Tuesday, March 13, 2012

USCC Commission Report On China Misses the Boat on Cyber Espionage

The US China Economic and Security Review Commission report “Occupying the Information High Ground: Chinese Capabilities for Computer Network Operations (CNO) and Cyber Espionage” only delivered the goods on the CNO side. It's severely lacking on the cyber espionage side; especially regarding corporate cyber espionage, which is the main reason that Washington is putting pressure on China. Part of the problem might be that there's a lot more information available about China's CNO and Electronic Warfare buildup then there is about cyber espionage. While the report authors did a great job surveying China's military writings for this area, is that really news? Of course China is building up its cyber warfare capabilities. So are 30+ other countries around the world. There's nothing new there.

On the other hand, the report failed to document the cyber espionage risk associated with over 1200 foreign R&D labs operating in China. It barely mentioned the Ministry of State Security except as the former employer of Huawei Chairwoman Sun YaFang. MSS plays a major role as both a foreign and sometimes domestic intelligence service and deserves a lot more attention in any report purporting to be about Chinese cyber espionage.

The report did a good job exploring part of the Supply Chain problem but only insofar as it had to do with chip development. It didn't cover the more common problem of U.S. companies who out-source their development work to Chinese firms or U.S. companies like Dell who do all of their manufacturing and R&D in China. This is as much a supply chain issue as the possibility of someone corrupting a microchip or selling counterfeit hardware. It's actually a worse problem because Dell is a large and trusted U.S. corporation which acquired the InfoSec firm SecureWorks last year. If anyone should write a report on the supply chain problems that come with buying Dell products (for example), it should be a U.S. government commission. Too bad that didn't happen this time around.

No comments:

Post a Comment