Why I disagree with Scott Sumner on China

U.S. government investigators increasingly believe that Chinese state hackers were most likely responsible for the massive intrusion reported last month into Marriott’s Starwood chain hotel reservation system, a breach that exposed the private information and travel details of as many as 500 million people

Story here.  And:

Armed with a rich array of personal data, an intelligence agency can also tailor an approach to a person to see whether the individual can be recruited as a spy or blackmailed for information. The passport data, which is not often collected in data breaches, probably was a particularly valuable find for the hackers.

You will note that no one is trying to sell the data.  And this:

The report, citing two people briefed on the investigation, reported China had launched an intelligence-gathering campaign which included hacking into health insurance companies and hacking security clearance files of millions of people living in the U.S. The New York Times reported the hackers are believed to be employed by the Ministry of State Security, which is China’s spy agency. The paper noted that the revelation that China was behind the Marriott hack comes as the U.S. government is gearing up to launch actions against China’s trade that include indicting Chinese hackers that work for the government. The New York Times noted the Marriott hacking isn’t expected to be part of the indictments but does add a sense of urgency to the moves the White House was mulling.

The Trump administration is also planning on declassifying intelligence reports that show China had been trying to create a database of American executives and government officials that have security clearances, reported The New York Times.

I could go on.  I am genuinely unsure what are the economic costs of these mischievous activities, but would note simply that it is sometimes necessary to punch back.  The choice is not free trade vs. protectionism (I strongly suspect Scott and I agree on the economics of trade), but rather a partial return punch now vs. a worse situation much later on.


>You will note that no one is trying to sell the data.

Right. And you know this because.... you haven't seen an Ebay listing for it?

Note that this is a WaPo story, and therefore almost entirely fact-free, with crappy sentences like this:

>U.S. government investigators increasingly believe that Chinese state hackers were most likely responsible

"US government investigators," huh? Who the hell are they? WaPo clearly wants you to think FBI, but you should note that if it was the FBI, they would say FBI. There is absolutely no reason to think these people are anyone of consequence.

>"increasingly believe"

And what the hell does this mean? These irrelevant people thought there was a 5% chance, but now it's up to 7%? Again -- WaPo wants you to think that some news has occurred, and that some major development has taken place, or some major evidence has been found. But no, none of that is true.

>were most likely responsible

Jesus Christ. Turns out we're not even talking about who did this, but just those were "most likely" to have done this (and even worse, not done this, but "been responsible" for this). Mere probabilities is all that is being discussed here.

WaPo wants you to think that "the FBI is now pretty sure China did this" but absolutely nothing like that is factual. Only people like Tyler fall for this.

WaPo == unapologetic piece of shit Fake News.

DO you doubt that the Chinese government has a force of hackers breaking into computer systems all over the world to steal data classified and private??? If that is what you are trying to claim you really shouldn't accuse WaPo of being dishonest in the same post.

Sometimes anonymous "informants" in government agencies will only say things like "most likely responsible" simply because revealing how they know something would lead to exposing the informant.

China definitely has means, motive, and opportunity.

But attribution is difficult. There are strong incentives to peddle whichever threat is prominent, as any review of the WMD push will tell you.

It is also possible to mislead attribution. Any APT could make their attack look like any other APT if they wanted to. Once a tool is used, it is public (at least to the APTs who would monitor that) and can be re-used by other APTs.

I don't like the idea of sitting on our thumbs while China attacks the US, but just go with the things we already know they do, like pirate billions of our IP.

'Any APT could make their attack look like any other APT if they wanted to.'

Not precisely, but misdirection is certainly a part of how state actors work.

Chinese hackers huh? Got all that juicy SPG intel, an attack on SPG is an attack on American sovereignty! The millionth hack on Experian is minor compared with the important secrets SPG has.

Sounds like Chinese hackers are the new Russians. They are responsible for everything and you are stupid for believing otherwise.

Sounds like a shitty excuse from their IT and PR department considering the difficulty of attribution in hacking attacks.

"Government Investigators" also were very certain Saddam Hussein worked with Bin Laden and had WMDs.

These "unnamed government" official news leaks are proven ways to rile dumb neocons into dumb action, "we have to do SOMETHING!"

