An ambiguous FBI cyber alert raises more questions than it answers


Warning about malware aimed at U.S. business travelers abroad fails to provide critical information, including where the attacks have occurred.

A vague FBI warning about bad actors infecting U.S. computers in foreign hotels is raising questions about whether authorities are withholding information to avoid rattling relations with a foreign country, possibly China.

The bureau’s Internet Crime Complaint Center on May 8 issued an alert about pop-up messages “targeting travelers abroad” that prompt users to download an update for a “widely used software product” that then installs a virus when clicked. The warning does not say American vacationers are at risk -- just people conducting business. “The FBI recommends that all government, private industry and academic personnel who travel abroad take extra caution before updating software products on their hotel Internet connection,” the notice states.

One cybersecurity researcher suggested the FBI omitted certain details that could more effectively protect computer users, but such information might unsettle U.S.-China diplomacy. In October 2011, the Office of the Director of National Intelligence issued a report calling “Chinese actors” the “world's most active and persistent perpetrators of economic espionage.” The study added U.S. corporations and cybersecurity specialists have reported an onslaught of intrusions traced back to computer addresses in China, with some alleging Chinese government sponsorship, but the intelligence community has not been able to link many of the breaches to a state sponsor.

“By coincidence, earlier this week, for the first time in almost 10 years, a Chinese defense minister visited the United States,” Graham Cluley, senior technology consultant at antivirus firm Sophos, wrote in a May 10 post on the blog NakedSecurity. “The day before the FBI's warning was issued, U.S. Defense Secretary Leon Panetta met his Chinese counterpart, Liang Guanglie, in Washington D.C., and told the world's press that the two countries must work together to avoid cyber war and emphasized the importance of the relationship between China and the USA. Maybe there was more that the authorities could have said about this hotel malware threat, but thought it undiplomatic to publicize.”

The FBI release does not cite the brand of software that is involved in the scam or the countries where the incidents are occurring. Nor does it inform potential victims of what the “malicious software” does to a computer.

While the FBI alert does list steps for safeguarding computers, Cluley said some of them might not be widely understood, such as: “Checking the author or digital certificate of any prompted update to see if it corresponds to the software vendor may reveal an attempted attack.”

Other suggestions might not be possible, depending on a business traveler’s schedule: “The FBI also recommends that travelers perform software updates on laptops immediately before traveling.”

Late last week, Cluley told Nextgov he publicly blogged about the matter after noticing media reports of the “advice” were missing critical details about the threat.

“Without more information it's easy to feel like someone is telling you to be careful crossing the road whilst simultaneously putting a bag over your head,” Cluley, who is based in the United Kingdom, said in an email. “Only the FBI will know for certain why it hasn't shared more details . . . but if, say, the alert had warned that it was people who were traveling to China who were being affected, or that the malware was sending information back to Chinese servers, then people might view the FBI's warning as an indication the attacks were somehow supported or perpetrated by the Chinese authorities. And that wouldn't be something that they'd probably want to say while the Chinese defense chief is in town.”

He stressed that he has no direct knowledge of whether China is involved, a different country is to blame, or there is no government sponsor at all.

“All I know is the FBI's advisory is lacking lots of useful information. I find it very strange that the advisory doesn't give more examples of what people should look out for, the name of the malware, what the malware is trying to do, name some countries where this has occurred, etc.,” Cluley said.

FBI officials said in an interview that the alert stemmed from the bureau’s own continuing probe so it could not be as explicit as observations received by the Internet Crime Complaint Center, a partnership organization between the FBI and the nonprofit National White Collar Crime Center.

“The reason the FBI provided the warning information was to give the public a better understanding of the techniques that are being used to infect computers,” bureau spokeswoman Jenny Shearer said Friday. “I can’t provide you with name of specific countries . . . We don’t typically name names in that arena. Doing so could compromise the investigation.”

She said the FBI is not able to comment on foreign relations because diplomacy falls outside its jurisdiction.

“The way that the alert was crafted, it needed to be general” about the description of the commercially available product and other discoveries “because they are ongoing matters,” Shearer added.

Before the warning was issued, a senior Pentagon official on May 7 said the Defense Department had concerns about certain behaviors in the cyber realm that appear to originate in China. “One is the question of norms and another is the question of intrusions,” the official said. “These are all important issues that we need to be able to talk about with the Chinese.”

That day, during a joint press briefing with Panetta, Guanglie, China’s minister of defense, disputed the notion that cyberattacks against the United States emanate only from China. “I can hardly agree with the proposition that the cyberattacks directed to the United States are directly coming from China,” he said. “We cannot attribute all the cyberattacks to United States to China.”

Panetta stressed the criticality of joining forces to prevent cyber incidents from escalating into more serious conflicts.

“Because the United States and China have developed technological capabilities in this arena, it's extremely important that we work together to develop ways to avoid any miscalculation or misperception that could lead to crisis in this area,” he said. “And I appreciate the general's willingness to see if we can develop an approach to having exchanges in this arena in order to develop better cooperation when it comes to cyber.”