised its estimate of compromised fingerprints to 5.6 million on Wednesday, but noted that “federal experts believe that, as of now, the ability to misuse fingerprint data is limited.” Clapper repeated that there’s no evidence yet that any of the identifying information from the OPM breach has been sold on the Dark Web (a fact experts say increases the likelihood China was behind the attack).


ONE YEAR OF SHELLSHOCK — This week is the one-year anniversary of the Shellshock bug (also known as Bash Bug), one in a series of vulnerabilities found in open source utilities that plagued the Internet during 2014. For those who need a refresher, Shellshock is a vulnerability that sat hidden since 1989 in a ubiquitous free software command-line program used in things like Web servers, and that suddenly became public, to much consternation. “One year after, the panic has subsided, but the threat goes on living,” notes TrendMicro in an anniversary blog post. While there’s no proof of major attacks exploiting the Shellshock vulnerability, it remains a widespread and unpatched flaw that hackers still use to spread malware and launch DDoS attacks. More from TrendMicro: http://bit.ly/1JsFdbj

TAKING A BITE OUT OF ONLINE CRIME — The underground criminal economy hinges on a number of fragile dependencies ripe for outside disruption, conclude Google and a handful of academics in research posted online Thursday. But formal law-enforcement intervention or traditional, reactive cybersecurity practices by themselves won’t fundamentally change the war against for-profit digital abuse, they warn. Instead, the authors urge a deeper and real-time understanding of the criminal ecosystem that can be used to take proactive steps to curb online criminals. More from Google: http://bit.ly/1L9B8Aa

GAO: DOD SHOULD DO MORE TO HELP SMALL BUSINESS’ CYBERSECURITY — The Defense Department’s Office of Small Business Programs should help the small businesses it works with improve their cybersecurity, according to a Government Accountability Office report out Thursday. The office “has explored some options, such as online training videos, to integrate cybersecurity into its existing efforts [but], as of July 2015, the office had not identified and disseminated cybersecurity resources in its outreach and education efforts to defense small businesses,” the auditor noted. The office concurred with the report. The report: http://1.usa.gov/1KxXVlH

REPORT WATCH

Chris Valasek and Charlie Miller detail how they hacked that Jeep Cherokee in a report published by IOActive and the Institute for Critical Infrastructure Technology: http://bit.ly/1JsyA92

QUICK BYTES

— The Obama administration looked at some options for dealing with encryption and wasn’t thrilled by any of them. Washington Post: http://wapo.st/1R2rjTv

— “No data has been stolen from HealthCare.gov or its supporting systems, says the Department of Health and Human Services after a critical report from federal auditors.” POLITICO Pro: http://politico.pro/1KFrvDG

— Global cybercrime cost businesses $315 billion over the past year, estimates Grant Thornton International. Infosecurity Magazine: http://bit.ly/1R2J5Gh

— Cisco is forming a joint venture with Chinese server-maker Inspur to sell networking and cloud-computing products in China. Reuters: http://reut.rs/1LAUWv3

— The stock has run out on new IPv4 addresses in the U.S. and Canada. PANIC! American Registry for Internet Numbers: http://bit.ly/1Ky2lZR

— The email exchange that led a New Hampshire library to pull its Tor node, via Motherboard: http://bit.ly/1gT3Xmi

That’s all for today. Wanna get all this back: http://bit.ly/1NXHUJG

Stay in touch with the whole team: Joseph Marks (@Joseph_Marks_); David Perera (@daveperera); and Tim Starks (@timstarks).