As we have seen with the Trump conspiracy theorists and MSM fails, all it takes is innuendo, "putting it out there," seeing if how long Trump denies being a Russian agent after an "unnamed government official" or online "National Security Expert" says so.
It's easy for elements of the MSM to publish such sensational headlines due to clickbait incentives. To walk back from being proved wrong is low cost considering the "fake news" is already baked in by the non-viewers. Those that are actually consuming these media really don't care if they issue a convoluted retraction (or any at all). And I always wonder if CNN is getting an artificial boost of viewership since many major US airports force it on everyone.

Am I wrong to guess that comments like these are paid for by a foreign government?

Probably - but then, apparently every comment anyone has ever disagreed with has been paid for by somebody.

If they are paid for by a foreign government, they likely are using some sort of AI to make them sound like they are coming from someone who grew up speaking English.

Let me guess: "Everyone that disagrees with me is a Russian troll!"

Eye on the ball, Tyler. It's the Russians, and if we don't do something soon the Cossacks will be razing the Upper West Side, just like they did with Anatevka.

Is TC a double Russian fake? Is this a false flag attack? He is married to a RUSSIAN after all...

And Scott Sumner is married to a China-woman!! Who is the Manchurian Candidate here ??

I know several women that claim to be Eskimos. But they look just like Chinese. Could it be that Alaska has been infiltrated by Chinese women in fur parkas?

"China had been trying to create a database of American executives and government officials that have security clearances"

Like the CIA did up through Obama but stopped on orders of Trump because 1) Obama did it, 2) Trump is smarter and knows more than the CIA ???

" Trump is smarter and knows more than the CIA ???"

Their industry being partly in my wheelhouse, and having worked with some of their people, my response is that's entirely plausible.

Siloed intelligence (as part of a capability) is part of their selection criteria certainly, but not as much as where they fall on scales of sociopathology.

People need to stop thinking of people in the intelligence community as smarter and start thinking of whether or not they are more effective...this also happens many times by mistake.

China had about four copies f my stuff already from a dozen other thefts, Yahoo, Equifax, DHS and so on. I use the black market to find out who I am.

Remember the hack of the security clearance data from OPM? They already have this info. I have clearance, and the data stolen from OPM includes every piece of personal identification info, job history, address history, list of friends and former roommates. This was at least 3 years ago.

And what did the feckless, incompetent, "scandal free" Obama administration do about it?

I'm sure there was a line drawn somewhere

Armed with a rich array of personal data, an intelligence agency can also tailor an approach to a person to see whether the individual can be recruited as a spy or blackmailed for information.

The best data would be the bar bill. Or maybe the record of the channels watched on the room television. But 500 million records? That's over twice the population of the US that can get an hotel room. I feel sorry for the Mandarins that have to comb through all that BS in order to find something that will impress the boss.

They have the computers, and even the raw manpower if necessary, to do it.

More likely it all goes into a big file and when they identify a target, this just lets them access another piece of the puzzle about their mark.

'That's over twice the population of the US that can get an hotel room. '

You do know that many non-Americans stay in hotels that are not in America, though the corporate owner of the hotel is American, right?

And you do know that the Chinese are likely at least as interested in data concerning other nations as they are in the U.S.

corporate owners

have no nationality

Our problem with China is that they have a productive base about equal to ours, 4x as many people, unknown future ambitions, and resentments derived from historical mythology. Very anxiety provoking.

" resentments derived from historical mythology. Very anxiety provoking."

Yikes----Trump Voters!

I don't know if I would really classify Chinese hacking and intelligence gathering operations as "IP theft". Aren't you kind of moving the goalposts here?

Marriott initially blamed Starwood IT. However it's clear that the data warehouse was hacked, which has been managed by Marriott since the merger. Marriott has been pushing the China narrative, it deflects blame even better, if it was a nation state that did it you really can't blame them, what chance did they have?

Even if the tools used in the hack bear similarity to those used in hacks in which China has been implicated, those tools may also be in use by non-nation state hackers -- especially as time has passed.

Moreover we do not even know that there was only intrusion by a single hacker! The truth is that Marriott has been less than forthcoming with customers and with the media about this, we're mostly reading between the lines of public statements that have been designed to deflect blame.

It's likely that the NSA knows more than we do at this point, but should we believe the conclusions that filter out of their bureaucracy which may be in service of myriad agendas?

There's too much uncertainty here for a reasonably intelligent layperson to support 'hitting back'.

Besides haven't we been hacking China even more than they've been hacking us already and for many years??

In regards to your last sentence, maybe.

