Tuesday, June 28, 2011

Why Business Methods Are as Important as IP to China

Courtesy of China Defense Blog, I just read a fascinating (if you like aircraft) report on China's capability to natively produce jet engines produced by China SignPost titled Jet Engine Development in China: Indigenous high-performance turbofans are a final step toward fully independent fighter production (pdf).

It's common to see open source reports describing how the APT seeks intellectual property (IP), which many people read as plans, designs, and related mechanical and scientific information. What some miss, however, is that China needs business know-how as well as technical know-how in order to achieve its economic and security goals. The report includes examples of this:

What China must achieve, however, is a methodology akin to Six Sigma or Total Quality Management (TQM) to ensure quality control and sufficient organizational honesty to ensure that actual problems are reported and that figures are not doctored.

Otherwise, standardization and integration may be the one in which the costs of China’s ad hoc, eclectic approach to strategic technology development truly manifest themselves.

The Soviet defense industrial base failed in precisely this area: talented designers and technicians presided over balkanized design bureaus and irregularly-linked production facilities; lack of standardization and quality control rendered it “less than the sum of the parts.”

If there's anything you need to know about the Chinese government, it's that it seeks to avoid mistakes made by others. The Chinese government does not want to repeat the Soviet failure, and it knows that technology isn't the only component when trying to build jet engines. Expect to more open and hidden actions by Chinese actors to gain the resources they need to indigenously create this core military and civilian capability.

Saturday, June 25, 2011

With "Cyber" Attacks, Effects Matter More Than Means

I enjoyed reading Stuxnet Poses Interesting International Cyber Law Issues by Rick Aldrich in IAnewsletter Vol 14 No 2 (pdf). I've known the author since my days in the USAF and he's very clued-in as a CS grad from USAFA and a lawyer who worked for AFOSI. I'd like to share a few excerpts. Please try to avoid fixation on Stuxnet if that topic bothers you. Stuxnet is not the core of Alrich's argument.

Article 51 of the United Nations (UN) charter states in pertinent part, “Nothing in the present Charter shall impair the inherent right of individual or collective self-defense if an armed attack occurs against a Member of the United Nations.” [8]

So can a cyber attack, such as that evidenced by Stuxnet, constitute an “armed attack?”

Clearly at the time Article 51 was written, in August of 1945, such an attack was never envisioned. Traditionally the term “armed attack” has connoted a kinetic attack – missiles, bombs, bullets and the like – but it has never been definitively defined.

Incidents like the cyber attacks against Estonia in 2007 and against Georgia in 2008 have prompted renewed interest in defining if or when a cyber attack can also constitute an “armed attack.”

International legal scholars are increasingly moving away from the means of attack and instead looking to the effects.

The test would be whether the effects of the attack are similar to those of a kinetic attack.

Cyber attacks that result in physical damage, such as the destroyed centrifuges in the case of Stuxnet, may be pulled under the rubric of an armed attack, though this approach does not rule out attacks resulting in non-physical effects if the harm is substantial.

This is fascinating, because it makes "cyber" less relevant and requires judgement regarding the consequences of an event. Clearly physical harm takes precedence here, but the underlined portion shows that even digital events without physical harm could still be considered attacks, in the eyes of legal experts.

The article raises other interesting points, such as options for Iran, but I wanted to emphasize the points I listed above.

Wednesday, June 15, 2011

Saturday, June 04, 2011

Security Conference Recommendations

After my post Bejtlich Teaching at USENIX Security in San Francisco 8-9 Aug a reader asked the following:


I was curious if you could suggest other security conferences that either you have attended or have heard are better than average?

It seems as though everyone and their brother sponsor some sort of security conference and it is difficult to tell how educational they will be just by reading the website.

Perhaps you could provide some insight into how you determine which conferences you would actually pay to attend? Thanks!

Great question. The answer that follows is just my opinion, and I'm sure others feel differently. For me, I like these conferences:

  • Black Hat offers the best combination of training plus briefings per unit time, on a consistent basis. In other words, I believe attendees will learn more in two days of Black Hat Training plus two days of Black Hat Briefings compared to any alternatives, every year. The content is uniformly high, regardless of whether you attend in DC, Barcelona, Las Vegas, Tokyo, or Abu Dhabi. This is why I will be teaching two TCP/IP Weapons School 3.0 classes this summer and staying for the two days of Briefings that follow.

  • My next favorite event is probably the SANS What Works in Forensics and Incident Response Summit organized each year by Rob Lee. His Summit connects me with the sorts of people who do the same work that I do. The event is a mix of panels and briefings by interesting people.

  • In terms of value per dollar spent, you can't beat Security B-Sides. Why is that? Well, your travel cost will likely be almost nothing, since B-Sides events happen all over the world. Registration is free. Content quality is mixed, but when you throw a lot of local security people into a room in a non-traditional format, the output is surprisingly good!

