July 24, 2011

Cyber Security: A Fact-Based Primer

While the mainstream dialogue related to “cyber-security” most often focuses on issues related to consumer privacy and identity theft, the more cloistered industry and government debate circulates around espionage and so-called cyber-war. The concerns are legit, but the debate is all-too-often hijacked by political or competitive agendas, undermining progress towards true solutions.

So let’s try to dissect this - what are we talking about when we’re debating non-consumer-oriented cyber security concerns? While there are multiple and competing definitions of cyber security, most would include at least the following: network exploitation or attack, including espionage and/or the disruption of networks, whether via software in or for network equipment or through the manufacture of that equipment itself, including hardwired backdoors in chipsets, routers or other physical parts of the network.

In terms of potential “cyber weapons,” they might include: unauthorized access to systems (hacking), viruses, worms, trojans, denial of service, distributed denial of service (including using botnets), rootkits and, of course, social engineering. Such tools can be used to compromise confidentiality or otherwise facilitate identity theft, web defacement, extortion, system hijacking and/or service blockading. Key to note: cyber weapons can be used individually, in combination, and – generally most concerning - blended with conventional kinetic/physical weapons as force multipliers.

Who’s in the game? Pretty much everyone, ranging from the Russians to the Israelis, but the big dogs would be the U.S. and China, both of which have been quite public in communicating their cyber capabilities and intent. Indeed, reported instances of China-based cyber-incursions are significant. A couple of well-publicized examples:

Titan Rain (Government espionage) was a series of coordinated attacks with reported Chinese origin on U.S. Government, defense industrial base and R&D institutions, originally identified in 2003. Among other targets, hackers reportedly gained access to: U.S. Army Information Systems Engineering Command; Defense Information Systems Agency; U.S. Army Space and Strategic Defense Center; NASA; and Sandia Labs.

Night Dragon (industrial espionage), according to a February 2011 report from McAfee, was a coordinated series of cyber attacks which began in November 2009, aimed at global oil, energy, and petrochemical companies to harvest sensitive information on industrial operations in Kazakhstan, Taiwan, Greece, and the U.S. McAfee identified the tools, techniques, and network activities used in these attacks as originating in China.

But China is not alone in terms of being perceived (if not absolutely proven) to be engaged in strategic cyber warfare activities. Other examples, specifically geared to more concerning disruptive activities, include:

Estonia: In April and May of 2007, Estonia experienced a heavy barrage of coordinated cyber attacks against information networks, Government services and news portals. The attacks, which followed a decision to relocate a Soviet-era grave marker, were primarily in the form of distributed denial of service (DDoS), including the remarkably coordinated use of sophisticated botnets. The Russian Government was suspected but has not been proven to be responsible. While there were no long-term consequences from the attacks, the short-term impact in terms of unavailability of online services was significant, particularly in a market where 98% of banking transactions take place online.

Georgia: In the weeks leading up to the Russian physical invasion of Georgia in 2008, Georgian communications, Government and financial networks came under significant cyber attack. While the immediate and most public perception of the assault was related to the defacement of Government sites, more impactful was the repeat of a strategic and coordinated DDoS attack which, as a force multiplier, disrupted communications and online activity, impairing critical Government and citizen communications before and during the physical attack. While the cyber attacks are widely believed to have originated in Russia, no Government involvement has been proven.

Iran: Stuxnet, a MS Windows computer worm, was discovered in July 2010. Designed to target Siemens Supervisory Control and Data Acquisition (SCADA) systems, Stuxnet is the first discovered malware that spies on and subverts industrial systems. It is widely acknowledged that Stuxnet was targeted to disrupt the uranium enrichment infrastructure in Iran, with the U.S. and Israel most regularly referenced as the likely perpetrators, although without any proof having emerged. Notably, computers across the globe have been infected – an early example of cyber collateral damage.

These instances notwithstanding, in the U.S. the spotlight remains fixed on China, and U.S. authorities, politicians, pundits and media, perceiving China through the prism of the all-powerful State-controlled past – which is no longer a universal reality – regularly hand-wring about the potential for independent Chinese companies to do the Government’s bidding.

There are certainly some legitimate concerns to be had, but the legitimacy gets all too easily and quickly lost in spin driven by fear, politics or commercial competition. After all, who’s to say what passes for a “Chinese” company today? If one were to be even marginally intellectually honest, and were to acknowledge for the sake of argument that the Chinese Government is just as committed to cyber tactics as is the U.S., wouldn’t one also acknowledge that any company with a presence in China is vulnerable to Chinese Government manipulation, however well-hidden that might be?

