Between helping my clients and this guy, I've found myself with very little time for blogging lately. But what to make of today's story in the Washington Post about an attack on the computer system at the Bureau of Industry and Security? The first couple of grafs from WaPo read:
Hackers operating through Chinese Internet servers have launched a debilitating attack on the computer system of a sensitive Commerce Department bureau, forcing it to replace hundreds of workstations and block employees from regular use of the Internet for more than a month, Commerce officials said yesterday.
The attack targeted the computers of the Bureau of Industry and Security, which is responsible for controlling U.S. exports of commodities, software and technology having both commercial and military uses. The bureau has stepped up its activity in regulating trade with China in recent years as the United States increased its exports of such dual-use items to the growing Chinese market.
A few initial reactions:
- I'm no IT guru, but an attack on a level where BIS "cannot salvage the workstations that employees had been using and instead will build an entirely new system for the bureau" sounds like either an extraordinarily severe attack or a government being extremely cautious in pulling out its entire system root-and-branch. Or both.
- This could well explain the licensing and classification disruptions and delays I've heard lately from folks.
- It might also explain why the BIS IT group seems to have let some of its more routine duties (like STELA and Update registration) slide lately as they focus on countering the hackers.
- Maybe I'm splitting hairs here, but a Commerce spokesman's assurance that "We have no evidence that BIS data has been lost or compromised" does not necessarily exclude the possibility that exporters' data normally protected under the confidentiality provision of section 12(c) of the EAA has been disclosed. (Same thought goes for the nine laptops BIS lost over the past few years.)
- All this is a good reason to encrypt reports submitted to BIS whenever possible (i.e. those made semi-annually under License Exception ENC). Send the password separately or just tell Commerce to call you for it.
- Could this incident prove to be more grist for the mill of the China hawks? Watch for someone to claim that this was an attempt by the Chinese military to gain access to sensitive American technologies in anticipation of the rollout of the proposed China military end-use rule, thereby making this proposal all the more vital. My vote's for Dana Rohrabacher, but other nominations are welcome. (Even if this were the intent of the hackers -- far from obvious that it was -- wouldn't it make more sense to wait for the rule to go final, triggering a big jump in license applications with detailed technical attachments?)
UPDATE: Rebecca MacKinnon passes on a plausible explanation of a tactic which may have been used by the people who attacked the BIS network:
This fits with something I recently heard from somebody who has long worked in Washington's China policy circles. A number of his contacts in various U.S. government agencies have recently been receiving e-mails that appeared to be sent from his e-mail address, including cleverly-labeled attachments with titles indicating subject matter that he might actually be inclined to share or discuss with these people. Except that they weren't from him - whoever sent them was spoofing his address, and the attachments contained malicious software that would enable somebody to take remote control of the computer of whoever was unfortunate enough to open the attachment....
LATE UPDATE: Bruce Schneier has a useful reminder:
...I have no way of knowing if this information was breached or if that's what the hackers were after, but it is interesting. On the other hand, any crypto product that relied on this information being secret doesn't deserve to be on the market anyway.
Protection of exporters' data, huh? So maybe they can explain why, when you log into SNAP, your User ID and Password are clearly displayed in the URL in plain text? Seems to me that kind of data should be easy to obtain, and may even be collected by spyware, or other cookies tracking me around the net. Great.
Posted by: Export Boy | October 06, 2006 at 01:05 PM
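The credentials-in-the-URL problem the comment above describes is easy to confirm from the server side, because every such login lands in the web server's access log in plain text. The following is an added example (not from the original post, and not SNAP's code): it scans constructed access-log lines for login requests whose User ID and Password travel in the query string, and redacts the values so stored logs stop holding them. The parameter names in CREDENTIAL_PARAMS and the sample log lines are assumptions.

```python
"""Find and redact credentials carried in URL query strings.

Added example, not from the original post: a defender-side scan of web
access logs for login requests whose User ID and Password travel in the
URL, as the comment above describes for SNAP. Parameter names and log
lines are constructed; adjust CREDENTIAL_PARAMS to the application.
"""
import re
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Query-string keys that should never appear in a URL (assumed names).
CREDENTIAL_PARAMS = {"userid", "user", "username", "password", "passwd", "pwd"}

# Request field of a combined-format log line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')

def credential_params(target: str) -> list[str]:
    """Sorted credential-like parameter names found in a request target."""
    keys = {k.lower() for k in parse_qs(urlsplit(target).query, keep_blank_values=True)}
    return sorted(keys & CREDENTIAL_PARAMS)

def scan_log(lines: list[str]) -> list[tuple[int, str, list[str]]]:
    """Return (line number, path, offending params) for each leaking request."""
    findings = []
    for n, line in enumerate(lines, start=1):
        m = REQUEST_RE.search(line)
        if m and (params := credential_params(m.group("target"))):
            findings.append((n, urlsplit(m.group("target")).path, params))
    return findings

def redact_line(line: str) -> str:
    """Replace credential values in the logged URL so stored logs stay clean."""
    def _redact(m: re.Match) -> str:
        parts = urlsplit(m.group("target"))
        qs = parse_qs(parts.query, keep_blank_values=True)
        for key in qs:
            if key.lower() in CREDENTIAL_PARAMS:
                qs[key] = ["REDACTED"]
        target = urlunsplit(parts._replace(query=urlencode(qs, doseq=True)))
        return f'"{m.group("method")} {target} {m.group("proto")}"'
    return REQUEST_RE.sub(_redact, line)

# Constructed sample lines (not real SNAP traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [06/Oct/2006:13:05:01 -0400] "GET /snap/login?userid=exporter1&password=Secret123 HTTP/1.1" 302 0',
    '10.0.0.5 - - [06/Oct/2006:13:05:02 -0400] "GET /snap/license/list?page=2 HTTP/1.1" 200 4123',
    '10.0.0.9 - - [06/Oct/2006:13:06:10 -0400] "POST /snap/login HTTP/1.1" 302 0',
]
```

The real fix is to move the login to a POST body (and cookies for the session), as the third sample line shows; the scanner only tells you which endpoints still need it.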
Rebuilding the workstations is not severe, it is standard practice and often the least effort for the most certainty with regard to safety. For example, if the data is stored properly including system imaging and data backups then to rebuild a workstation is trivial and may take as little as a couple hours.
On the other hand, when a workstation is believed to be hacked it may be next to impossible to trust the OS again without an extensive and expensive amount of work to prove critical files have not been tampered with. The more sophisticated the attack, the harder to find every last trace of their handiwork and provide assurance. Thus a rebuild is usually the cheap and easy solution by comparison.
Posted by: Davi Ottenheimer | October 11, 2006 at 05:59 PM
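The "prove critical files have not been tampered with" work the comment above refers to is, in its simplest form, a baseline-and-verify check. The following is an added example (not from the original post or the comment): it hashes a constructed system tree, simulates tampering, and reports what changed. It also shows the limits the commenter has in mind: it only covers files recorded in the baseline, and it trusts the operating system that reads those files, so a compromised OS can lie to it.

```python
"""Baseline-and-verify check for critical files.

Added example, not from the original post or comment: the kind of
integrity check needed to show critical files were not tampered with.
Paths and contents are constructed in a temporary directory. The check
covers only files in the baseline and trusts the OS that reads them,
which is the commenter's reason for preferring a rebuild.
"""
import hashlib
import tempfile
from pathlib import Path

def build_manifest(root: Path) -> dict[str, str]:
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        manifest[path.relative_to(root).as_posix()] = digest
    return manifest

def verify(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare the tree against a baseline; report modified, added and missing files."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(set(current) - set(baseline)),
        "missing": sorted(set(baseline) - set(current)),
    }

def demo() -> dict[str, list[str]]:
    """Baseline a constructed tree, tamper with it, and return the verification report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "login").write_bytes(b"original login binary")
        (root / "etc").mkdir()
        (root / "etc" / "hosts").write_bytes(b"127.0.0.1 localhost\n")
        baseline = build_manifest(root)  # taken while the tree is trusted
        # Simulated tampering: altered binary, dropped file, removed config.
        (root / "bin" / "login").write_bytes(b"altered login binary")
        (root / "bin" / "implant.dll").write_bytes(b"constructed dropped file")
        (root / "etc" / "hosts").unlink()
        return verify(root, baseline)
```

The baseline has to be stored off the machine being checked; a manifest kept on the suspect host is as untrustworthy as the files it describes.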