
Friday, 31 May 2013

Critique of IP Commission's Cyber Security Recommendations

The National Bureau of Asian Research (NBR) published (and assisted in writing) "The IP Commission Report: The report of the Commission on the theft of American intellectual property" (.pdf). The Commission's members and its purposes are as follows:
  • Dennis C. Blair (co-chair), former Director of National Intelligence and Commander in Chief of the U.S. Pacific Command 
  • Jon M. Huntsman, Jr. (co-chair), former Ambassador to China, Governor of the state of Utah, and Deputy U.S. Trade Representative 
  • Craig R. Barrett, former Chairman and CEO of Intel Corporation 
  • Slade Gorton, former U.S. Senator from the state of Washington, Washington Attorney General, and member of the 9-11 Commission 
  • William J. Lynn III, CEO of DRS Technologies and former Deputy Secretary of Defense 
  • Deborah Wince-Smith, President and CEO of the Council on Competitiveness 
  • Michael K. Young, President of the University of Washington and former Deputy Under Secretary of State 
The three purposes of the Commission are to:
  • Document and assess the causes, scale, and other major dimensions of international intellectual property theft as they affect the United States 
  • Document and assess the role of China in international intellectual property theft 
  • Propose appropriate U.S. policy responses that would mitigate ongoing and future damage and obtain greater enforcement of intellectual property rights by China and other infringers 
IP and trade secret theft is a rapidly growing and very serious problem for U.S. companies. The IP Commission estimates the value of IP stolen from U.S. companies and government agencies at over $300 billion per year, roughly 75% of what the U.S. spends on R&D each year.

While the report takes a deep and heavily annotated dive into the scale and scope of this problem, chapters 13 and 14, which detail the Commission's cyber security recommendations, have no footnotes whatsoever. In other words, there's no way to know who provided the Commission with some very risky and questionable cyber security advice. So I called them.

I was told by the person who took my call that the cyber security experts wanted to remain anonymous, however she recommended that I speak with someone at the NBR. I sent a message via the NBR's information email account, read receipt requested, and watched it work its way up to Roy Kamphausen who confirmed that they spoke with "a wide array of cyber experts" but didn't mention any names.

Unfortunately, while much of the report is quite good, the cyber security advice ranges from problematic to potentially damaging. Here's my critique of that content. I'd be happy to debate it with anyone that the Commission spoke with.
  1. Nowhere in this report is the critical importance of first identifying a company's critical data, its "crown jewels", mentioned. This is a huge gap: you cannot prioritize the protection of data you have not identified, most companies have no idea how to do this, and the Commission never once raises it.
  2. Locking down a person's computer with a booby-trapped file is of questionable legality, but even worse, it may provoke the threat actor into coming back and taking more aggressive action against the targeted company. Remember Saudi Aramco? SA had to replace 2,000 servers thanks to a wiper virus that only half worked due to some amateur coding mistakes. Remember HBGary Federal, whose CEO threatened to "out" some members of Anonymous? There is no more HBGary Federal, but Anonymous is alive and well. 
  3. Recommending the passage of CISPA is both bad security advice and inserts a political agenda into an otherwise apolitical report. 
  4. Threat-based deterrence is advocated without being adequately defined. There are numerous ways that such a deterrence plan can have negative and unexpected consequences. And just as it's stupid to pick a fight with a stranger, it's never a sound strategy to threaten an unknown adversary who can operate anonymously and holds the advantage.
  5. Chapter 14 contains a back-handed recommendation to pursue three measures that constitute aggressive offensive action. The commissioners couched it in a bizarre manner, effectively saying that while they don't recommend these things at this time, if the situation doesn't improve, then they should be considered. The measures were what's commonly called hacking back, cutting funding to the World Health Organization, and raising tariffs on Chinese goods to 150% of the value of the IP stolen by China. 
Considering how potentially harmful, if not operationally ludicrous, some of these recommendations are, it's not surprising that none of the Commission's cyber security experts wanted their names attached to the report. The topic of "active defense" or "hacking back" or "offense as defense" is an important one that needs broad discussion. In fact, I made it the focus of last February's Suits and Spooks DC conference, and we'll address it again in La Jolla in two weeks. But it is rife with pitfalls and needs much more informed discussion and debate. The Commission really failed its audience in terms of the content of these last two chapters.

Sunday, 3 March 2013

Who Are The Players in China's Targeting of Foreign Technology IP?

