
Thursday, 02 January 2014

Who's Defending U.S. Military Networks if the NSA and FIS are Breaking Them?

According to Der Spiegel, the NSA has been developing tools to compromise software, hardware, and firmware made by multinational corporations in the U.S. and overseas. U.S. companies affected include Juniper Networks, Cisco, Dell, Western Digital, Seagate, Maxtor plus many others. Unless the company has offered to work with the NSA to create backdoors in their own products, you have a situation where the agency with the primary responsibility of defending U.S. Department of Defense networks from digital attack is also engaged in weakening the very technology used by the DOD on those networks, such as Juniper Networks firewalls, Cisco routers, Seagate hard drives, etc.

Perhaps this wouldn't be a problem if foreign intelligence services (FIS) didn't also have the technical capability of finding those same vulnerabilities or others. For example, Xidian University in Xi'an, Shaanxi, China is one of China's top engineering universities. Its State Key Laboratory of Integrated Services Networks conducts research for military-specific and dual-use systems including cryptography, offensive network attacks, and systems to be used in confrontational environments.

Here's another example taken from our database on adversary R&D research. The Chinese Academy of Sciences' State Key Lab of Information Security reports directly to the Ministry of Public Security, among other government agencies. In addition to their primary research area of information security, they develop network attack systems.

Russia has similar educational institutions which focus on information security and electronic warfare for the Ministry of Defense, the FSB, and other relevant agencies. One example is the Voronezh Military Radio-electronics Institute, which is part of the Voronezh Aviation Engineering School. Part of their information warfare research includes breaking the security of automated systems.

Since Dell, Cisco, Juniper, etc. build hardware, firmware, and software that's broadly used around the world and especially on U.S. government networks, it's only logical to conclude that those companies' products are being examined for exploitable vulnerabilities by Russian and Chinese scientists who are at least equal if not superior to those employed by the NSA. Let's remember that unlike the NSA, scientists at Russian and Chinese foreign research laboratories don't have to compete with their respective versions of a Silicon Valley for high paying tech jobs. They can attract and keep their nation's brightest scientists focused on these high priority government military and civilian projects.

Bottom line - if the NSA has found or developed backdoors in critical U.S. technology, so have our adversaries, and by "adversaries", I don't mean Mandiant's version of the bored PLA hacker with sloppy OPSEC. We need as an industry to have more respect for our opponents. And there needs to be a serious discussion about whether the NSA can really defend U.S. military networks while also engaged in exploiting weaknesses in the very technology that those networks rely upon.

UPDATE (JAN 02 2014): Bruce Schneier has begun posting one NSA exploit per day at his blog. The first one called DEITYBOUNCE exploits the motherboard on Dell PowerEdge servers.


Sunday, 20 October 2013

Huawei Claims Transparency But These Facts Say Otherwise

"(A)s the Deputy Chairman of the Board of Huawei and the Chairman of the Global Cyber Security Committee of Huawei, I would like to make our company’s position clear. We can confirm that we have never received any instructions or requests from any Government or their agencies to change our positions, policies, procedures, hardware, software or employment practices or anything else, other than suggestions to improve our end-to-end cyber security capability. We can confirm that we have never been asked to provide access to our technology, or provide any data or information on any citizen or organization to any Government, or their agencies.

"Huawei will continue our open and transparent approach and responsible position to its operations and everything we do."

- Ken Hu (Deputy Chairman of the Board of Huawei and Chairman of the Huawei Global Cyber Security Committee)

Mr. Hu wrote the above statement in a web posting which announced Huawei's Cyber Security white paper "Cyber Security Perspectives: Making Cyber Security a part of a Company's DNA" (October, 2013).

This PR campaign is clearly meant to take advantage of the Snowden leaks regarding NSA activities and data collection. Mr. Hu wants to paint a picture that Huawei, unlike the U.S. companies named as supporting legal NSA requests, has not received any such requests from the Chinese government.

That's disingenuous at best, and purposefully misleading at worst.

The government of China is one of Huawei's biggest customers; primarily the State-owned telecommunications companies - China Telecom, China Unicom, and China Mobile. Those companies engage in State-mandated monitoring of all telecommunications inside the PRC using in part Huawei's equipment. In fact, China's State Security Law requires that companies and individuals comply with any request for assistance by the MSS or other state security organs up to and including technological means of surveillance.

If the MSS hasn't asked Huawei to provide access, it's because Huawei has already built that access in so that China Telecom can do its job of lawful intercept. And that's not just for telecommunications services. The law was updated in 2010 to include Internet traffic.

Regardless of how Mr. Plummer, Mr. Purdy, Mr. Hu and other Huawei executives try to spin their company's dedication to transparency and security, they work for a company whose equipment is used to surveil the communications of a country of 1.3 billion people, including all of the foreign-owned companies which have offices in China. Their white paper doesn't talk about that, nor does it reveal how Huawei hardware supports MSS collection efforts.

That's not being transparent, gentlemen.

Tuesday, 15 October 2013

Who's Spear-Phishing the CEO of Mandiant?

According to this Foreign Policy article, someone spear-phished Kevin Mandia, CEO of the information security firm Mandiant, using one or more fake invoices from the company which provides his limo service. According to Mandia, the name of his limousine service has never been publicly announced, so the question is, how did the attacker know it?

