Wednesday, August 08, 2007

CIO Magazine on IP Theft

CIO magazine, which features an impossible-to-navigate Web site but decent print version, published Hacked: The Rising Threat of Intellectual Property Theft and What You Can Do About It by Stephanie Overby. I liked these excerpts:

“There’s a ceiling on how much money can be made by stealing identities,” says Scott Borg, director and chief economist of the U.S. Cyber Consequences Unit, an independent nonprofit institute set up at the request of the federal government to examine the economic and strategic consequences of cyberattacks. “You can actually steal the business—its processes, its internal negotiating memos, its merchandising plans, all the information it uses to create value. That’s a very large payoff.”

I agree, but what's up with the USCCU Web site? I had to find an archive from February 2006 to see what this group does. Spend a little of that DHS money on a Web site, folks.

CIOs may be less aware of the threat to IP than to their systems, and therefore less prepared to protect the former. “Companies are thinking about worms and viruses, things that will not have very bad consequences and have always been wildly exaggerated,” says Borg. “Or they’re thinking about ID theft, which attracts a lot of attention, even though the number of cases is remarkably low.”

There’s a difference, too, in the systems an intruder looking for corporate secrets may target. IP thieves “won’t necessarily look at obvious financially sensitive areas,” says Borg, thereby escaping detection. “They may be looking at technical data, controls systems, automation software.” And the results of IP theft can be hard to see—a slow degradation of one’s competitive position in the market may easily be attributed to other, noncriminal factors.

Until recently, the most conclusive public evidence that sustained industrial espionage has taken place in cyberspace has come from the military. Titan Rain was “the most systematic and high-quality attack we have seen,” says Ira Winkler, author of, most recently, Zen and the Art of Information Security. Chinese hackers successfully breached hundreds of unclassified networks within the Department of Defense, its contractors and several other federal agencies. One Air Force general admitted at an IT conference last year that China had downloaded 10 to 20 terabytes of data from DoD networks.
(emphasis added)

Forget about "slow degradation." In some future war over the Taiwan Straight an American jet fighter is going to dogfight a Chinese plane and lose the battle because some sensitive design or technical data was stolen. This is a constant in warfare as I mentioned in my post FISMA Dogfights.

To defend against targeted attacks, Motorola uses traditional controls such as firewalls, intrusion detection tools, antivirus software and digital forensics—but with a difference. “We’re operating our information security toolkit with a counterintelligence mind-set,” says Boni [Motorola CIO]. Like the military, Boni assumes there’s an enemy looking for an advantage and it’s his job to outwit him. “Putting those tools together with an understanding of what is or could be of greatest interest to competitors allows a more granular focus on the data,” says Boni, “not just on the network.”

Bingo. CI is exactly right.

The thought process is no longer making sure nothing bad ever happens,” says DuBois [general manager of information security and infrastructure services security for Microsoft]. “There may be a bug in the Cisco code or someone might misconfigure a device. If [attackers] get at that chess piece we left unprotected, what will we do?”...

“If eternal vigilance is the price of freedom,” says Boni, paraphrasing Thomas Jefferson, “continuous monitoring and preparation to respond quickly is the cost associated with global digital commerce.”
(emphasis added)

Again, exactly right. Prevention Eventually Fails. Detection. Response. Hopefully more CIOs will pay attention.


jbmoore said...


Where have you been? This is the same administration that reclassified public and declassified records. They put the O and the S in Security through Obscurity. And, you complain that a DHS branch doesn't give out enough information on their web site! Duh! Then they'd actually have to put up or shut up. This is the same agency (DHS/TSA) that has a secret watch list and if you're on it, there's no redress to get your name off of it, or how it got on the list in the first place. So, now they scare people about stolen trade secrets when they can't or won't do anything about identity theft. Does trade secret theft hurt me personally. No. Does identity theft? You betcha. Corporations are still using telnet for remote administration of routers and high end Sun systems when they know better. If they lose their trade secrets with maybe they'll wake up and smell the coffee, or at least, quit using telnet.

Rob Lewis said...

While Mr. Boni has correctly identified the need for “a more granular focus on the data” and a counter-espionage mindset, the fact is that real defense of trade secrets requires data-centric security in order to do so.

Network segmentation still hints of perimeter security no matter how you label it, and will be limited in its effectiveness in protecting IP from authorized insiders, any of which can be compromised.

My obervation of late is that efforts in the area of network segmentation, virtualization and encryption are all attempts at domain separation, but each with their own set of accompanying problems.

As I have written before, we offer a scalable MLS that provides granular access and audit technologies for all users at the data file level, in an innovative implementation that removes previous barriers to practical use that were found with trusted systems.

The move to information or data-centric security, called for in the RSA keynotes in February and by other opinion leaders will certainly assist in the task of protecting IP and other data.