Secure Coding mailing list archives

Re: Chinese Hacking, Mandiant and Cyber War


From: Glenn Everhart <Everhart () gce com>
Date: Wed, 20 Feb 2013 20:17:54 -0500

There have been reports about military and industrial secrets and what "ought" to be secrets
being sent to China for decades now. It has been clear (at least in these reports) that
US companies were required to have their technology built within China in order to have access
to Chinese markets, and the US Government has approved such technology transfers time and again,
regardless of concerns for what it does in the long term. I seem to recall this at least as far back as
Clinton's time, maybe further.

So we are seeing a continuation of a pattern which has been accepted for many years of transfer
of knowhow and of aggressive Chinese state support of that transfer.

While arguably the time to lock the barn door started decades ago, and continues now, this report
should surprise nobody. The economic espionage (and other espionage possibly) is old news and
might be better handled by measures to perhaps make some of their take be designed to be dangerous
to use. (If for example you steal my avionics, might I not be justified in seeing that what you steal
is jiggered so the planes crash now and then? Or happen to hit some unpleasant resonances once in
a while?) Such things would make it dangerous to steal...

Also is there no counter-espionage going on?

At any rate, treating this as a surprise and a reason to prepare for war seems useful only to those
who want to create emergencies, perhaps to further diminish our civil liberties.
When I was young there was lots of fear about impending nuclear war, but nobody treated spy scandals on
either side as reasons for conflict. They did try to reduce exposure.

That can be done here too. One thing that might be looked at is whether the "air gap" that was supposed
to protect many SCADA systems could not be made to exist in reality, as an alternative to replacing
all the old gear in use. New mandates are not needed so much as something like pointing out that
the uninsured liability risk of not having such gaps can be rather large, and some public monitoring
to find vulnerable sites.

As for the worries even DoD has about hidden functions in ICs sourced from abroad, the more such sourcing is
domestic only, and enforced so, the more such seems real.

Securing infrastructure from spying or outside influence is a huge job, made harder by decades
of use of systems not designed to resist attacks (so that only the civilian losses due to untrustworthy
actions seem to drive fixes) and failure to use software designed for stronger protection. There are
measures that can be taken, but many are not general practice, but are lab work. (Ever consider how
much mischief occurs because we don't design our interpreters (hardware or software) to reliably tell
data apart from code? This permeates whole classes of attacks. While language purists will point
out that type enforcement should imply this, the basic code/data confusion problem alone causes
most of the flaws I read about. That ought to suggest generic approaches to anyone who considers
it awhile.)

On the other hand, if the point of all the sabre rattling is to give excuses for increasing
government pervasiveness, and perhaps ventures into wishful thinking that fighting another
war like, say, the Korean War, will allow the problems to be solved, it won't do anything
useful and is likely to cause great damage, domestically and otherwise.

The political folks here really need to be dealing with experts outside their set of Usual Suspects
to devise honest fixes, and let those fixes be visible. Talk about how the government in its wisdom
will fix things, given how thoroughly it has NOT fixed things over decades now, sounds like
subscribing to a 19th century snake-oil salesman to treat a modern epidemic.

Maybe some of the above might suggest some other ways...
Glenn Everhart

On 02/20/2013 09:34 AM, Gary McGraw wrote:
hi sc-l,

No doubt all of you have seen the NY Times article about the Mandiant report that pervades the news this week. I believe it is
important to understand the difference between cyber espionage and cyber war. Because espionage unfolds over months or years in
real time, we can triangulate the origin of an exfiltration attack with some certainty. During the fog of a real cyber war
attack, which is more likely to happen in milliseconds, the kind of forensic work that Mandiant did would not be possible. (In
fact, we might just as well be "Gandalfed" and pin the attack on the wrong enemy as explained here:
http://searchsecurity.techtarget.com/news/2240169976/Gary-McGraw-Proactive-defense-prudent-alternative-to-cyberwarfare.)

Sadly, policymakers seem to think we have completely solved the attribution problem. We have not. This article
published in Computerworld does an adequate job of stating my position:
http://news.idg.no/cw/art.cfm?id=94AB4F98-9BBD-1370-154D49FAA7706BE9

Those of us who work on security engineering and software security can help educate policymakers and others so that we 
don't end up pursuing the folly of active defense.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com


_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________
