Indictments In-schmightments

Indictments against Chinese officials for hacking into U.S. companies is a typical government move of confusing motion with action. What’s the point of indictments if the targets will never see the inside of a prison cell because they’ll never be tried because they’ll never be extradited?

“Well we have this paper and held a press conference, so…TIGER BLOOD!”

Indictments are a completely impractical move that is designed to show some level of resolve, but is likely to cost both the government and U.S. private industry more than has been anticipated. I do not doubt that someone has attempted to calculate just how expensive and painful the retaliation may be, but if we have learned anything in the last few years it is that such estimates are inevitably low-balled because we underestimate our adversaries and how pervasive technology has become.

It is acknowledged that the Chinese are widely and deeply embedded into computer systems in the U.S. For every intrusion we know about there are others that are unknown to us. We can warn and mitigate against damage or destruction the case of the former, but we have no idea how painful if not crippling the latter may be. To paraphrase Mike Tyson: Everyone thinks they know how things will go down until they get punched in the face.

China is a very large market for U.S. technology (legitimately obtained). What happens when their government decides to not stroke checks to U.S. companies anymore? At what point do U.S. tech giants and the Chamber of Commerce start lobbying our government to stop being such hard-asses? China is not a monolith, but like any sufficiently large entity, once its momentum shifts, the impact is not trivial.

China is a serious perpetrator in this domain, but it is not the only one. Once again: we’re only focusing on China ref cyberspace because we’re focused on (possibly) fighting China in meat-space (someday). Notice that we’re not having this conversation in French.

China is going to react to these events, and it is going to go badly for us in a public way. What would have been a better play?

Start Swinging. If the government is standing squarely behind the idea that this sort of action should stop, it should stop talking and start fighting. We know how to fight secret wars and proxy wars; it’s what all the political re-treads trying to make a name in “cyber” did back in the day when our adversary was another country with a red flag. Put that legacy future thinking to good use for a change and figure out how to inflict pain without actually delivering knock-out punches (remember, in cyberspace you can deny everything).

Change the Game. The U.S. is one of the few countries that doesn’t use its national security capabilities to the benefit of private industry. Its PRIVATE industry and they’re on their own, though we’ve been trying to make sure they take to a level playing field. The idea that we’re going to bring about some kind of international norm in this regard is a pipe dream, so stop smoking: get government out of the fair play business and let companies compete internationally on par with their competitors.

“But Mike, that like, leads to bribes and stuff.”

That’s an ugly word, but actions that “facilitate” deals is pretty much how most of the rest of the world works. We can maintain this white-hat sense of dignity and continue to lose, or we can stop playing that game and come up with one that we can win.

Horse Head in Bed. If you have enough information to indict someone you have enough information to influence them without a big public scene. In the Godfather Don Corleone didn’t send a bunch of muscle to the Woltz studios to get Johnny Fontane his movie role, he did this instead. Wang Dong isn’t a rich international jet-setter, but he has a house or flat, a bank account, and a myriad of other things that can be touched. Is that going to change Chinese policy? No. Is putting a horse head in the beds of everyone in Unit 61398 going to influence policy? It might give them pause, which is more than is happening now because they think they can’t be touched.

We can influence Chinese behavior in any number of ways, but in over two decades of being involved in these issues I have yet to come across an administration that was prepared to go to blows over hacking. Hacking is what the government gets concerned about because there isn’t a shooting war going on. We have brought a knife to a…fight where our opponent could pull out any number of weapons more powerful than a knife. We’re not prepared for this.

What’s the Alternative?

The Director of the National Security Agency argues that the NSA should be in charge of computer security in this country. Long the home of some of subject matter experts in computer technology and cryptography, this would seem to make a lot of sense.