One possibility according to Kevin Mandia is that Chinese foreign nationals have followed him to speaking engagements and observed which car service he used. Personally, I've never seen a limo with a billboard mounted to it or the name painted on the side. When I use Uber, for example, I'm given the license plate number of the driver so that I can tell which black town car is the one I'm waiting for. Usually limos and SUVs that belong to private transportation services are pretty discreet, unlike taxi cabs.

Another possibility is that someone is targeting CEOs at companies based in the MD/DC/VA metroplex with a spear phishing attack that assumes they use a particular high-end car service. There are probably not more than a few dozen reputable car services, if that.

Yet another possibility is that the attack came from a disgruntled former employee or competitor with inside knowledge of the Mandiant CEO's travel preferences. I've heard that thanks to Mandiant's rapid growth, it's been actively recruiting security engineers from other companies. That's probably left a bad taste in more than one person's mouth and this might be someone's idea of getting a small measure of revenge.

Or it could be that despite Mandiant's best efforts, an attacker was able to access inside information on the company's network and he sent the email just to stir the pot.

Mandiant's security team believes that they've identified the attacker as an "advanced hacking group back in China". Such groups focus on stealing intellectual property. China, like many states, is investing money in information security research and development. Would Mandiant's intellectual property match and/or accelerate China's own InfoSec R&D priorities? If so, that would be yet another explanation for this attack.

The bottom line is that no one is immune from a motivated attacker; not even a leading information security company.

UPDATE (10/15/13): A reader reminded me of this article which described a Chinese group engaged in espionage-as-a-service via a significant foothold in the travel and tourism industry.

Wednesday, 21 August 2013

Russian Institute Solicits Foreign Companies But Masks Ties with Russia's Defense Ministry

My company recently published a report which discovered that aerospace companies with joint ventures in Russia and China are hacked 2.4 times more often than those companies who don't. However, hacking a network is small potatoes when compared with the amount of intellectual property that is transferred in other ways.

One of the more surprising discoveries that we made while researching that report had to do with a Russian institute that was set up primarily to engage foreign companies with various types of assistance: the Research Institute of Mathematic Modeling and Intelligent Control Systems. This institute is a part of St. Petersburg State Polytechnical University's Institute of International Educational Programs. The website is in English and is not listed on SPSPU's Russian home page, so its entire focus is foreign-based.

It conducts applied research in the following areas:
  • Distributed industrial controllers networks for decentralized control of distributed objects and technological processes
  • Intelligent multi-agent based control of android robots and cooperative behavior of robots network
  • Numerical modeling of external and internal flows aimed at drag and noise reduction
  • Computation of vortical flows and wakes aimed at enhancement of safety in air and ground transportation
  • Numerical analysis of stress/strain distributions in the real world industrial objects, in particular for those working in the extreme conditions
  • Numerical non-linear analysis of visco-elasticity, contact interaction, large deformations
  • Seismic analysis, simulation of crash-tests, modeling of nucleation and propagation of damage
  • Computation of cooling of electronic devices, heating and air-conditioning systems
  • Development of graphic user interface to control virtual objects
  • Polygonal and NURBS-modeling
A few of the U.S. companies who work with RIMMICS include Boeing and GE. Foreign companies include EADS, Airbus, SAP, LG Electronics and Bombardier. I wonder how many of those companies know that RIMMICS also provides avionics services, among others, for the Russian Ministry of Defense, because it's not disclosed anywhere on the website.

More information on RIMMICS and other surprises that we've uncovered when investigating foreign vendors who service key U.S. enterprises will be disclosed at our upcoming Suits and Spooks luncheon at the Ritz Carlton Tysons Corner on Sept 10, 2013. Seats are extremely limited so register today. 


Sunday, 11 August 2013

High Speed. Low Drag: Attack Efficiencies against U.S. Aerospace Joint Ventures (REPORT)

My team and I have completed a report (High Speed. Low Drag: Attack Efficiencies against U.S. Aerospace Joint Ventures) on how much more vulnerable U.S. companies are to being hacked if they engage in joint ventures in Russia and China. Everyone's first response to that is probably - of course! However, our findings might surprise you.

Key Findings:

An aerospace company that has a joint venture in Russia and/or China is 2.4 times more likely to experience a cyber attack than a non-JV company.

Of the study’s control group of 12 aerospace companies that have joint ventures in China and Russia, 8 experienced a cyber attack (67%), including Alcoa, Boeing, General Electric, Honeywell, Pratt & Whitney, Rockwell Collins, Rolls Royce North America and Sikorsky. The other 4 aerospace companies, Eaton, Goodrich, Hamilton Sundstrand, and Parker Aerospace, have not publicly disclosed any cyber attacks.

Of the 21 aerospace companies in the study’s random group, only 6 reported or were claimed to have been the victim of a cyber attack (28%), including General Dynamics, Gulfstream, Lockheed Martin, Northrop Grumman, Orbital Sciences Corporation, and Raytheon.

U.S. companies engaged in joint ventures represent a profit center for international hacker groups.

This study shows that it is highly likely that the intellectual property owned by U.S. companies with Russian and Chinese JVs also represent high value targets for a variety of state and non-state actors worldwide.

It's unlikely that the Chinese or Russian government will utilize spear phishing or other low-level attacks against a U.S. company with a joint venture in their respective states when other superior means are available to them. 

