Defense, security and the real enemies

When I was a kid, I used to read National Geographic magazines. They were 25 cents each at the local library. The August 1974 issue had an article in it titled “Rare Look at North Korea,” by H. Edward Kim, who visited North Korea (DPRK) and provided a detailed report. In that article, he spoke of how North Koreans figured out how to build their own tractors by reverse engineering one. They spoke about the tractor running backwards at first, but they eventually were able to build running tractors better than the presumably Soviet ones they took apart to learn how to build them. They have since applied their ingenuity to technology.

They are guided by the Juche ideology authored by their first leader, Kim Il Sung, which is based on the tenets of independence, self-reliance, and self-defense. Under their second leader, Kim Jong Il, the Songun, or “military first” policy was added. Kim Jong Un, the third and current leader, has extended these with a focus on nuclear weapons development, empowering companies, and providing incentives for economic development called the “Socialist Corporate Responsible Management System.” Their system is focused on enriching their military, the DPRK and then their people, in that order. They have become an extremely adept force in technology, as Sony Pictures unfortunately learned, and have utilized their skills learned from reverse engineering our technology to bolster their economy. The recent thefts of $571 million in cryptocurrencies, according to CCN, done on behalf of a country with a $28.5 billion GDP in 2016, shows that a significant portion of their income now comes from their technology skills.

North Korea is one of five countries and one region, which are Cuba, Iran, Syria, Sudan and the Crimea region of Ukraine that the U.S. Government explicitly prohibits exports to without permission. This means that they can’t get the latest versions of Windows or other American software legitimately. They have developed their own version of Linux, Red Star Linux, which has all the surveillance tools you would expect from a platform developed by a totalitarian state.

Russia and China

In 1983, an unnamed intelligence agency had given DEC the wording “VAX: For When you Care to Steal the Very Best,” which was taken from a VAX-11/780 running in the Soviet Union. DEC decided to put that on their CVAX chip, released in 1987, for the Soviet engineers who were tasked with reverse engineering American technologies.

The Soviets tried every approach, including using Romania, who inexplicably had Most Favored Nation status with the U.S. despite having one of the most brutal despots in world history, Nicolae Ceausescu, in charge, to import restricted technologies. They also reverse-engineered the Sinclair Spectrum and made their own versions of it to sell behind the Iron Curtain, among many other examples. This is nothing new and is something they have been doing for years.

In the South China Morning Post International Edition article, ”China Never Really Stopped Being a Copycat, and That’s Why its Tech Companies Aren’t Changing the World,” Peter Guy makes the statement that Chinese companies consider it OK to rip off foreign corporations. A visit to the Computer Crimes and Intellectual Property Section of the U.S. Department of Justice shows that a number of Chinese nationals have been successfully prosecuted for trying to exfiltrate data from the United States to China.

The biggest threats

The three nations that are the largest cyber threats to the United States are, in no particular order, North Korea, Russia and China. They have been reverse-engineering our technology for a number of years, dating back to the beginning of the Cold War. The originators of some of the most devastating cyber-attacks have been based in these three countries, such as WannaCry and mass cryptocurrency theft (North Korea), Petya/NotPetya (Russia), and multiple data breaches (China). Their governments actively sponsor attempts to reverse engineer our technology and learn from it. 

What has happened since the Cold War?

When Aaron Gregg’s article in the Washington Post, Defense Industry Grapples with Cybersecurity Flays in new Weapons Systems, was published on October 14, it caused an uproar. It should not have. The truth is that we have been under active attack from multiple countries, starting with these three, for a number of years. They have it as part of their nationalistic ideology to take from others, reverse engineer it, make it better, and use it against others to improve their standing. Letting our guard down and letting vulnerabilities persist in our hardware and software that can be taken advantage of by hostile parties such as Iran (unencrypted drones anyone?) has let down our national defense and the Warfighters we need to support.

