Yesterday I had the pleasure of attending “Supply Chain Security - Do you know who your insiders are?” by Bob Hutchinson, Senior Manager, Sandia National Laboratories’ Information Security Sciences Group.
The key aspect of his presentation that I took away was the National Labs’ ability to control and prevent compromise of the Nuclear Weapons supply chain. And that the lessons learned from almost 7 decades of experience could be applied to the supply chain risk of Information Technology. We’ve solved most problems before it simply takes effort to find where.
This analogy led me to investigate a bit more and I discovered Bob’s statement to the United States House of Representatives Committee on Energy and Commerce, Subcommittee on Communications and Technology. His 4 key points are:
- While strategic data theft of intellectual property and national secrets has become a focus recently do not lose sight of the malicious data modification threat.
- Examine and be aware of your Information Technology aspects of your supply chain; from the software applications and patches to the sub-components of each piece of hardware (and it’s obvious supporting software -firmware).
- While developing the manner and mechanism for Cyber information sharing between Government and Industry there must be a strategy associated with it. This strategy could then be used to assist in an adversary “self-identifying.”
- Identifying the Nation’s noted “profound shortage of qualified cyber security experts.” He adds that having been tasked by DoE, Sandia to has built “a program that’s more like a medical residency than a trade certification” and that this model is much more appropriate to creating the requisite cyber security experts for the nation.
First the obvious disclosure piece. I’m never comfortable with allowing & receiving reports from those you procure services from. I’m even less comfortable with Northrop Grumman’s Occupying the Information High Ground: Chinese Capabilities for Computer Network Operations and Cyber Espionage report. I don’t understand what would possess the U.S.-China Economic and Security Review Commission to accept such a report let alone request and fund it from a Department of Defense contractor with significant interests in this developing area. I could care less if these information security analysts were the best on the planet this in my mind is a clear conflict of interest and “personnel firewalls” have zero effectiveness.
With all that mentioned let’s see what they put together in this massive document.
The immediate focus of the document is on “information confrontation.” They point to a Chinese paper on Infomization Dominance. Sounds a lot like the U.S. Navy’s Information Dominance Corps focus doesn’t it? Additionally it discusses China’s Integrated Network Electronic Warfare or INEW strategy.
PLA analysts consistently identify logistics and C4ISR infrastructure as U.S. strategic centers of gravity suggesting that PLA commanders will almost certainly attempt to target these system with both electronic countermeasures weapons and network attack and exploitation tools, likely in advance of actual combat to delay U.S. entry or degrade capabilities in a conflict.
This is of significant concern. The United States has continued to outsource and outsupply items through every portion of our lives and the result is this has forced the US Military to be dependent upon similar sourcing paths and venues. Until a shift toward in house production and upfront investments to mitigate supply chain risk this will continue to leave a massive vulnerability through every level of the Department of Defense and Critical Infrastructure of the United States.
At least 50 civilian universities conducting information security research nationwide benefit from one or more of roughly five main national-level high technology grant programs, reflecting what appears to be a broad technology development plan consistent with published national priorities.
My immediate response was that the U.S. has so many more universities conducting information security research that it dwarfs the metric listed. While true what is more concerning is the number of individuals China has attending our universities which compliments this metric. The cost is often prohibitive for the US Government and Military to send or acquire personnel from places like Carnegie Mellon University. However, for a highly resourced entity the ability to integrate with the leading Computer Science and Information Security university and research entities is much more significant.
Without strict control of this complex upstream channel, a manufacturer of routers, switches, or other basic telecommunications hardware is exposed to innumerable points of possible tampering and must rely on rigorous and often expensive testing to ensure that the 11 semiconductors being delivered are trustworthy and will perform only as specified, with no additional unauthorized capabilities hidden from view.
Until the U.S. changes its Research and Development to include Production capabilities this will pose a massive risk which cannot be managed, improved, or worked around. I’ve seen discussions to make this a responsibility of the GSA or other major government entity but I’m not sure GSA could effectively get this accomplished. I believe an entity tasked with this would need to be supported heavily by the National Laboratories and Research & Development components of the USG.
Professional state sponsored intelligence collection not only targets a nation’s sensitive national security and policy making information, it increasingly is being used to collect economic and competitive data to aid foreign businesses competing for market share with their U.S. peers.
There is no longer a difference between national security information and economic and competitive data information. Intellectual Property is part of a Cyber War and this includes the piracy of information and data. The difficult part of this is discerning the difference between Cyber Warfare and Cyber Crime. Where does this get handed to Cyber Command or the Department of Homeland Security? This is something that is currently being debated in the U.S. Congress. There are a couple of Information Security Bills being tossed around; Senator McCain’s Bill and Senator Lieberman’s Bill.
Media and industry reports portray some of the incidents attributed to China as advanced but the reality is that many successful penetrations are “advanced” only because the targeted organization was unable to stop them or detect the presence of the operators on their networks.