While official and non-official sources frequently assign attribution to a state military or foreign intelligence organization rather than a mercenary hacker group, the host governments of joint venture companies do not need to craft spear phishing attacks against U.S. companies who operate within their borders, who are required to employ their citizens (who are technically PRC government employees), and whose communications networks are supervised and monitored by the State.


Wednesday, 31 July 2013

$6,000 Virtual Jewelry


Tuesday, 30 July 2013

Aviation companies twice as likely to be hacked if they do business in China

The COMAC C919 Passenger Jet
In anticipation of speaking at the AIAA conference in Los Angeles on August 12-14, I've been researching aviation companies with joint ventures in China and how many of them have reported being the victim of a cyber attack (successful or not). I identified 11 U.S. companies who were working with Chinese partners on the COMAC C919 aircraft, and of those 11, 7 (64%) have publicly acknowledged being the victim of a cyber attack at some point in the last few years. No aggressors were named, and some of the acknowledgments had to do with unsuccessful attempts only.

That percentage, in itself, didn't seem too surprising, so I decided to look at 11 more randomly selected U.S. aviation companies, and of those, only 3 (27%) publicly acknowledged being the victim of a cyber attack. However, after digging a little further, I learned that of those 3 companies, 2 (67%) also had joint ventures in China! Our sample suggests that aerospace companies who have joint ventures in China are being attacked more than twice as often as aerospace companies who don't have joint ventures in the PRC.

We aren't suggesting that China is behind the attacks. Rather, that technology which is valuable to China is also valuable to international hacker groups who believe that they can find a buyer for the stolen data.

As far as I know, this is the first study of its kind to demonstrate that a specific industrial sector (Aerospace) of high value to the Chinese government yields an increased risk of cyber attack to U.S. aerospace companies who are doing business in China. I'll be discussing the implications of this study during my presentation at the AIAA conference on August 12th and will be taking a deep dive into our research at a Suits and Spooks luncheon event in McLean, VA on Sept 10th. Our venue in McLean has limited seating so register early. 

Tuesday, 16 July 2013

Taking a Deep Dive into China's Cyber Threat Landscape

The cyber threat landscape is so much more complex than is commonly reported by the media, the government, and especially by information security vendors. China is no different. The goal of the Suits and Spooks conference in New York City is to begin the process of diagramming the most complete cyber threat landscape that has ever been done by bringing together 15 international authorities on different geographical regions to discuss and debate the issues.

One of our panels is "Cyber Attacks and China: Who Should Be Held Responsible", and includes:
  • Joel Brenner (moderator): former National Counterintelligence Executive at the Office of the Director of National Intelligence and former Senior Counsel at the NSA
  • Peiran Wang: Ph.D. candidate, The Center for Economic Law and Governance, Faculty of Law and Criminology, Vrije Universiteit Brussel 
  • Peter Mattis: Editor, Jamestown Foundation China Brief 
  • Mihoko Matsubara: Cybersecurity analyst at Hitachi Systems and Adjunct Fellow at Pacific CSIS
  • Tom Creedon: Chief Researcher, East Asia Cyber Threat Intelligence, Verisign-iDefense
  • Sheena Chestnut Greitens, Ph.D.: Fellow, Harvard’s Fairbank Center for Chinese Studies
  • Roel Schouwenberg: Sr. researcher, Kaspersky Labs' Global Research and Analysis Team
In addition to serving on this panel, each of the above panel members will be giving their own talks on related subjects. A full agenda for this two day event will be published soon. In the meantime, you may want to register for this unique and important conference before it sells out.

Thursday, 11 July 2013

Chinese and Russian Information Security and Aeronautics R&D Luncheon

Announcing the first Suits and Spooks Adversary R&D luncheon at the Ritz Carlton Tysons Corner in McLean, VA on Sept 10, 2013 from 11:30am – 1:30pm. A limited number of attendees will enjoy a delicious lunch and receive a briefing on Chinese and Russian R&D priorities in the areas of Information Security and Aerospace.

Focus and Methodology:

In order to fully understand today’s threat landscape, Taia Global created the world’s first database on adversary state R&D called Chimera. Taia’s researchers collected intelligence on fifty State Key Laboratories (SKLs) in China and ten research centers and institutes in the Russian Federation. These laboratories are top-tier R&D centers that receive funding from the private sector and government-sponsored entities, including the People’s Liberation Army and IT firms such as Huawei and ZTE in China, and the Federal Security Service in Russia. SKLs focus their R&D efforts on strategic research priorities as defined by the central government of the PRC. These priorities range from geosciences to molecular chemistry. However, Taia’s researchers focused their initial collection efforts on laboratories researching and developing Information and Telecommunications Systems and aerospace capabilities.
After collection and translation, the team categorized the data into broad research areas (space systems, quantum cryptography, microelectronics, etc.) before then addressing specific projects, such as ground-based satellite telemetry encryption platforms or field-programmable gate arrays. This type of categorization allowed Taia Global to effectively identify Chinese and Russian research on U.S. export controlled technologies and systems as defined by the International Traffic in Arms Regulations (ITAR) and the Export Administration Regulations (EAR).

Key Findings:

Chinese laboratories are centers of civil-military-corporate integration and nearly 40% of the labs are working on export-controlled technologies. A number of SKLs are working on classified military-specific R&D projects for the People’s Liberation Army. Not only do the SKLs work closely with the Chinese public and private sectors, they actively pursue joint-ventures and partnerships with foreign IT and aerospace companies.
Russian Federation institutes and research centers focus on civil and military developments and 50% of them are working on export-controlled technologies.

