03.09.12
US Cyberwar Assessments — the usual conflict of interest
Yesterday’s cyberwar news revolved around a report issued by the U.S.-China Economic and Security Review Commission.
The government commissioned Northrop Grumman to do the report.
Northrop Grumman is a big arms manufacturer and one part of its business model is now the selling of cybersecurity/cyberdefense contracting to the US government.
For the last ten years, at least, the US government has regularly outsourced threat assessment to the defense and national security companies providing defense against the threats assessed.
It’s a terrible conflict of interest but it’s the way things are. Set in impervious stone, there is no way to change it.
The cynic could view it as just a practical dealing with the ways of the defense machine. If the government went to the trouble of hiring and paying its own people to do the job, they’d sooner rather than later wind up doing the same thing for a contractor, selling the product back to the government at not-so-cheap prices, anyway. The government has become a stop on the way to the private sector, a shop where you can arrange things so that when you hit corporate America, you know what buttons to massage and who to grease to get a share of the national spoil for your firm.
So why even bother with the pretense of having an in-between stage of allegedly independent employees doing it?
Having put this to electrons, the report is here.
For what it is, it’s rather modest, particularly in comparison with the press spawned.
It spends a lot of print mapping the cybersecurity training and defense structures in the Chinese government, academia and the private sector, so far as they can be determined from the public record.
In this, readers see a simple mirroring of the government, private sector and academic interest in cybersecurity and the topic of cyberwar in the US. Nothing more, nothing less.
A final section of the report deals with security concerns over supply chains and alliances between Chinese state-sponsored businesses and the information technology industry in the US.
The report presents the problem of determining whether or not chip manufacturing, now almost all done in a distributed manner overseas. (The report calls it “fabless” manufacturing — the companies that are the suppliers and brand manufacturers now simply being fronts for shops which aggregate finished goods, parts and processes from all over the world.)
At this point in time, it’s impossible to secure. However, it’s also so complicated that there is no one person, or group of people, or central repository, that can map it. There are always people, or agencies, which insist they do. They’re almost always lying or exaggerating for their own purposes.
The complexity of this network defies securing. It also is problematical for those who, according to US suspicions, might wish to exploit it to embed trojan horses and malicious products all over the US. More complexity seems to always breed more vulnerability. It also makes it so fewer and fewer people accurately grasp the entire picture, including experts.
Attackers can no more determine whether poisoned products will wind up in critical areas, or if they will wind up anywhere important at all, than defenders can.
Easier to have someone on the inside of a very specific target, ready to add a contaminated device, perhaps à la Stuxnet.
And far easier to just try and get into network points from the web.
The Seattle Times published a piece that, like the rest of the news generated on the report, overstated it by sins of omission and commission.
For a decade or more, Chinese military officials have talked about conducting warfare in cyberspace, but in recent years they have progressed to testing attack capabilities during exercises, according to a congressional report to be released Thursday …
The Chinese military conducted an exercise in October involving “joint information offensive and defensive operations” and another in 2010 featuring attacks on communications command-and-control systems …
American officials have stated that the Chinese have penetrated the U.S. electric grid and that they have gained access to U.S. government and corporate networks.
In other words, the Chinese are running cybersecurity/cyberwar/penetration testing exercises in the same way the US has done, through the public and private sector, for many years.
As for the Seattle newspaper’s insertion of a sentence on the electrical grid, it’s stock sloppy repetition of received wisdoms and does not really reflect much that’s actually in the Northrop Grumman report. The arms manufacturer’s analysts make only one mention of the US power grid and taking it down through cyberwar.
One Chinese technical report — that’s one — is cited as having discussed the topic. And there is none of the usual theorizing and empty claims about what could be done to the power grid. It’s a bit of a contrast with the usual way the subject is handled.
In this it shows a slightly refreshing break from the usual official cant on the matter. A small favor, perhaps.