First the obvious disclosure piece. I’m never comfortable with allowing & receiving reports from those you procure services from. I’m even less comfortable with Northrop Grumman’s Occupying the Information High Ground: Chinese Capabilities for Computer Network Operations and Cyber Espionage report. I don’t understand what would possess the U.S.-China Economic and Security Review Commission to accept such a report let alone request and fund it from a Department of Defense contractor with significant interests in this developing area. I could care less if these information security analysts were the best on the planet this in my mind is a clear conflict of interest and “personnel firewalls” have zero effectiveness.
With all that mentioned let’s see what they put together in this massive document.
The immediate focus of the document is on “information confrontation.” They point to a Chinese paper on Infomization Dominance. Sounds a lot like the U.S. Navy’s Information Dominance Corps focus doesn’t it? Additionally it discusses China’s Integrated Network Electronic Warfare or INEW strategy.
PLA analysts consistently identify logistics and C4ISR infrastructure as U.S. strategic centers of gravity suggesting that PLA commanders will almost certainly attempt to target these system with both electronic countermeasures weapons and network attack and exploitation tools, likely in advance of actual combat to delay U.S. entry or degrade capabilities in a conflict.
This is of significant concern. The United States has continued to outsource and outsupply items through every portion of our lives and the result is this has forced the US Military to be dependent upon similar sourcing paths and venues. Until a shift toward in house production and upfront investments to mitigate supply chain risk this will continue to leave a massive vulnerability through every level of the Department of Defense and Critical Infrastructure of the United States.
At least 50 civilian universities conducting information security research nationwide benefit from one or more of roughly five main national-level high technology grant programs, reflecting what appears to be a broad technology development plan consistent with published national priorities.
My immediate response was that the U.S. has so many more universities conducting information security research that it dwarfs the metric listed. While true what is more concerning is the number of individuals China has attending our universities which compliments this metric. The cost is often prohibitive for the US Government and Military to send or acquire personnel from places like Carnegie Mellon University. However, for a highly resourced entity the ability to integrate with the leading Computer Science and Information Security university and research entities is much more significant.
Without strict control of this complex upstream channel, a manufacturer of routers, switches, or other basic telecommunications hardware is exposed to innumerable points of possible tampering and must rely on rigorous and often expensive testing to ensure that the 11 semiconductors being delivered are trustworthy and will perform only as specified, with no additional unauthorized capabilities hidden from view.
Until the U.S. changes its Research and Development to include Production capabilities this will pose a massive risk which cannot be managed, improved, or worked around. I’ve seen discussions to make this a responsibility of the GSA or other major government entity but I’m not sure GSA could effectively get this accomplished. I believe an entity tasked with this would need to be supported heavily by the National Laboratories and Research & Development components of the USG.
Professional state sponsored intelligence collection not only targets a nation’s sensitive national security and policy making information, it increasingly is being used to collect economic and competitive data to aid foreign businesses competing for market share with their U.S. peers.
There is no longer a difference between national security information and economic and competitive data information. Intellectual Property is part of a Cyber War and this includes the piracy of information and data. The difficult part of this is discerning the difference between Cyber Warfare and Cyber Crime. Where does this get handed to Cyber Command or the Department of Homeland Security? This is something that is currently being debated in the U.S. Congress. There are a couple of Information Security Bills being tossed around; Senator McCain’s Bill and Senator Lieberman’s Bill.
Media and industry reports portray some of the incidents attributed to China as advanced but the reality is that many successful penetrations are “advanced” only because the targeted organization was unable to stop them or detect the presence of the operators on their networks.
This is simply the complex media spin that exists in the United States. It makes it more interesting and sexy if it was complex. The story isn’t as valuable (yes advertisements run everything) to the news venue with out this interesting and sexy spin on it. Not bad to note that this is the case but if you don’t understand that this is occurring you aren’t paying enough attention.
Activities attributed to state sponsored operators often appear to target data that is not easily monetized in underground criminal online auctions or markets but highly valuable to foreign governments. Highly technical defense engineering information, operational military data, or government policy analysis documents rarely if ever appear to be a priority for cybercriminal groups.
