China’s Media Warns of Challenges to US Businesses in Wake of Edward Snowden’s Revelations

This English summary from Taiwan-based Want China Times zeros in on Cisco but other tech giants are named:

Furthermore, Cisco is the key technology and equipment supplier to the US government and its military. Security experts are therefore worried that in the even of war, the US government could use Cisco’s products around the world to create an internet war to deal a major blow to adversary countries.

Cisco has overtaken Hewlett-Packard and IBM to become the world’s biggest IT equipment provider in terms of cloud computing, according to market researcher Synergy Research Group.

Cisco raked in income of more than US$1.6 billion last year in China, representing 30% of its total profits. It is expected that the Prism incident will seriously affect its business in China, while other companies such as Microsoft and Apple will also see their business in mainland China affected, the report said.

Chinese companies, Huawei is a great example, have been getting hammered by the U.S. over security concerns and Snowden’s revelations have turned the tables in a very substantial way. Jobs and growth are at stake if China further limits technology company access to it’s market. Billions of dollars, and god knows how many jobs, are at stake here.

Snowden’s root motives and the extent of Chinese involvement are still unknown but as Tech In Asia points out his betrayal adds real punch to an angle that the Chinese government has been trying to play for some time:

China has been concerned about the threat Cisco poses to Chinese information security since right around the same time the US got serious about Huawei. It’s not a coincidence, but if recent reports in the Chinese press are to be believed, China might have more reason to be concerned than originally thought.

This story, for example, suggests that NSA whistleblower Edward Snowden has told Chinese authorities that Cisco is helping the NSA spy on Chinese networks and computers. That would be a problem given that Cisco’s equipment is a part of the infrastructure of much of China’s internet.

It may not be for long:

Xu Qi, a Beijing telecom industry expert, said the Chinese authorities should conduct investigations into Cisco’s network in China.

“Based on sound evidence, market restrictions should be adopted, if it truly represents a threat,” he said.

With every revelation, every utterance, from Edward Snowden there is one primary beneficiary and it is clearly China. Spy, or not, he is the greatest assest to ever land in their laps. And it looks like we are just getting started.

Read more about Edward Snowden on the blog and follow @blogsofwar on Twitter for around the clock updates on this and other important national security stories.

Live Tweets: House Intelligence Committee Hearing on NSA Operations

Read the entire archive.

Tara Maller: Half the Homeland – Mobilizing Women for Cybersecurity

tramillersquare Tara Maller: Half the Homeland Mobilizing Women for CybersecurityTara Maller is a research fellow in the National Security Studies Program at the New America Foundation. Her current areas of focus include sanctions, diplomacy, intelligence, cybersecurity, terrorism and women in security. Previously, she worked at BrightWire Inc., a NY-based startup, where she served as the managing editor and managing director of Operations, Americas. In 2011, she received her Ph.D. in political science at MIT, where her dissertation focused on information collection, diplomacy and sanctions. During this time, she was an affiliate of MIT’s Security Studies Program and she served as research fellow in the International Security Program at the Belfer Center for Science & International Affairs at Harvard’s Kennedy School of Government. Previously, Maller worked as a military analyst at the Central Intelligence Agency, focusing on the Iraq insurgency. She has published articles in The Washington Quarterly, Studies in Conflict and Terrorism and PS: Political Science and Politics. She has also written for foreignpolicy.com, CNN.com and The Huffington Post and has appeared on CNN’s Erin Burnett OutFront and Bloomberg’s Bottom Line. She graduated with a B.A. in government from Dartmouth College and received a M.A. in international relations from the University of Chicago. You can follow her on Twitter at @TaraMaller

Over the last year, women in security have captured the public’s attention on the big screen as the lead characters in shows like Homeland and movies like Zero Dark Thirty. While the former is fictional and the latter is loosely based on the real hunt for bin Laden, both cull a sense of fascination with the intelligence community and place a spotlight on women protagonists. Clearly, portrayals on the screen are dramatized and may even misrepresent actual events, but the power of the media should not be lost – particularly at a time when the national security community is in dire need of more women in its ranks. Men and women may also bring different types of experiences and perspectives to understanding, identifying and ameliorating potential threats. In general, adding more women to the security workforce and making sure they advance to positions of leadership in the security community is critical – particularly in the realm of cybersecurity.

