
Thursday, 02 January 2014

Who's Defending U.S. Military Networks if the NSA and FIS are Breaking Them?

According to Der Spiegel, the NSA has been developing tools to compromise software, hardware, and firmware made by multinational corporations in the U.S. and overseas. U.S. companies affected include Juniper Networks, Cisco, Dell, Western Digital, Seagate, Maxtor plus many others. Unless the company has offered to work with the NSA to create backdoors in their own products, you have a situation where the agency with the primary responsibility of defending U.S. Department of Defense networks from digital attack is also engaged in weakening the very technology used by the DOD on those networks such as Juniper Networks firewalls, Cisco routers, Seagate hard drives, etc.

Perhaps this wouldn't be a problem if foreign intelligence services (FIS) didn't also have the technical capability of finding those same vulnerabilities or others. For example, Xidian University in Xi'an, Shaanxi, China is one of China's top engineering universities. Its State Key Laboratory of Integrated Services Networks conducts research for military-specific and dual use systems including cryptography, offensive network attacks, and systems to be used in confrontational environments.

Here's another example taken from our database on adversary R&D research. The Chinese Academy of Sciences' State Key Lab of Information Security reports directly to the Ministry of Public Security, among other government agencies. In addition to their primary research area of information security, they develop network attack systems.

Russia has similar educational institutions which focus on information security and electronic warfare for the Ministry of Defense, the FSB, and other relevant agencies. One example is the Voronezh Military Radio-electronics Institute which is part of the Voronezh Aviation Engineering School. Part of their information warfare research includes breaking the security of automated systems.

Since Dell, Cisco, Juniper, etc. build hardware, firmware, and software that's broadly used around the world and especially on U.S. government networks, it's only logical to conclude that those companies' products are being examined for exploitable vulnerabilities by Russian and Chinese scientists who are at least equal if not superior to those employed by the NSA. Let's remember that unlike the NSA, scientists at Russian and Chinese foreign research laboratories don't have to compete with their respective versions of a Silicon Valley for high paying tech jobs. They can attract and keep their nation's brightest scientists focused on these high priority government military and civilian projects.

Bottom line - if the NSA has found or developed backdoors in critical U.S. technology, so have our adversaries, and by "adversaries", I don't mean Mandiant's version of the bored PLA hacker with sloppy OPSEC. We need as an industry to have more respect for our opponents. And there needs to be a serious discussion about whether the NSA can really defend U.S. military networks while also engaged in exploiting weaknesses in the very technology that those networks rely upon.

UPDATE (JAN 02 2014): Bruce Schneier has begun posting one NSA exploit per day at his blog. The first one called DEITYBOUNCE exploits the motherboard on Dell PowerEdge servers.



Tuesday, 30 July 2013

Aviation companies twice as likely to be hacked if they do business in China

The COMAC C919 Passenger Jet
In anticipation of speaking at the AIAA conference in Los Angeles on August 12-14, I've been researching aviation companies with joint ventures in China and how many of them have reported being the victim of a cyber attack (successful or not). I identified 11 U.S. companies who were working with Chinese partners on the COMAC C919 aircraft and of those 11, 7 (64%) have publicly acknowledged being the victim of a cyber attack at some point in the last few years. No aggressors were named and some of the acknowledgments had to do with unsuccessful attempts only.

That percentage, in itself, didn't seem too surprising so I decided to look at 11 more randomly selected U.S. aviation companies and of those, only 3 (27%) publicly acknowledged being the victim of a cyber attack. However, after digging a little further, I learned that of those 3 companies, 2 (67%) also had joint ventures in China! Our sample suggests that aerospace companies who have joint ventures in China are being attacked more than twice as often as aerospace companies who don't have joint ventures in the PRC.

We aren't suggesting that China is behind the attacks. Rather, that technology which is valuable to China is also valuable to international hacker groups who believe that they can find a buyer for the stolen data.

As far as I know, this is the first study of its kind to demonstrate that a specific industrial sector (Aerospace) of high value to the Chinese government yields an increased risk of cyber attack to U.S. aerospace companies who are doing business in China. I'll be discussing the implications of this study during my presentation at the AIAA conference on August 12th and will be taking a deep dive into our research at a Suits and Spooks luncheon event in McLean, VA on Sept 10th. Our venue in McLean has limited seating so register early. 

Monday, 03 June 2013

Open letter to President Obama on the eve of his Summit with President Xi

Dear President Obama,

I've spent the last five years working exclusively in the identification and cataloging of threat actors in cyberspace. I've participated in incident response investigations for some of the world's largest companies and have briefed both U.S. intelligence agencies and those of five foreign countries on the complexity of the cyber threat landscape as well as information warfare planning, research & development, and execution of strategy by both Russia and China. I host three highly regarded executive cyber security conferences each year, and my book Inside Cyber Warfare (in its 2nd edition) is used as a text by the U.S. Air Force Institute of Technology in its cyber warfare certification program.

While I'm enthusiastic about your upcoming meeting with President Xi on mutual cyber security concerns, I'm worried that the strong anti-China sentiment on the Hill and in print by the New York Times, Bloomberg and the Washington Post will have a polarizing effect on your talks. Much of the evidence being touted as pointing to China's acts of cyber espionage is a conflation of multi-state and non-state actors engaging with the same target companies that China is interested in. I personally know of Russian hackers who prefer to attack their targets in different countries via a compromised Chinese computer because there are so many of them and they're so easy to exploit.

While there is a propensity among government officials and infosec experts to blame China first for any attack involving U.S. intellectual property, they often do so without any hard evidence. Chinese IP addresses don't qualify as evidence anymore than U.S. IP addresses do. Open source hacker tools written by Chinese developers and posted on the Web for anyone to download and use cannot be considered evidence of Chinese government involvement. And President Xi will certainly make the same point. While there's no question that the Chinese government engages in cyber espionage, it is not the only nation that does so and it is certainly not solely responsible for the estimated $300 billion in stolen U.S. IP.

Rather than accusing China of something that cannot be proved, I believe that U.S. interests can best be served by cooperating with China on the identification and prosecution of non-state actors who operate in Chinese and U.S. IP space. Media stories and self-serving infosec reports to the contrary, not all Chinese hackers work for the PLA. There are many independent hackers in China, Ukraine, Russia, Romania, Bulgaria, Pakistan, Taiwan and other countries who make money stealing IP and selling it to whomever is willing to pay. Some of these same hackers may be involved in attacking Chinese government websites; particularly those in India, Tibet, and Taiwan. While conventional wisdom groups hackers into silos (Russians rob banks; Chinese steal IP; Iranians attack power companies), that's not a realistic nor fact-based portrayal of the international cyber threat landscape.

There are many ways that China is benefiting from U.S. technology transfer such as their successful campaign to provide monetary incentives for U.S. multinationals to open R&D labs in Shanghai and Beijing (which now number over 1200). These labs employ Chinese engineers who learn U.S. technological secrets and then leave to work for Chinese companies; taking that proprietary knowledge with them. Those same employees have trusted access on their respective corporate intranets. There's no reason for the Chinese government to execute sloppy hacking operations against a U.S. company when that company has offices in Beijing or Shanghai. Access to their IP is a given.

If you and President Xi could reach an agreement to cooperate on reducing the activities of independent non-state actors that have attacked both U.S. and Chinese businesses and government organizations, it would benefit the U.S. in the following ways:
  1. Chinese threat data is of great interest to U.S. law enforcement organizations.
  2. A reduction of non-state actors currently cluttering up the threat landscape would make it easier to identify state-run cyber espionage operations.
  3. The biggest threat to both Chinese and U.S. critical infrastructure is from non-state actors and, in the future, those may include terrorist groups. 
Mr. President, in my opinion, attempting to shame or threaten China over its hacking activities when the available evidence is so easily dismissed makes the U.S. look weak and ineffective. Enlisting China as an ally to identify and interdict the activities of independent threat actors would result in a win for both nations.

I hope this open letter finds its way to your desk and that it helps inform your strategy.

Warm Regards,

Mr. Jeffrey Carr
CEO, Taia Global, Inc.
Author, Inside Cyber Warfare
Founder, Suits and Spooks conference

Tuesday, 19 February 2013

Mandiant APT1 Report Has Critical Analytic Flaws

Mandiant's APT1 report is the latest infosec company document to accuse the Chinese government of running cyber espionage operations. In fact, according to Mandiant, if a company experiences an APT attack, then it is a victim of the Chinese government because in Mandiant-speak, APT equals China.

"We tend to perceive what we expect to perceive"
- Richard J. Heuer, "The Psychology of Intelligence Analysis"

The fact that Mandiant refuses to acknowledge that other nation states engage in cyber espionage when the facts show otherwise demonstrates what Heuer calls an "expectation bias", but it's much worse than that.

Mandiant's alleged proof is summarized in Table 12 (pp. 59-60): "Matching characteristics between APT1 and Unit 61398". Mandiant's entire premise that APT1 is PLA Unit 61398 rests on the connections made in that table and that no other conclusion is possible:
"Combining our direct observations with carefully researched and correlated findings; we believe the facts dictate only two possibilities: Either a secret, resourced organization full of mainland Chinese speakers with direct access to Shanghai-based telecommunications infrastructure is engaged in a multi-year, enterprise scale computer espionage campaign right outside of Unit 61398’s gates, performing tasks similar to Unit 61398’s known mission or APT1 is Unit 61398." (APT1, p. 60)
If this report were written by a professional intelligence analyst at CIA, it would most likely undergo a vetting process known as ACH (Analysis of Competing Hypotheses):
"Analysis of competing hypotheses, sometimes abbreviated ACH, is a tool to aid judgment on important issues requiring careful weighing of alternative explanations or conclusions. It helps an analyst overcome, or at least minimize, some of the cognitive limitations that make prescient intelligence analysis so difficult to achieve."
In other words, ACH forces the intelligence analyst to look for all alternative hypotheses and assess them one at a time to see which best fits the data collected. This is rarely if ever done by information security companies, and it's the single biggest objection that I have when it comes to individuals making claims of attribution to nation states. Heuer's iconic "Psychology of Intelligence Analysis" explains why ACH is so important:

"The way most analysts go about their business is to pick out what they suspect intuitively is the most likely answer, then look at the available information from the point of view of whether or not it supports this answer. If the evidence seems to support the favorite hypothesis, analysts pat themselves on the back ("See, I knew it all along!") and look no further. If it does not, they either reject the evidence as misleading or develop another hypothesis and go through the same procedure again. Decision analysts call this a satisficing strategy. (See Chapter 4, Strategies for Analytical Judgment.) Satisficing means picking the first solution that seems satisfactory, rather than going through all the possibilities to identify the very best solution. There may be several seemingly satisfactory solutions, but there is only one best solution." 
"Chapter 4 discussed the weaknesses in this approach. The principal concern is that if analysts focus mainly on trying to confirm one hypothesis they think is probably true, they can easily be led astray by the fact that there is so much evidence to support their point of view. They fail to recognize that most of this evidence is also consistent with other explanations or conclusions, and that these other alternatives have not been refuted."

If Mandiant or another organization were to use ACH on this evidence, here's how Heuer recommends it be done. It's an 8-step process:

1. Identify the possible hypotheses to be considered. Use a group of analysts with different perspectives to brainstorm the possibilities.
2. Make a list of significant evidence and arguments for and against each hypothesis.
3. Prepare a matrix with hypotheses across the top and evidence down the side. Analyze the "diagnosticity" of the evidence and arguments--that is, identify which items are most helpful in judging the relative likelihood of the hypotheses.
4. Refine the matrix. Reconsider the hypotheses and delete evidence and arguments that have no diagnostic value.
5. Draw tentative conclusions about the relative likelihood of each hypothesis. Proceed by trying to disprove the hypotheses rather than prove them.
6. Analyze how sensitive your conclusion is to a few critical items of evidence. Consider the consequences for your analysis if that evidence were wrong, misleading, or subject to a different interpretation.
7. Report conclusions. Discuss the relative likelihood of all the hypotheses, not just the most likely one.
8. Identify milestones for future observation that may indicate events are taking a different course than expected.
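Steps 3 through 7 above are mechanical enough to show in code. The following is an added example written for this page; it is not code from the post, from Mandiant's report, or from Heuer's book. It scores a small ACH matrix the way Heuer describes: evidence that is rated the same for every hypothesis is dropped as non-diagnostic (step 4), hypotheses are ranked by how many items are inconsistent with them rather than by how many support them (step 5), each evidence item is removed in turn to see whether the leading hypothesis changes (step 6), and the report lists every hypothesis, not just the winner (step 7). The three hypotheses and five evidence items are constructed placeholders chosen only to exercise the matrix; they do not describe any real group.

```python
"""Toy Analysis of Competing Hypotheses (ACH) matrix scorer.

Added example for this page; not code from the blog post, from Mandiant,
or from Heuer's book. Hypotheses and evidence are constructed labels.
"""
from typing import Dict, List

# Rating symbols: consistent, inconsistent, or neutral/not applicable.
CONSISTENT, INCONSISTENT, NEUTRAL = "C", "I", "N"

# Constructed hypotheses (placeholders, not from any real report).
HYPOTHESES: List[str] = [
    "H1: state intelligence unit",
    "H2: non-state group using the same local infrastructure",
    "H3: third-country actor relaying through compromised local hosts",
]

# Constructed evidence matrix: item -> one rating per hypothesis, in the
# same order as HYPOTHESES. Note that E1 and E4 fit every hypothesis.
EVIDENCE: Dict[str, List[str]] = {
    "E1: source addresses resolve to one metropolitan ISP": ["C", "C", "C"],
    "E2: operators use a local-language keyboard layout": ["C", "C", "I"],
    "E3: activity hours match the local business day": ["C", "C", "I"],
    "E4: targets overlap with state collection priorities": ["C", "C", "C"],
    "E5: stolen data later offered for sale on a forum": ["I", "C", "C"],
}


def is_diagnostic(ratings: List[str]) -> bool:
    """Steps 3/4: an item rated identically for every hypothesis cannot
    separate them, so it has no diagnostic value."""
    return len(set(ratings)) > 1


def refine_matrix(evidence: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Step 4: keep only evidence that discriminates between hypotheses."""
    return {item: r for item, r in evidence.items() if is_diagnostic(r)}


def inconsistency_scores(evidence: Dict[str, List[str]],
                         hypotheses: List[str] = HYPOTHESES) -> Dict[str, int]:
    """Step 5: score each hypothesis by the number of evidence items that
    are inconsistent with it (trying to disprove, not to confirm)."""
    scores = {h: 0 for h in hypotheses}
    for ratings in evidence.values():
        for h, r in zip(hypotheses, ratings):
            if r == INCONSISTENT:
                scores[h] += 1
    return scores


def leading_hypotheses(evidence: Dict[str, List[str]],
                       hypotheses: List[str] = HYPOTHESES) -> List[str]:
    """Hypotheses with the fewest inconsistencies; ties are reported, not broken."""
    scores = inconsistency_scores(evidence, hypotheses)
    best = min(scores.values())
    return [h for h in hypotheses if scores[h] == best]


def critical_evidence(evidence: Dict[str, List[str]],
                      hypotheses: List[str] = HYPOTHESES) -> List[str]:
    """Step 6: an item is critical if removing it changes which hypotheses lead."""
    baseline = leading_hypotheses(evidence, hypotheses)
    critical = []
    for item in evidence:
        without = {k: v for k, v in evidence.items() if k != item}
        if leading_hypotheses(without, hypotheses) != baseline:
            critical.append(item)
    return critical


def report(evidence: Dict[str, List[str]],
           hypotheses: List[str] = HYPOTHESES) -> str:
    """Step 7: state the relative standing of every hypothesis, not only the top one."""
    refined = refine_matrix(evidence)
    scores = inconsistency_scores(refined, hypotheses)
    lines = [f"{h}: {scores[h]} inconsistent item(s)"
             for h in sorted(hypotheses, key=lambda h: scores[h])]
    lines.append("Leading: " + "; ".join(leading_hypotheses(refined, hypotheses)))
    lines.append("Critical evidence: " + "; ".join(critical_evidence(refined, hypotheses)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(EVIDENCE))
```

With the constructed matrix, E1 and E4 are discarded as non-diagnostic, H2 leads with zero inconsistent items, and the sensitivity pass flags E5 as critical: remove it and H1 ties with H2, which is exactly the kind of single-item dependence step 6 is meant to surface before a conclusion is published.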

I don't have the time to run Mandiant's evidence through an ACH process but I'd like to propose that a volunteer group of intelligence students at Mercyhurst Institute of Intelligence Studies do that very thing. My friend Professor Kris Wheaton who teaches there and writes the outstanding Sources and Methods blog is an expert in this area and I'm hopeful that he'll pick up the challenge.

In the meantime, the following table has four columns. The first three are from Mandiant's table 12. The "Other" column contains a partial group of alternatives that I've provided for each of Mandiant's "characteristics". These alternatives need to be analyzed and ruled out using a rigorous analytic process like ACH before Mandiant or anyone else can claim that APT1 is a part of China's Peoples Liberation Army.




In summary, my problem with this report is not that I don't believe that China engages in massive amounts of cyber espionage. I know that they do - especially when an executive that we worked with traveled to Beijing to meet with government officials with a clean laptop and came back with one that had been breached while he was asleep in his hotel room.

My problem is that Mandiant refuses to consider what everyone that I know in the Intelligence Community acknowledges - that there are multiple states engaging in this activity; not just China. And that if you're going to make a claim for attribution, then you must be both fair and thorough in your analysis and, through the application of a scientific method like ACH, rule out competing hypotheses and then use estimative language in your finding. Mandiant simply did not succeed in proving that Unit 61398 is their designated APT1 aka Comment Crew.

UPDATE (22 FEB 2013): I've published a follow up to this article: "More on Mandiant's APT1 Report: Guilt by Proximity and Wright-Patterson AFB"

Monday, 16 April 2012

China: Our Incompetent Master Adversary?

According to an article in today's Guardian, State Department and Pentagon officials and their Chinese counterparts have engaged in at least two cyber war games in 2011 and have another planned for next month. These war games are coordinated by two think tanks: the Center for Strategic and International Studies for the U.S. and the China Institute of Contemporary International Relations. The goal is to try to manage escalating hostilities between the two nations over China's perceived massive cyber espionage campaign against U.S. companies.

It's distressing to see that the tensions have risen to this point because it's based on a seriously flawed evaluation of the facts by well-known companies plus former and present U.S. government officials. For example:

U.S. information security companies like RSA, McAfee, Mandiant, and others routinely issue reports blaming China and ONLY China for intrusions that they've encountered. It's incredible to me that in spite of the 30+ countries actively engaging in acts of cyber espionage, these security giants have only caught China in the act.

Secretary of State Hillary Clinton has been quick to blame China for cyber attacks that targeted Google but for no other reason than because Google said so. And the Secretary has never once warned other countries to cease their cyber attacks against the U.S.

The U.S. China Economic and Security Review Commission routinely puts out alarmist reports about China's military cyber buildup while deliberately refusing to hear testimony by experts who have contrary views to the commission's anti-China agenda.

Richard Clarke's sinophobic, alarmist op-eds routinely get published in the Wall Street Journal and elsewhere even though Mr. Clarke has no standing as a cyber security expert.

No wonder that the Chinese government's irritation with the U.S. has risen to the point where we need CSIS and its Chinese counterpart to conduct a mediation. Beijing is getting tired of being blamed for every attack against every company everywhere in the world, and they're right to be mad. As I've said many times before, it's not that China doesn't do it; they absolutely do, but so do many other countries and just as frequently yet we almost never hear about a major breach being blamed on any country other than China. Either China is the greatest and dumbest adversary that we've ever had, or the real dummies are those in the InfoSec industry who can't be bothered to question the obvious when doing incident response, or who choose to cater to the rising tide of Sinophobia in the U.S. in order to boost their sales; or to politicians and journalists who parrot back the faulty claims of those same companies thereby perpetuating a bad cycle that has resulted in real-world tensions that could have been handled in a more constructive way all along.

While the marketing of anti-China sentiment by some in the InfoSec industry is clearly one part of this disaster in foreign relations, the media deserves its share for opting to print stories that cater to China FUD because it results in higher readership which means more advertising revenue. Since the American public is generally naive about cyber operations by nation states, they believe what they hear about China in the media and cast their votes for the politician who will save them from the menacing red dragon who's sopping up their brain waves and living inside their electric wires. Politicians being what they are cater to that fear and make pronouncements and threats accordingly in order to win votes.

The solution to this problem is simple. As a nation, we need to ask more questions. Accept nothing at face value no matter which "authority" tells it to you, including me. Good intelligence analysts use negative analysis to test their findings before sending them on to their customers. A little more negative analysis by all parties involved may be what's needed to reduce U.S.-China tensions and improve U.S. security. And it doesn't cost any money to do it.
