High Speed. Low Drag: Attack Efficiencies against U.S. Aerospace Joint Ventures (REPORT)

My team and I have completed a report (High Speed. Low Drag: Attack Efficiencies against U.S. Aerospace Joint Ventures) on how much more vulnerable U.S. companies are to being hacked if they engage in joint ventures in Russia and China. Everyone's first response to that is probably - of course! However, our findings might surprise you.

Key Findings:

An aerospace company that has a joint venture in Russia and/or China is 2.4 times more likely to experience a cyber attack than a non-JV company.

Of the study’s control group of 12 aerospace companies that have joint ventures in China and Russia, 8 experienced a cyber attack (67%), including Alcoa, Boeing, General Electric, Honeywell, Pratt & Whitney, Rockwell Collins, Rolls Royce North America and Sikorsky. The other 4 aerospace companies, Eaton, Goodrich, Hamilton Sundstrand, and Parker Aerospace, have not publicly disclosed any cyber attacks.

Of the 21 aerospace companies in the study’s random group, only 6 reported or were claimed to have been the victim of a cyber attack (28%), including General Dynamics, Gulfstream, Lockheed Martin, Northrup Grumman, Orbital Sciences Corporation, and Raytheon.

U.S. companies engaged in joint ventures represent a profit
center for international hacker groups.

This study shows that it is highly likely that the intellectual property owned by U.S. companies with Russian and Chinese JVs also represent high value targets for a variety of state and non-state actors worldwide.

It's unlikely that the Chinese or Russian government will utilize spear phishing or other low-level attacks against a U.S. company with a joint venture in their respective states when other superior means are available to them. 

While official and non-official sources frequently assign attribution to a state military or foreign intelligence organization rather than a mercenary hacker group, the host governments of joint venture companies do not need to craft spear phishing attacks against U.S. companies who operate within their borders; who are required to employ their citizens who are technically PRC government employees; and whose communications networks are supervised and monitored by the State.

Download the full report here

Add to Cart View detail

My First-hand Experience with China's Most Successful Technology Transfer Campaign (better than hacking)

There's no doubt that China is on an aggressive technology acquisition track and has been for 20+ years. Way too much emphasis has been placed on the vacuuming of data from U.S. companies through targeted attacks (otherwise known by the marketing buzzword "APT"). That's actually a terribly inefficient way to conduct the scale of tech transfer that China needs and a lot of the data that gets scooped up has low value, which is partly why I believe that hacker groups from many different countries (including China) are the main instigators behind those attacks rather than the PLA or a Foreign Intelligence Service. Small scale hacker groups are like burglars breaking into peoples' houses. They take as much as they can carry and then try to fence the goods for whatever they can get.

The Chinese government has crafted a much more elegant, legal, and precise way to obtain the exact type of technology that they need. They offer tax incentives and access to the biggest market in the world to U.S. companies who open their Research and Development centers in China. To date, over 1200 companies have taken China up on that offer including Boeing, Microsoft, Dell, Cisco, Intel, GE and many, many more. Part of the deal is that these U.S. companies must hire a percentage of Chinese engineers, who stay for a year or two; learn everything they can about the technology of interest, and then leave to work for a Chinese national champion firm or state-owned enterprise.

Here's a recap of my own first-hand experience with this process. As I've mentioned before, Taia Global has a product in development called Chimera. We are building the world's first and largest commercial database of adversary states' research and development priorities, focusing on technologies that are U.S. export-controlled. These represent the creme de la creme of targets for acts of industrial and cyber espionage. I've been searching for a data scientist with a background in document-matching. Being an ex-Microsoft employee, I started with the Microsoft Research website and learned that almost all of the researchers working on NLP and Search topics are at Microsoft Asia (in Beijing). I identified a couple of researchers in the precise field that I was looking for and sent email introductions to both. It turned out that both had left Microsoft Research and went to work for Huawei's internal R&D lab.

The U.S. government fueled by testimony from InfoSec industry experts can complain about Spear Phishing, APT, and Chinese hackers day-in and day-out but that won't begin to address the much more serious problem of how so many top U.S. firms willingly give their intellectual property away for the promise of cheap research costs and lucrative access to a massive Chinese market. What complaining about the Chinese government hacking U.S. corporations will do is keep the conversation in a politically advantageous zone and away from the political minefield that represents US companies exporting their R&D overseas. If you're looking to blame someone for the estimated $300 billion in IP loss that the U.S. suffered last year, start by taking a hard, honest look at what U.S. companies are willing to risk in order to do business in China.

