Caveat 3.14.24
Ep 209 | 3.14.24

China's harmonious counterplay to US hacking accusations.


Dakota Cary: What is behind China's push into this space? Is it novel? When -- when did it begin? Why are they doing this? And so the content of this report reflects my attempt to describe and demonstrate why China decided to proceed with this media campaign. What caused its behavior to change? And the way in which that campaign has or has not been successful.

Dave Bittner: Hello, everyone, and welcome to "Caveat," N2K CyberWire's privacy, surveillance, law and policy podcast. I'm Dave Bittner, and joining me is my co-host, Ben Yelin, from the University of Maryland Center for Health and Homeland Security. Hey, Ben!

Ben Yelin: Hello, Dave.

Dave Bittner: Ben has the latest on a TikTok bill making its way through Congress. I've got the EFF's brief to the Ninth Circuit Court on software copyright limits. And later in the show, my conversation with Dakota Cary from SentinelLabs. We're talking about China's cyber-focused media campaign. While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. All right, Ben. Let's kick things off here. I don't want to ding you for choosing the obvious story this week, but you chose the obvious story this week.

Ben Yelin: It's just too good not to talk about is basically what it comes down to.

Dave Bittner: Okay. Fair enough.

Ben Yelin: So our members of Congress are considering a piece of legislation that's making its way through the House of Representatives, at least, at a very rapid pace --

Dave Bittner: Yeah.

Ben Yelin: -- that would force the parent company, ByteDance, to sell TikTok to an American investor within 165 days. If they fail to do so, TikTok could be removed from the Apple and Google app stores.

Dave Bittner: Mm-hmm.

Ben Yelin: So there are a lot of really interesting, funny, important angles to the story. The first is -- this bill showed up on a House Committee calendar. They were going to vote for it last Thursday, and TikTok put a little pop-up alert on everybody's account, based on their zip code, to call your member of Congress and tell them not to pass this piece of legislation.

Dave Bittner: Right.

Ben Yelin: That backfired big time. All these members of Congress got hundreds -- hundreds of thousands of calls from angry teenagers saying you're going to shut down my business. You're going to, you know, shut down my ability to engage in social media and make short video clips. I'm an influencer.

Dave Bittner: I wonder how many of them were too young to vote?

Ben Yelin: Probably a lot of them, given the demographics of TikTok users.

Dave Bittner: Right.

Ben Yelin: But it made all of these offices extremely angry and I do not doubt that that contributed to what was really a remarkable 50 to zero vote in the House Committee to advance this bill.

Dave Bittner: Wh-wh-what??

Ben Yelin: Yeah. So when you get members from the far left of the Democratic caucus to the far right of the Republican caucus --

Dave Bittner: There's usually one crank in there somewhere. Right?

Ben Yelin: There is almost always one crank. This was crank-proof.

Dave Bittner: Oh, wow!

Ben Yelin: And, beyond that, it has the support of House Leadership, so it is coming to the floor of the House of Representatives as we're speaking here -- this week.

Dave Bittner: Hmm.

Ben Yelin: It's going to be voted on by the full House, and President Biden, in extemporaneous remarks that he made, I think, deboarding or boarding Air Force One --

Dave Bittner: Yeah.

Ben Yelin: -- said that he supports this bill, so that he would sign it into law.

Dave Bittner: Okay.

Ben Yelin: There are a few obstacles remaining here. The first is the great deliberative body known as the United States Senate -- the cooling saucer of the passions of our House of Representatives.

Dave Bittner: Which has its own collection of cranks.

Ben Yelin: Yes. One of them is Rand Paul.

Dave Bittner: Okay.

Ben Yelin: And Rand Paul has said -- I have a lot of concerns about this bill. I might hold it up.

Dave Bittner: Huh!

Ben Yelin: And individual senators have a lot of power to hold up bills for a long time if they want to. Now if you have sixty votes to advance a bill in the Senate, eventually it will pass. You can file cloture on the bill after the requisite time period has passed, and that's a period of days, maybe about a week, then you can have a vote on the legislation. But perhaps that buys Rand Paul and his allies some time to conjure up 39 other members or 40 other members of the Senate from both parties who might be concerned about the potential constitutional issues here or might just think this is plainly bad policy.

Dave Bittner: Mm-hmm.

Ben Yelin: So it might be defeated. But it -- right now, it seems like it's really on a glide path. So I thought it would be a good idea to talk about some of the constitutional issues here.

Dave Bittner: Right.

Ben Yelin: First is the First Amendment issue. There was a TikTok ban that passed the State Legislature in Montana that we talked about --

Dave Bittner: Mm-hmm.

