Re: [SC-L] Chinese Hacking, Mandiant and Cyber War

2013-02-21 Thread Glenn Everhart

There have been reports about military and industrial secrets and what ought to be secrets being sent to China for decades now. It has been clear (at least in these reports) that US companies were required to have their technology built within China in order to have access to Chinese markets, and the US Government has approved such technology transfers time and again, regardless of concerns for what it does in the long term. I seem to recall this at least as far back as Clinton's time, maybe further.

So we are seeing a continuation of a pattern which has been accepted for many years: transfer of know-how, and aggressive Chinese state support of that transfer.

While arguably the time to lock the barn door started decades ago, and continues now, this report should surprise nobody. The economic espionage (and other espionage, possibly) is old news and might be better handled by measures to perhaps make some of their take be designed to be dangerous to use. (If, for example, you steal my avionics, might I not be justified in seeing that what you steal is jiggered so the planes crash now and then? Or happen to hit some unpleasant resonances once in a while?) Such things would make it dangerous to steal...

Also is there no counter-espionage going on?

At any rate, treating this as a surprise and a reason to prepare for war seems useful only to those who want to create emergencies, perhaps to further diminish our civil liberties. When I was young there was lots of fear about impending nuclear war, but nobody treated spy scandals on either side as reasons for conflict. They did try to reduce exposure.

That can be done here too. One thing that might be looked at is whether the air gap that was supposed to protect many SCADA systems could not be made to exist in reality, as an alternative to replacing all the old gear in use. New mandates are not needed so much as something like pointing out that the uninsured liability risk of not having such gaps can be rather large, and some public monitoring to find vulnerable sites.

As for the worries even DoD has about hidden functions in ICs sourced from abroad, the more such sourcing is domestic only, and enforced so, the more such seems real.

Securing infrastructure from spying or outside influence is a huge job, made harder by decades of use of systems not designed to resist attacks (so that only the civilian losses due to untrustworthy actions seem to drive fixes) and failure to use software designed for stronger protection. There are measures that can be taken, but many are not general practice, but are lab work. (Ever consider how much mischief occurs because we don't design our interpreters (hardware or software) to reliably tell data apart from code? This permeates whole classes of attacks. While language purists will point out that type enforcement should imply this, the basic code/data confusion problem alone causes most of the flaws I read about. That ought to suggest generic approaches to anyone who considers it awhile.)

On the other hand, if the point of all the sabre rattling is to give excuses for increasing government pervasiveness, and perhaps ventures into wishful thinking that fighting another war like, say, the Korean War, will allow the problems to be solved, it won't do anything useful and is likely to cause great damage, domestically and otherwise.

The political folks here really need to be dealing with experts outside their set of Usual Suspects to devise honest fixes, and let those fixes be visible. Talk about how the government in its wisdom will fix things, given how thoroughly it has NOT fixed things over decades now, sounds like subscribing to a 19th century snake-oil salesman to treat a modern epidemic.

Maybe some of the above might suggest some other ways...
Glenn Everhart
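The code/data confusion Glenn raises above is easiest to see with a query interpreter. The following is an added example, not code from the original post: the same user-supplied string is either spliced into the query text, where SQLite's parser has no way to know where the attacker's bytes stop being data and start being syntax, or passed as a bind parameter, where the query text is fixed before any user data is seen. The table, the users and the injected payload are all constructed for the demonstration; only the Python standard library is used.

```python
"""Code/data confusion demonstrated with SQL (added example).

The same string from the user is handled two ways:
  * login_concat splices it into the query text, so the SQL parser
    interprets it as code;
  * login_bound passes it as a bind parameter, so the parser never
    sees it and it stays data.
All data below is constructed for the example, not taken from a real system.
"""
import sqlite3

# Constructed sample table: (name, password).  Plaintext passwords are
# used only to keep the example short; do not store them this way.
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Build an in-memory SQLite database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_concat(conn, name, password):
    """Vulnerable form: query text and user data are mixed into one string.

    The parser receives a single byte stream and has no channel telling it
    which bytes are the programmer's query and which are the user's input.
    """
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return sorted(row[0] for row in conn.execute(sql))


def login_bound(conn, name, password):
    """Hardened form: the query is parsed before user data arrives.

    Bind parameters travel on a separate channel, so a value such as
    "' OR '1'='1" is compared against the password column as an opaque
    string and can never change the shape of the query.
    """
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (name, password)))


def demo():
    """Run both forms with an honest login and with an injection payload."""
    conn = make_db()
    payload = "' OR '1'='1"  # constructed attacker input
    return {
        # Honest credentials behave the same either way.
        "concat_honest": login_concat(conn, "alice", "s3cret"),
        "bound_honest": login_bound(conn, "alice", "s3cret"),
        # Injected input: the concatenated query becomes
        #   ... WHERE name = 'x' AND password = '' OR '1'='1'
        # which is true for every row; the bound query matches nothing.
        "concat_injected": login_concat(conn, "x", payload),
        "bound_injected": login_bound(conn, "x", payload),
    }


if __name__ == "__main__":
    for label, names in demo().items():
        print(f"{label:16s} -> {names}")
```

The point generalises beyond SQL: shell command lines built by string concatenation, HTML assembled from user text, and format strings taken from input all fail the same way, and the fix is the same in each case, which is to give the interpreter a separate channel for data so that it never has to guess.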

On 02/20/2013 09:34 AM, Gary McGraw wrote:

hi sc-l,

No doubt all of you have seen the NY Times article about the Mandiant report that 
pervades the news this week.  I believe it is important to understand the difference 
between cyber espionage and cyber war.  Because espionage unfolds over months or years in 
realtime, we can triangulate the origin of an exfiltration attack with some certainty.  
During the fog of a real cyber war attack, which is more likely to happen in 
milliseconds,  the kind of forensic work that Mandiant did would not be possible.  (In 
fact, we might just as well be Gandalfed and pin the attack on the wrong enemy 
as explained here: 
http://searchsecurity.techtarget.com/news/2240169976/Gary-McGraw-Proactive-defense-prudent-alternative-to-cyberwarfare.)

Sadly, policymakers seem to think we have completely solved the attribution 
problem.  We have not.  This article published in Computerworld does an 
adequate job of stating my position: 
http://news.idg.no/cw/art.cfm?id=94AB4F98-9BBD-1370-154D49FAA7706BE9

Those of us who work on security engineering and software security can help 
educate policymakers and 

[SC-L] Chinese Hacking, Mandiant and Cyber War

2013-02-20 Thread Gary McGraw
hi sc-l,

No doubt all of you have seen the NY Times article about the Mandiant report 
that pervades the news this week.  I believe it is important to understand the 
difference between cyber espionage and cyber war.  Because espionage unfolds 
over months or years in realtime, we can triangulate the origin of an 
exfiltration attack with some certainty.  During the fog of a real cyber war 
attack, which is more likely to happen in milliseconds,  the kind of forensic 
work that Mandiant did would not be possible.  (In fact, we might just as well 
be Gandalfed and pin the attack on the wrong enemy as explained here: 
http://searchsecurity.techtarget.com/news/2240169976/Gary-McGraw-Proactive-defense-prudent-alternative-to-cyberwarfare.)

Sadly, policymakers seem to think we have completely solved the attribution 
problem.  We have not.  This article published in Computerworld does an 
adequate job of stating my position: 
http://news.idg.no/cw/art.cfm?id=94AB4F98-9BBD-1370-154D49FAA7706BE9

Those of us who work on security engineering and software security can help 
educate policymakers and others so that we don't end up pursuing the folly of 
active defense.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com


___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
___


Re: [SC-L] Chinese Hacking, Mandiant and Cyber War

2013-02-20 Thread Jeffrey Walton
On Wed, Feb 20, 2013 at 9:34 AM, Gary McGraw g...@cigital.com wrote:
 hi sc-l,

 No doubt all of you have seen the NY Times article about the Mandiant report 
 that pervades the news this week.  I believe it is important to understand 
 the difference between cyber espionage and cyber war.  Because espionage 
 unfolds over months or years in realtime, we can triangulate the origin of an 
 exfiltration attack with some certainty.  During the fog of a real cyber war 
 attack, which is more likely to happen in milliseconds,  the kind of forensic 
 work that Mandiant did would not be possible.  (In fact, we might just as 
 well be Gandalfed and pin the attack on the wrong enemy as explained here: 
 http://searchsecurity.techtarget.com/news/2240169976/Gary-McGraw-Proactive-defense-prudent-alternative-to-cyberwarfare.)

 Sadly, policymakers seem to think we have completely solved the attribution 
 problem.  We have not.  This article published in Computerworld does an 
 adequate job of stating my position: 
 http://news.idg.no/cw/art.cfm?id=94AB4F98-9BBD-1370-154D49FAA7706BE9

 Those of us who work on security engineering and software security can help 
 educate policymakers and others so that we don't end up pursuing the folly of 
 active defense.

I'm somewhat surprised a report of that detail was released for public
consumption. The suspicion in me tells me it's not entirely accurate or
someone has an agenda. There's too much information in there that
would be cloaked under national security given other circumstances.

There also appears to be a fair amount of FUD-fanning going on:
"Additionally, there is evidence that Unit 61398 aggressively recruits
new talent from the Science and Engineering departments of
universities such as Harbin Institute of Technology." The US
equivalent would be like saying the NSA actively recruits
Mathematicians and Computer Scientists.

Jeff
