U.S. mulls blocking Chinese hackers from Defcon event

U.S. officials are considering using visa restrictions to prevent Chinese hackers from attending popular summer hacker conferences in Las Vegas as part of a broad effort to curb Chinese cyber espionage, a senior administration official said on Saturday.

The official said the U.S. government could use such visa restrictions and other measures to keep Chinese nationals from attending the Def Con and Black Hat conferences in August to help maintain pressure on China after the United States this week charged five Chinese military officers with hacking into U.S. nuclear, metal and solar companies to steal trade secrets.

China has denied the charges, saying the U.S. grand jury indictment was "made up" and would damage trust between the two nations.

Organizers of the two conferences said they knew nothing about the efforts under consideration by Washington, but that they believed limiting participation from China was a bad idea.

Jeff Moss, founder of both the Def Con and Black Hat conferences posted his thoughts on Twitter late Saturday morning: "First I have heard of it, boarding flight to D.C. now. I don't think it helps build positive community. More later."

Chris Wysopal, a member of the Black Hat board that reviews presentations, said restricting access to that conference would have little impact because all talks are videotaped and sold.

"It seems symbolic to me," said Wysopal, chief technology officer of the software security firm Veracode.

Black Hat's website lists several speakers who may be Chinese nationals. An employee of the Chinese security software maker Qihoo 360 is due to present a technical talk on vulnerabilities in font scalers. Two researchers with the Chinese University of Hong Kong are scheduled to talk about a new approach for hacking social networks.

Def Con does not have any Chinese nationals on its speaker roster this year. It would be tough to prevent them from attending because the privacy-conscious organizers only accept cash, do not ask for IDs, and badges have no names on them.

U.S. agencies are weighing a range of options if China does not acknowledge and curb its corporate cyber espionage, said the official, who was not authorized to speak publicly.

"We've tried to have a constructive dialogue. The State Department and the Defense Department have traveled to China to share evidence of hacking by the (People's Liberation Army), but those types of interchanges have not sparked a lot of progress or reciprocity," said the official.

Monday's indictment was the first criminal hacking charge that the United States has filed against specific foreign officials, and follows a steady increase in public criticism and private confrontation, including at a summit last year between U.S. President Barack Obama and Chinese President Xi Jinping.

Dmitri Alperovitch, chief technology officer of Crowdstrike, a cybersecurity firm, welcomed the tougher U.S. stance, and said the next step was to go after the Chinese companies that received the stolen corporate data.

The U.S. indictments did not name the firms involved, but Crowdstrike had identified them as the State Nuclear Power Technology corp, Baosteel and Aluminum Corp of China, he said.

He said banning Chinese nationals from the conferences could be counter-productive because it would eliminate the possibility of arresting known hackers, or recruiting them for U.S. work.

Federal prosecutors said the suspects targeted companies including Alcoa Inc, Allegheny Technologies Inc, United States Steel Corp, Toshiba Corp unit Westinghouse Electric Co, the U.S. subsidiary of SolarWorld AG, and a steel workers' union.

The Wall Street Journal reported late on Friday that U.S. options could include releasing additional evidence about how the hackers conducted their alleged operations, and imposing other business and financial restrictions on those indicted or people or organizations associated with them.

Some FBI officials also advocated working with companies facing cyber attacks to feed bad data to hackers, which could complicate and slow Chinese espionage efforts, the Journal said.

The Def Con hacking convention, which every year draws more than 15,000 hackers, researchers, corporate security experts and others to Las Vegas, last year asked U.S. officials to stay away after former contractor Edward Snowden revealed details of extensive surveillance by the National Security Agency.

Reuters