Even today there are some still blank stares when I suggest to an audience of C-level executives or security professionals that they should all read the front pages of the Financial Times, the Yomiuri Shimbun, etc., as well as the technology news, if they want to know what cyber risks and threats to prepare for.
Oh, the battle might be waged in bits and bytes, and bloodied patch bulletins that arrive six months too late; but the war will be won by those who could read between lines of the lead stories in politics and business, and it will most certainly be lost by those who disregard the world beyond the imaginary perimeters of their "network defenses."
Fifteen years ago, ten years, even five years ago, this recommendation was met with almost unanimous incredulity.
And even today, although the validity of the exhortation is beginning to sink in many, the full scope of its implications still eludes most.
Likewise my suggestion that the conventional wisdom about industrial espionage, or economic espionage, should not be so heavily relied on as we moved forward into the 21st Century, because it would undoubtedly be supplanted with information age espionage, which would demand an entirely different mind-set.
Year after year since 1994, I said that sooner than later, the turning of insiders, whether through bribery or blackmail, and the dropping of intruders with cameras, Ninja-style from the ceiling, would in many cases by completely supplanted by stealthy cyber attacks, and in other cases by rolled up into hybrid attack strategies combining the best of both centuries.
Well, here we are. The global economy, geopolitics and cyberspace interpenetrate in new ways, and our world will never be the same. Of course, we have been here for a while. Now it is simply harder to deny. Consider to recent blockbusters: "Climategate" and China-Google. Both stories have received tremendous coverage, but much of that coverage is still missing the big picture, and the big takeaways.
One of the most fascinating aspects of the "Climategate" story is that the thrust of the news coverage has been about the content of the hacked e-mails (which, by the way, was largely misrepresented in most reports), rather than inquiring into the much more telling issue of who did this, and why.
Months after the caper, some truth has started to bubble up."A highly sophisticated hacking operation that led to the leaking of hundreds of emails from the Climatic Research Unit in East Anglia was probably carried out by a foreign intelligence agency, according to the Government's former chief scientist. Sir David King, who was Tony Blair's chief scientific adviser for seven years until 2007, said that the hacking and selective leaking of the unit's emails, going back 13 years, bore all the hallmarks of a coordinated intelligence operation—especially given their release just before the Copenhagen climate conference in December." (Independent, 2-1-10)
I suggest that if the full story is ever known is will indeed be proven to be an intelligence operation, perhaps utilizing intelligence resources of some government or another, but instigated by something much more larger and much more powerful than any government, e.g., some entity within the global fossil fuel industry. Remember, the stakes are planetary, macroeconomic, geopolitical and millennial.
And then there is the China-Google affair.
The shock waves will be reverberating through the vast expanse of cyberspace for some time to come, but whatever else comes of it, this is certainly a teachable moment.
It has led my friend and co-author, Christopher Burgess and I to reflect on the message and contents of our 2008 collaboration, Secrets Stolen, Fortunes Lost: Preventing Economic Espionage and Intellectual Property Theft in the 21st Century, and how prescient it was in regard to the China-Google story, and the need to address such threats by proactively strengthening the enterprise's security posture to a level commensurate with the realities of a 21ST Century environment in which the global economy, geopolitics and cyberspace interpenetrate seamlessly. In it, we introduced the concept of Holistic Security; in other words, a security program, in which all the elements (e.g., personnel security, physical security, and information security) are integrated (i.e., responsive to and reflective of each other), and which also benefits from a serious commitment to both awareness and education (to engage and empower the work force) and intelligence (to enlighten decision-making).
(Editor's note: Power and Burgess published an indepth excerpt from Secrets Stolen, Fortunes Lost on csoonline.)
So what does this teachable moment offer us?
Well, let me start with a big question, within the context of the China-Google affair, secrets were certainly stolen, but were fortunes lost? Perhaps a rephrasing of the question reveals another dimension, and a better framing, of this teachable moment, if your secrets are stolen, and part of your fortune is lost before you have even made it, was it ever yours and did you lose anything?
You realize, of course, it wasn't just Google that was compromised in this operation; it was also those individuals and enterprises using Google's infrastructure and resources to conduct their on-line activities.
Three weeks after the attacks on Google were disclosed, Kim Zetter, writing for Wired, contributed a story on some deeper insights into the nature of the attacks:What the information indicates is that the attack that hit Google is identical to publicly undisclosed attacks that have quietly plagued thousands of other U.S. companies and government agencies since 2002 and are rapidly growing. They represent a sea change from the kinds of attacks that have commonly hit networks and made headlines. "The scope of this is much larger than anybody has every conveyed," says Kevin Mandia, CEO and president of Virginia-based computer security and forensic firm Mandiant. "There [are] not 50 companies compromised. There are thousands of companies compromised. Actively, right now." (Kim Zetter, Wired, 2-3-10)
For some sage analysis from a serious student of Sun Tzu, I turned to my friend and colleague, Lawrence D. Dietz, Managing Director of TAL Global, and Adjunct Professor at American Military University. Over the years, I have been discussing the nature and evolution of the cyber dimensions of warfare with Dietz, who served with distinction in the U.S. Army as an expert in psychological operations and strategic communications,
"I am frankly overwhelmed with the reactions concerning the recent activity with regard to Google and China. Apparently naivete is abundant and there is a general lack of historical knowledge. It is certainly a well-known fact that the government of the People's Republic of China is inextricably intertwined with the economy. It is also pretty much common knowledge that the concept of intellectual property in China is quite different than it is in the Western World.