Ben Yelin: -- and a federal judge said this was a huge inhibition on the First Amendment. This is the expressive mode for a lot of people. They communicate important political, artistic ideas over TikTok. It's not all just junk -- although it's maybe mostly junk.

Dave Bittner: A lot of junk, sure.

Ben Yelin: So I think the First Amendment aspects of this are rather significant.

Dave Bittner: Okay.

Ben Yelin: Now the legislation, as drafted, wouldn't directly inhibit anybody's First Amendment rights. Even if TikTok were banned in the United States, people could post reels on Facebook or, you know, the equivalent short videos on Instagram. I think that's what the government would argue if this case came in front of a federal court.

Dave Bittner: Hmm.

Ben Yelin: The other issue is something called a bill of attainder. Have you ever heard of a bill of attainder?

Dave Bittner: I -- I've heard of it, but I -- I would not be able to tell you what it means.

Ben Yelin: It's like a -- it's a term that gets thrown around, partly because it's in our Constitution. And basically a bill of attainder means a bill that directly targets an individual or an entity and criminalizes something that that individual either is doing or has done.

Dave Bittner: Mm.

Ben Yelin: So historical examples have been congressional efforts to zero out the salaries of individual members of a President's cabinet --

Dave Bittner: Hmm.

Ben Yelin: -- because it's targeted at one individual and it's punishing that person individually for their actions. There's some mixed case law on whether the bill of attainder would apply not just to an individual but to a company, and what actually counts as a sufficient punishment that would trigger the protections of the Constitution in terms of bills of attainder.

Dave Bittner: Hmm.

Ben Yelin: So that's unknown.

Dave Bittner: Okay.

Ben Yelin: So we have those two major constitutional issues that are -- I think are hanging over us. And then there's the political angle. And this really fascinates me. Like, what do you do if you're Joe Biden? You get this bill presented to you. He said he's going to sign it. He's having problems with young voters for a variety of reasons. Is it a good idea to be the President who shut down TikTok?

Dave Bittner: Well, is TikTok going to be shut down, though? I mean, what -- help me understand here. What they're saying is that TikTok has to have stateside ownership. Right? That -- that's what they're asking for.

Ben Yelin: That's what they're asking for. Yeah.

Dave Bittner: So what's the problem there?

Ben Yelin: Well, we don't know how much influence the Chinese government has on ByteDance that may be a key part of their business model.

Dave Bittner: Yeah.

Ben Yelin: And they might not be able to operate without the watchful eye of the Chinese Communist Party. We don't really know if that's actually the case. The CEO of TikTok is going in to meet with members of Congress this week, and he's obviously lobbying against this legislation.

Dave Bittner: Right.

Ben Yelin: I think maybe that gives some indication that if the legislation passed there would be concerns about selling it to US investors. It just might be that they're not interested in it or they're trying to hold fast to their principles and not give in to the congressional mob. But at least the way I interpret it is there's a chance that TikTok could be banned. And even if it weren't, this bill could be seen politically as an effort to shut down TikTok because of malign foreign influence.

Dave Bittner: Yeah. And I guess you would -- if -- if the -- if the owners of TikTok are against this, which it makes sense that they would be, they certainly have a megaphone to get in front of their users to say that that's what's happening here --

Ben Yelin: Right.

Dave Bittner: -- that they're trying to ban this thing that you love.

Ben Yelin: And that's exactly what they've tried to do. So that's what they're putting in that push alert to all of the app's users. It said Congress is trying to shut down TikTok. It didn't say Congress is trying to make us sell our app to US investors so we're not controlled by malign foreign influencers like the Chinese Communist Party.

Dave Bittner: So at least that's what they're claiming. And I think we have to take them at their word, at least for now. Now -- maybe it's all a big bluff. Congress passes this bill. They sell it to, you know, who -- whomever obnoxious, rich person you can think of. Personal bias? I hope it's not Elon Musk. I was going to say, don't -- don't summon his name.

Ben Yelin: Yes.

Dave Bittner: It's he who -- it's, like --

Ben Yelin: He who shall -- he's like --

Dave Bittner: -- Voldemort.

Ben Yelin: -- Voldemort, yeah. I -- I do not want his hands on another -- another beloved application after he already ruined Twitter slash X.

Dave Bittner: Hmm.

Ben Yelin: So maybe it is that they're bluffing and they really do intend to sell it, but I just don't think we can be sure of that. They are, at least, representing this as it could lead to an actual ban on the app in the United States. But the other thing is, like, long term it would probably be good for Joe Biden slash the Democratic Party slash people on the center left and center right to not have TikTok be as influential as it is.

Dave Bittner: Mm-hmm.

Ben Yelin: I mean, there is a lot of what I would call "smut" that goes around on TikTok in terms of misinformation.