But the intent matters here because it informs how a nation state uses the information.

A trumplike “well, we kill (or hack) people too” false moral equivalency is not particularly enlightening.

One country has a million Muslims in concentration camps and uses its surveillance apparatus to crush dissidents.

One doesn’t.

I agree, pretty much, below.

@Gary Leff - I think TC's analysis is sound, regardless of the facts, since he's not advocating publicly hacking China and telling them about it.

@Hmmm - I bet however if the USA had militant Muslims who wanted to break away from the American way of life and set up a caliphate, the American public would favor deportation or concentration camps, as they did with the JP-Americans in WWII.

Bonus trivia: they had concentration camps in WWII in south Texas, for Germans, Italians and Japanese-Americans, not just California. I visited one. It was called "Crystal City", not to be confused with "National Landing" in Virginia. And Fredericksburg, Texas! Not to be confused with Fredericksburg, Virginia.

"There's too much uncertainty here for a reasonably intelligent layperson to support 'hitting back'."

Okay, well there's also too much uncertainty here for a layperson to oppose it then, right? The people deciding whether to hit back have way more knowledge than we do.

"The settlement of the Czechoslovakian problem, which has now been achieved is, in my view, only the prelude to a larger settlement in which all Europe may find peace. This morning I had another talk with the German Chancellor, Herr Hitler, and here is the paper which bears his name upon it as well as mine. Some of you, perhaps, have already heard what it contains but I would just like to read it to you: ' ... We regard the agreement signed last night and the Anglo-German Naval Agreement as symbolic of the desire of our two peoples never to go to war with one another again'."


My good friends, for the second time in our history, a British Prime Minister has returned from Germany bringing peace with honour. I believe it is peace for our time. We thank you from the bottom of our hearts. Go home and get a nice quiet sleep."

@TR - there is a minority school of thought, some UK historians included, who think Chamberlain's temporizing with Hitler, his "wait and see" attitude was sound, and I tend to agree with them. Hindsight makes it look like Chamberlain was foolish but we're doing the same thing with Kim in North Korea today. Stalin also temporized with Hitler, but was outsmarted. And note Hitler did not stop invading other countries just because England came to the defense of Poland, so you can't really say drawing a line in the sand earlier than 1939 would have done anything to stop Germany.

I'm not saying I disagree with your primary point -- temporizing is often best policy -- but with regards to the last sentence there are captured historical documents that say otherwise.

England slept.

And Brazil had to shoulder the weight of defending Europe alone.

Not alone. We had allies and we value them. Here, Brazilian President Vargas and American President Roosevelt meet to devise a plan to liberate Europe from Hitler's forces.


Being facetious with Thag doesn't work as you have just seen.

Yes, are are doing the same with DPRK. Guess what. It's also a big failure. We needed to make clear 20 years ago that a DPRK with WMD was a dead state.

The cost of controlling that has now increased exponentially.

Dito for China.

Dito for Russia.

Yes, punching back is now required -- particularly now the a senior PLA officer has called for ramming any ships that refuse to accept China's silly claims in the South China Sea.

Scott Summer has TDS, and probably would prefer Xi's leadership to Trump's. I, on the other hand, have been upset with all presidents worse than Ike, which means all presidents since Ike.

I like Ike, too. President Capitain's Bolsonaro can be considered an Eisenhower Republican. He was in the Army, too.

I agree that it makes sense to "punch back". But here's some considerations:

Trump came into office with a set of ideas about using a trade war with China to address our trade deficit.

At some point, Trump and/or his advisers probably realized this would not work.

How likely is it that an across the board 25% tariff, that was wrongly expected to be able to reduce our trade deficit, would be the appropriate response for spying?

How do other countries respond to spying? As far as I know, the responses tend to be more targeted. I.e., arrests of the guilty parties (if possible). Expulsion of diplomats. The sale of arms to Taiwan. Embargo on certain sensitive tech exports. I've never seen a country respond to spying with an across the board 25% import tariff, which would also badly hurt the economy of the country imposing the tariff.

This seems like a solution in search of a problem.

And note that I am assuming the problem is as bad as advertised. Wasn't the recent Bloomberg story on Chinese spying (involving Apple products) recently discredited? I don't doubt there is Chinese spying, but am uncertain how much damage is done.

I have a feeling Tyler doesn't believe that a 25% tariff is the appropriate "punch back" in this, or any, case.