In a speech this fall, U.S. Secretary of Defense Leon Panetta warned of the potential for a “cyber Pearl Harbor.” The possibility of a large-scale cyberattack on American soil with physical ramifications and loss of American lives is a real one. Recently, the Pentagon released a report condemning the Chinese cyberattacks on a wide range of U.S. targets – both government and private. In his March 2013 Intelligence Community’s Worldwide Threat assessment, the Director of National Intelligence, James Clapper, recently named the cyber threat as the number one threat to the United States. Just last week, U.S. officials also reported that cyberattacks on U.S. energy companies and infrastructure could be traced back to Iran. According to U.S. military officials, cyberattacks on critical U.S. infrastructure have increased 17-fold from 2007 to 2009. In 2011 alone, cyberattacks increased 40%. In the 2013 defense budget, cybersecurity is one of the few areas of defense spending projected to increase.

In response to the growing concerns over the cyber threat, the U.S. Department of Homeland Security (DHS) and other Washington, D.C. professional organizations and universities have ramped up recruiting and hiring for cybersecurity jobs. But to effectively fortify American cyberdefense, recruiters must focus also the efforts on recruiting more women for those positions. The U.S. can’t afford to neglect the talent and brain power of half its population if it expects to compete with populous countries with advanced cybersecurity capabilities, such as China and Russia. A homogenous workforce precludes the innovative and creative thinking that’s essential to the development of a new policy area, such as cybersecurity.

While women have made great strides in the realm of foreign policy, they remain underrepresented across the intelligence, defense, and security community. Women make up half the homeland, but they do not make up nearly half of the workforce responsible for protecting it. Even at the CIA, where the percentage of women is higher than at other agencies, a gap still exists at the more senior levels. For example, according to the CIA’s March 2013 Director’s Advisory Group Women in Leadership report, although women make up 46% of the CIA’s workforce, “as of October 2012, females constituted 31 percent of the Agency’s Senior Intelligence Service officers.” At other intelligence community agencies, the average is less than 30% in the senior executive positions.

Unfortunately, the cyber ceiling could widen this gap since there are generally fewer women in science, technology, engineering, and math (STEM) fields. As a result, there are less women in the pipeline with the specialized skills required for certain cybersecurity jobs. Second, there are also significant misperceptions about careers in security and the backgrounds of value in this field. The field is not only in need of computer scientists, engineers or those interested in analyzing nuclear weapons and tanks. Cybersecurity work requires men and women from a variety of backgrounds such as international affairs, law, psychology and public policy. Awareness about the skills and backgrounds valuable in the cybersecurity realm might also help attract more women since women have been underrepresented in the science, technology, engineering and math (STEM) fields. The numbers are quite alarming. In 2010, The National Center for Education Statistics reported only 18 percent of computer science undergraduates to be women. Karen Evans, the National Director of CyberChallenge, an organization whose mission is focused on the reducing the shortage of cyber professionals in the U.S., reported that only 22% of its participants in the Spring 2012 Cyberquests competition were women

Lastly, we need to work on expanding the base of female applicants with targeted social and cultural messages that change perceptions about women in national security and get younger women more interested in pursuing careers along this path. We need to change cultural and social perceptions and stereotypes about the types of individuals who are well equipped for these roles and alter the image of what it means to be a security professional in the 21st century. Dynamic and inspiring role models and mentors are critical.

Educational programs, government initiatives and scholarships designed to attract women to foreign policy and national security are extremely critical and must continue to serve as the pillars of strengthening the talent, expertise and diversity of our security workforce. However, we should not underestimate the role that less conventional approaches may be able to play in this effort. For example, television, magazines, books and public relations style campaigns can potentially play in inspiring women to pursue careers in national security. For example, back in 2004, the CIA employed Jennifer Garner, the star of Alias, in CIA ads and recruitment videos. Currently, each week almost 2 million people watch Homeland. Leveraging the recent popularity of shows like Homeland can also help spark interest in national security in the next generation.

