Security and the rise of corporate espionage
Cold War hangover, China Google hack, and Climategate are your reality today
By Richard Power | CSO | Published: 15:58, 01 March 2010
Even today there are some still blank stares when I suggest to an audience of C-level executives or security professionals that they should all read the front pages of the Financial Times, the Yomiuri Shimbun, etc., as well as the technology news, if they want to know what cyber risks and threats to prepare for.
Oh, the battle might be waged in bits and bytes, and bloodied patch bulletins that arrive six months too late; but the war will be won by those who could read between lines of the lead stories in politics and business, and it will most certainly be lost by those who disregard the world beyond the imaginary perimeters of their "network defenses."
Fifteen years ago, ten years, even five years ago, this recommendation was met with almost unanimous incredulity.
Related Articles on Techworld
And even today, although the validity of the exhortation is beginning to sink in many, the full scope of its implications still eludes most.
Likewise my suggestion that the conventional wisdom about industrial espionage, or economic espionage, should not be so heavily relied on as we moved forward into the 21st Century, because it would undoubtedly be supplanted with information age espionage, which would demand an entirely different mind-set.
Year after year since 1994, I said that sooner than later, the turning of insiders, whether through bribery or blackmail, and the dropping of intruders with cameras, Ninja-style from the ceiling, would in many cases by completely supplanted by stealthy cyber attacks, and in other cases by rolled up into hybrid attack strategies combining the best of both centuries.
Well, here we are. The global economy, geopolitics and cyberspace interpenetrate in new ways, and our world will never be the same. Of course, we have been here for a while. Now it is simply harder to deny. Consider to recent blockbusters: "Climategate" and China-Google. Both stories have received tremendous coverage, but much of that coverage is still missing the big picture, and the big takeaways.
One of the most fascinating aspects of the "Climategate" story is that the thrust of the news coverage has been about the content of the hacked e-mails (which, by the way, was largely misrepresented in most reports), rather than inquiring into the much more telling issue of who did this, and why.
Months after the caper, some truth has started to bubble up.
"A highly sophisticated hacking operation that led to the leaking of hundreds of emails from the Climatic Research Unit in East Anglia was probably carried out by a foreign intelligence agency, according to the Government's former chief scientist. Sir David King, who was Tony Blair's chief scientific adviser for seven years until 2007, said that the hacking and selective leaking of the unit's emails, going back 13 years, bore all the hallmarks of a coordinated intelligence operation--especially given their release just before the Copenhagen climate conference in December." (Independent, 2-1-10)
I suggest that if the full story is ever known is will indeed be proven to be an intelligence operation, perhaps utilising intelligence resources of some government or another, but instigated by something much more larger and much more powerful than any government, e.g., some entity within the global fossil fuel industry. Remember, the stakes are planetary, macroeconomic, geopolitical and millennial.
And then there is the China-Google affair.
The shock waves will be reverberating through the vast expanse of cyberspace for some time to come, but whatever else comes of it, this is certainly a teachable moment.
It has led my friend and co-author, Christopher Burgess and I to reflect on the message and contents of our 2008 collaboration, Secrets Stolen, Fortunes Lost: Preventing Economic Espionage and Intellectual Property Theft in the 21st Century, and how prescient it was in regard to the China-Google story, and the need to address such threats by proactively strengthening the enterprise's security posture to a level commensurate with the realities of a 21st Century environment in which the global economy, geopolitics and cyberspace interpenetrate seamlessly.
In it, we introduced the concept of Holistic Security; in other words, a security programme, in which all the elements (eg, personnel security, physical security, and information security) are integrated (ie, responsive to and reflective of each other), and which also benefits from a serious commitment to both awareness and education (to engage and empower the work force) and intelligence (to enlighten decision-making).
So what does this teachable moment offer us?
Well, let me start with a big question, within the context of the China-Google affair, secrets were certainly stolen, but were fortunes lost? Perhaps a rephrasing of the question reveals another dimension, and a better framing, of this teachable moment, if your secrets are stolen, and part of your fortune is lost before you have even made it, was it ever yours and did you lose anything?
You realise, of course, it wasn't just Google that was compromised in this operation; it was also those individuals and enterprises using Google's infrastructure and resources to conduct their online activities.
Three weeks after the attacks on Google were disclosed, Kim Zetter, writing for Wired, contributed a story on some deeper insights into the nature of the attacks:
What the information indicates is that the attack that hit Google is identical to publicly undisclosed attacks that have quietly plagued thousands of other US companies and government agencies since 2002 and are rapidly growing. They represent a sea change from the kinds of attacks that have commonly hit networks and made headlines. "The scope of this is much larger than anybody has every conveyed," says Kevin Mandia, CEO and president of Virginia-based computer security and forensic firm Mandiant. "There [are] not 50 companies compromised. There are thousands of companies compromised. Actively, right now." (Kim Zetter, Wired, 2-3-10)
For some sage analysis from a serious student of Sun Tzu, I turned to my friend and colleague, Lawrence D. Dietz, Managing Director of TAL Global, and Adjunct Professor at American Military University. Over the years, I have been discussing the nature and evolution of the cyber dimensions of warfare with Dietz, who served with distinction in the US Army as an expert in psychological operations and strategic communications,
"I am frankly overwhelmed with the reactions concerning the recent activity with regard to Google and China. Apparently naivete is abundant and there is a general lack of historical knowledge. It is certainly a well-known fact that the government of the People's Republic of China is inextricably intertwined with the economy. It is also pretty much common knowledge that the concept of intellectual property in China is quite different than it is in the Western World.
Furthermore it would seem that most people have lost sight of the long haul nature of the Chinese and the strength of their loyalty to their country. Putting things into perspective, any organization operating overseas must realize that their indigenous work force will put loyalty to their country over loyalty to most businesses. It also follows that industry leaders such as Google would be regarded as prime targets for economic espionage if not regarded as a threat outright. In Google's case, there are two aspects of why the Chinese government would pay special attention to Google: first of all open access to information is contra to the philosophy of the government of the People's Republic of China and secondly Google as a business offers lessons to be learned. Consequently it should be no surprise that Google has been attacked from inside and outside. Organizations operating outside their native countries need to redouble their efforts to adopt a holistic approach to security that safeguards employees and assets from attack and collection threats."
OK, so what does it mean to you and yours? What can I offer you of a practical nature, so that this is something more than another exercise in "I told you so..."