Critique of IP Commission's Cyber Security Recommendations

The National Bureau of Asian Research published (and assisted in writing) "The IP Commission Report: The report of the Commission on the theft of American intellectual property" (.pdf). The Commission members along with its purposes are as follows:
  • Dennis C. Blair (co-chair), former Director of National Intelligence and Commander in Chief of the U.S. Pacific Command 
  • Jon M. Huntsman, Jr. (co-chair), former Ambassador to China, Governor of the state of Utah, and Deputy U.S. Trade Representative 
  • Craig R. Barrett, former Chairman and CEO of Intel Corporation 
  • Slade Gorton, former U.S. Senator from the state of Washington, Washington Attorney General, and member of the 9-11 Commission 
  • William J. Lynn III, CEO of DRS Technologies and former Deputy Secretary of Defense 
  • Deborah Wince-Smith, President and CEO of the Council on Competitiveness 
  • Michael K. Young, President of the University of Washington and former Deputy Under Secretary of State 
The three purposes of the Commission are to:
  • Document and assess the causes, scale, and other major dimensions of international intellectual property theft as they affect the United States 
  • Document and assess the role of China in international intellectual property theft 
  • Propose appropriate U.S. policy responses that would mitigate ongoing and future damage and obtain greater enforcement of intellectual property rights by China and other infringers 
IP and trade secret theft is a rapidly growing and very critical problem for U.S. companies. The IP Commission estimates the value of stolen IP from U.S. companies and government agencies at over $300 billion, which is about 75% of what the U.S. spends on R&D research each year.

While the report takes a deep and heavily annotated dive into the scale and scope of this problem, chapters 13 and 14 that detail the Commission's cyber security recommendations, have absolutely no footnotes whatsoever. In other words, there's no way to know who provided the commission with some very risky and questionable cyber security advice. So I called them.

I was told by the person who took my call that the cyber security experts wanted to remain anonymous, however she recommended that I speak with someone at the NBR. I sent a message via the NBR's information email account, read receipt requested, and watched it work its way up to Roy Kamphausen who confirmed that they spoke with "a wide array of cyber experts" but didn't mention any names.

Unfortunately, while much of the report is quite good, the cyber security advice ranges from problematic to potentially damaging. Here's my critique of that content. I'd be happy to debate it with anyone that the Commission spoke with.
  1. No where in this report is mentioned the critical importance of first identifying a company's critical data or "crown jewels". It's a huge problem because most companies have no idea how to do this and the Commission never once mentions it.
  2. Locking down a person's computer with a booby-trapped file has questionable legality but even worse, may result in the threat actor coming back to take more aggressive action against the targeted company. Remember Saudi Aramco? SA had to replace 2,000 servers thanks to a Wiper virus that only half worked due to some amateur coding mistakes. Remember HBGary Federal when its CEO threatened to "out" some members of Anonymous? There is no more HBGary Federal but Anonymous is alive and well. 
  3. Recommending the passage of CISPA is both bad security advice and inserts a political agenda to an otherwise apolitical report.  
  4. Threat-based deterrence is advocated for without being adequately defined. There are numerous ways that such a deterrence plan can have negative and unexpected consequences. And just like it's stupid to pick a fight with a stranger,  it's never a sound strategy to threaten an unknown adversary who can operate anonymously and holds the advantage.
  5. Chapter 14 contains a back-handed recommendation to pursue three measures that constitute aggressive offensive action. The commissioners couched it in a bizarre manner by effectively saying that while we don't recommend these things at this time, if the situation doesn't improve, then they should be considered. The measures were for what's commonly called hacking-back, cutting funding to the World Health Organization, and raising tariffs on Chinese goods 150% higher than the amount of IP theft stolen by China. 
Considering how potentially bad if not operationally ludicrous some of these recommendations are, it's not surprising that none of the commission's cyber security experts wanted their names attached to the report. The topic of "active defense" or "hacking back" or "offense as defense" is an important one that needs broad discussion. In fact, I made it the focus of last February's Suits and Spooks DC conference and we'll address it again in La Jolla in two weeks. But it is rife with pitfalls and needs much more informed discussion and debate. The Commission really failed its audience in terms of the content of these last two chapters.