Dave Bittner: Hmm.

Ben Yelin: And out-of-context political attacks, and just, like, political commentary that becomes a fad among young people. Like, there was this phenomenon maybe a month or two ago of people praising Osama bin Laden's letter where he justified 9/11 in the United States.

Dave Bittner: Yuck.

Ben Yelin: And there was this, like, TikTok meme of young people saying how, oh, this -- you know, this is super compelling. So it is smut and, maybe in the long term, it would be useful as a policy of this country to get rid of the application, although the market for it is still there. So I'm sure Facebook would pick up the pieces. Last angle, though --

Dave Bittner: Yeah, yeah. Go ahead.

Ben Yelin: -- is the Donald Trump angle.

Dave Bittner: Oh!

Ben Yelin: So he tried to ban TikTok when he was President. It got tied up in the court system. Now he's flip-flopped. He is claiming that he is against this legislation banning TikTok because that would give more power to Mark Zuckerberg, who he dislikes. The claim that he's alleged against Mark Zuckerberg, which is frankly B.S., is that Zuckerberg rigged the 2020 election on Facebook to get people to vote for Joe Biden.

Dave Bittner: Oh, that old thing?

Ben Yelin: That old thing.

Dave Bittner: Okay.

Ben Yelin: When, really, it was Zuckerberg had -- had a voter registration program running on Facebook during the election.

Dave Bittner: Hmm.

Ben Yelin: That's basically what it amounts to.

Dave Bittner: Okay.

Ben Yelin: And I'm not going to get into the details of that.

Dave Bittner: Yeah.

Ben Yelin: The other Trump angle here is there is a long-time Republican donor who was Trump-skeptical. He happens to be a major investor in TikTok --

Dave Bittner: Oh!

Ben Yelin: -- and he recently had a meeting with Donald Trump. So I think there's some understanding out there that this might be Realpolitik, as they say, where he's trying not to piss off a new investor into his campaign, which might struggle for money, especially as he has to pay some of his legal bills. So that's a possible angle as well. Now we know Donald Trump has a lot of influence among Republican members of Congress --

Dave Bittner: Mm-hmm.

Ben Yelin: -- so either before this makes it to the House floor, or in the United States Senate, the fact that Donald Trump is in opposition -- maybe that conjures up 40 -- 40, 41 votes to defeat this.

Dave Bittner: I'm trying to unpack China's interest here. If you're China and you own TikTok -- you run TikTok, right? It strikes me that their interest in TikTok is not one of making a profit on TikTok. That their --

Ben Yelin: No, it is not.

Dave Bittner: -- their primar -- primary interest is influence.

Ben Yelin: Yes.

Dave Bittner: Right. So --

Ben Yelin: And information.

Dave Bittner: -- so, to me, it would make sense that if China were forced to sell TikTok to a -- to an independent US interest, that China could just as well say, that's fine, shut it down because we don't care about it anymore. It has -- it's of no use to us. If we cannot control it, it's -- it's of no use to us and it's probably politically better for us for the US administration to take the hit of shutting it down. So we'll choose -- we'll choose option B. Go ahead -- shut it down.

Ben Yelin: Well, why haven't they done that so far? I mean, this has already caused a big PR backlash. There have been efforts to shut down TikTok at the executive level among members of Congress. Why hasn't China already said, you know what. F- it. Like --

Dave Bittner: Well, I would -- I mean, I -- I would guess that every day that they have control over it is a day where they have opportunity to influence. So -- keep it running.

Ben Yelin: And so that might be of some un-determinative use to them. I don't want to imply anything but, like, they might be getting more out of this interaction than we even know about.

Dave Bittner: Right.

Ben Yelin: It might be --

Dave Bittner: Would that come to an end if they -- if they were forced to sell? If it were still running, but theoretically there would be some oversight to make sure that it was independent of Chinese influence --

Ben Yelin: I mean, that's why I think they're so resistant to this legislation passing --

Dave Bittner: Okay.

Ben Yelin: -- 'cause they might lose whatever influence they do have. I don't know how much of that is being foisted on the CEO of TikTok as he lobbies member of Congress -- members of Congress. I don't know what the true motivation is, but obviously everybody is fighting this. I mean, I don't think there would be such an outcry against this legislation. I don't think there would have been push alerts to TikTok users if somebody out there wasn't very concerned about this legislation passing, forcing TikTok to sell the company to a United States person.

Dave Bittner: Right. I guess what I'm saying is that the -- the forcing them to sell could be the option they don't choose. They could just say we're going to burn it down.

Ben Yelin: Let's burn this --

Dave Bittner: Yeah.

Ben Yelin: -- let's burn this whole thing to the ground?

