Example of Threat-Centric Security

In my last post I mentioned the need to take threat-centric approaches to advanced persistent threat. No sooner than I had posted those thoughts do I read this:

Beijing 'strongly indignant' about U.S.-Taiwan arms sale

The Obama administration announced the sale Friday of $6 billion worth of Patriot anti-missile systems, helicopters, mine-sweeping ships and communications equipment to Taiwan in a long-expected move that sparked an angry protest from China.

In a strongly worded statement on Saturday, China's Defense Ministry suspended military exchanges with the United States and summoned the U.S. defense attache to lodge a "solemn protest" over the sale, the official Xinhua news agency reported.

"Considering the severe harm and odious effect of U.S. arms sales to Taiwan, the Chinese side has decided to suspend planned mutual military visits," Xinhua quoted the ministry as saying. The Foreign Ministry said China also would put sanctions on U.S. companies supplying the equipment.

It would have been interesting if the Obama administration had announced its arms sale in these terms:

"Considering the severe harm and odious effect of the advanced peristent threat, the American side has decided to sell the following arms to Taiwan."

It's time for the information security community to realize this problem is well outside our capability to really make a difference, without help from our governments.

Comments

TXWayne said…
Richard I think there are many of us in the information security community that do realize the problem is well outside our capability to make a difference without help from the government, now if we could just get the government to realize it also. I am hoping that this seemingly perfect storm of press and recent publicized intrusions help push things along.
6:09 PM
Anonymous said…
"Considering the severe harm and odious effect of the advanced peristent threat, the American side has decided to sell the following arms to Taiwan."

Understand your point, Richard, but I feel we need to stop equating APT = China. Many are doing this, and I feel it risks making our defense to these tactics unnecessarily myopic. If we want to say China, we need to say China. If we want to talk in general about APT adversaries, we should say APT.

The worst thing that could come out of this is yet another lost opportunity to leverage history's lessons in informing the future. If we equate APT=China, we risk treating future CNE issues with other nation states differently rather than approaching them with the same fundamental techniques.

I realize this was in no way your intention and I'm almost certainly nitpicking, but breaking this association is becoming another crusade for me, heh...
1:40 PM
gunnar said…
Another term that comes to mind wrt US response is lack of interagency cohesion or just plain clueless

http://thomaspmbarnett.com/weblog/2010/01/tin_ear_on_taiwan.html

But best of luck to IBM & GE on winning the $600B bid for the Chinese grid whilst the govt makes their job harder
2:14 PM
jbmoore said…
It's not beyond the IT Security community. Academia, corporations, and the DOD built the ARPAnet. The US has the people with the skills to tighten up networks, solve problems, and counter these threats. The problem here is the political, corporate, and individual will to do so. While the diplomatic solution is laudable, it will take a long time and the countries that are reaping the benefits have no incentive to cooperate with crafting new international laws regarding cybercrime and espionage. The US can't just go bomb someone for hacking one of our oil companies. And likely, the NSA, DIA, and CIA are actively attacking other countries via cyber espionage as well. But we don't know of our government's efforts, just the attacks by the other side. There are only so many egress points from the US. Want to bet that the NSA is monitoring them? Whether the NSA is catching all of the sensitive material going out is another since it's likely a data flood. But the point is that we are only seeing fragments of this picture.

Another entirely different problem is that so long as people like Dan Geer can get fired for speaking the truth and voicing their concerns, little progress will be made. When it takes a reporter for the Washington Post to shut down McColo with a few phone calls, what does that say about our profession and its timidity in the face of adversity? Is that timidity due to a lack of authority, risk aversion, indifference, excessive organizational secrecy (government and corporate), or the fear that you'll be terminated like Dan Geer or Shawn Carpenter for speaking out or actually taking the initiative? This threat has been with us since the mid 1990's. It's not new as you yourself know. It's just becoming easier and cheaper. The only thing that is new is that we as a profession are finally acknowledging the severity.
6:12 PM
gunnar said…
Front page story from FT today

Aerospace sector fears China sanctions
http://www.ft.com/cms/s/0/6fae2aca-0d9a-11df-ae52-00144feabdc0.html

Clueless threat centric response is now putting $400B worth of aerospace projects, now the grown ups have to go in and fix it
10:38 AM
Anonymous said…
So much truth on one page. Hard to fathom.
8:10 PM
Post a Comment

Popular posts from this blog

Zeek in Action Videos

Image
This is a quick note to point blog readers to my Zeek in Action YouTube video series for the Zeek network security monitoring project .  Each video addresses a topic that I think might be of interest to people trying to understand their network using Zeek and adjacent tools and approaches, like Suricata, Wireshark, and so on.  I am especially pleased with Video 6 on monitoring wireless networks . It took me several weeks to research material for this video. I had to buy new hardware and experiment with a Linux distro that I had not used before -- Parrot .  Please like and subscribe, and let me know if there is a topic you think might make a good video.
Read more

MITRE ATT&CK Tactics Are Not Tactics

Image
Just what are "tactics"? Introduction MITRE ATT&CK  is a great resource, but something about it has bothered me since I first heard about it several years ago. It's a minor point, but I wanted to document it in case it confuses anyone else. The MITRE ATT&CK Design and Philosophy document from March 2020 says the following: At a high-level, ATT&CK is a behavioral model that consists of the following core components: • Tactics, denoting short-term, tactical adversary goals during an attack; • Techniques, describing the means by which adversaries achieve tactical goals; • Sub-techniques, describing more specific means by which adversaries achieve tactical goals at a lower level than techniques; and • Documented adversary usage of techniques, their procedures, and other metadata. My concern is with MITRE's definition of "tactics" as "short-term, tactical adversary goals during an attack," which is oddly recursive. The key word in the tacti
Read more

New Book! The Best of TaoSecurity Blog, Volume 4

Image
  I've completed the TaoSecurity Blog book series . The new book is  The Best of TaoSecurity Blog, Volume 4: Beyond the Blog with Articles, Testimony, and Scholarship .  It's available now for Kindle , and I'm working on the print edition.  I'm running a 50% off promo on Volumes 1-3 on Kindle through midnight 20 April. Take advantage before the prices go back up. I described the new title thus: Go beyond TaoSecurity Blog with this new volume from author Richard Bejtlich. In the first three volumes of the series, Mr. Bejtlich selected and republished the very best entries from 18 years of writing and over 18 million blog views, along with commentaries and additional material.  In this title, Mr. Bejtlich collects material that has not been published elsewhere, including articles that are no longer available or are stored in assorted digital or physical archives. Volume 4 offers early white papers that Mr. Bejtlich wrote as a network defender, either for technical or pol
Read more