Saturday, January 30, 2010

Example of Threat-Centric Security

In my last post I mentioned the need to take threat-centric approaches to advanced persistent threat. No sooner than I had posted those thoughts do I read this:

Beijing 'strongly indignant' about U.S.-Taiwan arms sale

The Obama administration announced the sale Friday of $6 billion worth of Patriot anti-missile systems, helicopters, mine-sweeping ships and communications equipment to Taiwan in a long-expected move that sparked an angry protest from China.

In a strongly worded statement on Saturday, China's Defense Ministry suspended military exchanges with the United States and summoned the U.S. defense attache to lodge a "solemn protest" over the sale, the official Xinhua news agency reported.

"Considering the severe harm and odious effect of U.S. arms sales to Taiwan, the Chinese side has decided to suspend planned mutual military visits," Xinhua quoted the ministry as saying. The Foreign Ministry said China also would put sanctions on U.S. companies supplying the equipment.


It would have been interesting if the Obama administration had announced its arms sale in these terms:

"Considering the severe harm and odious effect of the advanced peristent threat, the American side has decided to sell the following arms to Taiwan."

It's time for the information security community to realize this problem is well outside our capability to really make a difference, without help from our governments.

6 comments:

TXWayne said...

Richard I think there are many of us in the information security community that do realize the problem is well outside our capability to make a difference without help from the government, now if we could just get the government to realize it also. I am hoping that this seemingly perfect storm of press and recent publicized intrusions help push things along.

Michael Cloppert said...

"Considering the severe harm and odious effect of the advanced peristent threat, the American side has decided to sell the following arms to Taiwan."

Understand your point, Richard, but I feel we need to stop equating APT = China. Many are doing this, and I feel it risks making our defense to these tactics unnecessarily myopic. If we want to say China, we need to say China. If we want to talk in general about APT adversaries, we should say APT.

The worst thing that could come out of this is yet another lost opportunity to leverage history's lessons in informing the future. If we equate APT=China, we risk treating future CNE issues with other nation states differently rather than approaching them with the same fundamental techniques.

I realize this was in no way your intention and I'm almost certainly nitpicking, but breaking this association is becoming another crusade for me, heh...

gunnar said...

Another term that comes to mind wrt US response is lack of interagency cohesion or just plain clueless

http://thomaspmbarnett.com/weblog/2010/01/tin_ear_on_taiwan.html

But best of luck to IBM & GE on winning the $600B bid for the Chinese grid whilst the govt makes their job harder

jbmoore said...

It's not beyond the IT Security community. Academia, corporations, and the DOD built the ARPAnet. The US has the people with the skills to tighten up networks, solve problems, and counter these threats. The problem here is the political, corporate, and individual will to do so. While the diplomatic solution is laudable, it will take a long time and the countries that are reaping the benefits have no incentive to cooperate with crafting new international laws regarding cybercrime and espionage. The US can't just go bomb someone for hacking one of our oil companies. And likely, the NSA, DIA, and CIA are actively attacking other countries via cyber espionage as well. But we don't know of our government's efforts, just the attacks by the other side. There are only so many egress points from the US. Want to bet that the NSA is monitoring them? Whether the NSA is catching all of the sensitive material going out is another since it's likely a data flood. But the point is that we are only seeing fragments of this picture.

Another entirely different problem is that so long as people like Dan Geer can get fired for speaking the truth and voicing their concerns, little progress will be made. When it takes a reporter for the Washington Post to shut down McColo with a few phone calls, what does that say about our profession and its timidity in the face of adversity? Is that timidity due to a lack of authority, risk aversion, indifference, excessive organizational secrecy (government and corporate), or the fear that you'll be terminated like Dan Geer or Shawn Carpenter for speaking out or actually taking the initiative? This threat has been with us since the mid 1990's. It's not new as you yourself know. It's just becoming easier and cheaper. The only thing that is new is that we as a profession are finally acknowledging the severity.

gunnar said...

Front page story from FT today

Aerospace sector fears China sanctions
http://www.ft.com/cms/s/0/6fae2aca-0d9a-11df-ae52-00144feabdc0.html

Clueless threat centric response is now putting $400B worth of aerospace projects, now the grown ups have to go in and fix it

Anonymous said...

So much truth on one page. Hard to fathom.