Dave Bittner: Yeah.

Ben Yelin: It's possible. But then they'd also -- you know, you'd be -- it's a Catch 22 because they'd lose out on whatever they're gaining from TikTok's current ownership and its user base which is a lot of people, especially in Generation Z. Their minds are being shaped -- you know, they're being influenced by the voices they see on TikTok. So I think China fears losing that.

Dave Bittner: Right.

Ben Yelin: Maybe they would just shut it down 'cause it would be the better of two bad options from their perspective if this bill were to pass.

Dave Bittner: Yeah, that's my point.

Ben Yelin: Yeah! So maybe they will. I just -- I guess what I'm saying is there's a reason they're trying so hard or somebody is -- is pulling the strings in order to stop this bill from passing in the first place --

Dave Bittner: Yeah.

Ben Yelin: -- to maintain the status quo.

Dave Bittner: Okay. Yeah. I -- I -- I -- I -- yes, I understand what you're saying. I think your -- I think your argument is a good one. I just -- it's going to be interesting to see how this plays out.

Ben Yelin: Yeah. I mean, unlike a lot of the things we talk about, I think we're going to get a resolution relatively soon.

Dave Bittner: Hmm.

Ben Yelin: By the time we next record, we'll at least have an idea of the dispensation of this legislation in the House, and then it will get to the Senate. All we know so far is that Rand Paul seems very skeptical. And when he's skeptical of something, he can make life a living hell for other Senators for a period of weeks if he wants to delay this. Yeah. And he's proud of it.

Dave Bittner: Right.

Ben Yelin: You know, I think he -- he would put that on his epitaph.

Dave Bittner: Okay. All right. Well, yeah, I mean, that has a -- it's a really interesting story here because I think -- like, even, you know, the -- the -- the back and forth you and I are having about it, I think points out how -- how nonobvious, you know, some of the potential pathways are for this.

Ben Yelin: Right! Right.

Dave Bittner: Yeah. All right. We'll have a link to that in the show notes. My story this week is a -- a little bit in the weeds here, but I think worth talking about. This is from the EFF -- the Electronic Frontier Foundation. They sent an amicus brief to the Ninth Circuit Court in response to a ruling that the court handed down which the EFF believes expands copyright. And what's going on here is Oracle, who I think we all know is a big software company, they came after another company called Rimini whose software was -- had an interoperability with Oracle's software. And Oracle said that this interoperability violated copyright, that Rimini's software's ability to function alongside of and intertwined with Oracle was too much, that without Oracle's permission or blessing this was copyright violation. The Ninth Circuit agreed with that. And --

Ben Yelin: A District Court agreed with that. Right? Not the Ninth Circuit.

Dave Bittner: I'm sorry -- yes, you are correct. Keep me straight. District court --

Ben Yelin: Legal [inaudible 00:17:54] end with a procedural --

Dave Bittner: No, no, no. Thank you. I -- I appreciate it. And so I guess what that means is that this is going to the Ninth Circuit because Rimini has appealed. Yes? That would be --

Ben Yelin: That is correct. Yeah.

Dave Bittner: All right. Thank you. So the EFF has chimed in here and they're saying that the District Court ruling was bad policy and bad law. They're saying that interoperability doesn't fall under this copyright problem and that the way the law defines this is that software needs to be of substantial similarity in order to be a violation of copyright. And what they're saying is basically Rimini didn't make something that is similar to Oracle's software. They made something that merely interops -- interops with it.

Ben Yelin: Is interoperable.

Dave Bittner: Thank you. Yes.

Ben Yelin: It's interoperable with?

Dave Bittner: Right. And what they're saying is that this is a -- a dangerous, unacceptable expansion of copyright and that it gives the bigger company -- in this case, Oracle -- too much control over how the users use their product, and too much control over what independent third party software developers would be able to do. So imagine, for example, if you're Adobe and you have Photoshop, and Photoshop has a plugin functionality. Right? What they're saying is that if Photo -- if Adobe were able to pick and choose who could make plugins and what those plugins would do, that that's not good for -- the users because they'll have less choice over the type of --

Ben Yelin: Stifles innovation.

Dave Bittner: Right. The things that interop -- basically, what they're saying is -- here -- the -- the top level software provider should not have ultimate say over how things interact with their software. Do -- do -- do -- do I have that right? Is my -- do -- do -- is my description of what's going on here adequate, Ben, from your point of view?

Ben Yelin: I think it's exactly right.

Dave Bittner: Okay.

Ben Yelin: And, I mean, this is a very widespread phenomenon. I mean, think of any tech platform, whether it's software or a social media site.

Dave Bittner: Yeah.