Ever since Glasnost occurred and Billy Joel performed in the USSR, we’ve been more relaxed in how we handle security. We haven’t thought as defensively or critically as we collectively once did. Even large data breaches such as Equifax, Anthem, OPM or Yahoo are greeted outside the Infosec or security communities with nary more than a shrug. We are no longer as wary as we were in the 1960s or 1970s.

Cybersecurity isn’t about just buying a product to fix a security issue and stop malware from getting in. The root cause of us having much of this malware in the first place is that we have enemy parties that are reverse-engineering everything we are developing to find holes and vulnerabilities and using them against us. This is not just with chips and operating systems. It has extended to media platforms and social media, starting with Facebook and Twitter and their repeated usage by Russia and other entities to manipulate millions into following fake supporters of politicians straight to the ballot box. We are being hacked in multiple ways by countries and cultures that are using our weaknesses to build their own nations’ strengths. We need to keep in mind that these are countries that want to make their own nations great again, not America.

This is not just an attack on our technology. It’s an attack on all of us. It divides us.  It is meant to keep us distracted, angry at each other, and fighting each other over wedge issues while our strengths are appropriated and used by others for their benefit. It has been astonishingly successful. While we are distracted by social media, we’re getting attacked by nation-states. Unlike many of the commercials we see on television or YouTube, this isn’t something we can buy or get prescribed a fix for.

What can we do about this?

Recognize the dangers presented by these countries at all levels of government. This is one of the times where party affiliation or stances on issues do not matter. We need to take the agencies and people we’ve empowered with H.R. 1616 – Strengthening State and Local Cyber Crime Fighting Act of 2017, and Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, both of which have been signed by President Trump, and make actual protection the national priority. The latter bill is very comprehensive and provides an excellent start as to what companies should be doing. 

We need to plan to protect what we deploy as part of how we implement technology and plan to keep the technology as current as possible and most importantly well-protected with an engaged team. We make it easy for Moscow, Beijing or Pyongyang when we don’t protect ourselves. Many of these successful attacks take advantage of long-standing security holes to devastating effect. They don’t have to be very good. The long-standing mantra of “we’re too small or not important” is no longer the case, with a large number of smaller businesses and state/local government agencies falling victim to ransomware originating from foreign countries. The Mirai botnet showed how a number of small businesses with the same type of vulnerability could overwhelm network protections of even the largest companies, and showed an existential threat to the Internet itself.

Where do we start?

This starts with leadership at the top. We need top leaders to admit that we need to improve, and to do so, we need to not worry about looking good to those above us.  One of the major failings of American corporate culture has been hubris, and the need to look good in front of the C-suite. We need to ignore that and focus on assessing and addressing risks in our environments using the people, processes, and technologies we have.  If we do not have those people in-house, we need to find partners invested on our futures who want to collaborate with us, not just vendors trying to sell the latest magic box. We need to put protecting ourselves and our environments ahead of meeting expectations for earnings per share while still conducting business. If we don’t protect ourselves and our businesses, the effects will negatively affect them more than the cost of protection.

The most critical item is that the C-suite and boards need to follow up on this. This is no longer a discretionary issue. This is survival of companies and the millions of people whose livelihoods depend upon them. This affects all of us, where we live, and who we associate with. Malware and cyberattacks do not discriminate. We need to be as relentless in assessing and addressing risk as our adversaries are in finding our weaknesses, and partnering with others, including our competitors. To do so means that we don’t focus on looking good, but where the risks really are, and empowering and educating people to be able to assess and address weaknesses without fear of retaliation. The cultures that begat this behavior will not change unless these new sets of rules start at the top and are continually facilitated, encouraged and enforced.

We have a culture where at many companies’ issues get hidden or buried because they will make someone look bad. These hidden issues are now capable of irreparably damaging companies with cyberattacks and won’t stay hidden. This needs to stop, and we need to have accountability and transparency. The example leaders should follow is that of former Defense Secretary Robert Gates, who ensured it at all levels after several embarrassing incidents. He is someone who has delivered this message successfully at the CIA, Department of Defense, Boy Scouts of America, Texas A&M, and to both Democratic and Republican Presidents.

