There have been reports about military and industrial secrets and what "ought" to be secrets being sent to China for decades now. It has been clear (at least in these reports) that US companies were required to have their technology built within China in order to have access to Chinese markets, and the US Government has approved such technology transfers time and again, regardless of concerns for what it does in the long term. I seem to recall this at least as far back as Clinton's time, maybe further.
So we are seeing a continuation of a pattern which has been accepted for many years of transfer of knowhow and of aggressive Chinese state support of that transfer. While arguably the time to lock the barn door started decades ago, and continues now, this report should surprise nobody. The economic espionage (and other espionage possibly) is old news and might be better handled by measures to perhaps make some of their take be designed to be dangerous to use. (If for example you steal my avionics, might I not be justified in seeing that what you steal is jiggered so the planes crash now and then? Or happen to hit some unpleasant resonances once in a while?) Such things would make it dangerous to steal... Also, is there no counter-espionage going on? At any rate, treating this as a surprise and a reason to prepare for war seems useful only to those who want to create emergencies, perhaps to further diminish our civil liberties. When I was young there was lots of fear about impending nuclear war, but nobody treated spy scandals on either side as reasons for conflict. They did try to reduce exposure. That can be done here too. One thing that might be looked at is whether the "air gap" that was supposed to protect many SCADA systems could not be made to exist in reality, as an alternative to replacing all the old gear in use. New mandates are not needed so much as something like pointing out that the uninsured liability risk of not having such gaps can be rather large, and some public monitoring to find vulnerable sites. As for the worries even DoD has about hidden functions in ICs sourced from abroad, the more such sourcing is domestic only, and enforced so, the more such seems real. Securing infrastructure from spying or outside influence is a huge job, made harder by decades of use of systems not designed to resist attacks (so that only the civilian losses due to untrustworthy actions seem to drive fixes) and failure to use software designed for stronger protection.
There are measures that can be taken, but many are not general practice; they are lab work. (Ever consider how much mischief occurs because we don't design our interpreters (hardware or software) to reliably tell data apart from code? This permeates whole classes of attacks. While language purists will point out that type enforcement should imply this, the basic code/data confusion problem alone causes most of the flaws I read about. That ought to suggest generic approaches to anyone who considers it awhile.) On the other hand, if the point of all the sabre rattling is to give excuses for increasing government pervasiveness, and perhaps ventures into wishful thinking that fighting another war like, say, the Korean War, will allow the problems to be solved, it won't do anything useful and is likely to cause great damage, domestically and otherwise. The political folks here really need to be dealing with experts outside their set of Usual Suspects to devise honest fixes, and let those fixes be visible. Talk about how the government in its wisdom will fix things, given how thoroughly it has NOT fixed things over decades now, sounds like subscribing to a 19th century snake-oil salesman to treat a modern epidemic. Maybe some of the above might suggest some other ways...

Glenn Everhart

On 02/20/2013 09:34 AM, Gary McGraw wrote:
hi sc-l,

No doubt all of you have seen the NY Times article about the Mandiant report that pervades the news this week. I believe it is important to understand the difference between cyber espionage and cyber war. Because espionage unfolds over months or years in realtime, we can triangulate the origin of an exfiltration attack with some certainty. During the fog of a real cyber war attack, which is more likely to happen in milliseconds, the kind of forensic work that Mandiant did would not be possible. (In fact, we might just well be "Gandalfed" and pin the attack on the wrong enemy as explained here: http://searchsecurity.techtarget.com/news/2240169976/Gary-McGraw-Proactive-defense-prudent-alternative-to-cyberwarfare.) Sadly, policymakers seem to think we have completely solved the attribution problem. We have not. This article published in Computerworld does an adequate job of stating my position: http://news.idg.no/cw/art.cfm?id=94AB4F98-9BBD-1370-154D49FAA7706BE9

Those of us who work on security engineering and software security can help educate policymakers and others so that we don't end up pursuing the folly of active defense.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________
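The code/data confusion Glenn Everhart points to in his reply can be shown in a few lines. The example below is added here and is not code from either poster; it uses an in-memory SQLite table with constructed sample rows, and the function names (`login_confused`, `login_separated`) are illustrative. The first function splices attacker data into the query text, so the interpreter has no way to tell where the SQL ends and the data begins; the second keeps the SQL constant and ships the data on its own channel (bound parameters). The generic fix he hints at is exactly this: give the interpreter a distinct channel for data rather than trying to escape data inside the code channel.

```python
import sqlite3

# Constructed sample data for the example; not from the original post.
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Build an in-memory users table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def login_confused(conn, name, password):
    """Vulnerable form: user-supplied strings become part of the SQL code.

    A password of  x' OR '1'='1  turns the WHERE clause into
    (name = 'alice' AND password = 'x') OR '1'='1', which matches every row.
    """
    sql = (
        "SELECT name FROM users WHERE name = '%s' AND password = '%s'"
        % (name, password)
    )
    return [row[0] for row in conn.execute(sql)]


def login_separated(conn, name, password):
    """Hardened form: the SQL text is a constant; data travels as parameters.

    The same payload is compared literally against the password column and
    matches nothing, because it never reaches the SQL parser as code.
    """
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("confused :", login_confused(db, "alice", payload))
    print("separated:", login_separated(db, "alice", payload))
    print("legit    :", login_separated(db, "alice", "s3cret"))
```

The same structural pattern applies outside SQL: passing an argv list to `subprocess.run` instead of a shell string, or a template engine that auto-escapes instead of string-concatenated HTML, are the same separation of channels applied to other interpreters.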