To Reserve Your Space

The luncheon and briefing will take place in the Plaza room of the Ritz Carlton Tysons Corner at 11:30am until 1:30pm. All attendees will receive a copy of the presentation along with recorded audio. Tickets are $128 and seating is limited to 48 people. Ensure your space by registering today.


Monday, 01 July 2013

My First-hand Experience with China's Most Successful Technology Transfer Campaign (better than hacking)

There's no doubt that China is on an aggressive technology acquisition track and has been for 20+ years. Way too much emphasis has been placed on the vacuuming of data from U.S. companies through targeted attacks (otherwise known by the marketing buzzword "APT"). That's actually a terribly inefficient way to conduct the scale of tech transfer that China needs and a lot of the data that gets scooped up has low value, which is partly why I believe that hacker groups from many different countries (including China) are the main instigators behind those attacks rather than the PLA or a Foreign Intelligence Service. Small scale hacker groups are like burglars breaking into peoples' houses. They take as much as they can carry and then try to fence the goods for whatever they can get.

The Chinese government has crafted a much more elegant, legal, and precise way to obtain the exact type of technology that they need. They offer tax incentives and access to the biggest market in the world to U.S. companies who open their Research and Development centers in China. To date, over 1200 companies have taken China up on that offer, including Boeing, Microsoft, Dell, Cisco, Intel, GE and many, many more. Part of the deal is that these U.S. companies must hire a percentage of Chinese engineers, who stay for a year or two, learn everything they can about the technology of interest, and then leave to work for a Chinese national champion firm or state-owned enterprise.

Here's a recap of my own first-hand experience with this process. As I've mentioned before, Taia Global has a product in development called Chimera. We are building the world's first and largest commercial database of adversary states' research and development priorities, focusing on technologies that are U.S. export-controlled. These represent the crème de la crème of targets for acts of industrial and cyber espionage. I've been searching for a data scientist with a background in document-matching. Being an ex-Microsoft employee, I started with the Microsoft Research website and learned that almost all of the researchers working on NLP and Search topics are at Microsoft Research Asia (in Beijing). I identified a couple of researchers in the precise field that I was looking for and sent email introductions to both. It turned out that both had left Microsoft Research and gone to work for Huawei's internal R&D lab.

The U.S. government, fueled by testimony from InfoSec industry experts, can complain about spear phishing, APT, and Chinese hackers day-in and day-out, but that won't begin to address the much more serious problem of how so many top U.S. firms willingly give their intellectual property away for the promise of cheap research costs and lucrative access to a massive Chinese market. What complaining about the Chinese government hacking U.S. corporations will do is keep the conversation in a politically advantageous zone and away from the political minefield of U.S. companies exporting their R&D overseas. If you're looking to blame someone for the estimated $300 billion in IP loss that the U.S. suffered last year, start by taking a hard, honest look at what U.S. companies are willing to risk in order to do business in China.

Related

"China Operates the World's Most Successful Honey Pot"

Wednesday, 26 June 2013

Note to U.S. Officials - Stop Whining over IP theft

Here's some unsolicited advice to pretty much everyone inside the Beltway. Please stop whining about China's hacking activities while rationalizing our own. No one else in the world has committed the scope or scale of cyber espionage that the NSA apparently has done against so many foreign states. No one else in the world has sabotaged another nation's uranium fuel enrichment facility. PRISM (and TIA before it) betrayed the same rights to privacy that China and Russia have done to their populations, using similar technology and for the exact same reasons (to protect themselves from terrorists and threats to their respective governments).

For you to say that all of the above is OK for us to do but at least we don't steal other companies' intellectual property is utterly ridiculous and makes a distinction without a difference. While the U.S. government may not be interested in stealing a Russian company's IP, that's probably because we don't have any state-owned businesses. After all, U.S. companies certainly steal from others and have for many years. If those same CEOs ran businesses owned by the U.S. government (like EDF in France), I guarantee you that the U.S. government would be as eager to engage in "technology transfer" as China is or like the French government is, etc.

Moralist pronouncements from nation states almost always come across as hypocritical, heavy-handed, and pompous because the business of running a country and protecting its people and its assets is not a moral mission; it's a pragmatic mission. The federal government does what's necessary to keep the U.S. in a superior position in the world - as it should. Instead of whining about China's or any other nation's acts of cyber espionage, just suck it up and focus on incentivizing private companies to create an information security framework that actually works. 

Monday, 10 June 2013

Identifying Aggressors in the Global Cyber Threatscape

Independent hacker groups and cyber militias who conduct network attacks complicate international relations between governments. President Obama, at the conclusion of his historic talks with President Xi Jinping last Friday, acknowledged that the "theft of business, financial and military information ... are not issues that are unique to the U.S.-China relationship. Those are issues that are of international concern. Oftentimes it’s nonstate actors who are engaging in these issues as well."

No nation state can be held responsible for all of the attacks emanating from their own IP addresses. Attribution remains a hard challenge, and the potential for serious miscalculations and misjudgments is high.

Since the landscape is foggy, the threat actors numerous and hard to identify, and the attacks proliferating on a daily basis, the focus of the next Suits and Spooks conference will be to identify non-state aggressors in cyberspace. About twenty speakers will present briefings over two days on hackers, citizen militias, and other non-state entities operating in the Middle East, China, Russia, Pakistan, India, Iran, Africa, South America, the United States (yes - we have non-gov threat actors domestically), and other parts of the world.