This is simply the complex media spin that exists in the United States. It makes it more interesting and sexy if it was complex. The story isn’t as valuable (yes advertisements run everything) to the news venue with out this interesting and sexy spin on it. Not bad to note that this is the case but if you don’t understand that this is occurring you aren’t paying enough attention.
Activities attributed to state sponsored operators often appear to target data that is not easily monetized in underground criminal online auctions or markets but highly valuable to foreign governments. Highly technical defense engineering information, operational military data, or government policy analysis documents rarely if ever appear to be a priority for cybercriminal groups.
This is well executed obfuscation of the intent of the adversary. If it is difficult to determine why certain information was ex-filtrated then it provides less alarm to the victim. This allows further ex-filtration from other entities to compliment the data and turn it into very valuable and actionable information.
To date, the former joint venture between Huawei Shenzhen Technology Company Ltd and Symantec, Inc. is the only major partnering between a Western information security firm and a Chinese high technology company.
This has since been disolved as of 26 March 2012. The New York Times did a quick piece called Symantec Dissolves a Chinese Alliance. So we’re starting to see significant implications of a quiet and cold Cyber War that is well underway both in the private and public sectors.
The PLA is to prepare for “Local wars under informationized conditions.”
PLA leaders included additional responsibilities under the third role that identified not only space and distant ocean areas as domains vital to Chinese national security interests, but also included the electromagnetic spectrum—a change that is likely already driving PLA investment in the development of more sophisticated information warfare capabilities.
The PLA Daily described warfare under informationized conditions as being characterized by opposing sides using complete systems of ground, naval, air, space, and electromagnetic forces.
This essentially reflects the exact move the U.S. Navy made in 2009 when Admiral Roughead formed the U.S. Navy’s Information Dominance Corps. It effectively recognized the Electromagnetic Spectrum as the 5th domain. This has also been echoed via General Michael Hayden (USAF, Ret), former Director of NSA and CIA. So who started this operationalization of Cyberspace?
Information Confrontation Theory: The strategic imperative for the PLA to operate in the electromagnetic domain is driving the formulation of a new approach to information warfare, termed information confrontation (xinxi duikang; 信息对抗), that applies system of systems operations theory to information warfare, viewing it as a macro-system comprised of discrete capabilities linked together under a single command structure and fully integrated into the overall campaign plan.
Information confrontation theories currently being developed and refined within the PLA today seek to address these gaps, particularly the need for more coherent command infrastructure.
With this section I see absolutely no difference compared to the initiatives the USG and its Military is pursuing. Remind you of anything? Maybe the Cold War? The “adversary has developed this so I must” paradigm. Locks everyone in a continuous do-loop until someone finally gives up.
PLA had created a “super-elite unit of cyberwarriors” designed to carry out network exploitation of foreign networks.
There have been continued reports on this network exploitation team formed in China and in other countries which now includes the United States Military. Unlike the United States China has denied existence of this type of unit even though numerous evidence, videos, and other indicators continue to validate it’s existence. But at this point this fact doesn’t matter. Most are operating under the assumption that it does exist and that most countries with the ability will form a similar cadre with cyber expertise.
Much of the remainder of the document stipulates and speculates on what-ifs and could happen items. This can be chalked up to “cyber marketing.” This brings me back to the disclosure piece. The document isn’t that bad but since Northrop Grumman produced it you must rightfully discount it. This then devalues the tax dollars that were spent on it. I have nothing against Northrop Grumman. I simply believe this could have been produced in a much better fashion from one of the dedicated Federally Funded Research and Development Centers (FFRDC), like SEI or MITRE vice a services and production based contractor such as Northrop Grumman.
I find it wise to keep on top of developments of key regions and partners. One of those areas is in the Naval Conference arena. DIMEX 2012 started yesterday. You’ll invariably notice the “platform” focus of the show and it’s first day’s newsletter. There are a few notes on Combat and Weapon Systems but the significant draw for the region is still a patrolling maritime asset.
If you take a look at the information in the newsletter you can see significant information on what nation uses what shipyard or country to provide it’s maritime capability. From there I’ll let you infer the easily target-able, with some focused effort, supply chain risk. You could go the “maritime SCADA” route or numerous other paths of exploitation.
About DIMDEX 2012:
Hosted in Qatar DIMDEX 2012 is the pre-eminent maritime event in the Middle East and North Africa (MENA) region. It draws 150 exhibitors that feature Warships, Maritime Patrol Aircraft and Helicopters, Marine Communication Systems, Coastal Surveillance, Total Ship Self Defence Systems, Naval Weapon Systems, Search and Rescue Equipment, and Naval Defence Supplies.
This year 14 warships from 11 navies are participating with an expected draw of 9,000 Maritime and Naval industry participants.