Showing posts with label richard clarke. Show all posts

Monday, 16 April 2012

China: Our Incompetent Master Adversary?

According to an article in today's Guardian, State Department and Pentagon officials have engaged with their Chinese counterparts in at least two cyber war games in 2011 and have another planned for next month. These war games are coordinated by two think tanks: the Center for Strategic and International Studies for the U.S. and the China Institute of Contemporary International Relations for China. The goal is to try to manage escalating hostilities between the two nations over China's perceived massive cyber espionage campaign against U.S. companies.

It's distressing to see that the tensions have risen to this point, because it's based on a seriously flawed evaluation of the facts by well-known companies plus former and present U.S. government officials. For example:

U.S. information security companies like RSA, McAfee, Mandiant, and others routinely issue reports blaming China and ONLY China for intrusions that they've encountered. It's incredible to me that in spite of the 30+ countries actively engaging in acts of cyber espionage, these security giants have only caught China in the act.

Secretary of State Hillary Clinton has been quick to blame China for cyber attacks that targeted Google, but for no other reason than that Google said so. And the Secretary has never once warned other countries to cease their cyber attacks against the U.S.

The U.S. China Economic and Security Review Commission routinely puts out alarmist reports about China's military cyber buildup while deliberately refusing to hear testimony by experts who have contrary views to the commission's anti-China agenda.

Richard Clarke's sinophobic, alarmist op-eds routinely get published in the Wall Street Journal and elsewhere even though Mr. Clarke has no standing as a cyber security expert.

No wonder that the Chinese government's irritation with the U.S. has risen to the point where we need CSIS and its Chinese counterpart to conduct a mediation. Beijing is getting tired of being blamed for every attack against every company everywhere in the world, and they're right to be mad. As I've said many times before, it's not that China doesn't do it; they absolutely do, but so do many other countries and just as frequently, yet we almost never hear about a major breach being blamed on any country other than China. Either China is the greatest and dumbest adversary that we've ever had, or the real dummies are those in the InfoSec industry who can't be bothered to question the obvious when doing incident response, or who choose to cater to the rising tide of Sinophobia in the U.S. in order to boost their sales; or the politicians and journalists who parrot back the faulty claims of those same companies, thereby perpetuating a bad cycle that has resulted in real-world tensions that could have been handled in a more constructive way all along.

While the marketing of anti-China sentiment by some in the InfoSec industry is clearly one part of this disaster in foreign relations, the media deserve their share for opting to print stories that cater to China FUD because it results in higher readership, which means more advertising revenue. Since the American public is generally naive about cyber operations by nation states, they believe what they hear about China in the media and cast their votes for the politician who will save them from the menacing red dragon who's sopping up their brain waves and living inside their electric wires. Politicians, being what they are, cater to that fear and make pronouncements and threats accordingly in order to win votes.

The solution to this problem is simple. As a nation, we need to ask more questions. Accept nothing at face value no matter which "authority" tells it to you, including me. Good intelligence analysts use negative analysis to test their findings before sending them on to their customers. A little more negative analysis by all parties involved may be what's needed to reduce U.S.-China tensions and improve U.S. security. And it doesn't cost any money to do it.

Tuesday, 03 April 2012

Richard Clarke: A Little Knowledge Is A Dangerous Thing

Richard Clarke's editorial in today's New York Times underscores what I've written before about Mr. Clarke. He's not well-informed about the scale and scope of cyber espionage or any other cyber-related threat. And when you combine that lack of depth with his "name" power, then you have the dangerous combination of ignorance informing policy. Here's a quick survey of what's wrong with Clarke's editorial.

While China does engage in cyber espionage against U.S. companies, so do many other nation states. In my ebook, A Traveler's Guide to Cyber Security, I created an Appendix which lists multiple examples of cyber espionage by Brazil, China, France, Germany, Greece, Iran, Israel, Nigeria, Russia, Turkey, and Venezuela. The reality is that acts of espionage - cyber or otherwise - are very widespread. You would never know that fact by reading Clarke's sinophobic writings.

