China as a threat: a bit of perspective

I got a bit of friendly feedback after recently stating on Twitter that I get tired of all the constant drum-beating about China. That includes some notes from friends and colleagues whom I respect but who do not entirely agree with me. I thought I’d clarify my thoughts on the original APT as a result.

First, anybody who doesn’t recognize that China is engaged in a long-term (and heretofore incredibly successful) campaign of information operations against the West just hasn’t paid attention. We have the evidence, and even the PRC’s protestations to the contrary seem carefully constructed simply to parse meanings and split hairs. They engage in normal diplomatic cover speak, and I can’t fault them for that, but we should still recognize it for what it is. Denials of this reality ring as hollow as denials of the immense volume of fraud and related cyber crimes sourced from Eastern Europe and Russia.

That said, however, I believe some of the reaction in recent months has gone overboard. A number of high-profile individuals have had a significant presence in the press lately, and some of them seem to have the impression that the US should treat this as the most significant issue in its relations with the PRC. Given the range of issues that involve two of the most powerful nations in human history, I find this shortsighted. Climate change, energy policy, human rights, and macroeconomic issues all represent legitimate areas of discussion. Information operations (“warfare” if you like, but I don’t) comprise an important part of those issues but should not overshadow things like nuclear weaponry, for example.

At the same time, these voices imply that only the “APT” matters and that professional incident responders only think in terms of campaigns (rather than intrusions). I disagree: other significant issues do exist within our domains of threat intelligence, information security, and incident response, as well as within the separate scope of Pacific Rim foreign policy. When your rhetoric reaches the point where your professional colleagues start to openly wonder if you’ve become completely Sinophobic, then you should take a step back and ponder whether to dial it down slightly.

Yes, China’s IO campaigns certainly present a significant challenge in a number of ways, including the need for public awareness in the West, but that challenge exists within the context of many other important topics. Let’s not get so zoomed into one adversary and one issue that we lose focus on the rest.


4 Responses to China as a threat: a bit of perspective

  1. There are two fights going on in InfoSec – not unlike Defense and Intelligence – it’s the fight for reality and the fight for funding. And as it has been in Defense and Intelligence the fight for funding frequently dominates the discourse until something goes horribly awry.

    InfoSec doesn’t suffer the same ~consequences~ as a Defense or Intelligence mistake and thus even the pause-and-review cycle to make sure we’ve got our priorities right is broken. Right now, generally speaking, an InfoSec professional can make an egregious mistake (mistakes are made, guard is down, but I mean egregious mistake) and they are in MORE demand to fix a problem.

    With regard to China specifically this call for CHINA CHINA CHINA is masking a whole bunch of other problems related to China as well. Instead of competing on all fronts we sit back and hope that Government steps in and makes it OK to compete on just one front: protection/protectionism. It’s just a false hope, bad promise, and antithetical to America’s historical beliefs. We’re effectively, by my estimation, now responding to threats with indignity – the very “resting on your laurels” we despise elsewhere as InfoSec professionals.

    Good post Kyle, -Ali

  2. SecuriTAO

    …Mandiant. Dood was much more realistic / DTE when he was reviewing books and not constantly selling his managed services biz

  3. 2(two) comments:

    I think the threat’s scope is a bit wider than specifically mentioned (aiming / against the West), and for this the world’s awareness is crucial. Neighbor countries like Japan and S. Korea are suffering from these threats in a historically frequent, long-term record of unstoppable-flow incidents. As a researcher in Japan I personally have full evidence for every piece of malware that calls back to mother-ships in mainland China’s network, and I believe the same holds for fellow researchers in S. Korea.

    Most spyware/APT incident facts are undisclosed by default, meaning nobody can see the actual facts. Thus, no one has a clue of what is really going on behind those mother-ships. But, since we know what it does/did, why not start by publishing “more” of what we got, as transparently as possible, in order to support the actual facts of the threat itself? I don’t think these historical threats will stop by themselves. And since incident disclosure will not hurt more than it already has, why not start by exposing the facts? It is a way to minimize the threat by raising risk & awareness.

    So we have a denial here. Why surprised? Everyone will deny any improperly addressed/accused crime with the lack of facts or evidence.

  4. Excellent article, I like what you’re saying and I agree – I say the same thing, often, on my blog.

    I do have heartburn, albeit mild, from your use of the term Information Operations, as if it is synonymous with cyber operations. I’m using IO in strictly the government or military sense, but I agree with your sentiment that anything that conveys, degrades, destroys or denies information might be called an information operation (using lower case letters, please). Information Operations is actually all about influence, using cyber or computers as one of many means of transmitting or receiving information.

    I’m part of a group of IO professionals that is trying to get more clearly defined terms in our field… I’ll probably never succeed, but I try. The field should probably be called Influence Operations but I’m stuck with what the military has officially declared as a definition.