A partial list of our country experts includes:
  • Peter Mattis (Editor, Jamestown Foundation China Brief): China
  • Peiran Wang (Ph.D. candidate, The Center for Economic Law and Governance, Faculty of Law and Criminology, Vrije Universiteit Brussel): China
  • John Scott-Railton (Research Fellow at Citizen Lab, University of Toronto): Syria, Libya
  • A. Aaron Weisburd (Instructor, Combating Terrorism Center at West Point; Founder, Internet Haganah): Middle East
  • Sheena Chestnut Greitens, Ph.D. (Fellow, Harvard's Fairbank Center for Chinese Studies): North Korea
  • Jonathan Hutson (Communications Director - Satellite Sentinel Project and The Enough Project): Africa
The venue will be in New York City at SOHO House on October 5-6, 2013. Admission will be limited to no more than 80 people so register early. Lunch will be provided on both days. If you'd like to submit a proposal for a talk, please do so by July 15, 2013.

Companies interested in sponsorship options for this event can view our prospectus on Google Drive.
The SOHO House NY Library

Registration

Super Early Bird: (June 10 - July 10): $275
Early Bird (July 11 - Aug 31): $395
Standard (Sep 1 until sold out): $625


Monday, 03 June 2013

Open letter to President Obama on the eve of his Summit with President Xi

Dear President Obama,

I've spent the last five years working exclusively in the identification and cataloging of threat actors in cyberspace. I've participated in incident response investigations for some of the world's largest companies and have briefed both U.S. intelligence agencies and those of five foreign countries on the complexity of the cyber threat landscape as well as information warfare planning, research & development, and execution of strategy by both Russia and China. I host three highly regarded executive cyber security conferences each year, and my book Inside Cyber Warfare (in its 2nd edition) is used as a text by the U.S. Air Force Institute of Technology in its cyber warfare certification program.

While I'm enthusiastic about your upcoming meeting with President Xi on mutual cyber security concerns, I'm worried that the strong anti-China sentiment on the Hill and in print by the New York Times, Bloomberg and the Washington Post will have a polarizing effect on your talks. Much of the evidence being touted as pointing to China's acts of cyber espionage is a conflation of multi-state and non-state actors engaging with the same target companies that China is interested in. I personally know of Russian hackers who prefer to attack their targets in different countries via a compromised Chinese computer because there are so many of them and they're so easy to exploit.

While there is a propensity among government officials and infosec experts to blame China first for any attack involving U.S. intellectual property, they often do so without any hard evidence. Chinese IP addresses don't qualify as evidence anymore than U.S. IP addresses do. Open source hacker tools written by Chinese developers and posted on the Web for anyone to download and use cannot be considered evidence of Chinese government involvement. And President Xi will certainly make the same point. While there's no question that the Chinese government engages in cyber espionage, it is not the only nation that does so and it is certainly not solely responsible for the estimated $300 billion in stolen U.S. IP.

Rather than accusing China of something that cannot be proved, I believe that U.S. interests can best be served by cooperating with China on the identification and prosecution of non-state actors who operate in Chinese and U.S. IP space. Media stories and self-serving infosec reports to the contrary, not all Chinese hackers work for the PLA. There are many independent hackers in China, Ukraine, Russia, Romania, Bulgaria, Pakistan, Taiwan and other countries who make money stealing IP and selling it to whomever is willing to pay. Some of these same hackers may be involved in attacking Chinese government websites; particularly those in India, Tibet, and Taiwan. While conventional wisdom groups hackers into silos (Russians rob banks; Chinese steal IP; Iranians attack power companies), that's not a realistic nor fact-based portrayal of the international cyber threat landscape.

There are many ways that China is benefiting from U.S. technology transfer, such as their successful campaign to provide monetary incentives for U.S. multinationals to open R&D labs in Shanghai and Beijing (which now number over 1200). These labs employ Chinese engineers who learn U.S. technological secrets and then leave to work for Chinese companies, taking that proprietary knowledge with them. Those same employees have trusted access on their respective corporate intranets. There's no reason for the Chinese government to execute sloppy hacking operations against a U.S. company when that company has offices in Beijing or Shanghai. Access to their IP is a given.

If you and President Xi could reach an agreement to cooperate on reducing the activities of independent non-state actors that have attacked both the U.S. and Chinese businesses and government organizations, it would benefit the U.S. in the following ways:
  1. Chinese threat data is of great interest to U.S. law enforcement organizations.
  2. A reduction of non-state actors currently cluttering up the threat landscape would make it easier to identify state-run cyber espionage operations.
  3. The biggest threat to both Chinese and U.S. critical infrastructure is from non-state actors and, in the future, those may include terrorist groups. 
Mr. President, in my opinion, attempting to shame or threaten China over its hacking activities when the available evidence is so easily dismissed makes the U.S. look weak and ineffective. Enlisting China as an ally to identify and interdict the activities of independent threat actors would result in a win for both nations.

I hope this open letter finds its way to your desk and that it helps inform your strategy.