Related

"China Operates the World's Most Successful Honey Pot"

Add to Cart View detail

China Operates the World's Most Successful HoneyPot

The Chinese government has been on a focused mission to increase its technological development for many years. One of the best and most efficient ways that it has of doing this is by making it attractive for foreign high tech companies to open R&D centers in China. In 2000 there were about 100 foreign R&D labs in China. By 2007 there were 1200. Today, Shanghai alone has over 300. In fact, many of the same companies that believe that China is responsible for the vast majority of APT attacks have helpfully delivered some of their own "crown jewels" (i.e., their R&D) inside China's borders including GE, Dell, Microsoft, HP, Intel, Boeing, and EADS to name just a few:

"General Electric Co. plans to invest more than $2 billion in China in technology and financial service ventures and research, adding 1,000 jobs in a country Chief Executive Officer Jeffrey Immelt is targeting for growth. (source)"

UPDATE 30 March 2013: General Electric Co's (NYSE: GE) healthcare unit, the world's biggest maker of medical imaging machines, plans to double its production capacity in China in the years through 2015, GE Healthcare Greater China CEO Duan Xiaoyin told Yicai.com (source via paid subscription).

"The Chicago-based aerospace giant (Boeing) recently partnered with Commercial Aircraft Corporation of China -- or Comac -- to invest in a research project aimed at energy conservation and fuel reduction. (source)" 

 "Dell will likely spend $250 billion in China on procurement and other investments over the next 10 years as it expands in the world's No 2 personal computer (PC) market, the head of its China operations said on Tuesday. (source)"

"Intel Corp. INTC -0.63%  said Tuesday it will form a joint innovation center with Chinese internet giant Tencent Holdings Ltd. (0700.HK) that will focus on developing new mobile computing products. (source)" 

"Hewlett-Packard (HPQ.NYSE) is tapping into China's engineering talent to develop global storage and networking products, as the computer maker prepares to open a research center in Beijing, Bloomberg reported. HP's CEO Leo Apotheker said the company wants to utilize China's R&D capabilities as it seeks to boost sales in other emerging markets. (source)" 

And this is just a tiny sampling. If you're wondering why companies are so willing to open research centers in China, it's because the Chinese government is making them an offer that's hard to refuse.

• A 50 percent R&D "super deduction" in addition to the actual expense deduction for R&D spending. So if a company spends 10 million yuan ($1.6 million; 1.26 million euros) on eligible R&D it will receive a net benefit of 1.25 million yuan (12.5 percent benefit for every eligible cost);
• A preferential corporate income tax rate of 15 percent (the standard rate is 25 percent) for companies recognized as a High New Technology Enterprise;
• A preferential corporate income tax rate of 15 percent for companies recognized as an Advanced Technology Service Enterprise, with qualified incomes exempt from business tax;
• Exemption from import customs duty and value-added tax on qualified R&D equipment imported by R&D centers.

Here are the industrial sectors that qualify for the above incentives:

• New techniques or methodologies to extract minerals from complex ore bodies.
• Improvements to water use and irrigation technologies.
• Development of innovative functionality and improved approaches to solving software problems.
• Application of engineering principles, previously developed in the aerospace industry, in, for example, the automotive industry.
• Computer-aided engineering and simulation software developed as part of a larger R&D project in any industry.
• Development of new processes and technologies to minimize adverse environmental impacts across all industries.
• Development of new compounds with improved therapeutic properties.
• Development of non-destructive testing techniques to analyze material fatigue with pharmaceutical products.
• Application of off-the-shelf software products in new and previously unproven ways.

Who Needs APT?

Basically China has successfully created the world's largest honeypot for acquiring foreign trade secrets and intellectual property. It's so successful at it that even companies who know better like GE (close ties with Mandiant), Dell (owns SecureWorks), and HP (owns McAfee Fortify) are still running R&D labs there. 

Legal Technology Transfer

Foreign companies who open offices in China hire Chinese engineers and other skilled employees who learn and work on their technologies and thenthey  take that knowledge with them when they leave to work at Chinese firms after a year or two. Additionally, these foreign companies must use China's telecommunications infrastructure for all of their communications (satellite, VoIP, landline, mobile, etc.), which means that all of their confidential communications traffic are subject to collection and monitoring under Chinese law. So while China certainly engages in other espionage-related activities, that isn't it's only means or even its best means to acquire high technology secrets. 

If Not China, Who?

There are many other nations who want the same technology that China wants but who don't have the same drawing power in terms of population density or cheap engineering labor to attract foreign R&D investment. For those countries, cyber espionage is a much more important option and one for which resources are available (i.e., indigenous hacker populations and freely available Chinese-made hacking tools). If companies really want to know who may be targeting their trade secrets, then they should demand to know how incident responders and/or Law Enforcement Organizations are distinguishing between the activities of different nation states; all of whom want to accelerate their technological development by raiding U.S. companies' networks.

Add to Cart View detail

Symantec Still Selling Huawei Equipment - to the Dept of Defense

A November 17, 2011 article in Channelnomics states that "Symantec may have ended its experiment as a hardware manufacturer by selling its stake in its joint venture with Huawei Technologies, but Big Yellow remains committed to developing appliance-based backup solutions and will continue to contract with Huawei and Huawei Symantec as a hardware supplier (emphasis added). In a letter to partners, North America channel chief Randy Cochran says the contract manufacturing relationship between Symantec and Huawei will remain unaffected, as will Symantec’s commitment to marketing and developing appliance-based solutions."