The release of Mandiant's APT1 report claimed that the Third Department of the PLA General Staff Department (3PLA) is the State organization responsible for Comment Crew (aka APT1). One thing the report's authors didn't do was show how the other State agencies that engage in this type of activity were ruled out in their analysis. For future reference, here's a more complete list of the organizations that conduct intelligence activities (including cyber) and that should be considered or ruled out when attempting Chinese attribution.

Traditional Channels

Civilian
  • The Ministry of State Security (MSS) - Counterespionage and Counterintelligence; Foreign Intelligence; Domestic Intelligence
  • Ministry of Public Security (MPS) - National Police; Domestic Intelligence
Military
  • Second Department of the PLA General Staff Department (2PLA): foreign intelligence, imagery intelligence, and tactical reconnaissance
  • Third Department of the PLA General Staff Department (3PLA): signals intelligence
  • Fourth Department of the PLA General Staff Department (4PLA): computer network operations
  • Liaison Office of the PLA General Political Department
  • Intelligence departments of the PLA Navy, PLA Air Force, and Second Artillery
  • State Secrecy Bureau

Non-Traditional Channels

  • Commission of Science, Technology and Industry for National Defense (COSTIND)
  • Research Institutes
  • PRC Military-Industrial Companies
  • Organized Chinese hacker groups

Guidelines:

Failed operations. In Amy Elizabeth Brown's paper "Directed or diffuse?: Chinese human intelligence targeting of US defense technology", she makes the same point that I have made multiple times: much of the information we have about Chinese espionage cases (cyber and otherwise) comes solely from failed operations, meaning covert operations that have been discovered. Therefore, we have to acknowledge the possibility that China also runs successful covert operations using more effective tradecraft, but we don't know their scope or scale.
3PLA's distributed offices. It's important to note that 3PLA, which was identified in the Mandiant APT1 report, has, according to Mattis, offices and technical reconnaissance bureaus in each of China's seven military regions and in several major cities (not only Shanghai).
OSINT is insufficient. Another important statement in Mattis' conclusions is that open sources are insufficient to understand the inner workings of these various intelligence agencies.
Lack of sound tradecraft. "One of the defining characteristics of China's non-traditional techniques for obtaining technology, as observed in many of the cases noted here, is the lack of clandestine tradecraft, or even the most basic elements of operational security, involved in obtaining the information. In general, it appears that little or no care is used to ensure that the operation goes undetected." - Amy Brown's "Directed or Diffuse" paper, as referenced below.
Giving amateur operatives too much credit. "A belief that the Chinese rely on amateur operatives risks leading CI professionals to dismiss or be inattentive to the threat posed by China's professional services." - Peter Mattis, "The Analytic Challenge" paper, as referenced below.
Distinguishing economic espionage from Chinese intelligence. "When economic espionage with no connection to the Chinese intelligence services is interpreted as 'Chinese intelligence,' less attention will be paid to what those organizations actually do. The Chinese intelligence services and the Chinese defense industries are distinct entities, although they may sometimes work for mutual benefit." - Peter Mattis (ibid.)

Readers of the Mandiant report, or of any report that purports to reveal the inner workings of Chinese cyber espionage cases, are encouraged to familiarize themselves with the papers referenced below as well as the guidelines above that I've extracted from them.

For example, the lack of tradecraft by the three individuals mentioned in the Mandiant report is palpable, and was pointed out by the report's authors themselves: "These actors have made poor operational security choices, facilitating our research and allowing us to track their activities. They are some of the authors of APT1's digital weapons and the registrants of APT1 FQDNs and email accounts. These actors have expressed interest in China's cyber warfare efforts, disclosed their locations to be the Pudong New Area of Shanghai, and have even used a Shanghai mobile phone number to register email accounts used in spear phishing campaigns." - Mandiant APT1 report, p. 51

Even if one assumes that the Chinese government is the customer for APT1's cyber espionage activities, it's important to consider all of the options before assigning attribution. Given such a lack of tradecraft, the report should at least mention whether the non-traditional channels defined above were considered and ruled out. As this article points out, those options are plentiful within China, but they also include other foreign intelligence services and professional hacker crews who run their operations from China and/or from Chinese servers precisely in order to confound any effort at attribution.
PRC Intelligence Apparatus - Implications for Foreign Firms

Related Posts:

"Mandiant APT1 Report has critical analytic flaws"