Similarly, pulling together a bipartisan dream team of inspirational and high-profile women who have served in leadership positions in technology and foreign policy, to engage in a high-profile public relations campaign could help raise visibility to this issue. Featuring these women in profile pieces in media targeting young girls and teens, along with involving high-profile women who have portrayed national security professionals behind the cameras in an ad campaign or in in publications targeting women could help garner national attention to this issue. Lastly, simply getting more young women from these fields into classrooms around the nation and more visible in the media would go a long way in inspiring younger girls to be security leaders in the next generation.

In the nearer term, shattering the security ceiling requires the immediate mobilization of women into these careers and being committed to working on the various obstacles that have contributed the gender gap in security over the last few decades. Women should take the lead in this effort by both encouraging other women and stepping up to the plate to express interest in this area. Protecting the homeland requires that we tap not half of but all of the best and the brightest.

Look for Tara on Bloomberg TV tonight at 7:10EST where she will be discussing Iran sanctions.

Interview: Ali-Reza Anghaie and Scot Terban on InfoSec, Hackers, China, and Cyber Hype

terbali2 Interview: Ali Reza Anghaie and Scot Terban on InfoSec, Hackers, China, and Cyber Hype

Ali-Reza Anghaie (Right) is a Consulting Security Engineer and Senior Analyst with Wikistrat. His varied work in engineering and security has taken him to numerous universities and Fortune 500 companies in the Defense, Energy, Entertainment, and Medical fields. You can follow Ali-Reza on Twitter and Quora. Scot Terban (Left), AKA the gonzo INFOSEC blogger Krypt3ia, blogs at http://krypt3ia.wordpress.com. You can also find him on Twitter. Both host the weekly Cloak & Swagger: Security Unhinged podcast.

John Little: Let’s start off with a Skyfall-esque word association game. Ready? “Cyber Pearl Harbor

Ali-Reza Anghaie: Geraldo. (Yes, that’s my answer. Say `Cyber Pearl Harbor` in his voice and you’ll want to strangle yourself too.)

Scot Terban: Expletive.

John Little: Alright, so what is it about “Cyber Pearl Harbor” that sets you two, and many other infosec professionals, off? What are Panetta, Lieberman, and other Beltway types getting wrong about the legitimate threats we face in the digital domain?

Ali-Reza Anghaie: Lets clarify “getting wrong” – as professionals we encounter `wrong` all the time. ~Intentionally~ exaggerating and obfuscating threats is what has been happening in DC. However, it’s also politics – you never hear a politician talk about any issue in a way that satisfies the wider professional community of that issue. That’s quite intentional – as the people who really know are absolutely the people that politicians need to play ~against~ to centralize and pull power toward their own spheres of influence.

And that’s really the part that burns me – the echo chamber they’ve built is designed to accomodate just those that will work within the confines of the existing DC dynamic. And so much energy is exhausted in just that posturing that by the time you get to actual technical working groups – you’re already on the tail end of resource availability. So, if you’re lucky, you’ll get through one or two iterations of actual policy driven work before the next manufactured crises hoovers priority elsewhere.

Since this is the inevitable cycle, I suggest we move straight to the end – private industry needs to step to the plate as a competitive matter because Government, as Government always does, will punish you using whatever laws do or don’t exist as soon as it’s politically tenable. And won’t provide any solutions along the way. Why not just get it over with?

You know – I’d probably be less cynical and in a better mood if you stopped saying “Cyber Pearl Harbor”..

Scot Terban: It’s jingoism at its best. It is propaganda and a tool to get people to react in a knee jerk way.

What are Panetta, Lieberman, and other Beltway types getting wrong about the legitimate threats we face in the digital domain? Everything. They do not comprehend the technologies involved nor the complexities of what they are advocating as the end of the world. They need to let the professionals who deal with this technology and space give the answers. It’s akin to telling a five year old to go on to Meet The Press and explain quantum mechanics.