What about social media?

When it comes to social media, we also need to be similarly vigilant. Many very well-meaning people who love America have been swayed by propaganda originating from Moscow.  We have been very trusting when it comes to Facebook and Twitter, and we have had a great many people who love and serve this country and its people who have inadvertently spread messages of division, anger and hatred toward others. This has contributed to some incredibly toxic dialogue. We all need to commit to stopping this and focusing on the greater good of protecting each other. You can only be angry for so long, and it doesn’t help address the root causes of issues.

I applaud the fact that thousands of people get together at rallies, Pledge Allegiance to our Flag, and salute Law Enforcement and the Veterans and Warfighters who have sacrificed to preserve this country and its ideals. However, we need to take out the divisive rhetoric and anger and focus on what we can do as a people to address the numerous threats that have negatively affected us in many ways. 

We need to focus

We need to focus that energy on protecting all of us. We need to not protect a subset.  One great thing about America is that people of all races, ethnicities, genders, preferences and their supporters are citizens, and have served and sacrificed for this country. The more we focus on excluding people, the less we focus on the objective of protecting ourselves. The more we are angry, the less effective we are at making good decisions. An eye for an eye really does make everyone blind. Excluding people leaves us vulnerable because we need to be working together to address issues and building dialogue.

We need not to be focused on our individual goals of winning or certitude. This isn’t about winning an argument on Facebook or attacking someone’s credibility because they quoted Stephen King as a source. This is about working together to address a threat that uses many channels to infiltrate. Unlike the shock that was Pearl Harbor that jolted America into action, this has been more gradual and invasive. We need to focus on what we can do to stop these threats and mitigate risks, not where we differ in thoughts or opinions. We need a cultural shift starting with our leaders to focus on accountability, transparency, risk identification, risk reduction plans, and to continually follow up and look for open issues. We need a culture of vigilance. We can’t just look to one leader all the time to set the tone. We need to look toward many and stay focused on our goals without letting anger blind us.

One of the CIOs I worked with once told me that he did not want to have a “security culture” at the company we worked at. With the evidence out there of continuing threats to our collective well-beings to the benefit of others at our expense, we need to recognize their gravity and not only have a culture that embraces security, but also vigilance, transparency and accountability to address the major issues cyberthreats have become. We need to embrace leaders that understand that, empower the ones that do, and set the example for others by being leaders ourselves and developing new ones.

We need to follow up from this by investing in technologies and processes that allow for strong authentication, verification and validation. We need to focus on the management of processes and technology with ourselves and trusted partners, not on buying technologies because they apparently fix our issues. One of the main reasons we are in the situation we are in is because of risk transference. We need to own the risks and address them, not pay someone to do so for us, and we need the leaders of companies to hold themselves and their teams accountable, even if the situation doesn’t look good. Only then will we have addressed the root causes of these issues, and possibly a few others.

Finally, we need to develop our people and teams. Education is paramount, and not just skills-based. Critical thinking skills are important to develop people who understand how to make educated decisions. We need to own the development of team members and make sure that we keep people interested and engaged by continually communicating the meaning of the work, and continually follow up on their development. We talk about how millennials constantly move jobs. Two of the major driving factors are engagement and continual learning. We can’t focus on skills-based development and expect engagement out of that. We need to make sure that we build the career path that people need to succeed, and make sure we start early to educate at all levels. When we did this in the 1950s and 1960s, we created a generation of engineers and scientists that built a strategic advantage for the U.S. due to the threats of the Soviets overtaking us. We need to continue that, and it needs to start with a good education that continues into career development and engagement, like the large defense contractors, military, government, IBM and GM had. That threat has not dissipated. It has only changed. We need to realize that and change before it’s too late.