Warm Regards,

Mr. Jeffrey Carr
CEO, Taia Global, Inc.
Author, Inside Cyber Warfare
Founder, Suits and Spooks conference

Friday, 31 May 2013

Critique of IP Commission's Cyber Security Recommendations

The National Bureau of Asian Research published (and assisted in writing) "The IP Commission Report: The report of the Commission on the theft of American intellectual property" (.pdf). The Commission members along with its purposes are as follows:
  • Dennis C. Blair (co-chair), former Director of National Intelligence and Commander in Chief of the U.S. Pacific Command 
  • Jon M. Huntsman, Jr. (co-chair), former Ambassador to China, Governor of the state of Utah, and Deputy U.S. Trade Representative 
  • Craig R. Barrett, former Chairman and CEO of Intel Corporation 
  • Slade Gorton, former U.S. Senator from the state of Washington, Washington Attorney General, and member of the 9-11 Commission 
  • William J. Lynn III, CEO of DRS Technologies and former Deputy Secretary of Defense 
  • Deborah Wince-Smith, President and CEO of the Council on Competitiveness 
  • Michael K. Young, President of the University of Washington and former Deputy Under Secretary of State 
The three purposes of the Commission are to:
  • Document and assess the causes, scale, and other major dimensions of international intellectual property theft as they affect the United States 
  • Document and assess the role of China in international intellectual property theft 
  • Propose appropriate U.S. policy responses that would mitigate ongoing and future damage and obtain greater enforcement of intellectual property rights by China and other infringers 
IP and trade secret theft is a rapidly growing and very critical problem for U.S. companies. The IP Commission estimates the value of stolen IP from U.S. companies and government agencies at over $300 billion, which is about 75% of what the U.S. spends on R&D each year.

While the report takes a deep and heavily annotated dive into the scale and scope of this problem, chapters 13 and 14, which detail the Commission's cyber security recommendations, have absolutely no footnotes whatsoever. In other words, there's no way to know who provided the commission with some very risky and questionable cyber security advice. So I called them.

I was told by the person who took my call that the cyber security experts wanted to remain anonymous; however, she recommended that I speak with someone at the NBR. I sent a message via the NBR's information email account, read receipt requested, and watched it work its way up to Roy Kamphausen, who confirmed that they spoke with "a wide array of cyber experts" but didn't mention any names.

Unfortunately, while much of the report is quite good, the cyber security advice ranges from problematic to potentially damaging. Here's my critique of that content. I'd be happy to debate it with anyone that the Commission spoke with.
  1. Nowhere in this report is the critical importance of first identifying a company's critical data or "crown jewels" mentioned. It's a huge problem because most companies have no idea how to do this and the Commission never once mentions it.
  2. Locking down a person's computer with a booby-trapped file has questionable legality but even worse, may result in the threat actor coming back to take more aggressive action against the targeted company. Remember Saudi Aramco? SA had to replace 2,000 servers thanks to a Wiper virus that only half worked due to some amateur coding mistakes. Remember HBGary Federal when its CEO threatened to "out" some members of Anonymous? There is no more HBGary Federal but Anonymous is alive and well. 
  3. Recommending the passage of CISPA is both bad security advice and inserts a political agenda to an otherwise apolitical report.
  4. Threat-based deterrence is advocated for without being adequately defined. There are numerous ways that such a deterrence plan can have negative and unexpected consequences. And just like it's stupid to pick a fight with a stranger, it's never a sound strategy to threaten an unknown adversary who can operate anonymously and holds the advantage.
  5. Chapter 14 contains a back-handed recommendation to pursue three measures that constitute aggressive offensive action. The commissioners couched it in a bizarre manner by effectively saying that while we don't recommend these things at this time, if the situation doesn't improve, then they should be considered. The measures were for what's commonly called hacking-back, cutting funding to the World Health Organization, and raising tariffs on Chinese goods 150% higher than the amount of IP theft stolen by China. 
Considering how potentially bad if not operationally ludicrous some of these recommendations are, it's not surprising that none of the commission's cyber security experts wanted their names attached to the report. The topic of "active defense" or "hacking back" or "offense as defense" is an important one that needs broad discussion. In fact, I made it the focus of last February's Suits and Spooks DC conference and we'll address it again in La Jolla in two weeks. But it is rife with pitfalls and needs much more informed discussion and debate. The Commission really failed its audience in terms of the content of these last two chapters.

Thursday, 16 May 2013

The Focus Areas of 26 Chinese State Key Labs for Information Technology Research

This image is a tag cloud representing the Information Technology focus areas of 26 Chinese State Key Labs. It represents a fraction of the data that we're mining for our Chimera network defense product.

Know The Targets

Wednesday, 01 May 2013

DOD Using Chinese satellites underscores the need to negotiate a cyber strategy with China

On March 15, 2013 I wrote an article for Slate magazine ("The U.S. response to Chinese cyberespionage is going to backfire") wherein I said:
The anti-China sentiment on the Hill, in the Pentagon, and at the White House clashes with the pro-China business policies of major U.S. companies, including those with very active in-house security operation centers. Beijing surely knows about this disconnect—and that makes the U.S. strategy look weak or inferior.
That was underscored in a big way with yesterday's announcement via the Danger Room blog that the U.S. Department of Defense's need for satellite bandwidth is so great that they have no alternative but to buy satellite time from the China Satellite Communications company.

