20 September 2018

China may be copying Facebook to build an intelligence weapon

BY MORGAN WRIGHT

China’s social networking extends far beyond what the public sees. It’s what you don’t see that is a significant national security issue for the United States. While Chinese state-sponsored network intrusions have been going on for years, 2015 is a key time frame in the development of an intelligence-based version of Facebook. Some of the more notable reported data breaches in 2015 include the Office of Personnel and Management (OPM), Anthem Inc., Premera Blue Cross, United Airlines, Marriott, Hyatt, Hilton, Starwood Hotels and some lesser known names. The following year added recognizable names, like Yahoo (3 billion and 500 million records in separate events), LinkedIn and MySpace. In 2017 Equifax topped the list in notoriety.


Not every data breach listed was perpetrated by China, that we know of. But several were linked, including OPM, United Airlines and Anthem. Other breaches, likely committed by criminal groups, still supply critical information easily available on the dark web for purchase. A recent hack of Huazhu Group, China’s largest hotel chain, compromised up to 130 million people. This data was posted on a dark web site, with an offer to sell the 520 terabytes of data for about 8 bitcoin.

Underlying these stories is a very real concern about US national security and our ability to run intelligence operations in one of the most tightly controlled societies on earth. Since 2010, 18 to 20 U.S. sources have been killed or captured in one of the biggest blows to spying operations since Aldrich Ames and Robert Hanssen. What happened is still a mystery, according to intelligence sources.

What is not a mystery is China’s zeal to collect as many types of information as it can. China’s patience in collecting information is usually referred to as the “thousand grains of sand” approach. When enough grains of sand are collected, an information mosaic will appear. This mosaic has recently been accentuated by digital information. The picture it paints has become very alarming.

China has apparently taken a page from Mark Zuckerberg’s book on connecting people, places and events. Facebook works by linking users across a variety of factors including date, location, time, demographics, interests, events and relationships. China may now be doing the same thing with their pilfered data.

One can easily see how the OPM data is a treasure trove of dots waiting to be connected. As a victim of the breach as well, I have no doubt the details on my SF-86 (Standard Form 86) are in the hands of the Chinese security services. The SF-86 is a 136-page “Questionnaire for National Security Positions” designed to collect every intimate detail of your life so our government can decide whether they trust you or not.

All prior jobs, schools, relatives, friends, neighbors, passport information, places you’ve lived in the last ten years, military service, spouses and their family, and more. One section calls for the applicant to “Complete the following if the relative listed is your Mother, Father, Stepmother, Stepfather, Child (including adopted/foster), Stepchild, Brother, Sister, Stepbrother, Stepsister, Half-brother, Half-sister.” No stone unturned unfortunately provides multiple targets for contact, recruitment and tracking.

Imagine marrying that data up with flight log information. Now I can figure out where you’ve been, where you travel consistently, and who else (that’s connected to you à la ‘Facebook’) is going as well. That’s why United was such an inviting target. As the world’s third-largest airline, flying about 143 million passengers a year (with a lot of direct flights to China), and one of eight Government Services Administration (GSA) contract carriers for the federal government, it was a no-brainer for Chinese intelligence.

And, of course, if you fly somewhere you have to stay somewhere – quite likely in a Hilton, Hyatt, Marriott or Starwood Hotel. These weren’t the only targets, but their international presence makes them a logical target if one wants to track global travelers. With enough grains of sand, it becomes easier to see which people seem to be in the same place at the same time.

Once a ‘person of interest’ appears on the radar of the Chinese intelligence organs, the data from the SF-86, social media sites, airlines and hotels could connect the dots without actually having to know exactly where the target is. If they know where your family is (Mother, Father, Stepmother, Stepfather, etc.), they have a pretty good shot at knowing where you are.

China’s projects to collect facial recognition data on all their citizens (as I detailed in a previous column) are only the start of a global surveillance system underpinned by lessons learned from social media. The loss of 18 deeply-placed sources inside China was a tremendous setback for the United States. It was a massive wake-up call for China.

As a result, China has made it far more difficult for recruitment through the use of tactics like their ‘Social Credit’ system. It’s designed to monitor the actions and behaviors of its population, making it easier to see who isn’t conforming. Unlike the General Data Protection Regulation—GDPR—there is no opting out of this system.

Already, the price for non-conformity has caused one prominent actress to disappear. Fan Bingbing might not be a well-known name in the United States, but she has appeared in blockbuster franchises like “X-Men” and “Iron Man.” In China she is an A-lister with 62 million online followers. She hasn’t been seen since June.

If an A-list celebrity can disappear so easily, it doesn’t bode well for the common man… or for the men and women of our clandestine services seeking to penetrate the leadership of, arguably, our biggest adversary.

Morgan Wright is an expert on cybersecurity strategy, cyberterrorism, identity theft and privacy. He previously worked as a senior advisor in the U.S. State Department Antiterrorism Assistance Program and as senior law enforcement advisor for the 2012 Republican National Convention. Follow him on Twitter @morganwright_us.