John Little: There are countless layers to this problem and many of them are not “technical”. There are human factors and physical security issues for example. In most cases there are no paths to 100% security. So where, from a national security perspective, should we focus or efforts and dollars? What would get us the most bang for the buck?

Scot Terban: Well, contrary to what a Dave Aitel or lately Schneier might posit, more security awareness for the general populace to start I think. This is more so for companies that are within the sights of an APT adversary but also look at what goes on with crimeware to start right? How much of this could be stopped just with making sure people understand the technology that they own and should be managing? We are all supposed to have training to drive a car and a license so why not at least have a better grasp on the PC and how things work right?

*wait’s for Ali’s head to explode*

But really, knowledge is power and unfortunately I don’t think this will happen either really. The money will all go into offensive campaigns within the CyberComm and we will lag behind on defense. Look at the EO and how the corps responded to it. “hey yeah, we would like to do less” I know Ali thinks that is all about letting the gubment take over and that is what they want but I disagree here. I think they do not want the government dictating to them nor do they want to be responsible for the security of their environments at the level of mandate because they would be held to it by assessment.

I think in the end your question is moot because nothing will be done that will help us.

Ali-Reza Anghaie: The pounding of the `do the basics` drums needs to be louder than the `sexy` drums..

However, I think the biggest things we can do at a national security lever are:

1) Admit defeat at the Government level. Make it clear – CLEAR – that if you’re waiting for Government to combat your hacking problem, you’re going to die.

2) You. Must. Compete. There is a concept called “Intellectual Property Obesity” that has ravaged the American innovators for some time. They spent too much time on Copyright, Patent, and IP theft and not enough on risk analysis, business development, existing means of competition.. concentrate on ~everything else~ that has made America less competitive on a global scale.

In the end, if we’re to suffer a `death by a thousand cuts`, it’s not because of cyber espionage from the Chinese or anyone else. That’s but a small part of the bigger picture.

Now – that speaks to national security at the economic level, which I think is most important – but some conflate this as all purely defense/military in nature. The solutions to that problem set as a bit different and, in part, require actually letting people fail. Not retroactively but put a pretty solid post in the ground that says: `Hey, if you get hacked and all the IP is stolen. Your program funding is going to take a BIG hit. We don’t want to tell you how to fix it – we (Government) doesn’t know how. Likewise, if the data gets stolen while with us (again, Government), you’re going to get a bit of automatica business helping us or influencing our direct means of securing it`.. something along those lines without the tin-foil gaps.

John Little: Although I know and respect many security professionals the ones that I encounter professionally seem to be bureaucrats rather than technical professionals. They are just lords of a massive fixed documentation process that must be completed whether I’m building a simple web page with public data or a massive mission critical enterprise system. The problem is that I can answer 500 questions about my application and get it approved but at the end of the day there’s nothing about the process that really enhances security. What are your thoughts about how the private sector utilizes InfoSec professionals?

Ali-Reza Anghaie: Firstly – I’m sorry. Really really sorry. You’ll have to file a RC269B exception to ask me this question. It’ll be rejected of course because everyone knows of the `Great RC268T Debacle` of 2012. I have my big red stamp ready to reject your request because email isn’t secure enough and the ColdFusion workflow app we had developed in Bangalore was, of course, developed by non-US Citizens so we can’t really use it. I have spoken.

There is this inherit fear of InfoSec that comes with the noise around incidents right now – similar to how auditors were perceived just after SOX went into effect. Nobody knows what to do with InfoSec except to not piss InfoSec off. Along with that come a lot of non-technical professionals or entry-level professionals enabled with copious amounts of authority and confidence over – well – nothing in particular. So, much like politics, you do exactly what you can get away with without punishment.

This is a cynical view – as my answers have trended so far – but it’s quite normal and recent trends leave me very optimistic.

We’re at the tail end of this trend and, as an industry, we’re going through it a fair bit quicker than many of our predecessors. Somewhat due to economic constraints but I sincerely believe the best of the best in InfoSec have taken more responsibility recently for knocking down their own echo chambers. They’ve seen the charlatans flourish and they know “we” created room for them with ambiguity and hand-waiving. “We” want our industry back..