That said, we might start with simply not permitting China to dictate our public thoughts as a condition of trading with them. How about, for instance, our freely expressing our opinion that Taiwan, notwithstanding the "one China" policy (perhaps policy should be in quotes here), it is nevertheless a de facto sovereign state, now, and, without major change in China, for the foreseeable future. I'm sure it would infuriate the Chinese (i.e., the Chinese government principally, but also, sadly, many Chinese as well) if we just routinely said what we believed about it: to wit, that it is an authoritarian state where the people serve the government, rather than the other way round, which would be better for everyone.

Why not start there?

Speaking our mind is much preferable to a trade war.

Barking up the wrong tree there.

Sumner has explicitly stated his views on Taiwan. I suspect his wife is from the mainland, but that’s a completely unfair, biased, and shitty thing to say. So, with apologies to Scott, His views Summarized below:

Based on the one China policy, and the absurdity that the RoC officially claims mainland China as a matter of policy, the PRoC (communist china) is justified in its reciprocal claim to the island of Taiwan.

The fact that Taiwan is now a flourishing human rights based nation is not particularly relevant. Since Taiwan theoretically claims mainland China in a farcical attempt at delegitimizing communist China, the PRoC has a legitimate right to inflict severe violence on the population of Taiwan if said population were to declare independence from a government that runs concentration camps and runs peaceful democracy protesters over with tanks.

Scott categorically rejects the right of populations to secede from governments. Unless they’re of a different ethnicity.

Sure, China has literal concentration camps of Muslims whose population numbers over a million innocent people, the government crushes dissent with everything from indirect pressure tactics, “un-personing” dissidents, restricting free communication or even access to literal facts like Wikipedia pages, and of course imprisonment and murder of those who question the regime, but you see It’s morally equal. The vast majority of young people in Taiwan consider themselves Taiwanese and not Chinese. Traitors.

So if they decide to abandon the one China policy, then Scott agrees: with enough violence, they will come to heel. And that’s morally neutral.

Oh and he’s a libertarianish dude because throwing pot smokers in prison is bad. Potential mass murder and war against innocents is cool because like, they’re of the same race and stuff.

A brilliant man whom I admire, with severe moral shortcomings.

And don't forget, in Scott world, secessions don't make sense economically in terms of increasing GDP and profits to shareholders (unless it's capitalists or libertarians seceding from some less free market-oriented government), therefore there's no rational basis to do it. And on top of that, he can now claim on the basis of Tyler's "future persons" argument, that there in fact *is* a moral basis for avoiding things which reduce potential GDP growth, because think of the all the good that those future "citizens of the world" will derive after all the currently existing Taiwanese people who favor secession or resist integration are slaughtered?

Actually, you and Hmmm know nothing about my views on secession, and your description here is completely inaccurate. You may be confusing my description of the current state of international law, as accepted by most countries, and my personal views on secession, which are quite different. Better to stick to topics you know something about.

I can only base it off of your writings on the subject. I did not take your “no right to secede” as a one of your metaphors about bad law, akin to “no right to smoke marijuana”. Which you have made several times in your explanation to your readers about how illegality and immorality are not equivalent. Which I agree to.

But I will apologize immediately if you will simply acknowledge:

Taiwanese have the right to continue enjoying their sovereignty, under a government that respects human rights and is not currently throwing over a million ethnic minorities in literal concentration camps. They also have the right to engage in foreign policy, call themselves Taiwan, and declare their independence to the world.

Also, that the reason that they do not do this is the literal threat of a massive violent response akin to mass murder.

I never expected to disagree with a libertarianish person on Taiwan.

I have no idea what Scott Sumner's views on Brexit are, but thinking that Brexit is a bad idea and thinking that populations don't have a right to secede are two different things. The EU is not some sort of totalitarian dictatorship, it's a loose federation that establishes a common market and currency. Notwithstanding the fact that it's common market policies aren't perfect it's generally better to be in one than not. I'm pretty agnostic on the subject myself, but seceding from the EU because you are terrified of Syrian refugees is a pretty stupid reason. (I kind of suspect most of the UK's immigrant population is NOT attributable to EU membership anyway, but more likely British Commonwealth affiliations ).

Apologies if you weren't talk about Brexit at all. I was taking a wild stab at whatever you meant by not having the right to secede.

"it's a loose federation that establishes a common market and currency. "

That's how it started out, but since then it has morphed into an entity with large regulatory and taxation powers. The EU you describe was useful.

