Tag Archive for US-Russia-China triangle

That Office of Personnel Management (OPM) hack: the depth of the damage

The somewhat belated (just 7 months!) timid admission by the Federal Government that security clearance files of Government employees and contractors had been hacked was hardly a shocking surprise. Media discussion largely focused on the breadth of the security breach – the number hacked started with 4 million and pretty quickly grew to 21 million. But the depth of the security breach was not really addressed. It is, however, a major aspect of the loss.
Unbeknownst to most of the general public, and ironically even to many of those Government employees who are actually responsible for this security breach, all security files are not created equal. At one end of the spectrum are security clearance files of personnel whose proximity to Government secrets is very limited and often only symbolic, such as facilities maintenance workers. At the other end of the spectrum are people with security clearances well beyond the proverbial Top Secret level, those who are entrusted with the deepest and most sensitive Government secrets, such as nuclear arms and Government communications security experts.
Candidates who apply for a Government job are routinely asked to a sign privacy release allowing the Government to conduct an investigation into the applicant’s background that would otherwise be in violation of their privacy rights. Of course, applicants usually sign the form without looking at it too much. But even the lowest level of security clearance is far more invasive than your “thorough” bank investigation before granting you a loan. At the low end there’s a cursory search to make sure that the applicant has no significant criminal offences and is not involved in known criminal organizations. For a high-end clearance it’s a totally different story. Thorough investigation may include numerous connections, including relatives and present and past personal friends, hobbies, clubs affiliations, financial transactions over a significant period of time, and so on. Present and past spouses, “close friends” and partners are definitely of interest. Investigations may include interviews with neighbors and government informants, and maybe even one or another form of surveillance.
Many who are subjected to such investigation don’t realize how much of their personal privacy they surrender to the Government, but surrender they do, and some of them find that out only if things turn sour in their relations with the Government. However, they all at least implicitly rely on the Government to guarantee the security of their private information.
The OPM hack shattered that expectation. If the hack was done as alleged, by the Chinese, it is also most certain that the Russians had also done it before. Moreover, whichever intelligence service has the files, they may well trade some of them in exchange for other intelligence. Needless to say, among all those in supersensitive jobs are clandestine intelligence operatives, including the DEA, CIA, and Special Forces, and this situation puts their lives in real and immediate danger.
As a practical matter, those affected should demand to know exactly what information was stolen. Classified as it may be, it is not classified anymore. After all, if the Chinese know something about me, I am certainly entitled to know what they know too.
One more unanswered but very important question: do those files contain personal biometrics beyond fingerprints (leaking which is bad enough) — such as DNA, and retinal scans? I haven’t seen anyone asking that.

Power grid: when cyber lines cross

We have very little time to cure our stone age cyber defensive technology.
The CNN story citing testimony by Admiral Michael Rogers, head of U.S. Cyber Command, to a House Select Intelligence Committee November 20 sounded like shocking news. He stated that China can take down our power grid. http://www.cnn.com/2014/11/20/politics/nsa-china-power-grid/index.html

Shocking as it may be, if this is still “news,” surprise, surprise — it’s been known to everyone who was anyone in cyber security for over 25 years. First it was just the Russians, then the Chinese, then some vague criminals acting on behalf of “nation-states” were gradually added to the list.
Never mind the Russians and the Chinese – they also both have enough nuclear weapons to kill every squirrel in America. What is really troubling is the cyber security trend. Our cyber defensive capabilities have hardly improved for over a quarter-century. However, hackers’ attacking capabilities are improving constantly and dramatically. This is not a good equation — sooner or later these lines will cross. This means that a large number of unknown hackers will be able to take down our power grid and also decimate our power-intensive facilities, such as oil refineries, gas distribution stations, and chemical factories.
Now, think terrorists. They would be delighted to do exactly that, whether you kill them afterwards or not. This isn’t news, but it’s an increasingly troubling reality. We have very little time to cure our stone age cyber defensive technology. But that requires changing the current equation and making cyber defense inherently more powerful that the offense. That won’t happen until the doomed legacy password and firewall paradigms are abandoned and replaced by fundamentally different technologies.

Kaspersky and Symantec Kicked Out of China – For a Reason

The great cyber triangle of US-Russia-China seems to be shaping up in a definitive way. For a while China was technologically and skill-wise behind the US and Russia, the two early leaders in cyberspace, but it’s catching up, and fast.

