Unlike the United States, the European Union and other Western nations, Russian and Chinese military writers generally do not use the term “Cyber Warfare”, preferring “Information Warfare” or “Informatized Warfare” instead. This is a significant difference; understanding it may better inform those who are still struggling to fit the round peg of Cyber Warfare into the square hole of the Western way of war.

Steve Tornio and Brian Martin just published a 5,000 word rant against anyone who dares utter the name Sun Tzu in connection with information security. According to Tornio and Martin, Sun Tzu – the principal strategic authority whose seminal work has served to guide China’s military and civilian leadership for 2500 years – is “not relevant to modern day InfoSec” because “information security is not warfare (leaving aside actual warfare, of course)”.

The Lieberman-Collins bill S 3480 “Protecting Cyberspace as a National Asset Act of 2010”, if passed into law as-is, will not succeed in protecting U.S. critical infrastructure from being compromised by an adversary State or Non-State actor for the following reasons:

1. Section 248 leaves the responsibility of securing the Power Grid in the hands of the same owner-operators who have failed to harden their networks up to this point. As long as the private sector gets to define what in their network is “critical” and then gets to write their own requirements to protect it, we will remain as vulnerable after this Bill gets passed as we are now.

2. Section 249 authorizes the President to declare a state of cyber emergency if critical infrastructure (CI) is deemed to be in serious jeopardy of a network-based attack and to institute emergency measures to protect it. Well, assuming that the CI we’re talking about is the Grid, how will that work exactly? For example, let’s say we have a cascading failure of the Western interconnect – the type of failure which a couple of Chinese researchers recently published a paper about. What do Senators Lieberman and Collins possibly think can be fixed by Presidential authority once the lights go out across the western U.S.? Surely in all of their staff’s research, plus testimony given before their committee, someone must have raised this point. Did they just gloss over it? The time for emergency measures is now, BEFORE a major attack occurs, not afterwards.

3. Section 244 gives additional authority to US CERT, however according to a recent DHS Inspector General report (.pdf), US CERT is struggling to meet its current responsibilities. This bill should first provide for changes to be made in the environment under which US CERT is forced to operate today so that it’s capable of implementing these additional authorities.

4. Section 251 allows energy company owner-operators to continue to hide from the public the fact that their networks have been “owned”. In turn, this allows them to deny the scope of the problem, to delay having to fix the problem, and to maintain the illusion that they are keeping our critical infrastructure safe and secure WITHOUT further government intervention.

5. This bill doesn’t address the multitude of attack vectors that threaten our critical infrastructure. For example, it ignores the fact that much of our Smart Grid design and manufacture occurs in China, the very nation whose military leadership envisions an anti-access strategy against the United States which would impede or negate our ability to operate in overseas theaters. It has no provision for mitigating insider threats in U.S. companies that support or provide our CI. It doesn’t require that Smart Grid devices be made secure BEFORE they are purchased and installed by U.S. energy companies.

Apart from these 5 flaws, and there are many others, there’s a much more complex problem that we need a national discussion about. I’ll use Symantec as an example, but it is certainly not unique to them. Symantec’s CTO Mark Bregman issued a statement (.pdf) in support of the Lieberman-Collins bill which said in part “This important legislation will enhance and modernize our nation’s overall cyber security posture in order to safeguard our critical infrastructure from attack.”

However, in 2008 Symantec formed a joint venture with Huawei, a Chinese company which has strong historical ties to China’s military and is led by a former PLA officer. Considering that Huawei-Symantec Technologies Ltd is developing and manufacturing “security and storage products for telecommunications and enterprises worldwide”, how concerned should we be about access by Huawei employees to Symantec’s source code or other intellectual property? In my opinion, we should be VERY concerned. At the very least, we should recognize that there is the potential for serious compromises wherever these products are used. But Symantec, like many U.S. companies which are global in scale, increasingly relies on international partners and markets for its economic health. I’d like to know how Senators Lieberman and Collins will address this conflict of interest, which represents one more threat vector not covered by their bill.

Jonathan E: What do you know about the corporate wars?
Cletus: Oh, they were naaaasty… Woooh.
- Rollerball (1975)

In the movie Rollerball, the world of 2018 had evolved to the point where nation states were nothing more than points on a map. Power had shifted to global corporations, and therefore, so did one’s allegiance. Patriotism to one’s country had been replaced by patriotism to one’s employer. I’m old enough to remember going to see that movie when it first came out, and I walked out of the theater thinking how far-fetched that scenario was. Now, in light of the following recent events, I don’t think it’s far-fetched at all. In fact, it’s damn close to being prophetic. Here are just three examples, but there are many more involving lots of U.S. companies:

AOL: Were AOL executives clueless about ICQ’s use as a communications channel for bad guys or what that would mean for U.S. law enforcement if its servers were moved to the Russian Federation?

GOOGLE: Did Google executives know that the company to which they’ve licensed the right to sell their Android tablet is a spin-off from a People’s Liberation Army (PLA) R&D lab? Did they consider the national security implications of that licensing, particularly if Android phones are increasingly used by active duty members of the U.S. military?

MICROSOFT: On December 23, 2009, IKS Media (iks-media.ru) reported that the Director of Information Security at Microsoft Russia spent 25 years working for Russia’s Federal Security Service (FSB). Even my Russian friends find this incomprehensible. Can you imagine what would happen if a Russian company with an office in Washington DC hired a retired FBI Supervisory Special Agent to run its InfoSec division? I can tell you that it wouldn’t be pretty.

This trend is by no means limited to the actions of these three companies. In fact, the problem is far worse at technology giants like Intel, Cisco, and others who know how bad the problem is and still choose their duty to their shareholders over their duty to their country, which brings me to the questions driving this post, questions that I’d appreciate hearing from Forbes readers about:

  • Has our relentless quest for profits and growth combined with outsourcing and globalization made patriotism an anachronism for U.S. companies?
  • How many U.S. executives have turned down lucrative deals with Russian or Chinese companies because they might harm U.S. national security interests?
  • How many U.S.-based corporations with a global presence have a national security advisor on staff or retainer to help them make these kinds of decisions?

I think it’s time for U.S. corporate executives to have a discussion about how they can balance national security with corporate growth. In fact, it’s past time, but better late than never.