Saturday, February 04, 2012

The Toughest Question in Digital Security

The toughest question in digital security is "who cares?"

The recent Tweet by hogfly (@4n6ir) made me ponder this question. He points to an Aviation Week story by David Fulghum, Bill Sweetman, and Amy Butler titled China's Role In JSF's Spiraling Costs. It says in part:

How much of the F-35 Joint Strike Fighter’s spiraling cost in recent years can be traced to China’s cybertheft of technology and the subsequent need to reduce the fifth-generation aircraft’s vulnerability to detection and electronic attack?

That is a central question that budget planners are asking, and their queries appear to have validity. Moreover, senior Pentagon and industry officials say other classified weapon programs are suffering from the same problem. Before the intrusions were discovered nearly three years ago, Chinese hackers actually sat in on what were supposed to have been secure, online program-progress conferences, the officials say.

The full extent of the connection is still being assessed, but there is consensus that escalating costs, reduced annual purchases and production stretch-outs are a reflection to some degree of the need for redesign of critical equipment. Examples include specialized communications and antenna arrays for stealth aircraft, as well as significant rewriting of software to protect systems vulnerable to hacking.

It is only recently that U.S. officials have started talking openly about how data losses are driving up the cost of military programs and creating operational vulnerabilities, although claims of a large impact on the Lockheed Martin JSF are drawing mixed responses from senior leaders. All the same, no one is saying there has been no impact.

While claiming ignorance of details about effects on the stealth strike aircraft program, James Clapper, director of national intelligence, says that Internet technology has “led to egregious pilfering of intellectual capital and property. The F-35 was clearly a target,” he confirms.

The point of this article is to question the impact, in business and operational terms, of the cyberwar China continues to prosecute against the West.

The toughest question in digital security is "who cares" because it is usually extremely difficult to determine the impact of an intrusion. Consider the steps required to define the business and operational impact of the theft of intellectual property (as one example -- there are many others).

  1. The victim must learn that an intrusion occurred.
  2. The victim must determine exactly what IP was stolen.
  3. The victim must understand the adversary's capability and intention to exploit the stolen IP.
  4. The victim must recognize when the adversary exploits the stolen IP by using it in an operational context.
  5. The victim must determine what countermeasures or changes in courses of actions are possible to mitigate the adversary's exploitation of the stolen IP.
  6. The victim must synthesize most or all of the previous points into an assessment of the business and operational cost of the IP theft.

Steps 1 and 2 are largely technical, but 3-6 are more business-focused. From what I have seen, everyone who is a victim in the ongoing cyberwar struggles to conduct "battle damage assessment" (BDA) for digital intrusions. Articles like the one I cited are examples showing how difficult it is to determine if anyone should care about China's exploitation of Western IP.

3 comments:

Jess said...

Pardon my conspiracy theorizing, but it seems that the same parties whose negligence led to the intrusions, i.e. military weapons suppliers, are the primary beneficiaries of the response to the intrusions. I doubt they regret the additional years of development dollars they got out of the deal. This sort of turns the "who cares?" question on its head; it's possible the "victims" in this case cared quite a bit.

Richard Bejtlich said...

You're right -- that is conspiracy theorizing. I know people at just about every major DIB player, and they all desperately want to stop intrusions.

Jess said...

Sorry, I didn't intend to besmirch the professionalism of any computer security people. However, many decisions are made above their pay level, by executives who are more interested in quarterly results than in the security of their organizations or of the USA. If any of the people you know have ever been denied budget, staffing, or even their favored work priorities (seems likely!), they might be thinking along the same lines I am.