Just tive me a few warheads and I will show them an appropriate response to Red China.

There is no trade war, and there never was.

So we should make the perfect the enemy of the good?

The question is not so much will this "work" directly, but will the Xi and company see this an opening move or a sign that as long as Trump is in office they are have a free hand?

Signals only have real value if they have a real cost attached, if anything the fact that such a tariff would indeed hurt us raises its usefulness as a signal.

Because, rankly, all of the examples you cite have already been done by Trump and they do not appear to be credibly signalling to China that they need to change. He's authorized over a $1 billion in arms sales. As has every president since Carter. His administration has gone after two mid-profile spies since September; and I believe every president since Carter has prosecuted several. He destroyed ZTE through a technology embargo, which might actually be a first. But it also was not particularly harmful to the US.

The truth is China has not responded to the sanctions you seem to put stock into. And why should it? Is it short spies? Will expelling diplomats impact its standing in the world these days? Even technology bans seem unlikely to offer heavy inducement.

Signalling that China must stop certain behaviors can only be done through real sacrifices. Signals without cost are just noise and history shows will be ignored in the main. Maybe a 25% tariff is a bad idea, but if nothing else placing it and enduring the pain would show a much greater commitment than all the penny ante things we have been doing for literally decades.

Scott, pretty straight forward question.

Multiple sources across different countries estimate that 800k to 1m Uighur persons are detained in Concentration Camps, where up to 10% are dying due to wilful neglect by the CCP.

This is happening right now.

So say you are in the US in 1937, before Kristallnacht, but the German leadership made it clear it was going to do something terrible to Jews, what would you have liked the US administration to do?

Now, there are a 1m detained for simply being from a specific ethnic class, with indications they are rolling this program out to Christians and Protestants in the North East.

Is the answer in your rationale to always wait until its too late? Because it seems that way. Never punch back. Never make it clear that there is a line that cannot be crossed.

What is your red line? That is what everyone wants to know. If the camps start exterminations in the west, do you close off all access to US technical equipment to try and disrupt CCP rule?

@Rob - get off your high horse you hypocrite. Do you date or marry interracial like me and Sumner do? No. Do you have Muslim friends or know of some people that are fundamentalists, like I do? No. Do you live in a bubble, like I don't? Yes. And then you have the temerity as a keyboard warrior to preach to the Great Man himself? And that includes me? Pleeeze. Raise your game troll.

I nominate this for worst comment of the year.

Responding to a comment protesting literal, present-day concentration camps with accusations of being a troll... ok

Yeah I didn't see stating the now well documented concentration camp situation in Xinjiang as generating this response. That guy is not worthy of a response.

But for Scott, it is a genuine question to understand what kind of situation would have to evolve in China for him to consider a strong response. This is just out of curiosity. I have a lot of respect for Scott and have gone back and forth with him a few times during his time blogging on EconTalk about monetary policy. I am grateful to Scott in taking time to respond to questions when he gets them - I know he always engages honestly and fairly.

@Anonymous - good one troll! You and Bob deserve each other. I visited Tibet btw, and was told it was a garrison town, but found no evidence of this anymore so than Beijing (which also had solder forts all over the town). Get off your high-horse, anti-China $50/50 cent army trolls! Racists all. And China / Asia will rock your racist world when about 500M Asians show up in your neighborhood, fresh off the supertanker boat! Nuff said.


The accusation was hypocrisy, to which you responded with troll. Now about that hypocrisy.....

Surely the Chinese response to some amount of terrorism by some Uighurs is hugely, hugely disproportionate to the actual threat posed (as was the US response to 9/11). But if Rob is correct that the Chinese regime is starting to roll out the camps to Christians in China, that is quite ominous, because there are a hundred million or so Christians in China. I don't really see how it is hypocritical for people in the free world to be concerned about this. In living memory, the Chinese government took actions that directly led to the deaths of tens of millions of people. Now they have another ruler who is trying to destroy other centers of power within China who could oppose him. The rest of world should at least be formulating plans right now of what to do if the worst comes to pass, with the hope that they never need to employ those plans.

Also, on a side note, it would probably be a good idea for a number of countries to prepare to accept a lot of Chinese asylum seekers. It may be politically too tall of an order, but there are a lot of countries in Europe that would benefit economically from immigration, and the fact that the asylum seekers are Christian might help people feel more at ease in accepting them.

