Thursday, August 25, 2011

The Case Against The Case Against China

This blog post is in response to Jamie Metzl's article "China and Cyberespionage" which, in turn, contains the source material for his Wall Street Journal Op-Ed "China's Threat To World Order" which unfortunately you have to pay Rupert Murdoch in order to read. I learned about this article when Mr. Metzl sent me a tweet asking if I agreed with him. Since I couldn't convey my answer in 140 characters or less, here's my critique of the article.

Mr. Metzl wrote that "China is one of the world's worst state perpetrators of cyber-espionage and malicious computer hacking". In order for that statement to be considered true, Mr. Metzl needed to identify at least some of the nation states who engage in that activity (i.e., Russia, France, Israel, U.S., etc.) and then demonstrate some kind of rating system which puts China at the top. He didn't do that. He merely listed a few reports that tell us what we already know: China engages in cyberespionage on a wide-spread and pervasive basis. The ones that talk about China's cyber warfare operations technically shouldn't be included in Metzl's article since warfare and espionage fall into distinctly separate legal categories and this field is sloppy enough already.

After "Reports" comes "Officials". This entire section should be shit-canned because many (not all) officials operate at the 50,000 foot level and really don't have a grasp of the subject matter. They have legislative aides who in turn ask other so-called experts for their opinion and then give a 5 minute briefing to their boss who reads from a statement. The officials that you want to listen to are the ones like General Hayden who limit their remarks to what they actually know. The others who pretend to know what they're talking about, but really don't (like Richard Clarke on China), do more harm than good despite their past laudable public service.

Moving on to Shady Rat, Night Dragon, Operation Aurora, et al. They all rely on Chinese IP addresses and/or Chinese toolmarks in the code; neither of which means that it came from China. Mr. Metzl and I could lease time on a Chinese server and send Richard Clarke a love letter and he'd no doubt be convinced that it came from Chinese intelligence because the IP address of our email account resolved to Beijing. Malicious software programs like the Ghost Remote Access Tool (RAT) are widely available on the Net so I could have added a malicious link to such a program for good measure.

Listing RSA as a Chinese operation is an insult to China. RSA's own security was astoundingly poor - disgraceful, in fact. So was EMC's handling of the incident. Apart from Joe Stewart's claims which rely on the fatally flawed IP address argument, I've seen no evidence to support a finding of attribution by any nation state for the RSA breach.

In conclusion Mr. Metzl, thanks for encouraging a discussion on this topic. China does engage in cyber espionage on a massive scale, but so does another half-dozen or more countries; most of whom apparently do it much better than China because no one seems to have caught them at it. Therefore my opinion on your article is that you've failed to make the case that the Chinese government is to blame for everything that you and so many others are claiming. Bad analysis relying on faulty evidence or sheer ignorance doesn't become good analysis because it's been repeated a hundred gazillion times. 

Tuesday, August 23, 2011

Dinner with RJ Hillhouse and Marc Ambinder at Suits and Spooks

I'm very happy to announce that RJ Hillhouse, the author of "Outsourced" and blogger at The Spy Who Billed Me has agreed to a moderated question and answer session during the Suits and Spooks 2011 Friday evening dinner on September 23.

Dr. Hillhouse has received international attention after her breaking story that the Osama bin Laden assassination was not all that the White House claimed it to be. Since we're inviting members of the U.S. Intelligence Community to participate in the Suits and Spooks conference, I thought that this would be a perfect opportunity to dig a little deeper into the facts behind the story. Respected journalist Marc Ambinder of The Atlantic will be the commentator and the attendees will be invited to ask questions after RJ makes her opening remarks.

Dr. Hillhouse has also kindly agreed to act as a resource for our attendees during the all-day social media red team exercise on Sep 24th along with individuals from the IC, the DoD, our sponsors (Microsoft, Palantir, Kapow Technologies, PaRaBaL), and various social network startups. If you haven't already requested an invitation to attend Suits and Spooks 2011, please contact me as soon as possible. We're limiting attendance to no more than 100 people and we're more than half-way there already.

Thursday, August 18, 2011

Attribution: Vital For Offense; Irrelevant For Defense

Traditional models of deterrence require that an attacker knows that there is a price to pay for engaging in a hostile act against another party. For this model to work, attribution is critical. Unfortunately, attribution is very hard to achieve when it comes to cyber attacks. When we speak about taking offensive action against another nation state, attribution correctly applied is VITAL. Correct attribution makes the attack justified. False attribution makes the attacking state an international pariah.

When we speak about how to defend our valuable assets from cyber attacks, we don't need to know attribution because the best defensive strategies don't rely upon knowing who your attacker is or even stopping the attack at the perimeter. The very best strategy today is one that is data-centric, not network-centric. When we consult with companies that have been victims of a breach, we do our best to identify who may have been responsible but we stress that regardless of who did it, the company should re-design its security framework to be data-centric, not network-centric. Then it won't matter who attacks you because regardless of who it is they most likely won't be leaving with what they came for.

So is attribution necessary? Yes and No. If you want to strike back, yes. If you want to stop an attack from being successful, no. 

Sunday, August 14, 2011

Rick Perry Welcomes Huawei To Texas - Security Be Damned

This is what happens when a politician's knowledge about nation state cyber capabilities and operations is only as deep as a headline or a sound bite. Governor and Republican Presidential hopeful Rick Perry was courted by Huawei for months, up to and including a trip to China where he dined with Huawei's founder and CEO Ren Zhengfei. 