Ben Yelin: Everybody wants a piece of the action, so they create a plugin that is interoperable with that software or that site.

Dave Bittner: Right.

Ben Yelin: If that were deemed, as the District Court has said, to be a copyright infringement, a derivation, and only Facebook or Oracle got to choose which plugin could be interoperable with that site, that would really stifle a market of innovation in terms of making these sites better. Beyond that, it seems that, at least what EFF is alleging -- this is compelling to me -- is that this is a misapplication of a key precedent to the Ninth Circuit.

Dave Bittner: Hmm.

Ben Yelin: So there's this case called Micro Star. The plaintiff in that case, FormGen, had published a video game following the adventures of an action hero named -- this is incredible -- Duke Nukem.

Dave Bittner: Oh, yeah! Duke Nukem. Sure.

Ben Yelin: Yeah.

Dave Bittner: Everybody knows -- well, my generation knows and loves Duke Nukem.

Ben Yelin: I'm -- I'm a -- I guess I'm a little young for the Duke Nukem era.

Dave Bittner: You weren't around for the Duke Nukem era? Okay.

Ben Yelin: I'm just loving that that was the action hero's name.

Dave Bittner: Yeah.

Ben Yelin: So -- and this is all written in the EFF summary here. The game included a software tool that allowed players themselves to build new levels of the game and share them with others. Micro Star downloaded hundreds of those user-created files and sold them as a collection. And the District Court in that case said that this was a derivation. The key difference here is that the reason those user files were substantially similar is that they were basically sequels to the video game itself.

Dave Bittner: Hmm.

Ben Yelin: If the user files had told a different story with different characters, they wouldn't be derivative works. This was basically adding a level to the video games that didn't already exist, but it wasn't substantially changing or adding a new functionality to the video games.

Dave Bittner: Right.

Ben Yelin: I think that's a really important distinction.

Dave Bittner: Hmm.

Ben Yelin: And even EFF claims in that case that the District Court might not have been correct, that they might have been too restrictive of Micro Star in that case.

Dave Bittner: So they were saying that the copyright was being applied in -- for the sake of the legal argument, the copyright was being applied to the characters and story elements, not the underlying engine of the video game.

Ben Yelin: Exactly.

Dave Bittner: Okay.

Ben Yelin: And I think that's the key -- that's the key distinction with the case at bar here --

Dave Bittner: Okay.

Ben Yelin: -- is it has nothing to do with the creative works or the, you know, key defining features of Oracle's software. It's an add-on.

Dave Bittner: Mm-hmm.

Ben Yelin: It's a way to interface directly with the product. So, yeah, I mean, as a -- without getting into the nitty gritty of copyright law -- which I try to avoid in all of my everyday interactions --

Dave Bittner: Yeah.

Ben Yelin: -- I do think this would have bad public policy consequences if the District Court's decision were to stand, and I think that's why EFF is weighing in and just saying, you know, this would be bad for the industry and this would really hurt innovation and small companies that are trying to make big software better.

Dave Bittner: Yeah. I've thought for -- for quite a while now that copyright law here in the US needs a fresh look. In my mind, it has not at all kept up with the changes in technology. And that was before we had all this stuff with OpenAI and -- and generative, things like that. And I wonder if this might be the thing that causes there to be a fresh look at copyright law.

Ben Yelin: This is one of your big hobby horses -- this and the NTSB for cyber incidents.

Dave Bittner: Yeah, I know.

Ben Yelin: I wholeheartedly agree with it. I don't know if this is going to be a high profile enough case to be the catalyst, but it -- it might --

Dave Bittner: No, I don't think --

Ben Yelin: -- it might start the movement.

Dave Bittner: Yeah, I don't -- no, I don't -- I don't -- I'm not -- no, I -- I don't think that this would be a catalyst for that. I think -- I think it's going to have to be something bigger. I think bigger things are going to have to be at stake here. And what I wonder is this notion that -- the courts have said already -- like, it's early days. Right? And -- but the courts have already said that AI-generated things cannot be copyrighted. I think that's a very interesting thing to say.

Ben Yelin: It sure is.

Dave Bittner: Right? Like --

Ben Yelin: Yeah.

Dave Bittner: -- so if the AI thing can't be copyrighted, can my prompt be copyrighted? Can the things that are generated by -- or -- or that are the work of humans be copyrighted? So there's -- there's all these things that -- that haven't been determined yet, and as these things become more and more important for people who want to make money from them, I think we're going to see lobbying efforts and we -- we might have to take a closer look at these things. Now, as you always point out, great, come back to me in a decade.

Ben Yelin: Right. Yeah.

Dave Bittner: You know? 'Cause that's how these things tend to -- to churn through the system.