Absolutely agree on the asylum preparation. Australia has seen a c.300% increase in applications from China for political asylum this past year and can be accepting a lot more, particularly into a reasonably established Uighur migrant population.

Hopefully the worst doesn't come to pass.

The Uighurs could never take over China. Australia is a high bar but doable.

The point of accepting more Uyghers as asylum seekers would be mostly to figure out how help persecuted Chinese people more generally seek asylum in the West, given that Xi Jinping is giving every indication that his government will be actively seeking out people to make into enemies of the state (just look up his remarks on what communists need to learn from Stalin). So there are likely to be an awful lot of Chinese people persecuted by the government in the coming years, which (unfortunately) presents a golden opportunity to the rest of the world.

All of us here, including the more famous, are arguing from missing information.

The US Cyber Command is ten years old now, with predecessors older. We don't know what implicit or explicit rules they have developed with adversaries. We do know that the US has been up inside Iranian labs and the Russian troll factories. Where else?

As I've said, was surprised that Chinese government hackers did reported IP theft, but them doing simple theft-theft is even more of a head-scratcher.

You talk Trump and official responses, forget all that and think about what secret responses this begs.

Unless, all rules have broken down, we are already up in their stuff, and they are up in theirs.

(I used to think that our own security could be "good," before rowhammer. Now, I think no one is safe, including governments. Hacking has gotten too strange, almost magic.)

Wow, so the US Cyber Command is not even referenced in those articles?

A low standard of journalism, if you ask me.

"unless .. we are already up in their stuff, and they are up in *ours*"

FWIW, with a few minutes more thought, this looks like the logical deduction.

God you’re retarded. Or a Russian troll.

I’m comfortable in saying this:

You’re either a useful idiot with a degree in bullshit from a CSU, or you’re a foreigner trolling.

Let’s bet on this! You have all the cards. You can force me to pay 10-1.

I bet 10-1 odds you can’t submit your credentials to MR in a notarized document and be:

A graduate of any university that was selective, < 7%
Have a transcript that shows any real math at college level, maybe topology?
A SAT over 1500 pre change

You’re retarded and everyone should know it. Submit your information to the moderators and maybe we can take you seriously ?

We can both submit.

I have no idea why you went off there, other than just random instability ..

It is certainly not out of the mainstream to believe that the three remaining superpowers hack each other and others continuously.

Do you know what their agreed rules are?

And I guess because I have to explain the basics, I am making an argument based on game theory. It isn't about whether the Chinese share our values, it is about whether they can recognize very basic tit-for-tat response and escalation.

If they did target "as many as 500 million people" then why shouldn't we try to get into their billion person social value system?

Do they not care that we could? Or do they know that we have?

Dateline May 17, 2018

"All 133 of U.S. Cyber Command’s cyber mission force teams achieved full operational capability, Cybercom officials announced today.

Having Cybercom achieve full operational capability early is a testament to the commitment of the military services toward ensuring the nation’s cyber force is fully trained and equipped to defend the nation in cyberspace."

I post that with irony, but seriously - how Chinese hacking really *fits* depends on both the prior defensive and prior offensive actions of that command.

It's easier to assert the weaknesses of what one does not think, than to show the merits of what one does think. Therein lies The Great Stagnation, permanent 0% GDP growth due to zero-marginal product workers, etc.

At what point do we stop being shocked, panicked, and outraged by stories that are:

(1) Probably false, at least partially, and/or overblown, but may well be a complete fabrication.
(2) Peddled by known liars with well established private agendas.
(3) Describe activities that occur with some regularity.
(4) Described activities that we ourselves perpetrate on others.

A few questions from somebody not too well-versed in the world of IT security:
1. What is the burden of compliance, whether due to actual regulatory, or industry standards for security to protect against breaches like this (or at least create the illusion of protecting against them)? I imagine this must raise costs on some level, and that there will be services delayed or which go unoffered because they cannot afford to be compliant?
2. From the hackers' perspective, not being detected is maybe optimal, but is the "upside" to breaches being detected that, they essentially function as a sort of 'tax' on an industry (think the TSA after 9/11), in which they are forced to invest in higher security measures?
3. Given the comment that it's hard to measure the real economic impacts of a particular breach, and that repercussions to date seem to be light or non-existent (to my limited knowledge), will these sorts of interactions represent a new normal pattern of interaction between states? I assume that US intelligence likewise engages in this type of behavior?
4. Is the cost of not complying with security standards mostly a matter of consumer confidence/liability? For most consumers, data security is probably not foremost on their minds when conducting any single transaction, but may become leery of company x, rightly or wrongly after hearing about a breach, despite not really having a concept of how the beach harms them, beyond the obvious hassle of compromised credit card info, etc.

