Saturday, June 26, 2010

In a cyber-war, we fight for economic well-being

Earlier this month NPR’s Planet Money podcast had a session entitled, “A War Between States And Corporations,” where they interviewed Ian Bremmer (President, Eurasia Group). Mr. Bremmer is the author of The End of the Free Market: Who Wins the War Between States and Corporations? Near the end of the podcast Ian said something about the economy and internet security that really resonated with me.

“When you have hundreds of western multinational corporations that have seen industrial espionage, that’s been directly targeted at them through cyber attacks, massive unprecedented cyber attacks, that were either directly organized by the Chinese government or were known about and actively tolerated by the Chinese government on behalf of Chinese corporations -- that’s a pretty good description of a war.”

I’m inclined to agree because as he puts it...

National security is no longer about tanks. National security is increasingly about economic well being, internet security, and issues that allow us to live on a daily basis. We’re not worried today about the soviets blowing us up with nukes, but we are worried that our kids to be able to enjoy a quality of life vaguely related to our own.”

Precisely. We want our children to have a good quality of life and the lack of internet security places that in jeopardy for all us. Historically economic failings, obviously not through cyber-war, played a role in the fall of the Roman Empire, the Soviet Union, and very nearly Greece. Our cyber-war, and it is a war, isn’t over in so much as that we haven’t lost our economy; nor solved the problem. What we citizens want, what we desire most (qualify of life), is facilitated through economic prosperity. To achieve this the U.S. needs entrepreneurialism and innovation. The latter is what enables business to grow and our economy flourish, which is exactly what our enemies want to steal from us, over the network, because they can.

“And, I see this as absolutely being a fundamentally conflictual relationship that is coming up between these corporations that are increasingly going to have to fight against other entities, economic entities, that are being supported by governments where there isn’t rule of law.”

Yes, how exactly can a western corporation, or any non-nation-state sponsored entity, possibly defend itself against such an adversary?

Legal and diplomatic remedies to enforce various cyber-crime laws is an option. Only this approach has proven all but completely ineffective. DoSing malicious network nodes has been suggested, but will certainly not deter let alone stop an advanced persistent threat. Increased attack distribution and subtlety is the result. The current WhiteHouse administration will not easily opt for conventional shock-and-awe warfare to target digital adversaries, even in occasions when we know names and locations. At least I hope not, although it may eventually come to that if we can’t find a way to succeed through technological means.

On the defensive side the U.S. government is simply not equipped to help businesses defend their networks or the applications above. GOV is out staffed and overwhelmed already trying to defend their own systems from classified data breaches. At best they may provide the private sector some welcome threat intelligence. If corporations desire security, not all do, and survival is optional, they must learn to adequately protect themselves against other corporations who may have the support of nation-states.

Adobe, Juniper, Symantec, Northrop Grumman, etc. recently received a warning shot in Operation Aurora, as did other named and unnamed corporations. A sure sign of the times. Bad guys want more than just money. They’re very keen on intellectual property, new inventions, source code, customer lists, contract negotiations, acquisition plans, product strategy, sales figures, names of employees and their friends & family, and so on. All of which is located on some computer, likely multiple computers, on the corporate network (or Facebook’s) accessible from anywhere the Internet.


Dan said...

Industrial espionage is not "Cyber-war".

If any of these companies thought that industrial espionage, which has been going on for thousands of years, would skip networks as a vector, they are confused to the point of negligence.

There are, IMO, several problems with assigning the "war" moniker indiscriminately.

First, when you convince the masses that we are "at war" with other nations because of actions well below the threshold of conflict, you risk the escalation of conflict.

Second, if we are "at war" then we should expect the US government to protect us right? Do you really want the government generally involved in the day to day operations of your networks and companies? Not enough regulation for you yet? Do you really think that the government is measurably "better" then the private sector when it comes to security? I've been heavily involved on both sides of the fence and I can't think of an area where they are better equipped then the private sector.

So, after 650 words, I think the message we are left with is, "Try Harder", which we already knew. :)

Jeremiah Grossman said...

@Dan, thanks for comment.

> "Industrial espionage is not "Cyber-war"."

Let's break this down. "Industrial espionage," which I agree is age old, and in this case carried out over the network. So the word "cyber" suitable.

When the industrial espionage is nation-state sponsored/supported/carried-out, targeting our people (and corps), on a mass scale, and puts the economy of our country at risk -- I have to say that sounds very war like to me (or cyber-war), but to each his own.

Perhaps the cyber-war conflict needs to be escalated and made highly visible, on the US side. We risk much by doing nothing, not enough, and not calling it what it actually is.

And just to be clear, I made no suggestion that the government should or could be of assistance to businesses. As president Ronald Reagan said, "The nine most terrifying words in the English language are: 'I'm from the government and I'm here to help.'"

Rob Lewis said...

It's a matter of degree. Just because we are dealing with livelihoods, not lives, does not mean we are not involved in a battle for the welfare of future generations.