Leaving aside DOD's justification for it and the steps that they're taking to protect their data from Chinese collection, and also leaving aside the fact that DOD data WILL be collected despite the encryption and that Chinese researchers have compromised 5 of the world's top ten encryption algorithms, the key take-away here is my original point: that sinophobic cold war rhetoric coming from some information security firm officials, western media, and Congress while U.S. businesses and now the Pentagon NEED to work with China makes the U.S. look ridiculous and weak. As I wrote for Slate:
A better approach might be for the federal government to quietly encourage U.S. companies to take steps to harden their networks against low-level attacks (which will shrink the attack surface); identify, segregate, and monitor their crown jewels (which will make it harder for any adversary, including China, to steal them); and engage with China and Russia against a mutual enemy (mercenary hacker crews). This eliminates the rhetoric and focuses on collaboration—a requirement, since the U.S. is never going to make good on threats against the single biggest holder of U.S. debt and a vital market for U.S. multinationals.

Thursday, 28 March 2013

Rep. Wolf's Flawed Approach to Supply Chain Security


According to this article in today's Politico, Rep. Wolf has inserted language in a budget stopgap bill that is "meant to ensure Chinese companies certify their independence from official Beijing before they can sell their goods to the Commerce Department, among others, during the life of the continuing resolution." Furthermore, it excludes "American companies who do assembling in China".

This provision is stunning in terms of its utter uselessness as a cyber security measure. The problem that Rep. Wolf should be worried about is how easy U.S. companies who have offices in China can be compromised by the Chinese government in ways that go far beyond what is normally reported on by the press.

Yet another problem is how quickly U.S. companies open R&D labs in China which result in technology transfer and a rapid escalation of China's own technological innovation. As an example, I just tried to contact two Microsoft Asia researchers (both Chinese) whose work focused on a specific type of data analytics that my company is interested in. Both researchers had recently left Microsoft and are now continuing their research at Huawei. This revolving door happens all the time and represents just one small part of the vast threat landscape for U.S. companies and by extension the U.S. government that extends far beyond a spear phishing attack and the APT kill chain.

Not only is Rep. Wolf's language utterly useless from a security perspective, it's detrimental to U.S.-China relations which, like it or not, we depend on. We have the ability to handle this problem in a much smarter, more effective way if legislators would invite a broader base of experts in to testify and give guidance on this issue rather than the same anti-China cheerleaders time and again.

Wednesday, 27 March 2013

APT1, Shanghai Jiao Tong university, and Xenophobia

A few things have caught my attention recently which I'd like to share with you all in a somewhat abbreviated manner (meaning I'm swamped but this is important):

A Security Engineer's Forensic Review of Mandiant's APT1 report

Please read this security engineer's forensic review of the evidence contained in Mandiant's Appendix. He's discovered a lot more evidence which casts doubt on Mandiant's conclusions.

Shanghai Jiao Tong University's Collaboration with U.S. InfoSec Companies

Shanghai Jiao Tong University School of Information Security Engineering is just that - one of many Chinese universities that teaches information security. It is not a PLA school nor does it engage in hacking attacks. If it did, then I doubt that BreakingPoint Systems, a company that conducts "cyber warrior training" and does "cyber range deployments" for the U.S. government would have signed a "strategic cooperation agreement" with them.

Mandiant CSO Richard Bejtlich's view on Hiring Foreign Nationals

While I've disagreed often with Mandiant and Richard Bejtlich's views on China, I never heard him say anything remotely as awful as this quote from the Washington Examiner. I hope he was misquoted:
Bejtlich said he opposed placement of any foreign citizen of a suspect country like China in any sensitive government position.
"If you're considering them for a job at a national lab or a government agency, I think we're at the point now where it's recognized that's probably not a good idea," he said.
If that's an accurate quote, I can only hope that U.S. companies will ignore that incredibly poor advice. I think that most intelligent people in today's globalized economy have experienced working side by side with honest, talented, and skillful "foreigners" in many high technology settings including national labs and other environments. In fact, the U.S. would be hard-pressed to continue to innovate without them. The above quote is an example of xenophobia that's not far removed from McCarthyism and other witch-hunts and it has no place in the U.S. in 2013.

