Friday, October 7, 2011

Congressional Hearing on Cyber Threats

I’ve spent quite a bit of time on the blog writing about Advanced Persistent Threat (APT) recently and I have also been working on creating some public presentations on the issue. I will be presenting on the topic of APT at the CISO Executive Summit in Chicago in December of this year and at the CISO Executive Summit in New York in 2012.  Additionally, I will be providing the keynote presentation for the SC Magazine eSymposium on APT later this month.

The United States House of Representatives Permanent Select Committee on Intelligence was nice enough give me more material to work with by holding a hearing this week on “Cyber Threats and Ongoing Efforts to Protect the Nation”. You can find the statements and witness testimony here. They make for very compelling reading, but the best executive summary of the proceedings was provided by Chairman Mike Rogers. His statement is on the website, but you can and should watch his statement on YouTube. It takes just under eight and a half minutes to watch and is an excellent summary of the severity and uniqueness of the threat that we’re facing from Chinese cyber espionage in particular. Rogers hit on all sorts of great points in his statement that everyone should listen to and understand.

I liked the fact that while he didn’t completely dismiss the idea of “Cyber Pearl Harbor”, he understood it’s really not the prime issue of the day. I’m of the opinion that this sort of threat is a bit overhyped.  Yes, a nation-state could use a cyber attack to do something like bring down a power grid by going after the computers that control it. The rub is that doing that would constitute an act of war and the victim nation-state could very well respond in kind using traditional warfare. I’m having a hard time thinking of a scenario other than a full shooting war where China would want to disable a power station in the United States using a cyber attack.  If they did, they might have to read about the effectiveness of that power company’s disaster recovery plan by the light of the fire from the smoking ruins that used to be their own power stations. Fine. You bring our power stations down using malware. We’ll bring yours down using cruise missiles from Virginia class nuclear attack submarines. We’ll see who gets the lights back on first.

The main point that Rogers made is the unique nature of this current threat. Espionage is probably the second oldest profession in the world so having a cyber component to isn’t anything particular shocking. Intelligence organizations have adapted to the information technology age by making cyber espionage a component of a proper intelligence gathering program. Rogers explained that the difference is that traditional espionage is oriented towards obtaining information on the “plans, intentions and capabilities” of other governments and militaries and that this current threat is much more expansive in scope. He summarized his view very nicely when he stated:

These espionage activities over the years, however, have largely been focused on collecting intelligence on foreign governments and militaries, not on brazen and wide-scale theft of intellectual property from foreign commercial competitors.

Rogers then went on to make this powerful statement about what makes this threat different:

I don’t believe that there is a precedent in history for such a massive and sustained intelligence effort by a government to blatantly steal commercial data and intellectual property. China’s economic espionage has reached an intolerable level and I believe that the United States and our allies in Europe and Asia have an obligation to confront Beijing and demand that they put a stop to this piracy. Beijing is waging a massive trade war on us all, and we should band together to pressure them to stop. Combined, the United States and our allies in Europe and Asia have significant diplomatic and economic leverage over China, and we should use this to our advantage to put an end to this scourge.

This is why I state that APT is a geopolitical problem. This is a problem that is bigger than any one of us and we have to band together to fight this threat. We need to pressure our respective governments to address it at the diplomatic and economic level. One of the ways we can do this is through the government relations teams for the organizations that have them. For example, it is very common for large corporations to have people devoted to petitioning government officials for changes in public policy. This is an issue that is critical for the financial health of these organizations and should be a priority for their government relations efforts.