So – to answer your question – I think a huge majority of the private sector is very confused in how to apply InfoSec. And it’s our fault…for now.

Scot Terban: I think we need to differentiate between the INFOSEC folks like an archaeological dig here to start. First off, not all INFOSEC’ers are built the same. I come from the pentesting side AND the policy as well. I performed many assessments that had a combination of both and understand them both well enough to see where the rubber meets the road to so speak. Unfortunately not everyone has the skill sets to see both sides of coin and to work efficiently in the space. So we have people who get into INFOSEC primarily from a “legislative or paper” side of the issue. They understand that security is necessary and there are rules that need to be in place and that is about it. They follow their checklists and once they have checked the boxes they are good. This is bad but all too often the real aegis of many folks in corporations who perform audit from SOX to other government audit standpoints.

Then there are the people who perform just pentest and who many often think that rules are just useless. Why? Because the hackers/adversary does not follow the rules and all too often rules get mired in minutiae that doesn’t matter to their attacks. I have heard way too many times, and rightly so, that SOX and other check box security measures are useless. I too have felt the same thing but, too often the pentest crowd is just dismissive of it because they are broken and not workable in their present state much of the time. So you can develop an app as you say, the “Bob’s” can come in with their checklists but in the end they have not made the product more secure because they lack the dimension of the attacker perspective.

So we have two camps.. Both out to secure things and neither really can because of a third camp.. Let’s call this camp the “Corporation” The corp all too often is motivated not by an innate desire to protect their data, their clients etc.. Their driver is to make as much money as possible and in doing so security spend is even today, not what it should be because it is a cost center. When looking at the options and the legal drivers we can see how it is so easy for a company to go for the check box security approach mainly because that is what the government and the laws are mandating. It is the “due diligence” mentality and in that, the only due diligence we have primarily is to have the boxes checked to insure that they can say that once they get sued or after an incident. THIS is to minimize the legal remunerations that they may incur to law suits and that’s the extent of it. Rarely have I seen a company throughout my career that was proactive about their security enough to engage true red teaming and effective policies, procedures, and audit to insure a modicum of security.

It’s mostly set and forget as well as get drones who check SOX boxes every year. Aye, there’s the rub huh? This is where you have the paper CISSP’s and others who really do not have a grasp of adversarial INFOSEC that needs to be in place to protect yourselves and this is where the engine of popularity and money have made a glut of people who don’t really have the chops to be in the business doing business. So yeah, you could create an application and the SOX types come along and ask questions but they really aren’t coders nor understand application code security right? They do their bit but they don’t see the whole picture and you, you could totally hoodwink them that your application is up to standard because this is the only appsec that they are carrying out.. Asking questions and not validating code?

To me, that says that the system is broken. What we need is a middle road where true application security people are involved in your case. In other cases I would like to see people who have a good grasp of security (defense as well as offense) in the roles of audit. Will this happen? Probably not and that is because as was lamented recently “Defense isn’t sexy” add to that the corp’s aren’t looking to do anything but be “risk averse” and you have a broken system.

John Little: So we have a system that is broken and seems bound to stay that way. With the increasing complexity and distributed nature of data and applications, the vast number of application users (a good portion of the planet now), the rapid advancement of technology, and the challenges involved in building and maintaining an even barely adequate cadre of INFOSEC professionals how will the future not become even more of a hacker’s playground?

Ali-Reza Anghaie: The problem space is going to continue to grow at an accelerating pace. We will drown in more data and we won’t ever have enough bodies to throw at the problem. Government “regulation” will likely further exasperate the staffing problems. Generally we’ve shown ourselves incapable of effective security automation. Woe is me?

There is a difference between a hacker’s playground and an unmanageable risk. Like any other type of crime, society will compensate in some areas and not in others. Some regions will do better with the same `door locks` and other regions will need `burglar bars` on all windows. So the question isn’t if the attack surface will continue to outpace us – it certainly will – the question is how will we compensate, as an industry and society, elsewhere?

