Monday, June 3, 2013

Open letter to President Obama on the eve of his Summit with President Xi

Dear President Obama,

I've spent the last five years working exclusively in the identification and cataloging of threat actors in cyberspace. I've participated in incident response investigations for some of the world's largest companies and have briefed both U.S. intelligence agencies and those of five foreign countries on the complexity of the cyber threat landscape as well as information warfare planning, research & development, and execution of strategy by both Russia and China. I host three highly regarded executive cyber security conferences each year, and my book Inside Cyber Warfare (in its 2nd edition) is used as a text by the U.S. Air Force Institute of Technology in its cyber warfare certification program.

While I'm enthusiastic about your upcoming meeting with President Xi on mutual cyber security concerns, I'm worried that the strong anti-China sentiment on the Hill and in print by the New York Times, Bloomberg and the Washington Post will have a polarizing effect on your talks. Much of the evidence being touted as pointing to China's acts of cyber espionage is a conflation of multi-state and non-state actors engaging with the same target companies that China is interested in. I personally know of Russian hackers who prefer to attack their targets in different countries via a compromised Chinese computer because there are so many of them and they're so easy to exploit.

While there is a propensity among government officials and infosec experts to blame China first for any attack involving U.S. intellectual property, they often do so without any hard evidence. Chinese IP addresses don't qualify as evidence anymore than U.S. IP addresses do. Open source hacker tools written by Chinese developers and posted on the Web for anyone to download and use cannot be considered evidence of Chinese government involvement. And President Xi will certainly make the same point. While there's no question that the Chinese government engages in cyber espionage, it is not the only nation that does so and it is certainly not solely responsible for the estimated $300 billion in stolen U.S. IP.

Rather than accusing China of something that cannot be proved, I believe that U.S. interests can best be served by cooperating with China on the identification and prosecution of non-state actors who operate in Chinese and U.S. IP space. Media stories and self-serving infosec reports to the contrary, not all Chinese hackers work for the PLA. There are many independent hackers in China, Ukraine, Russia, Romania, Bulgaria, Pakistan, Taiwan and other countries who make money stealing IP and selling it to whomever is willing to pay. Some of these same hackers may be involved in attacking Chinese government websites; particularly those in India, Tibet, and Taiwan. While conventional wisdom groups hackers into silos (Russians rob banks; Chinese steal IP; Iranians attack power companies), that's not a realistic nor fact-based portrayal of the international cyber threat landscape.

There are many ways that China is benefiting from U.S. technology transfer such as their successful campaign to provide monetary incentives for U.S. multinationals to open R&D labs in Shanghai and Beijing (which now number over 1200). These labs employ Chinese engineers who learn U.S. technological secrets and then leave to work for Chinese companies; taking that proprietary knowledge with them. Those same employees have trusted access on their respective corporate intranets. There's no reason for the Chinese government to execute sloppy hacking operations against a U.S. company when that company has offices in Bejing or Shanghai. Access to their IP is a given.

If you and President Xi could reach an agreement to cooperate on reducing the activities of independent  non-state actors that have attacked both the U.S. and Chinese businesses and government organizations, it would benefit the U.S. in the following ways:
  1. Chinese threat data is of great interest to U.S. law enforcement organizations.
  2. A reduction of non-state actors currently cluttering up the threat landscape would make it easier to identify state-run cyber espionage operations.
  3. The biggest threat to both Chinese and U.S. critical infrastructure is from non-state actors and, in the future, those may include terrorist groups. 
Mr. President, in my opinion, attempting to shame or threaten China over its hacking activities when the available evidence is so easily dismissed makes the U.S. look weak and ineffective. Enlisting China as an ally to identify and interdict the activities of independent threat actors would result in a win for both nations.

I hope this open letter finds it's way to your desk and that it helps inform your strategy.

Warm Regards,

Mr. Jeffrey Carr
CEO, Taia Global, Inc.
Author, Inside Cyber Warfare
Founder, Suits and Spooks conference

5 comments:

  1. Point 2 implies, from China's perspective, that the sponsorship of their attack will also be easier to identify, which they probably don't wish to be.

    Furthermore, assuming that China is using non-state actors as proxies for the attacks, why would they wish to cooperate in identifying and stopping these non-state actors? This would, again, not be in their interests -- a point raised By James Lewis (see http://csis.org/publication/private-retaliation-cyberspace)

    ReplyDelete
  2. Hi Clement, since China suffers from the actions of many non-state actors attacking Chinese government networks, and since they have multiple means of obtaining the IP that they're after from local foreign offices in China, making the IP space less cluttered is still in their interest.

    If China solely relied on the use of non-state actors for their cyber espionage, than James Lewis' point would be a valid one, however they have multiple ways of obtaining IP, which means that a collaborative action targeting non-state actors would be in everyone's best interest.

    ReplyDelete
  3. That is a fantastic letter, with salient points. Attempting to "shame" China seems to me like one of his "senior advisers" was giving him bad guidance. Especially in the wake of all the NSA scandals, I agree with you that the government must move forward and stop complaining and maybe try better defending their networks. Or at least putting into place penalties for those DIB organizations if they don't do a better job safeguarding R&D. Maybe if they wouldn't be able to compete for contracts for two years, they may try to improve their own security?

    ReplyDelete
  4. Isn't 300 billion just a little over exaggerated?

    ReplyDelete
  5. It's what the IP Commission reported.

    ReplyDelete