Furthermore it would seem that most people have lost sight of the long haul nature of the Chinese and the strength of their loyalty to their country. Putting things into perspective, any organization operating overseas must realize that their indigenous work force will put loyalty to their country over loyalty to most businesses. It also follows that industry leaders such as Google would be regarded as prime targets for economic espionage if not regarded as a threat outright. In Google's case, there are two aspects of why the Chinese government would pay special attention to Google: first of all open access to information is contra to the philosophy of the government of the People's Republic of China and secondly Google as a business offers lessons to be learned. Consequently it should be no surprise that Google has been attacked from inside and outside. Organizations operating outside their native countries need to redouble their efforts to adopt a holistic approach to security that safeguards employees and assets from attack and collection threats."
OK, so what does it mean to you and yours? What can I offer you of a practical nature, so that this is something more than another exercise in "I told you so..."
Well, not to belabor the point, but I refer you again to Secrets Stolen, Fortunes Lost.
Yes, two years ago, two years before the Google-China affair that is dominating one cybernews cycle after another here in the first weeks of 2010.
On pages 27 through 29, we told the stories of SigmaTel and Citroen, "two situations of alleged IP theft involving companies from two separate industries—automotive and audio entertainment devices & Both companies allege that their patented methodologies were copied by a competitor located within China and then marketed within the Chinese market &"
On page 32, we referenced "Special 301 Report" for 2007, from the Office of the U.S. Trade Representative, which ranked China and Russia as number one and two on a the list of 43 countries that exhibit a "lack of enforcement and/or engagement in the protection of intellectual property within their jurisdictional areas of responsibility" that "leads one to conclude that this silent collusion is as damaging as the blatant or covert activities."
On page 38, we examined the case of TsNIIMASH-Export, in which the Russian FSB "charged three senior executives of the state-owned-and-run space technology company, with embezzlement and the selling of secret Russian space technology to China."
On page 43, writing on Current and Future Threats to Economic Security, we cited "the FBI estimates that more than 3,000 Chinese 'front companies' operate in the U.S. with the express purpose of gathering intelligence and technology."
On page 50, writing on Technology Counterfeiting, we cited the November 2005 incident, in which "four current and former Samsung employees pilfered the blueprints and documents for a new mobile phone design and were caught by Korea's National Intelligence Service (Korea's Counterespionage organization), who discovered the group attempting to spirit the files to China mobile phone manufacturers," noting that Samsung's "investment in the design project was 25 billion RMB (approximately $25 million)." And followed up on page 53 with a 2007 report that "Italy's domestic intelligence service, SISDE (Servizio per le Informazioni e la Sicurezza Democratica, Italian for Service for Information and Democratic Security) accused Chinese hackers, apparently operating with the acquiescence of the government of China, of the wholesale theft of industrial methodologies associated with the apparel and fashion goods industry."
We included an extensive chapter on Social Engineering methods and counter-measures, which would prove relevant to any enterprise wondering how to proactively address the possibilities of being targeted in the way that Google was targeted in and around China.
On page 141, writing on Personnel Security, we mentioned that "intelligence files reportedly suggest that an estimated 1,000 Chinese agents and informants operate in Canada," and that "many of them are visiting students, scientists and business people, told to steal cutting-edge technology," and provide examples such as "China's Redberry—an imitation of the Blackberry portable e-mail device, created by Waterloo, Ont.-based Research in Motion Ltd. "We didn't want to piss off or annoy the Chinese,' said Juneau-Katsuya, who headed the agency's Asian desk. '[They're] too much of an important market.' However, he argued that industrial espionage affects Canada's employment levels. 'For every $1 million that we lose in intellectual property or business, we lose about 1,000 jobs in Canada,' he said." (Robert Fife, Government "concerned" about Chinese espionage, CTV.ca News, 4-14-06)
On page 250 through 254, writing on How to Sell Your Intellectual Property Protection Program, we articulated several questions to address:
1. What is your business differentiation from your competitors?
2. Whom Do You Have to Protect These Differentiators From?
3. What Are the Probabilities in Terms of Likely Attackers, Targets, and Objectives?
4. If the Competition Obtained or Tampered with Your Intellectual Property, What Harm Would Be Done?
5. What Security Measures Would Be Cost-Effective and Business-Enabling?
Google can take care of itself; and has made its own determinations about its risk and security in the past, and will do so moving forward. But if your enterprise is doing business in the global economy (and honestly, today, if you are doing business at all, you are likely doing it in the global economy one way or another), or if the government you serve is charged with protecting your nation's economic interests in the global economy, pointedly asking and substantively answering these questions, and following security-related best practices such as those outlined in Secrets Stolen, Fortunes Lost should be a high priority.
Remember that old Chinese curse, "May you live in exciting times."
Richard Power is a Distinguished Fellow at Carnegie Mellon CyLab and a frequent contributor to CSO Magazine. He writes, speaks and consults on security, risk and intelligence issues. He has conducted executive briefings and led professional training in forty countries. Power is the author of six books. Prior to joining Carnegie Mellon, Power served as Director of Security Management and Security Intelligence for the Global Security Office (GSO) of Deloitte Touche Tomatsu and Editorial Director of the Computer Security Institute.