Monday, 11 March 2013

China Operates the World's Most Successful HoneyPot

The Chinese government has been on a focused mission to increase its technological development for many years. One of the best and most efficient ways that it has of doing this is by making it attractive for foreign high tech companies to open R&D centers in China. In 2000 there were about 100 foreign R&D labs in China. By 2007 there were 1200. Today, Shanghai alone has over 300. In fact, many of the same companies that believe that China is responsible for the vast majority of APT attacks have helpfully delivered some of their own "crown jewels" (i.e., their R&D) inside China's borders including GE, Dell, Microsoft, HP, Intel, Boeing, and EADS to name just a few:
"General Electric Co. plans to invest more than $2 billion in China in technology and financial service ventures and research, adding 1,000 jobs in a country Chief Executive Officer Jeffrey Immelt is targeting for growth. (source)"
UPDATE 30 March 2013: General Electric Co's (NYSE: GE) healthcare unit, the world's biggest maker of medical imaging machines, plans to double its production capacity in China in the years through 2015, GE Healthcare Greater China CEO Duan Xiaoyin told Yicai.com (source via paid subscription).
"The Chicago-based aerospace giant (Boeing) recently partnered with Commercial Aircraft Corporation of China -- or Comac -- to invest in a research project aimed at energy conservation and fuel reduction. (source)" 
"Dell will likely spend $250 billion in China on procurement and other investments over the next 10 years as it expands in the world's No 2 personal computer (PC) market, the head of its China operations said on Tuesday. (source)"
"Intel Corp. INTC -0.63%  said Tuesday it will form a joint innovation center with Chinese internet giant Tencent Holdings Ltd. (0700.HK) that will focus on developing new mobile computing products. (source)" 
"Hewlett-Packard (HPQ.NYSE) is tapping into China's engineering talent to develop global storage and networking products, as the computer maker prepares to open a research center in Beijing, Bloomberg reported. HP's CEO Leo Apotheker said the company wants to utilize China's R&D capabilities as it seeks to boost sales in other emerging markets. (source)" 
And this is just a tiny sampling. If you're wondering why companies are so willing to open research centers in China, it's because the Chinese government is making them an offer that's hard to refuse.
  • A 50 percent R&D "super deduction" in addition to the actual expense deduction for R&D spending. So if a company spends 10 million yuan ($1.6 million; 1.26 million euros) on eligible R&D it will receive a net benefit of 1.25 million yuan (12.5 percent benefit for every eligible cost);
  • A preferential corporate income tax rate of 15 percent (the standard rate is 25 percent) for companies recognized as a High New Technology Enterprise;
  • A preferential corporate income tax rate of 15 percent for companies recognized as an Advanced Technology Service Enterprise, with qualified incomes exempt from business tax;
  • Exemption from import customs duty and value-added tax on qualified R&D equipment imported by R&D centers.
Here are the industrial sectors that qualify for the above incentives:
  • New techniques or methodologies to extract minerals from complex ore bodies.
  • Improvements to water use and irrigation technologies.
  • Development of innovative functionality and improved approaches to solving software problems.
  • Application of engineering principles, previously developed in the aerospace industry, in, for example, the automotive industry.
  • Computer-aided engineering and simulation software developed as part of a larger R&D project in any industry.
  • Development of new processes and technologies to minimize adverse environmental impacts across all industries.
  • Development of new compounds with improved therapeutic properties.
  • Development of non-destructive testing techniques to analyze material fatigue with pharmaceutical products.
  • Application of off-the-shelf software products in new and previously unproven ways.

Who Needs APT?

Basically China has successfully created the world's largest honeypot for acquiring foreign trade secrets and intellectual property. It's so successful at it that even companies who know better like GE (close ties with Mandiant), Dell (owns SecureWorks), and HP (owns McAfee Fortify) are still running R&D labs there. 

Legal Technology Transfer

Foreign companies who open offices in China hire Chinese engineers and other skilled employees who learn and work on their technologies and then take that knowledge with them when they leave to work at Chinese firms after a year or two. Additionally, these foreign companies must use China's telecommunications infrastructure for all of their communications (satellite, VoIP, landline, mobile, etc.), which means that all of their confidential communications traffic is subject to collection and monitoring under Chinese law. So while China certainly engages in other espionage-related activities, that isn't its only means or even its best means to acquire high technology secrets.

If Not China, Who?

There are many other nations who want the same technology that China wants but who don't have the same drawing power in terms of population density or cheap engineering labor to attract foreign R&D investment. For those countries, cyber espionage is a much more important option and one for which resources are available (i.e., indigenous hacker populations and freely available Chinese-made hacking tools). If companies really want to know who may be targeting their trade secrets, then they should demand to know how incident responders and/or Law Enforcement Organizations are distinguishing between the activities of different nation states; all of whom want to accelerate their technological development by raiding U.S. companies' networks.

Tuesday, 05 March 2013

Deputy Prime Minister of Russia is worried about backdoors in Western tech

In the course of writing this month's S&TI Flash Traffic report for our subscribers, I came across this interesting article which demonstrates that the U.S. isn't the only country worried about supply chain security.

I had one of our Russian-speaking contractors translate it for inclusion into our report. Here's the English version:
February 23rd – Finmarket – The first breakthrough in technologies that will be produced by the fund of advanced research will appear by the end of this year, declared deputy prime-minister Dmitry Rogozin. "I think that by the end of even this year we will have one or two new ideas, which will facilitate breakthrough decisions for our science of warfare," said Dmitry Rogozin at the celebratory event hosted on February 23rd in the Technology Museum. In his opinion, before the fund starts its work a few months for organizational procedures will be needed. "We will then acquire unique innovations, among others student auditoriums and institute flexible testing stations, all of which will exist in 5-7 years, no more," said Rogozin. Altogether, he mentioned, the fund will be powered by academic science centers, and the results of its work will be used by lead institutes of domestic industry.
In addition, appearing before members of the patriotic organization which gathered from the regions, Rogozin asserted that Russia is obligated to carefully use foreign micro-electronics and software, and better overall to develop their own technology. "Actually, cyber security in the West is understood as bookmarks in chips and software, supplied to different countries, bookmarks which activate at a defined moment," said Rogozin. "If Russia can't produce a quality electronic-component base and supply their own satellites, buying microelectronics abroad, it's impossible to be exactly sure how these satellites will react at hour 'X'," mentioned the deputy prime minister. "Who are they, and who will they transfer to? And will they work for us, or will they be worked into another group?" questioned Rogozin.
The Fund of Advanced Research is Russia's newly created version of the U.S. Defense Advanced Research Projects Agency (DARPA). This article demonstrates the Russian government's concern over supply chain security when it comes to their reliance upon foreign-made microchips and software. Ironically, while U.S. companies make these products, we often don't make them in the U.S. but in China; hence we have the same problem that Russia does.