Further, Richard Clarke attempts to provide a solution to this problem that is (a) impossible to implement and (b) reveals his lack of understanding of how data flows between networks. When sensitive data is located within a network, an attacker will encrypt those files and extract them in a way that doesn't draw attention. There's no way for any agency to see into those files and say "Hey - that's our secret sauce!".

Clearly Mr. Clarke is in the business of selling his time to clients who are worried about cyber attacks, and his background as a government bureaucrat is helping him do that - at least in the United Arab Emirates. However, if he's truly interested in contributing solutions to this very serious problem, he needs to start by learning enough about what's actually happening at a substantive level and then formulate an appropriate solution.

Friday, 11 November 2011

Words Matter: Why Derek Bambauer's Wrong on Cyber Terrorism

Derek Bambauer is an associate professor of Law at Brooklyn Law School. He specializes in Internet law and is one of the authors of the Info/Law blog. I just finished reading his post from yesterday "Cyber-Terror: Still Nothing To See Here" and decided to post a quick response.

Like Professor Bambauer, I don't believe that we've seen any acts of cyber terrorism yet; however, unlike Bambauer, I'm convinced that we will see them in the next few years. The rationale behind his argument that cyber-terrorism won't happen now or in the future is an example of how "cyber hyphenated" language is fueling wrong thinking in this area. Cyber-terrorism (and cyberterrorism), because of its construction, is interpreted to be a cyber form of terrorism, but like cyber-war (and cyberwar) that's not what we see in real life. Cyber operations are a subset of a variety of hostile actions - warfare, espionage, crime, and terrorism. None of them exist purely in cyberspace. All rely on a kinetic component. The one that we see the least of today is terrorists exploiting vulnerabilities through cyberspace; however, I can't imagine how anyone can deny that terrorists will one day find a way to take advantage of the many vulnerabilities that exist in that sphere. Yet that's precisely what Bambauer argues in his post, with no evidence to support it.

Bambauer clearly hasn't spoken with any Industrial Control System (ICS) experts or he'd know precisely how easy it is to cause serious problems at any facility running SCADA systems. He doesn't evaluate what's possible and weigh it against the present actors' (state and non-state) motivations and capabilities, now and in the future, to arrive at an informed conclusion. Instead he argues that the supporters of cyber terrorism are in it for the money or suffer from cognitive bias. Two cheap shots which hurt, not help, Bambauer's argument, especially when both could be turned against him.

Personally, I agree with Shawn Henry's assessment that acts of cyber terror are on the horizon. The only reason why we haven't seen it yet is because old guys like me are still running the show in most terrorist groups. It's just a matter of time before someone from the Internet generation assumes the reins of power. Someone who knows precisely how vulnerable the world has become thanks to our reliance upon cyberspace for every aspect of our lives, and decides to leverage that reliance into a weapon of mass destruction in the name of a God or a Cause or just pure Anarchy. You don't need a college degree to understand that. You just need to have lived long enough to know what people are capable of doing, and expect it.

Monday, 07 November 2011

Why DARPA Is Clueless About Securing Cyberspace

If DARPA's Director Regina Dugan hadn't already admitted that the agency is clueless about how to secure cyberspace, the choice of Richard Clarke as a speaker certainly made that clear. Of all the experts out there, Mr. Clarke has provided some of the worst advice that I've ever heard when it comes to specific cyber-based threats and remediations.

Director Dugan won't find a solution to her problem by speaking to more of the same people that the agency always speaks with. Einstein's oft-repeated definition of insanity is doing the same thing over and over again and expecting different results. The director should stop speaking to hackers, crackers, grey hats, black hats, white hats, and the cyber industrial complex in general. DARPA has done that for years without success. If the director wants a different result, she needs to approach the problem in a completely different way. In fact, I recommend that this problem be completely re-framed. Just like money problems are never about money, and obesity problems are never about food (they both stem from negative belief systems that we've learned as children and reinforced as adults), protecting data is not about cyber security. It's about understanding how we take care of our valuable possessions in the physical world and transferring that understanding to comparable models in the virtual world.

