Wednesday, March 27, 2013

APT1, Shanghai Jiao Tong University, and Xenophobia

A few things have caught my attention recently which I'd like to share with you all in a somewhat abbreviated manner (meaning I'm swamped but this is important):

A Security Engineer's Forensic Review of Mandiant's APT1 report

Please read this security engineer's forensic review of the evidence contained in Mandiant's Appendix. He's discovered a lot more evidence which casts doubt on Mandiant's conclusions.

Shanghai Jiao Tong University's Collaboration with U.S. InfoSec Companies

Shanghai Jiao Tong University School of Information Security Engineering is just that - one of many Chinese universities that teach information security. It is not a PLA school, nor does it engage in hacking attacks. If it did, then I doubt that BreakingPoint Systems, a company that conducts "cyber warrior training" and does "cyber range deployments" for the U.S. government, would have signed a "strategic cooperation agreement" with them.

Mandiant CSO Richard Bejtlich's view on Hiring Foreign Nationals

While I've disagreed often with Mandiant and Richard Bejtlich's views on China, I never heard him say anything remotely as awful as this quote from the Washington Examiner. I hope he was misquoted:
Bejtlich said he opposed placement of any foreign citizen of a suspect country like China in any sensitive government position.
"If you're considering them for a job at a national lab or a government agency, I think we're at the point now where it's recognized that's probably not a good idea," he said.
If that's an accurate quote, I can only hope that U.S. companies will ignore that incredibly poor advice. I think that most intelligent people in today's globalized economy have experienced working side by side with honest, talented, and skillful "foreigners" in many high technology settings including national labs and other environments. In fact, the U.S. would be hard-pressed to continue to innovate without them. The above quote is an example of xenophobia that's not far removed from McCarthyism and other witch-hunts and it has no place in the U.S. in 2013.


  1. Nice post Mr. Carr... The forensic review is quite compelling. I further believe that Mandiant rushed this report out to gain attention before their participation at the RSA conference.

  2. I'm sure you're right about that, but that's typical behavior for infosec companies to leverage RSA for big announcements.

  3. The trouble with not hiring foreign nationals is that then you have people like Qian Xuesen. He was a US-trained rocket engineer. Because of the 1950s red scare he had his security clearances revoked. He was detained for several years but since he hadn't done anything illegal, he was finally deported back to China, where he basically led and created the Chinese ICBM program from scratch. Ooopssss....

    The other thing is that this isn't a friend/enemy thing. Israel and South Korea are some of the US's closest allies, but there are people in jail for passing classified information to them.

    Also in the early 1990s, there was an interesting program specifically to have Russian nuclear scientists work in US national labs. If Russia benefited from their work, no problem. The big worry was that if they didn't end up on the US government payroll in Los Alamos, they'd end up in Iran, Pakistan, or North Korea.

    One final thing is that ideology plays a big difference. During the Cold War, the United States was able to get a lot of patriotic Chinese, Koreans, and Russians to work for the United States, because the important principle wasn't "USA!!!" but rather "anti-communism, pro-democracy, and pro-capitalism". If it's a fight between democracy and communism, then you'll get a lot of foreigners on the American side because they aren't fighting for the United States, they are fighting for democracy.

    So it's actually worse than a McCarthy witch-hunt. During the red scare, if you were an anti-Communist Russian, Senator McCarthy would love you.

    The problem with the situation now is that it's not about democracy or any high ideals. If the goal is just about money and US world dominance, then there's no reason for people to fight for the US. Also, the cold war made things easy for corporations. In a fight between capitalism and communism, all of the corporations are going to line up in favor of capitalism. However, China is basically capitalist, so there is no reason for a corporation to side with the United States against China. There might be some good reasons for an American to side with the US government out of reflex, but not everyone that works in an MNC is an American. Oddly enough, there is no particular reason for someone that is not a US citizen to support the United States.

    And then there is the problem of when to wave the flag. China is just not planning to occupy California. All of the talk about cyber-spying is largely so that US corporations can maximize their profits. This isn't a bad thing, but it's not something to wave the flag over.

  4. One issue is that US companies aren't usually US companies. They are global companies headquartered in the US. One *big* advantage that the US has is that it's a very diverse place. For example, if you are an ambitious person from Somalia, you can imagine yourself CEO of Apple or Microsoft or even Samsung. It's harder to imagine yourself CEO of Bank of China or China Mobile.

    Because the US is a nation of immigrants, the US just has a lot more experience dealing with diverse groups than China does, and this is a huge advantage. It also means that most countries "trust" the US to be in charge of the planet more so than they do another country. If you go to Somalia, you will find someone that knows someone that knows someone that lives in the United States. This isn't the situation with most other countries.