This article can also be found in the Premium Editorial Download "Information Security magazine: Effectively navigating the security risk assessment process."
Download it now to read this article plus other related content.
Jamie Metzl caused quite a stir late this summer with an article he wrote for the Wall Street Journal in which he blasted China’s computer hacking efforts. Metzl, executive vice president of Asia Society
Unfortunately for him, he used McAfee’s Shady Rat research -- which received criticism from several experts in the industry -- as the backbone for his diatribe against China. Regardless, the bigger point here is China’s 10 percent annual economic growth, a staggering number according to bean counters, isn’t exactly being built solely on blood, sweat and tears. Metzl and others we’ve talked to and listened to say China is relentless in its efforts to steal intellectual property, trade and corporate secrets, and anything else that will give them an economic edge—or growth spurt. I’ve had more than one casual conversation land on the topic that some product some startup has been slaving over suddenly shows up on the China market months ahead of a potential launch here.
Are we covering new ground here? No. But it’s worth reminding those who will listen that the Chinese are on our networks and are leveraging state-sponsored or politically motivated computer hackers to steal anything that isn’t nailed down.
China’s efforts aren’t limited to big business either. Despite Art Coviello’s best efforts to tap dance around the obvious, I’ll take some journalistic license to read between the lines and conclude the Chinese were behind the SecurID attack. The attacks that compromised the company’s flagship SecurID authentication technology have been the security story of the year. The seriousness of the attacks quickly came to light when it was revealed they were merely a jumping off point for a downstream attack on the defense industrial base as Lockheed Martin and others subsequently reported they too had been breached.
China computer hacking is also the suspected culprit behind the Aurora attacks on Google, Adobe and upwards of 20 other enterprises, manufacturers and defense contractors in 2009. Plus, two Department of Defense reports released in the last 20 months name China as active in moving digital assets off American networks -- corporate, government and military. Can we stop the politically correct pretense and examine closely in public circles the impact of these intrusions upon our economy and national well-being? Granted, if we cast that spotlight on the Chinese, we’re likely to get an equally bright light shined upon U.S. activities in China, Iran (hello Stuxnet) and other foreign interests. So be it. It’s time for ground rules and time to tame the Wild West before real lives are lost, not just nuclear centrifuges and software source code.
There needs to be discourse at a policy level in Washington on cybersecurity and a clear understanding from legislators on these activities and their ramifications. The call for “offensive” weapons in cyberspace is also rattling around offices at the NSA and DoD and clearly some have been developed (hello again Stuxnet), but there are no rules of engagement written in stone yet in terms of how to react and reply to cyberattacks. How long before a physical, military response from either side follows up a cyberattack perpetrated by either side without a means for attribution of the attack or channels of communication between policymakers well versed in cyber?
The Chinese aren’t shy about taking land or IP by eminent domain it seems. Pretty much anything is in scope to advance their economic agenda, according to Metzl’s op-ed in the Journal. If so, it’s time to bring cyber to prominence in Washington and internationally begin some real forward thinking before real companies are unable to compete in their respective markets, or worse, real lives are lost.
Michael S. Mimoso is Editorial Director of the Security Media Group at TechTarget. Send comments on this column to firstname.lastname@example.org.
This was first published in October 2011