Ben Yelin: I'm excited to see what the Bittner Commission comes up with on revising copyright law.

Dave Bittner: Right. I'm gonna become -- what was his name? The guy who tilted at windmills -- Don Quixote -- about --

Ben Yelin: Yes.

Dave Bittner: -- copyright law. That will be my thing. They'll -- oh, here -- here he comes again. Aahh!

Ben Yelin: I do think, like, I know everybody laughs at blue-ribbon commissions, but this is really the perfect circumstance for it. With the fact that we're having these challenges of artificial intelligence, it's such a novel problem that maybe we do need to get a bunch of experts in the room to issue a high-profile public report --

Dave Bittner: Mm-hmm.

Ben Yelin: -- with recommendations. That's rarely a good solution, but this might be one instance where this would be a good solution.

Dave Bittner: Look, Ben, Mickey Mouse is in the public domain. I mean, crazy things can -- have -- have happened. Right?

Ben Yelin: I know!

Dave Bittner: Whoever thought?!

Ben Yelin: We could just create our own Mickey Mouse show and nobody could sue us.

Dave Bittner: As long as he's Steamboat Willie Mickey Mouse, the -- I noticed that -- you know the t-shirt company, Life is Good?

Ben Yelin: Yes.

Dave Bittner: Yeah. So they have started making Steamboat Willie Mickey Mouse t-shirts.

Ben Yelin: They do it because they can.

Dave Bittner: I know! And good for them.

Ben Yelin: Yeah.

Dave Bittner: Good for them! Yes! Yes. All right. Well, we will have a link to the EFF's brief here for you to check out. Of course, we would love to hear from you if there's something you'd like us to consider for the show. You can email us. It's Ben, I recently had the pleasure of speaking with Dakota Cary from SentinelLabs. And we're talking about -- interesting thing here. This is China's cyber-focused media campaign. You know, China is trying to have some influence here on the way that people consider the information they put out in the cybersecurity domain. Here's my conversation with Dakota Cary.

Dakota Cary: You know, I -- multiple times in the last couple of years have -- I've read reporting on information and reports that had come out of China's cybersecurity industry about US hacking operations. And each time I had read through these reports and then talked with other security professionals about them, they had been generally derided for their lack of technical content. And so I was then talking with peers and particularly a friend from a conference in 2022 at LABScon whose main argument was, effectively, that China had, you know, been complaining that its own university had been hacked. And this person's presentation was actually on China hacking into universities in the United States. And so their point was, you know, you -- you're hypocritical and, in addition to being hypocritical, you're not even actually providing the data behind your claims. And so, kind of running with, you know, their analysis and the way that they were having to deal with Chinese attacks on US institutions, I decided to say -- okay. What is behind China's push into this space? Is it novel? When -- when did it begin? Why are they doing this? And so the content of this report reflects my attempt to describe and demonstrate why China decided to proceed with this media campaign. What caused its behavior to change? And the way in which that campaign has or has not been successful.

Dave Bittner: Well, let's dig into some of the details here together. I mean, first of all, how would you describe the campaign itself?

Dakota Cary: China's campaign to promote the narrative that the US is the empire of hacking revolves around past leaks of US intelligence documents. Its claims are frequently, if not always, unsubstantiated by actual technical details that analysts have come to expect from western cybersecurity firms. And we have to take on face value the claims that Chinese cybersecurity companies and the government are making. And I say "and the government" because, since the 2021 joint statement from the US, the EU, and the UK about China's actions in cyberspace, the Chinese government, through its media institutions like Global Times, has consistently put out English-language press coverage of these reports from Chinese cybersecurity companies. And the push is very clear that they are trying to move this information into English-language documentation, make it widely accessible, and then promote that narrative to a global audience, even if the underlying technical details can't be verified.

Dave Bittner: And to what degree do they have success here? I mean, do -- do these reports get picked up and covered?

Dakota Cary: There are a number of instances where cybersecurity companies' reporting and, thus, you know, what the government says about US hacking operations gets picked up by foreign press. And I'm sympathetic to why these stories get picked up. This is, you know, the United States' largest near-peer competitor in international relations making allegations about US activity. And, in a lot of ways, it is newsworthy in and of itself that the Chinese government is lodging these allegations. Unfortunately, they are not substantiating those claims in the way that we have come to expect, particularly around cybersecurity.

Dave Bittner: To what degree are they substantiating the claims, if at all?

Dakota Cary: That's a good question. The allegations of hacking against Northwestern Polytechnical University in China that came out in the middle of 2022 are accompanied by what is ostensibly a technical validation of these claims. And the documents provided by the China Virus Emergency Response Center, which is a government agency of the PRC, includes dates that are partially blurred out, so you never know what year these events are occurring in. It may say, you know, November 1, two thousand and then the last two digits are cut off.