1. There are a lot of standards but lots of gaps.

a) Anyone doing work with the major credit cards are required to comply with PCI-DSS. The hard requirements here are very few. Most of it is making sure security procedures are in place but the procedures don't have to be very good. It's still better than what we had 20 years ago and is mostly aimed at stopping the worst practices. The standard is weak enough that anyone who cannot be PCI compliant honestly shouldn't be operating any servers let alone processing credit cards.
b) GDPR exists for any company with reach into Europe. This is relatively new and no one knows exactly how it will all shake out. (The US should eventually pass something like lots of parts of the GDPR, but let's let Europe be the guinea pigs for this one.)
c) Enough states have security breach disclosure laws that any American company is essentially ruled by them. You have to tell customers when their data has been breached which serves as notification.

2. The "tax" can work but requires that customers give a hoot. Note that Equifax's customers are the credit providers. You are not their customer. [You can technically buy credit reports from them but that is a side effect of their business, not their main business.] Even when customers are directly impacted, they often don't care enough to actually switch their business.

3. Dunno. The NSA's business statement is signals intelligence, so in a way they ought to be doing this, but we don't have much evidence of it. Directly attacking foreign civilians is a bit brazen so maybe not, but it would be naïve to assume the NSA just refuses because of that.

4. See #2. Getting dragged by or before Congress is the biggest worry but it didn't really seem to hurt Equifax. They are down about 20% in the stock market, but by normal rights this should have ended them so that's pretty minor.

There are precious few ramifications for lax security and hosting a breached database.

Consumers themselves dont feel it. The ramifications are usually delayed and diffuse if credit and basically impossible to prove who is at fault. If other data then the impact is generally invisible.

Everyone knows someone who’s had a disaster identity theft. Just as everyone knows someone who was screwed by a health insurance company company. In both cases the victims are diffuse and not organized.

As for equifax and their ilk, every breach is akin to the window repairman with a bag of rocks. This data and credit system structure is badly broken, the incentives are backwards and the consequences almost nil.

This is tangentially related, but good. Some time back, when talking about the the Chinese social rating system, I suggested that the free market might reach similar ends. To much booing.

Well, Amazon wants to connect doorbell cameras to facial recognition databases, with the ability to call the police if any “suspicious” people are detected.

ACLU link

Home security as a service?

That would be illegal on so many levels in Germany that it is hard to imagine explaining that to the feckless Amazon executive that would think introducing such a concept here would be a good idea.

But to use a now common German expression, the shitstorm would be fun to watch.

To be honest, I am split, home invasions are somewhat common in my girlfriend's neighborhood, and a surveillance state would probably reduce them.

Well, nobody in Germany ever argues that West Germany had less criminality than East Germany.

And as for home invasions? Basically never happens in a police state without official sanction, and plenty of surveillance to make sure that everybody seeing it happen behaves appropriately in the aftermath.

We don't know if it was done by China. What we know for sure is that the U.S. does not respect the privacy of no one, citizen or foreigner.

The problem with this analogy is that the Chinese don't punch. They grapple.

A very good boxer can beat a very good grappler, but a poor boxer who wildly and randomly throws punches will lose to a good grappler.

The only real end game of a grappler is submission, which China doesn't seem to be capable of at this point in time.

Boxers can do a lot of damage without achieving their goal of a knockout.

China may soon feel that they are in a standoff in which neither side can achieve ultimate victory, but that they are taking a lot more punched than they can tolerate.

My sincere guess is that it'd quite easy to get China, Russia, et al. to sign a cyber arms control treaty. They have a lot more to lose than the US, because of the sheer depth of the American tech industry and computer science academic community.

Of course this would never happen, because the US intelligence community loves its pervasive intrusion of privacy, both foreign and domestic. Why just think how many overpaid NSA contractors would be out of work.

You could apply that reasoning to the problems of poverty, ignorance and violence. They keep haranguing us without ever doing anything meaningful. They just want to tax us.

Harder than that.