It was announced last week that Kaspersky Lab and Symantec have been taken off the list of approved vendors in China’s government cybersecurity software market.  Reuters recently reported one example: http://www.reuters.com/article/2014/08/03/us-china-software-ban-idUSKBN0G30QH20140803

Traditionally very polite, the Chinese did not cyberwhine, did not make any fuss, did not lay any blame, but simply took the pair off the list. Some Western and Russian analysts were very quick to assume and announce  that this was a trade protectionist move to favor China’s national cybersecurity companies. That’s definitely wrong. If that were true, China would bar foreign companies from the country altogether – their private market is huge and very profitable. But they didn’t; they specifically only addressed their government cyberspace security. Apparently Chinese cyber experts found some extracurricular activities in products from both companies, which is not terribly surprising. Furthermore, they probably realized that detecting all the malware in modern software is practically impossible, and correctly decided to keep the foreign security well-wishers away, at least from their government.

The Chinese perception of individual privacy is different from the Western, and they don’t seem to be very concerned about the privacy of the regular common users, at least currently. However, they will probably watch Kaspersky’s and Symantec’s products sold to the Chinese private sector very carefully from now on. If they detect any sizeable collection of data from customers’ computers they will probably bar Kaspersky, Symantec, or both from doing business in China altogether.

The great cyber triangle is definitely becoming more and more equilateral. Interestingly, for the first time that I can recall, China is taking the lead in a trend that is logical and most likely to continue.

Why do Russia and China not cyberwhine?

Usually in my posts I try to provide answers. This time I can only manage a question, but it’s an interesting one.

We constantly hear complaints, if not outright whines, about the US being attacked in cyberspace, either by China or Russia. We’ve gotten used to these attacks, and our response is becoming more and more like “what else is news?”

But there’s an interesting angle here: in the more-or-less symmetrical US-Russia-China great cyber triangle we rarely if ever hear about Chinese or Russians being hacked. Is it that they are not being attacked? Not at all. For example, recently Russia detected a five-fold increase in powerful DDoS attacks over the last year, the longest one lasting ninety days. That one was by any standard a major cyber security event. Was it a big media deal in Russia? Not really– it was barely mentioned.

Initially I thought this difference was mainly a cultural thing. In Russia boys grow up in a culture where if you’re beaten up, you don’t cry “Mommy, he hit me!”, and for sure you don’t complain to teachers or the police. Just heal your bruises and learn to defend yourself. I believe that in China the culture in this respect is somewhat similar. The reaction to cyber attacks on the US is just the opposite. Instead of developing a really effective technology of cyber defense and immediate counterattack, we whine loudly time after time and waste our credibility with vague threats, when everyone knows there will be no real response.

However, cultural difference is probably not the reason for Russia’s and China’s  mute response. As an example of the opposite response, we can recall frequent border disputes between Russia and China in 1960s (over the areas where nobody was present for many miles except a few occasional border guards). During those clashes there were extensive media coverage on both sides, with many diplomatic notes saying something like “This is the 104th serious warning.”

So, the question remains: compared to our constant whining, what is the reason for the very muted Russian and Chinese responses to cyber attacks?

Privacy Posturing in the Great Cyber Triangle

The recent New York Times article, “Internet Giants Erect Barriers to Spy Agencies,” reflects the current political rhetoric over privacy, but it also misrepresents the reality of the situation.

http://www.nytimes.com/2014/06/07/technology/internet-giants-erect-barriers-to-spy-agencies.html

The companies cited– Google, Facebook, Yahoo, and the like– are taking steps to make NSA interception of their data more difficult. But this is a basically political move. They are merely reducing levels of voluntary cooperation with the government. The simple truth is that with the cybersecurity technology currently available and deployed these companies are not capable of protecting themselves, and ultimately their customers, from cyber attacks.

In the great US-Russia-China Cyber Triangle each government has enjoyed the quasi-voluntary cooperation of its cyber-based large companies. The other two governments were simply attacking the companies at will, and with full success. Of course, the companies’ cooperation was helpful to their host government, but it should be clearly understood that this was merely a matter of convenience and efficiency, and had little bearing on the actual result.

So the only change this new US cyber company fad  is that it will take a little more effort by the US Government to get the same results. The other two sides of the great triangle aren’t affected (nor, for that matter, are several  other governments).

This might suggest that the only way to protect people’s privacy is a legislative approach that would prohibit the Government from spying on its own citizens. But then we have to clearly understand that while we can prohibit NSA collecting Americans’ personal and private data, we cannot prevent Russia or China from doing the same. This is a symmetrical situation: Russia and China, and any other country, cannot prohibit the US collecting whatever they want. The situation would be awkward indeed if only American Government cannot collect unrestricted information on Americans. Spying is the oldest profession, and it’s going to prosper for the foreseeable future.

There’s a simple conclusion to be drawn: until and unless we develop new and truly effective cybersecurity technologies all the discussions about our privacy are just exercises in political rhetoric.