Instead of inviting hackers, Director Dugan should invite experts in personal security like Gavin De Becker or my friend Roderick Jones who understand how to protect high value individuals against multiple unknown attackers. She should invite farmers who have to defend their crops against an unpredictable weather system. Or corner a few MDs at the Centers for Disease Control to learn how virulent bacteria consistently beat the body's immune system. The bottom line here is that we must MUST find a way to break free of the grip that the information security industry has on all things cyber because it is a failure from top to bottom.

I doubt that anyone from DARPA will take this post to heart but I'm convinced that it's the right way to proceed. We're planning a second Suits and Spooks conference for Washington DC this Spring. Perhaps that will be the time to bring farmers, doctors, and personal security specialists together to find some common sense solutions and apply an entirely different mindset to the current cyber-security insanity.

Wednesday, 15 June 2011

Richard Clarke Should Get His Facts Straight On Cybersecurity and China

Richard Clarke's inflammatory article for the Wall Street Journal "China's Cyberassault On America" overflows with incorrect facts, logical inconsistencies and a serious lack of understanding of how targeted cyber attacks work at a granular level.

Clarke tries to draw a parallel between Obama's protection of Libyan dissidents from Gaddafi and his lack of protection for U.S. citizens from cyber attacks from China when he knows perfectly well that the President's authority over military actions as Commander-in-Chief is completely different from his authority over U.S. corporations, which is ZERO; that would be the totalitarian governments of the world, not the U.S. government, Mr. Clarke.
Later he argues that "cyber criminals don't hack defense contractors - they go after banks and credit cards". In fact, the Zeus and Hilary Kneber hacker crews have been conducting cyberespionage attacks against government and military employees using the same malware that they use in financial crime since at least February 2010. Brian Krebs and I both wrote about it back then, and we were both attacked by those same crews because of it. The use of these gangs is the modus operandi of the Russian and Ukrainian governments. I delve into this process in detail in my book and will expand on it in the second edition.

The most recent example of these gangs running cyberespionage operations occurred in January 2011 with the White House eCard spear phishing attack. Governments around the world have informal relationships with criminal hackers which allow them a safe harbor to conduct cybercrime as long as they also conduct cyberespionage or other types of cyber ops for their host government as needed. The Russian Federation has been conducting cyberespionage against foreign firms for years, and yet its name is almost never mentioned in conjunction with attacks from which it would clearly benefit. They even use the same M.O. (spear phishing) and have a Prime Minister who has stated publicly that he used to run industrial espionage operations when he was with the KGB and wishes that the Kremlin had made better use of his team's efforts back then.

Clarke mentions the Congressional log-jam on cybersecurity legislation but fails to mention that there are over 60 competing bills. He complains about lack of action by a President who has no power over Congress, no power over the companies that own 90% of the U.S. grid, and whose cybersecurity coordinator, Howard Schmidt, is doing the best he can with lots of responsibility and no authority. Richard Clarke has a lengthy career with the federal government at the highest levels, so there's no reason that I can think of for him not to know that "responsibility with no authority" is the biggest reason that NSA, US-CERT, USCYBERCOM, DHS, FBI and the Executive Office of the President (EOP) can advise but not order companies to harden their networks. I consult with corporations whose CEOs have been visited by one or more three-letter agencies who inform them that their corporate networks are beaconing data to a foreign country, and the executives' responses are mixed. Some take the hint and make radical changes. Others blow it off entirely as a cost of doing business. That's the nature of our system of government as well as the nature of business, and Clarke surely knows it as well as anyone; which makes me wonder what his motives were for writing this OpEd to begin with.

This is not to say that China isn't vacuuming huge amounts of intellectual property and sensitive data from around the world. Of course it is, but so are many other countries; all of whom have the technical capability of crafting a targeted spear phishing letter that delivers a malicious payload and gives entrée to an extended corporate network breach by bad actors, leading to the discovery and exfiltration of valuable data. Further, if the only evidence pointing to China is the use of a Chinese IP address, then you have no evidence at all (see The Chinese IP Address Fallacy In Cyber Attribution). Anyone, regardless of their background, who says that only the People's Republic of China is conducting these types of attacks couldn't be more wrong and is harming, not helping, the cybersecurity posture of the United States.