But the NSA is an intelligence agency, and free people in a democratic society don’t like the idea of an intelligence agency – built to listen in on the conversations of “others” overseas – turning its extremely powerful data collection apparatus on them. The same or at least a similar argument is made whenever the topic of a domestic intelligence agency is brought up and the FBI argues that they should do the job: People don’t like the idea of those who can arrest you also having the authority to snoop on you. Dig hard and long enough into anyone’s life and you’re bound to find them committing a “crime,” and when you’re rewarded by the number of arrests you make and convictions you win, well, the recipe for abuse becomes obvious.

The hyperbole surrounding computer security that has been bantered about over the past few years aside, it’s clear that the more pervasive computers (in all their forms) become in our lives, the more of a problem insecure systems pose. But if access to, and the use of, such technology is increasingly viewed as a “right,” then some mechanism for defending that right is in order. If that defending entity isn’t the NSA, what is the alternative?

The Department of Homeland Security is often touted as the place where domestic computer security (if that’s even a thing) should be addressed, but I know of no one who would entrust such a mission to an organization that is famous for its dysfunction, and there is enough of that in computer security already. Remember, this is the agency that changes out “cyber czars” more frequently than Liz Taylor changed husbands (am I dating myself?).

Before we completely discard the idea of NSA involvement it may be useful to point out that the NSA is actually two large organizations underneath the same umbrella: an intelligence collection and analysis organization, and an information security organization. The former is the part that listens in on people’s conversations; the latter is the part that is in charge of wrapping math around our own conversations. There is an obvious symbiosis there, but what if you spun the INFOSEC organization out of big-NSA and let if focus on cyber security for all of us? Removed from Ft. Meade, ideally out of the Washington DC area altogether, it could be the center of expertise both the government and private sector need and would trust because they’d be about “security” not “intelligence.”

There is also an argument to be made that there isn’t a compelling need to do anything new from a governmental perspective. Leaving industry to its own devices seems like a bad idea, but cases where poor computer security led to the outright downfall of a company are notable because they’re so rare. The fact of the matter is that companies that get hacked and lose intellectual property suffer no long-term financial penalty, and since that’s what Wall Street grades C-level executives on, where is the incentive to change? It’s worth noting that the loudest voices lamenting the cost of IP theft all have a vested interest in more security, not higher profits.

This begs the question: is “economic prosperity” truly a national security issue? If that were the case the Chinese would have started chopping off French heads once they learned d’Entrecolles had stolen the method for making ‘china;’ the British would have hunted down and shot Slater and his ilk. Protecting IP and R&D that supports defense is a stronger argument, but traditionally our government isn’t in the business of making sure private enterprises can turn a profit (let’s not get side-tracked talking about farm subsidies). This is not the case in other countries, but since when is the US, France? If we became France (in this regard) at some point while we weren’t looking, then it’s time to make that policy known so that we can all act accordingly.

At this point, if forced to do something, I’d say we shift our resources as noted above. I’d rather have a solution that wasn’t a big-government one, but I can’t come up with one at this point. Anyone have any other, original ideas that don’t involve more spooks in the wire?


Premature

Former Defense Intelligence Agency (DIA) analyst Ronald Montaperto, convicted last year on espionage-related charges that involved passing secrets to China, is scheduled to get out of federal prison Sunday. Prosecutors say he will be barred from meeting any Chinese intelligence personnel as a condition of his release.

Montaperto claimed the passing of intelligence to China was unintentional and the result of being tricked by two Chinese officers.

Consider the difference between Montaperto and Franklin. Both were in essence doing something that happens all-too frequently – in essence ‘how things are done’ – but in Montaperto’s case he wasn’t doing it willingly, he was tricked, tricked by those inscrutables!

Certainly there are aspects to each case that we are unaware of that could force a re-assessment of the situation, but as it stands now, it is clear there is one “lobby” that has real pull in the national security apparatus, and it isn’t headquartered in Jerusalem.
P.S. – If the comparison with the Franklin sentence wasn’t enough, contrast the “time-out” that Montaperto got with the sentence of this poor bugger. The former gave away state secrets, the latter was just a greedy spammer direct-marketer. Have we no sense of priorities?