Dave Bittner: Hmm.

Dakota Cary: Or the IP address is only half included, so you'll get the first -- the first two decimals and then the last half of the IP address is cut off. And so the things that researchers could use to verify the claims by looking at their own tooling are not provided. And, particularly in the case of the allegations of hacking this particular university, you know, a lot of those dates were probably cut off to hide the fact that this campaign was likely more than a decade old --

Dave Bittner: Hmm.

Dakota Cary: -- at the time that China decided to publish this report.

Dave Bittner: Is their audience their allies? In other words, is that who they're looking for amplification here from? The folks that they can count on to -- for support to amplify this message?

Dakota Cary: It's a -- it's a good question. Propaganda has as many audiences as are receptive to it, and as many audiences as the government is trying to convince. So we look to countries that have close or are prox -- you know, in proximity to the PRC and their relationship with China. And using these publications kind of as a tool to bludgeon the United States in a relationship with those countries is a useful outcome in the same way that the US government will absolutely be highlighting the leaks from the Ministry of Public Security contractor, I-Soon, that happened earlier in 2024 in a way that -- that we will be using that to underline how the Chinese government is hacking into those governments and using that data for, you know, foreign espionage or transnational oppression of political dissidents. These reports kind of fit into a, kind of, a larger campaign that's going on between these two countries in order to persuade people about the merits of, you know, the -- the other person's arguments.

Dave Bittner: So one of the things that your research points here is -- is kind of the escalation and shift in strategy from the Chinese here. That -- that, you know, there are some things that kind of shifted in 2021. Can you highlight what exactly happened then?

Dakota Cary: Yeah. Absolutely. So before 2021, Chinese cybersecurity companies and the government only ever recycled -- leaked US intelligence documents or threat intelligence from another cybersecurity company. And so, in the report, you can see there's a timeline very clearly of Kaspersky or another company publishing about alleged US operations. And until 2021, the -- there are no publications from PRC cybersecurity companies that definitively attribute hacking operations to the United States. They only ever provide additional analysis of tools or backdoors that, sort of, had been leaked. And then in 2021, the US government, the EU, and the UK put out a joint statement saying that China has been behaving irresponsibly in cyberspace. The proximal cause for this is the abuse of four vulnerabilities in Microsoft Exchange servers in -- in 2021. And as these Chinese hacking teams -- it had previously been used by only a -- a small number of teams -- as these hacking teams find out that these vulnerabilities can be patched, they basically automate their exploitation of it and pass it off to a number of other teams. And so there is a dramatic spike in the abuse of these vulnerabilities against Microsoft Exchange servers before a patch becomes available for it. And it's this, like, automation and scaling that ultimately leaves these servers vulnerable to exploitation by both other Chinese groups and anyone else who is capable of finding the -- the web shells that have been left behind. That causes these governments to -- to kind of band together and call China out for its actions. And that joint statement really upsets the PRC. The Chinese government prefers to engage diplomatically with countries on a one-on-one basis. And that's because China sees itself as a self-described large country, and when it engages with smaller countries, it obviously has a significant bargaining and negotiating advantage over those countries in a one-on-one case. And so it is the combination of all of these countries coming together to call out China's behavior that causes Beijing to sit upright.

Dave Bittner: Hmm.

Dakota Cary: And it -- they suddenly realize the impact that western coverage of Chinese hacking operations has had on their global image. And after that 2021 statement is when the Chinese government starts to take action, trying to shape the global narrative around US hacking operations and to push the blame into the US court and -- and it rolls out this claim that the US is the empire of hacking.

Dave Bittner: It's really fascinating to me. I mean, in -- in, you know, my own experience with the coverage that we've done at the CyberWire, it's -- it seems as though -- and I'm going to exaggerate here for effect -- but, you know, the -- the US will say something, will highlight a piece of hacking or espionage that they feel is the responsibility of China, and the response from the Chinese Embassy will be to kind of point and say, "Neener, neener, no it was you." Or, you know, it's that sort of thing. I mean, and -- and it's -- it's predictable as -- as to almost be amusing. I guess what I wonder about is -- is the bar this low? Is -- is this a reflection of where we are in terms of international discourse where you can make these claims without substantial evidence and still have them, to a certain degree, be effective?

Dakota Cary: I think from China's perspective, the answer up until today has been yes.

Dave Bittner: Hmm.