Let’s consider this from the perspective of the information communications technology (ICT) industry, one which has become utterly globalized, resulting in virtually every major ICT company having significant research and development, production and software coding capabilities in China. Why? Well, among other things, comparatively speaking, China possesses rich resources in available talent and low labor costs. Indeed, in 2010, China's college graduates reached 6.31 million, while in the U.S., the figure was 1.65 million. And, the average salary for an engineer in China remains below $10,000 a year, with the average disposable income per capita resting below $3,000, while in the U.S., it’s around $50,000 (and engineers command salaries many multiples of their Chinese counterparts). All of these – and other – advantages have attracted global ICT companies to move manufacturing bases and significant R&D functions to China.

So what does this mean in practice, in terms of major ICT players that supply the guts and intelligence to cyber-threatened global networks?

Ericsson: Ericsson opened its first office in China in 1985 and as of 2009 had 7,900 employees in China, 27 offices and 10 joint ventures. Ericsson’s second largest global supply hub is in Nanjing, China, producing wireless network equipment - over 50% for export. And, Ericsson has over 1,700 R&D personnel in China and an annual R&D investment in excess of $155 million, developing as many as 100-150 products each year for Ericsson’s global markets (indeed, Ericsson’s first “3G” (WCDMA) base station was developed by Ericsson’s China R&D and shipped to Europe in 2004). And, finally, Ericsson has a strong China-based service organization featuring 36 customer network support centers and 5,000 local engineers.

Alcatel-Lucent: Shanghai Bell Telephone Equipment Manufacture dates back to 1983 (pre-Lucent AT&T) and, after uniting with Alcatel’s China-based operations following the Alcatel-Lucent merger in 2006, was ultimately renamed Shanghai Bell Co., Ltd in 2009. Shanghai Bell, employing approximately 10,000, is a 50-50 joint venture between Alcatel-Lucent and China’s State-owned Assets Supervision and Administration Commission of the State Council. Shanghai Bell hosts several China-based global R&D centers employing over 6,000 people, has full access to Alcatel-Lucent’s global technology resource pool and develops technologies that serve all of China and over 50 countries worldwide. And, Shanghai Bell’s two Chinese manufacturing bases generate products for fixed-network, mobile, optical, and multimedia with annual production values of approximately $2.48 billion.

Cisco: Since its entry into China in 1994 and the 1998 establishment of Cisco Systems (China) Network Technologies Co. Ltd., Cisco has promoted the development of Chinese innovation and the Chinese ICT industry. In 1998, the Cisco Network Technology College project officially entered China, establishing over 220 Cisco Network Technology Colleges that teach comprehensive courses on the latest network technology. In 2005, the Cisco China R&D Center was launched in Shanghai, accompanied by promises to further invest $37.7 million to co-construct 35 model software colleges along with China's Ministry of Education. And, in 2007, Cisco announced investments and joint ventures in China totaling $16 billion, committed to expand its Networking Academies to 500 to train an additional 100,000, and to double its manufacturing in China (a production value of as high as $14 billion).

Intellectual honesty would demand an acknowledgment that to the extent that cyber security concerns are real (and they are), then they apply to all of these global companies with operations spread across the globe, including in China. And yet, in the U.S., the focus – for political and competitive reasons – circles around global players with a Chinese heritage, like Huawei, the second largest telecommunications equipment provider on the planet.

Why? Well, Huawei is based in China, and the U.S. and Chinese Governments are engaged in competition on multiple fronts, from politics to economics, and beyond. And, well, like the U.S. Government, the Chinese Government has been vocal about its cyber-intent and, certainly more so than any American activities, China-based cyber-incursions into foreign networks are well and regularly reported. So, with all of that in mind, ill-founded beliefs that Huawei is somehow state-influenced contribute to ill-founded fears that Huawei might facilitate Chinese Government-endorsed espionage or disruption.

Without getting into the silliness of such concerns in the context of a global leader with a presence in 140+ markets and far more sales outside China than within, intellectual honesty would still demand that any true solution to cyber security concerns be agnostic to nationality. Consider:

The quality and integrity of Huawei solutions have been audited and have passed the security requirements of 45 of the world’s top 50 global operators, and no company or government has found Huawei solutions to vary from international standards in any manner material to security. These are facts. And, given that Huawei’s solutions are built to the same global standards as those of competitors, all of which manufacture product and code software in China and all of which share common potential vulnerabilities in component and code origin, manufacturing, logistics, distribution, installation and support, it is intellectually honest to say that Huawei’s solutions are no less secure than the equipment of its ICT peers.

So where does this leave us? Well, if we take a fact-based, intellectually honest and politics-free approach, we should all agree that legislation, regulation or policy intended to address cyber-security concerns based on a company's country of headquarters is akin to throwing a mosquito net over a reservoir to prevent an outbreak of cholera…

…Not only is the prophylactic misused (mosquito nets are of course meant to manage the spread of pest-borne malaria), but such measures do nothing to address the true issues of plumbing, sanitation and water supply.

The facts are that true, rational and effective solutions to cyber-security concerns will only emerge from an industry-led, non-politicized, pragmatic process that acknowledges the common vulnerabilities of all ICT companies and addresses the challenges in a manner agnostic to nationality.