So one of the world's largest security companies continues to partner with the very Chinese company that most of Symantec's customers are buying their systems to protect against. That displays a level of hypocrisy that I have no tolerance for.

Even worse, as General James Cartwright and others in the U.S. government rail against China, the Department of Defense, Boeing, Lockheed Martin and CSC are all buying Huawei Symantec hardware according to one Huawei Symantec channel partner that I spoke with privately. If Rep. Rogers makes good on his promise to hold hearings on Huawei and ZTE, I hope that he investigates who in the U.S. government and the Defense Industrial Base are buying Huawei Symantec products, which are all made by Huawei in China.

Add to Cart View detail

Just How Vulnerable To Attack Are U.S. Drone Operations?

GAO Reports Ongoing U.S. Air Force Vulnerabilities 

The alleged downing of an RQ-170 by Iran has raised a lot of public attention to existing problems in how the Air Force is managing its Unmanned Aerial Systems. As I reported earlier, an unknown person with FOUO access uploaded an Air Force report to the Public Intelligence website that detailed some of those vulnerabilities one day after Iran announced its capture.  On Saturday another FOUO document appeared on PublicIntelligence.net regarding Afghan drone operations by the US Marine Corps. The Government Accountability Office (GAO) has produced quite a few reports that delineate numerous problems with Unmanned Aerial Systems over the past few years. Some as far back as 2008. Some of the problems identified back then have yet to be fixed, such as the lack of a redundant satellite relay site (GAO report 10-331).

The above graphic illustrates the command and control framework that's in place for Predator, Reaper and Global Hawk UAS missions that support contingency operations in Iraq and Afghanistan. A ground control station in the U.S. takes control of the aircraft. A satellite relay site at a fixed location outside of CONUS relays signals from the ground control station to the UAS. Any disruptions at the satellite relay site would impair the operation of the aircraft. While the Air Force has told that GAO that they're working on implementing a redundant system to solve this problem, as of March, 2010 they "had not conducted a detailed analysis of these options to determine the extent to which they would provide for the continuity of UAS operations, or established a specific milestone to formalize a plan that could be implemented quickly in the event of a disruption." Furthermore, the Air Force didn't anticipate bringing a redundant Satellite system online until fiscal year 2012 at the earliest.

Two other detailed examinations of vulnerabilities present in the Air Force's UAS operations are in the following GAO reports (FOUO):

• GAO, Defense Critical Infrastructure: DOD’s Evolving Assurance Program Has Made Progress but Leaves Critical Space, Intelligence, and Global Communications Assets at Risk, GAO-08-828NI (Washington, D.C.: Aug. 22, 2008)
• GAO, Defense Critical Infrastructure: Additional Air Force Actions Needed at Creech Air Force Base to Ensure Protection and Continuity of UAS Operations, GAO-08-469RNI (Washington, D.C.: Apr. 23, 2008)

Cyber Attacks Against Unmanned Aerial System Producers and Developers

The above table of U.S. UAS Producers and Developers comes from the Department of Commerce' Flight Plan 2011 (.pdf). Of the 11 companies listed, the following have acknowledged that they have been the victim of cyber attacks: Boeing, Lockheed Martin, Northrup Grumman, and Raytheon. Most likely all 11 of these companies as members of the Defense Industrial Base would fall into that category, but the above four have gone publicly on record that they are constantly defending against malicious network attacks. However this reflects only a tiny portion of the attack surface for an adversary who's looking to acquire intelligence on operations or R&D. Globalization has extended an adversary's ability to compromise UAS company networks by attacking affiliates or sub-contractors. For example, Japan's UAV association membership includes Mistsubishi Heavy and Kawasaki Heavy, both of whom were hit with simultaneous cyber attacks last summer and both of whom regularly engage with U.S. defense contractors on various projects such as Boeing.

Europe has 153 UAS producers and developers, some of whom are giant companies like EADS and BAE. BAE was implicated in the massive theft of data from the F-35 Joint Strike Fighter program in 2009 when it was believed that access to the data was gained by breaching BAE's network. It's impossible to know how many of those 153 companies have suffered attacks against their network but considering the value of this technology and the rapidly growing demand for drone aircraft world-wide, it would be naive to believe that any of their networks could withstand a targeted attack.

The most important outcome from Iran's capture of the RQ-170 should be an indepth vulnerability assessment of both U.S. intellectual property and operational vulnerabilities of our Unmanned Aerial System aircraft. This must include an international analysis of partnering companies like Boeing - Mitsubishi, Lockheed Martin-BAE, Insitu-ADASI, and many others. The worst outcome is blind denial that Iran or other U.S. adversaries is capable of compromising U.S. drone operations. 

Add to Cart View detail