Dakota Cary: And I think that the US and cybersecurity companies in Europe and the United States, Israel, and elsewhere have done a very good job at substantiating their claims of an attack, attribution of those attacks to particular groups and, thus, to particular governments. And it's actually become, you know, so professionalized that this information about which groups are -- are hacking which targets has become interoperable across cybersecurity companies. You know, we can say a threat actor's name and people at different companies can understand which cluster of activity we're talking about. And that's because there are technical indicators that all of those people have access to and they understand what they're referring to. And, unfortunately, the way that China is publishing these allegations and reports, that is not possible. We can't verify the claims that these companies in the PRC and that the -- the government of the PRC are producing. And that's -- it's unfortunate and it should be discounted when the Chinese government does make these claims. And, you know, part of the value of the timeline that I've put together in the report is showing that, after the 2021 statement, and China decides to go on the offensive, it doesn't have success immediately out the gate. In fact, the first handful of reports are not picked up by western press at all. It is just -- it is just publications that are getting kind of kicked around in the Chinese media space. And -- they respond to this lack of uptake. They try to tout reports at press conferences. The Ministry of Foreign Affairs spokesperson brings up a report that is two years old to try and talk about it.

Dave Bittner: Hmm.

Dakota Cary: And so they're pushing really hard and they find that actually what's missing is a victim. And that it is when an organization is identified as a victim that the allegations gain traction. And so that's how, in the middle of 2022, we get these allegations of hacking Northwestern Polytechnical University by the NSA is because China adds us in, and that's when coverage begins to pick up. And since then China has released a number of reports with victims, or alleged victim -- victims that are identified and still does not include the technical reporting. But what they've done is they've identified that thing that -- that's necessary to tell a good story, as it were.

Dave Bittner: Hmm.

Dakota Cary: And so they are -- they are altering and adjusting the reports to what will gain traction, and they are not at all adjusting the publication of the underlying technical details that would validate their claims.

Dave Bittner: And to be clear here, I mean, China has the technical capabilities so that if they chose to do so they -- they could include technical details.

Dakota Cary: I believe that they could include technical details for a number of threat actors if they so chose. I don't know the exact visibility that China has into any one particular actor's operations, but we do know that they make these publications of technical details for non-US threat actors. They are very happy to publish technical details of analysis of Blue Lotus operations which are thought to be associated with the Vietnamese government. So they're very happy to talk about and do talk about and track other -- other countries' behaviors in cyberspace. But when it comes to the US, they are not willing to publish that technical analysis.

Dave Bittner: What do you suppose this looks like in the long term? I mean, is -- is this a -- a strategy that China can stick with, or will this ultimately work against their interests?

Dakota Cary: Well, I -- I hope and -- and the intention behind this report was to draw attention to this issue by other analysts and people in the press to say that when -- the next time China makes a claim like this, as we know that they will, that it is met with an appropriate amount of scrutiny and that those claims are not echoed or published until there are supporting technical details provided that can validate what is being claimed. It is about raising the bar for reposting or republishing or considering the allegations that China is making. And I just think that that is an absolutely appropriate and necessary editorial standard in considering what it is the Chinese government says, because the Chinese government says a lot that is not true. And, you know, they continue to deny genocide against Uyghurs in Xinjiang and that has been validated time and again by countless sourcing -- UN Human Rights Council, etc. And so we let them get away with a lot more than we should. And the -- the point of this report is to say that they should stand on equal footing if they're going to make claims.

Dave Bittner: Ben, what do you think?

Ben Yelin: This is really fascinating. It's a lot I didn't really know about, and the contrasts with how the US and the UK and the EU talk about cyber incidents and the way it's reported on in the Chinese government.

Dave Bittner: Yeah.

Ben Yelin: The difference in terms of providing the tactical details. I mean, it's just something I -- I hadn't really learned much about. So I -- I thought it was just a really interesting conversation.

Dave Bittner: It's interesting to me, too, and kind of, I guess, I don't know, a statement on -- on where we are in the world today that the bar is so low when it comes to presenting your evidence.

Ben Yelin: Right.

Dave Bittner: Right? You can just say --

Ben Yelin: Say whatever you want. Nobody is going to stop you.

Dave Bittner: Right. Right. And that -- that being able to present your case without any evidence does not automatically result in you being mocked and dismissed.

Ben Yelin: Yeah. Laughed out of the proceeding. Yeah.

Dave Bittner: Right. That's where we are. All right. Well, our thanks to Dakota Cary from SentinelLabs for joining us. We do appreciate them taking the time. That is our show. We want to thank all of you for listening. N2K's strategic workforce intelligence optimizes the value of your biggest investment -- your people. We make you smarter about your team while making your team smarter. Learn more at Our Executive Producer is Jennifer Eiben. The show is edited by Tre Hester. Our Executive Editor is Peter Kilpe. I'm Dave Bittner.

Ben Yelin: And I'm Ben Yelin.

Dave Bittner: Thanks for listening.