This goes to the very root of competition – and we’re stuck with this idea that InfoSec is absolute. You’re either not using computers or your pwned. In no other aspect of life or society do we so readily say that to customers, through Governments, and in our daily routines.

So I would say that hackers will hack and that’s OK. If you aren’t viable and complete even under hacker fire – I’d say you were never actually viable or complete.

Scot Terban: It shall be just as it is now. The only answer is to become a new age Luddite and live in a bunker awaiting the end…

John Little: A significant portion of the cyber-chatter inside the Beltway and in the media is focused on China. How would you characterize the threat Chinese hackers (official or not) pose to the U.S. and how should we be talking about it?

Ali-Reza Anghaie: Lets be clear – the Chinese threat is real and it’s aggressive. It is also entirely irrelevant.

We’re at such an early stage of secure architecture and software that concentrating on a given foe is foolish for all but a small core of defense and intelligence agencies. Along those lines, Government emphasizing a given nation-state threat also leaves people with the false impression that these threats ~require~ a nation-state to execute. And…. wait for it… a nation-state level response.

About now big red spinning alarms should be going off in your head. THAT is the problem with “the Chinese threat” – it’s become a political football that has turned into a lobby interest that has turned into a disadvantage to an already painfully broken field. It creates whole classes of C-levels looking at the wrong problems, wrong solutions, and wrong people to deliver those solutions.

Scot Terban: How would I characterize the Chinese threat… Well, they are a threat because they are just persistent and mostly sneaky. Not all of the teams are uber ninja’s like portrayed in the news media or in a Mandiant self propaganda piece but they are pretty good (some of them) What the question really should be though is how would I characterize the attacked.. Not the attacker. We are on the whole not prepared to deal with attacks either in the MIL space or the private whatsoever. Companies are reticent to fix their infrastructures because it would cause loss of productivity, they hold on to old technologies like XP and IE6 for way too long, and they generally are not as a whole, security savvy.

So.. How hard is it for the average Chinese hacker to get someone to click on a link, pwn a machine, enter a poorly managed network, and steal them blind? Furthermore, how hard is it then to keep persistence?

Meh.

John Little: You both raise a very important point. While the debates over terminology, doctrine, and threats rage on the assets are going unprotected. We hear case after case of hackers having an easy time with their targets because of laziness, ignorance, and irresponsibility on the behalf of individual users, software developers, and network owners. It seems like we could eliminate most threats by shifting the focus away from “external” threats and back to our own behavior and business practices.

Ali-Reza Anghaie: Some years ago various groups started referring to de-perimeterisation as an inherit system design goal – that is to say that every system’s functions should act like it’s facing the “outside” world. From the outset I thought that should be the data protection goal as well – trust no one, period. Everything should have a forensic trail, least-privilege model, etc. Insiders can become your outsiders – prepare as such.

Now, that was naive of me – cost applies. So I think it comes down to appropriate risk assessments in the complete context of your business, legal, and technical resources – which is non-trivial for multinationals and small business alike.

So – the “right” answer to your question is – we still have an accountability problem period. Internally or externally the risk assessments, valuations, and models just aren’t being done appropriately on a reliable basis for most organizations. The good news is that the body of work on these topics are increasingly reliable – we can fix the overall scheme of things. Where fixing doesn’t always mean absolute security as the goal.

I’d like to thank Blogs of War for taking the time to put together this interview. It’s been great and I really enjoy your various feeds.

Scot Terban: The answer is “yes” but I would also hasten to say that it’s not just accountability but a more encompassing problem of OPSEC altogether. The point being that many people today lack understanding of the need never mind the practice of OPSEC. So we have all these private and public entities that really have no concept of the security landscape in the first place and why it is important to protect their data so how do you expect them to be aware of internal or external threats? While in the military and government space they have an idea they too suffer from lackadaisical attitudes and lack of comprehension of the technologies that they are using to manipulate, store, and use data. I tend to think of it as a human nature issue in general that we need to tackle just to bring people to the security table in the first place before we can make them aware enough to think about and secure their assets. Once people are on the same page with the technologies (not just the tech folks we all work with but the end users) then we will have a discussion over the internal versus the external threats posed.