Yesterday's Washington Post article described the history of Huawei in Texas, dating back to 2001. In June, 2010 the State of Texas sent Perry and a delegation to the Shanghai Expo to court Huawei, ultimately resulting in Perry's announcement in October that Huawei would base its U.S. headquarters in Plano bringing hundreds of jobs and tax dollars. The fact that Huawei has been viewed as a national security threat by the U.S. government for many years apparently mean't nothing to Perry or the State of Texas legislature. There's an almost willful ignorance on the part of Perry's campaign to this fact. According to the WaPo article, Perry campaign spokesman Mark Miner said that “if there are national security issues surrounding this company, they should be fully looked at.” 

Oh, really? "If" there are issues? If Perry is this ignorant about China in general and Huawei in particular, he has no business running for the office of President of the United States. 

And if the State of Texas has a Chief Information Officer*, here's a bit of free advice. If you're doing business with China, China is in your network. If Governor Perry and his staff took laptops with them to the Shanghai Expo and re-connected to their office networks when they returned, you've got a compromised network. 

* The State of Texas CIO appears to be Karen W. Robinson and, as of July 25, 2011, she appears to be looking for a Chief Information Security Officer. The job posting can be read here

Related Posts:

Premier Hu Jintao: It's 2011. Stop Torturing Bears For Their Bile

Chinese "Moon Bear"
A murder-suicide happens with unfortunate regularity in the United States but this news item describes a horrific event that involved a mother bear and her cub and the life of torture that regularly takes place on Chinese bear farms where the bears have their gall bladders "milked" daily for bile and then sold at high prices for use in Traditional Chinese Medicine.

In January, 2006, the EU demanded that China stop the inhumane practice. According to the article, Wang Wei, deputy director-general of the Department of Wildlife Conservation, said: “We have introduced painless practices for extracting bear bile. Until we can find a good substitute we cannot accept the EU resolution that urges the elimination of bear farming.” He further said that China had closed most of its 480 bear farms and now keeps about 7,000 animals in 68 farms that meet new standards.

Obviously, that's bullshit, and hopefully Premier Hu Jintao will introduce Wang Wei to the inside of one of those crushing cages where the bears are held or at least fire him for sustaining these types of practices that keep the Peoples Republic of China in the dark ages instead of helping it move forward to attain true superpower status. With all due respect, Premier Hu, your country's national symbol - the giant Panda - is a member of the bear family. Why should the rest of the world respect China when it tolerates the torture of animals related to its national symbol?

If you're like me and feel compelled to do something to help, I recommend that you make a monthly commitment to this organization Animals Asia, based in Hong Kong. They've been engaged in bear rescue for many years and deserve your support. 

Monday, August 8, 2011

Interest In Suits And Spooks 2011 From ... Energy Companies?

Our new poster by Adam Howard
One of the biggest surprises that I've received since announcing the Suits and Spooks 2011 anti-conference is that our attendees will include folks from the energy sector - both government and private. We've also picked up a few former Special Operations Forces operators who will help our attendees formulate a more cohesive attack and defense plan in our day-long red team exercise.

These additions from the energy sector and the SpecOps community in concert with our speakers, panelists, and attendees from the Intelligence Community, social network analysis startups, and some of the largest social networks in the world will certainly provide the basis for some breakthrough attack and defense scenarios leveraging the social web as the attack platform.

We are still accepting applications from prospective attendees as well as social media startups who want to participate. The early bird registration rate of $300 will end on August 15th, one week from today, so please contact me as soon as possible before we hit our attendance maximum of 100 participants.

Thursday, August 4, 2011

With Shady Rat, McAfee Indicts Itself As A Failed Company

Shady Rat is not about China, even though Dmitri Alperovitch and McAfee want it to be. Instead it is an indictment of McAfee as an Information Security company; utterly impotent to protect its clients against the very serious, ongoing theft of Intellectual Property by multiple state and non-state actors around the world. Regardless of what the billion dollar APT marketing machine wants you to believe, the Peoples Republic of China is not the only nation state that is leveraging cyberspace to acquire key technology. I can name at least a dozen, and that number will double by this time next year. The problem isn't with China or any other government involved in illegal technology transfer. Espionage must be the world's third oldest profession. The problem is that many of the targeted corporations at one point believe in the snake oil remedy sold to them by McAfee and others like them. But not any more. Bloomberg just posted an article about an hour ago - "Hacker ‘Armageddon’ Forces Symantec, McAfee to Seek Fixes".

There's no easy fix to this because it isn't a simple problem. Companies that fall victim to low level attacks like spear phishing and SQL injection have to shoulder some of the blame themselves. That's just poor security management on their part. In addition, all companies need to re-calibrate their security configuration from network-centric to data-centric. Here's the 50,000 foot view of what I recommend to Taia Global clients:

Identify - Isolate - Monitor - Terminate

1. Identify your most critical data, then isolate it from the rest of your network.
2. Identify who is permitted to access that data, establish norms of access for each individual, then monitor that access in real-time. 
3. When an authorized person breaks their norm of access, or when an un-authorized person gains access, it alerts to a security dashboard and the connection is temporarily terminated until verification can be made.

With this level of protection, it doesn't matter how the bad guys got in or where they're from. All that matters is that they aren't leaving with your data. Additionally, companies have to understand and have a strategy to mitigate the risks that they face from their overseas offices and vendors; particularly in those countries whose laws permit the government to monitor communications and review source code. 

Big InfoSec continues to push a failed model of information security and the Shady Rat report graphically displays why. Dmitry Alperovich neglected to mention that part in his white paper; probably because it's a lot easier to blame China than to acknowledge how you and your company have been profiting from a failed security model for all these years while hiding that fact from your customers.

UPDATE (06 AUG 11): Symantec and Kaspersky both took McAfee to task about its Shady Rat report. Symantec researchers actually found the same data that McAfee did and published it in greater detail and less hyperbole. Kaspersky basically called it a publicity stunt timed to take advantage of Black Hat 2011.