  • If you want more of an academic approach, I recommend any of the USENIX conferences. They are also a mix of training, "Refereed Papers" (see what I mean), and Invited Talks. I tend to see more college students talking about "solutions" more or less detached from the real world, but the diversity of specialized events means you're likely to find something of value that meets your direct needs, especially regarding system administration. After a multi-year break, I'm returning to teach TCP/IP Weapons School 3.0 in San Francisco at USENIX Security in August.

  • Returning to the incident response world, you might also like FIRST conferences. I think every CIRT should become a FIRST member, and attending a conference or other FIRST event every other year or so is a nice way to stay in touch with a very globalized security community.

  • If you qualify to attend, you might also enjoy the DoD Cybercrime or GFIRST conferences. As you can tell they cater to the .gov and .mil communities, but their focus tends to involve more interesting problem sets.

  • I should also give CanSecWest an honorable mention, although it's been years since I've attended. I could say the same for BSDCan and ShmooCon.

    Speaking of Shmoo, the logistics are the main reason I stopped going. At least with my old job, it was a hassle to commute to DC for only a Friday evening, then again for a full day Saturday, and again for only a few hours on Sunday morning. I don't like weekend events since I'd rather spend the time with my family, and the ratio of travel-to-conference for Friday evening and Sunday morning was just too high!

Regarding how I pick conferences, I primarily want to learn something and see people whom I may not have seen recently. I prefer to avoid any conferences where keynotes are given to sponsors based on their sponsorship alone. I also try to attend conferences where I expect new material to be presented.

What conferences do you like to attend, and why?

Friday, June 03, 2011

China's View Is More Important Than Yours

In my post Review of Dragon Bytes Posted I wrote the following to summarize analysis of Chinese thoughts on cyberwar, as translated from original Chinese publications:

The Chinese military sees Western culture, particularly American culture, as an assault on China, saying "the West uses a system of values (democracy, freedom, human rights, etc.) in a long-term attack on socialist countries...

Marxist theory opposes peaceful evolution, which... is the basic Western tactic for subverting socialist countries" (pp 102-3). They believe the US is conducting psychological warfare operations against socialism and consider culture as a "frontier" that has extended beyond American shores into the Chinese mainland.

The Chinese therefore consider control of information to be paramount, since they do not trust their population to "correctly" interpret American messaging (hence the "Great Firewall of China"). In this sense, China may consider the US as the aggressor in an ongoing cyberwar.

Today's Reuters article China PLA officers call Internet key battleground elaborated on these ideas:

The essay by two PLA scholars, Senior Colonel Ye Zheng and his colleague Zhao Baoxian, in the China Youth Daily nonetheless stressed that Beijing is focused on honing its cyber-warfare skills, and sees an unfettered Internet as a threat to its Communist Party-run state.

"Just as nuclear warfare was the strategic war of the industrial era, cyber-warfare has become the strategic war of the information era, and this has become a form of battle that is massively destructive and concerns the life and death of nations," they wrote in the Party-run paper...

"Cyberware [sic] is an entirely new mode of battle that is invisible and silent, and it is active not only in wars and conflicts, but also flares in the everyday political, economic, military, cultural and scientific activities."

The first highlight makes me think the Chinese see the current cyberwar as being similar to the Cold War. During the Cold War, nuclear warfare (or avoiding it) was the strategic form of war. During the current "Electronic War" (my term, not sure I like it), cyberwar is the strategic form of war.

The second highlight shows that the Chinese see cyberwar as being active right now, and "not only in wars and conflicts." By "wars and conflicts" they mean physical combat.

The AP article China Calls US Culprit in Global 'Internet War' contained a few more choice quotes:

Writing in the Communist Party-controlled China Youth Daily newspaper, the scholars did not mention Google's claims, but said recent computer attacks and incidents employing the Internet to promote regime change in Arab nations appeared to have originated with the U.S. government.

"Of late, an Internet tornado has swept across the world ... massively impacting and shocking the globe. Behind all this lies the shadow of America," said the article, signed by Ye Zheng and Zhao Baoxian, identified as scholars with the Academy of Military Sciences.

"Faced with this warmup for an Internet war, every nation and military can't be passive but is making preparations to fight the Internet war," it said...

China needs to "express to the world its principled stance of maintaining an 'Internet border' and protecting its 'Internet sovereignty,' unite all advanced forces to dive into the raging torrent of the age of peaceful use of the Internet, and return to the Internet world a healthy, orderly environment," the article said.

As you can see, the Chinese think an information war is already being waged. The US started it, and the US continues it (in the Chinese view) as demonstrated by turbulence in the Middle East.

China's view is more important than yours, because China is acting on its view while too many in the West and the US in particular argue about whether or not a cyberwar is happening. The Chinese believe cyberwar is ongoing, and that the US started it. From what I can tell, the Chinese intend to win it.