This is well executed obfuscation of the intent of the adversary. If it is difficult to determine why certain information was ex-filtrated then it provides less alarm to the victim. This allows further ex-filtration from other entities to compliment the data and turn it into very valuable and actionable information.
To date, the former joint venture between Huawei Shenzhen Technology Company Ltd and Symantec, Inc. is the only major partnering between a Western information security firm and a Chinese high technology company.
This has since been disolved as of 26 March 2012. The New York Times did a quick piece called Symantec Dissolves a Chinese Alliance. So we’re starting to see significant implications of a quiet and cold Cyber War that is well underway both in the private and public sectors.
The PLA is to prepare for “Local wars under informationized conditions.”
PLA leaders included additional responsibilities under the third role that identified not only space and distant ocean areas as domains vital to Chinese national security interests, but also included the electromagnetic spectrum—a change that is likely already driving PLA investment in the development of more sophisticated information warfare capabilities.
The PLA Daily described warfare under informationized conditions as being characterized by opposing sides using complete systems of ground, naval, air, space, and electromagnetic forces.
This essentially reflects the exact move the U.S. Navy made in 2009 when Admiral Roughead formed the U.S. Navy’s Information Dominance Corps. It effectively recognized the Electromagnetic Spectrum as the 5th domain. This has also been echoed via General Michael Hayden (USAF, Ret), former Director of NSA and CIA. So who started this operationalization of Cyberspace?
Information Confrontation Theory: The strategic imperative for the PLA to operate in the electromagnetic domain is driving the formulation of a new approach to information warfare, termed information confrontation (xinxi duikang; 信息对抗), that applies system of systems operations theory to information warfare, viewing it as a macro-system comprised of discrete capabilities linked together under a single command structure and fully integrated into the overall campaign plan.
Information confrontation theories currently being developed and refined within the PLA today seek to address these gaps, particularly the need for more coherent command infrastructure.
With this section I see absolutely no difference compared to the initiatives the USG and its Military is pursuing. Remind you of anything? Maybe the Cold War? The “adversary has developed this so I must” paradigm. Locks everyone in a continuous do-loop until someone finally gives up.
PLA had created a “super-elite unit of cyberwarriors” designed to carry out network exploitation of foreign networks.
There have been continued reports on this network exploitation team formed in China and in other countries which now includes the United States Military. Unlike the United States China has denied existence of this type of unit even though numerous evidence, videos, and other indicators continue to validate it’s existence. But at this point this fact doesn’t matter. Most are operating under the assumption that it does exist and that most countries with the ability will form a similar cadre with cyber expertise.
Much of the remainder of the document stipulates and speculates on what-ifs and could happen items. This can be chalked up to “cyber marketing.” This brings me back to the disclosure piece. The document isn’t that bad but since Northrop Grumman produced it you must rightfully discount it. This then devalues the tax dollars that were spent on it. I have nothing against Northrop Grumman. I simply believe this could have been produced in a much better fashion from one of the dedicated Federally Funded Research and Development Centers (FFRDC), like SEI or MITRE vice a services and production based contractor such as Northrop Grumman.
Founded in 1901 and now part of the U.S. Department of Commerce the National Institute of Standards and Technology (NIST) guides many things. NIST “measurements support the smallest of technologies—nanoscale devices so tiny that tens of thousands can fit on the end of a single human hair—to the largest and most complex of human-made creations, from earthquake-resistant skyscrapers to wide-body jetliners to global communication networks.”
This document provides the definition of Cloud Computing. NIST isn’t known for being able to convey things perfectly ingestible to normal humans so you may want to take a look at the piece from INSA on Cloud Computing.
To cut to the chase the Definition provided by NIST and that should then be used by U.S. Goverment for Cloud Computing is:
“Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”
I think NIST did a decent job in this definition. Now weather the U.S. Government and Department of Defense are able to effectively use this definition and physically employ Cloud Computing capabilities will be a different matter. It always helps to know the definition first to ensure everyone is operating from the same basic understanding.