Russia is former superpower where the powers that be gain much legitimacy and popularity through claims that they can obtain influence and power in excess of their now dwindled conventional military and economic productivity. Even if the US has more resources in absolute terms for cyber warfare, its a relative or comparative advantage for Russia.

China's a state that is desperately avoiding liberalisation in favour of a party controlled authoritarian society. To do this and keep their economic boom going, they believe they need massive ubiquitous surveillance and a panopticon society. Cyberwarfare regulation poses existential problems for the party if it presents limits there, as their interests and nationals extend abroad (Chinese power and economy being dependent on globalization and trade).

Proportionate or traditional responses allow the enemy to make calculations and look for cases where the expected response will be acceptable to their side. Otherwise very smart people repeatedly miss this basic point. You want crazy on your side.

500 million? It is a mind boggling notion that one hotel chain holds valuable information on 1/15 of the world's population. However the "valuable information" is mostly stuff that could have been looked up in a phonebook 40 years ago. Today we have the notion that if our true name is spoken out loud, demons will then have devastating power over us.

One assumes that it is 500 million records of those who stayed over 4 years, with many visitors having more than one record.

I think it's interesting that Israeli companies chose to go big into the worldwide market for communications metadata, such as who calls whom.

It would seem like useful data.

On a partially related topic, this article by Jeffery Sachs seems to be intentionally deceptive.


The opening sentence says "The arrest of Huawei chief financial officer Meng Wanzhou is a dangerous move by US President Donald Trump’s administration in its intensifying conflict with China." when it appears very clear than neither Trump nor his administration had anything to do with it.

Yes, it's worth throwing a few punches now.

One angle to the story that I don't see anyone covering is that the arrest of Meng Wanzhou seems to be a warning from some group within the US government (whether Trump was involved or not we don't know) directed at *US and Canadian executives.* The idea is to raise the risk of engagement with China to include their physical bodies, literally forcing them to have "skin in the game" in the trade war, because it seems obvious that dubious detention is going to be China's preferred retaliation against American and Canadian VIPs. Many people who have had business dealings with China for a while now have come to the conclusion that China is not sincere when it claims it is open for business; it is open to foreign companies so long as China has something yet to extract from their particular industry, such as Kawasaki, Bombardier, Alstom and Siemens trains over a decade ago. When China has what it needs, it closes the gate for foreign competitors in that industry, citing it "didn't understand the Chinese market" or some other excuse, and moves on to the next gullible industry to fleece. Made in China 2025 is just a grand version of this decades long strategy.

Once you believe the Chinese are pursuing a foreign corporate divide and conquer strategy, it's easy to extrapolate that there can be no productive engagement with China by single companies or individuals. It makes more sense to lump all of the US firms (maybe all Canadian and Western firms too) into a grand bargain to be struck between America and China. There is no use trying to win a public debate with intellectuals because the Scott Sumners and Jeff Sachs of the West will never view China as a civilizational adversary, rather than through their narrow lens of trade economics. So you do the rational thing which is to raise the stakes of the conflict so that the physical bodies of American VIPs are now fair game for China. This lowers the likelihood that Sundar Pichai and others will visit China or, more generally, even believe business with China is even a viable option on the table until the grand bargain is struck and the risk abates.

This seems obvious to me, how about you Tyler?

I will add the Canadians probably agreed to the arrest because it allows them to send a clear cut message to its VIPs and also Chinese Canadian community, which is: pick a side. Every Chinese immigrant knows China isn't above collective punishment against families or seizure of China-held assets, so consider severing your ties with China because they could compromise your loyalty to Canada.

There are only so many industries in the world that China can "fleece" like that, as you put it. Eventually they have fleeced them all, and every executive and every business school in the world teaches as conventional wisdom "China will fleece your company". So this is really a one time occurrence (happening over multiple decades). Eventually China has taken (whether by legal means or not) all the technology there is to take, but then after that China must rely on its own citizens and companies for innovation, while the rest of the world goes on with a rules based trade system that allows them to swap innovations.

And then China presumably takes those too. In your model why would China ever have to rely on its own companies for innovation?

There is a lot of know how that doesn't get written down. So a China that is closed off from the rest of the world, even if it can steal all the proprietary information in the world, is still at a competitive disadvantage to everyone else. Not to mention that eventually the rest of the world will retaliate against China if they continue with the same kind of industrial espionage.

We have to punch back before they start throwing babies out of incubators.

Poetry is no substitute for reasoning.

Comments for this post are closed