Wednesday, June 15, 2011

Richard Clarke Should Get His Facts Straight On Cybersecurity and China

Richard Clarke's inflammatory article for the Wall Street Journal "China's Cyberassault On America" overflows with incorrect facts, logical inconsistencies and a serious lack of understanding of how targeted cyber attacks work at a granular level.

Clarke tries to draw a parallel between Obama's protection of Libyan dissidents from Gaddafi and his lack of protection for U.S. citizens from cyber attacks from China, when he knows perfectly well that the President's authority over military actions as Commander-in-Chief is completely different from his authority over U.S. corporations, which is ZERO. That would be the totalitarian governments of the world, not the U.S. government, Mr. Clarke.

Later he argues that "cyber criminals don't hack defense contractors - they go after banks and credit cards". In fact, the Zeus and Hilary Kneber hacker crews have been conducting cyberespionage attacks against government and military employees using the same malware that they use in financial crime since at least February 2010. Brian Krebs and I both wrote about it back then, and we were both attacked by those same crews because of it. The use of these gangs is the modus operandi of the Russian and Ukrainian governments. I delve into this process in detail in my book and will expand on it in the second edition.

The most recent example of these gangs running cyberespionage operations occurred in January 2011 with the White House eCard spear phishing attack. Governments around the world have informal relationships with criminal hackers which allow them a safe harbor to conduct cybercrime as long as they also conduct cyberespionage or other types of cyber ops for their host government as needed. The Russian Federation has been conducting cyberespionage against foreign firms for years, and yet its name is almost never mentioned in conjunction with attacks from which it would clearly benefit. The Russians even use the same M.O. (spear phishing) and have a Prime Minister who has stated publicly that he used to run industrial espionage operations when he was with the KGB and wishes that the Kremlin had made better use of his team's efforts back then.

Clarke mentions the Congressional log-jam on cybersecurity legislation but fails to mention that there are over 60 competing bills. He complains about lack of action by a President who has no power over Congress, no power over the companies that own 90% of the U.S. grid, and whose cybersecurity coordinator, Howard Schmidt, is doing the best he can with lots of responsibility and no authority. Richard Clarke has a lengthy career with the federal government at the highest levels, so there's no reason that I can think of for him not to know that "responsibility with no authority" is the biggest reason that NSA, US-CERT, USCYBERCOM, DHS, FBI and the Executive Office of the President (EOP) can advise but not order companies to harden their networks. I consult with corporations whose CEOs have been visited by one or more three-letter agencies who inform them that their corporate networks are beaconing data to a foreign country, and the executives' responses are mixed. Some take the hint and make radical changes. Others blow it off entirely as a cost of doing business. That's the nature of our system of government as well as the nature of business, and Clarke surely knows it as well as anyone; which makes me wonder what his motives were for writing this OpEd to begin with.

This is not to say that China isn't vacuuming huge amounts of intellectual property and sensitive data from around the world. Of course it is, but so are many other countries, all of whom have the technical capability of crafting a targeted spear phishing letter that delivers a malicious payload and gives entrée to an extended corporate network breach by bad actors, leading to the discovery and exfiltration of valuable data. Further, if the only evidence pointing to China is the use of a Chinese IP address, then you have no evidence at all (see The Chinese IP Address Fallacy In Cyber Attribution). Anyone, regardless of their background, who says that only the People's Republic of China is conducting these types of attacks couldn't be more wrong and is harming, not helping, the cybersecurity posture of the United States.
