
American Security Council Foundation


China Could Be Exploiting Internet Security Process to Steal Data, Cyber Experts Warn

Tuesday, October 19, 2021

Categories: ASCF News Cyber Security


Source: https://www.theepochtimes.com/china-could-be-exploiting-internet-security-process-to-steal-data-cyber-experts-warn_4052641.html

A man using a computer in Dongguan, Guangdong Province, China, on Aug. 4, 2020. (Nicolas Asfouri/AFP via Getty Images)

To access data from unsuspecting users, the Chinese Communist Party (CCP) could be exploiting a universal authentication process that’s thought to be secure, but in reality may not be, cybersecurity experts have warned.

While encryption remains the preferred method to secure digital data and protect computers, in some cases, the very digital certificates used for authentication on the internet are allowing the Chinese regime to infiltrate various computer networks and wreak havoc, they said.

Bodies around the world, known as “certificate authorities” (CAs), issue digital certificates that verify a digital entity’s identity on the internet.

A digital certificate can be compared to a passport or a driver’s license, according to Andrew Jenkinson, CEO of cybersecurity firm Cybersec Innovation Partners (CIP) and author of the book “Stuxnet to Sunburst: 20 Years of Digital Exploitation and Cyberwarfare.”

“Without it, the person or device they are using cannot be according to industry standards, and vital data encryption could be bypassed, leaving what was assumed to be encrypted in plain text form,” Jenkinson told The Epoch Times.

Through cryptography, digital certificates are used to encrypt internal and external communications, which prevents a hacker, for example, from intercepting and stealing data. But invalid or “rogue certificates” can manipulate the entire encryption process, and as a result, “millions of users have been given a false sense of security,” Jenkinson said.

Layers of False Trust
Michael Duren, executive vice president of cybersecurity firm Global Cyber Risk LLC, said that digital certificates are typically issued by trusted CAs, and equal levels of trust are then passed on to intermediate providers. However, there are opportunities for a communist entity, a bad actor, or another untrustworthy entity to issue certificates to other “nefarious folks” that would appear to be trustworthy but aren’t, he said.

“When a certificate is issued from a trusted entity, it’s going to be trusted,” Duren said. “But what the issuer could actually be doing is passing that trust down to someone that shouldn’t be trusted.”

Duren said he would never trust a Chinese certificate authority for this reason, stating that he’s aware of a number of companies that have banned Chinese certificates because they’ve been issued to entities that can’t be trusted.

Jenkinson said that Chinese certificate authorities make up a small proportion of the overall sector, and the certificates they issue are typically confined to Chinese entities and products.

In 2015, certificates issued by the China Internet Network Information Center (CNNIC), the state-run agency that oversees China’s domain name registry, were called into question. Google and Mozilla banned CNNIC certificates upon learning of unauthorized digital certificates connected to several domains. Both internet firms objected to the CNNIC delegating its authority to issue certificates to an Egyptian company, which issued the unauthorized certificates.

According to Jenkinson, the CNNIC certificates were banned because “they had back doors in them.”

“A back door means [the Chinese certificate authority] could literally take over administration access and send data back to the mothership,” he said.

Since 2016, Mozilla, Google, Apple, and Microsoft have also banned the Chinese certificate authority WoSign and its subsidiary StartCom over unacceptable security practices.

Security Flaw
Despite these bans on Chinese digital certificates in recent years, the CCP hasn’t been deterred and is playing the long game, Jenkinson said.

He pointed to an alarming discovery made by his cybersecurity firm two years ago, affecting a multinational consulting company.

Typically, digital certificates are valid for a couple of years, depending on the certification authority, and renewal is required to keep them valid and the data they’re supposed to protect secure, he said.

“But in 2019, CIP discovered Chinese certificates that were in place for 999 years,” Jenkinson said.

His firm made this discovery when examining the laptops of a prominent global consulting company.

Jenkinson brought this security flaw to the firm’s attention and offered services to secure its computer and customer networks. But the company declined.

“Either they are incredibly complacent, or they are complicit,” he said, noting that the company’s clients include U.S. government entities.

This multi-billion-dollar company’s failure to remedy this issue means that hundreds of thousands of people could be exposed to Chinese infiltration via this firm’s lax security, Jenkinson said.

The firm is compromising its customers every time someone uses one of their laptops, he said. For example, companies or clients using the company’s services could be held to ransom, have their intellectual property stolen, or be the recipient of malicious code planted for later use.

This company is “in breach of every regulation of privacy known to man—and they just want to dismiss it,” the cybersecurity professional said, particularly pointing to the EU’s strict data protection laws.

And if this information were made public, the repercussions would be extensive, Jenkinson said.

“Imagine a waterhole attack or a drive-by attack, one where a cybercriminal can just sit there and easily gain access to capture data without even thinking about it or having to decrypt it—because it’s all in plain text [due to a rogue certificate or configuration error],” he said.

For such a large reputable company to choose to not protect their clients is “madness,” Jenkinson said.
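
A defender can check a set of certificates for the kind of abnormally long validity period described in this section. The following Go program is an added example, not code from the article or from CIP; the 398-day limit, the sample certificate names and the helper functions `makeCert` and `overlong` are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// maxValidity is an assumed policy limit, not a value from the article.
const maxValidity = 398 * 24 * time.Hour

// makeCert builds a constructed, self-signed sample certificate in memory.
func makeCert(cn string, from, to time.Time) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	t := &x509.Certificate{SerialNumber: big.NewInt(1),
		Subject: pkix.Name{CommonName: cn}, NotBefore: from, NotAfter: to}
	der, err := x509.CreateCertificate(rand.Reader, t, t, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// overlong returns the subject names of certificates valid for longer than limit.
// It compares timestamps rather than calling NotAfter.Sub(NotBefore), because a
// time.Duration tops out near 292 years and a 999-year span would saturate it.
func overlong(limit time.Duration, certs ...*x509.Certificate) []string {
	var flagged []string
	for _, c := range certs {
		if c.NotAfter.After(c.NotBefore.Add(limit)) {
			flagged = append(flagged, c.Subject.CommonName)
		}
	}
	return flagged
}

func main() {
	start := time.Date(2019, 1, 1, 0, 0, 0, 0, time.UTC)
	short, _ := makeCert("sample-1y.example", start, start.AddDate(1, 0, 0))
	long, _ := makeCert("sample-999y.example", start, start.AddDate(999, 0, 0))
	fmt.Println(overlong(maxValidity, short, long))
}
```

In practice the same `overlong` check would be run over certificates parsed from a machine's trust store or from an inventory export instead of the constructed samples.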

A ‘Slippery Slope’
Economic losses from cybercrimes are far from trending in the right direction, according to Jenkinson.

Global losses from cybercrime exceeded $1 trillion in 2020, according to a report from computer security company McAfee. In 2021, losses are expected to escalate to more than $6 trillion, research firm Cybersecurity Ventures said.

Jenkinson predicts that economic losses will exceed $10 trillion by 2025.

“This will impact every man, woman, and child,” he said. “The slippery slope we’re on, well, we’re greasing it ourselves.”

As a start to reversing this trend, “people should not be using CNNIC digital certificates,” Jenkinson said.

Duren of Global Cyber Risk agreed, saying, “Anything coming out of a state-controlled entity like communist China acting as a certificate authority should not be trusted.”

CAs need better controls and oversight, Jenkinson said. “Without this, nobody has any chance of knowing what digital certificates are being used, considering that a standard laptop contains hundreds of thousands of digital certificate instances.”

Jenkinson noted that Chinese computer products will predominantly use Chinese digital certificates. Therefore, users of such products should be aware that their security could be compromised as a result.
