“Economic Cyberwar and the New Security Mandate”

A conversation between Mark Anderson and Richard Marshall, Director, Global Cyber Security Management, Department of Homeland Security

MA: The issue of intellectual property and China is not an issue of accident or benign neglect. Trillions of dollars of IP has been transferred from US, EU, etc. to China.

China was trying to tell us that IP was worthless, while forcing us to disclose IP, center research in China, etc. IP was the centerpiece of the Chinese economic model.

Without IP, China would look like Malaysia, Vietnam and India, rather than China. The reason why it looks like such a miracle boom-story isn’t because Chinese people work longer days. It’s because there is a terrific effort in economic centers to collect IP.

The fault is not in the government, but in those private capitalists, such as Jeff Immelt, who gave away their IP without protest.

Technology is the key to the world economy and IP is the centerpiece of technology. In the cyberworld, there has historically been a lot of concern about viruses, trojans.

But recently, experts have been worried about APTs (advanced persistent threats), mounted by specific teams looking for blueprints of how you make your living, and then cleaning it up so that users wouldn’t have any idea their stuff was being taken.

According to the DOD, 90% of these come from China.

RM: The concept of manipulating electrons to do things on the internet is not new.

E.g. during the Gulf War, government needed to investigate Iraq telecommunications systems without disrupting essential services, like hospitals, etc.

Janet Reno was absolutely riveted by the idea of cyber manipulation. Made sure that the lowest ranking officer had the power to pull the plug when the investigation moved in a direction it shouldn’t.

Can no more do business today without adequate IT, than you can without carbon, gas, etc.

Has issue with the term “warfare”, which pushes all kinds of buttons in Washington, D.C.

There has not been adequate focus at CEO level on making sure applications are business enablers. E.g. Sony CEO with an option to protect your systems or paying the damages, American business and American govt have not done enough to protect their IP because they’re operating under the false assumption that it costs too much.

MA: People who are used to other issues with a lot of security issues attached, don’t get the significance of IP. E.g. a doctor has a patient on the operating table and messes around, extracting organs until the patient is dead and they have all of its valuable parts.

People inside Chinese society fully believe that they’re right, and that this IP theft is what they should do.

RM: We need a new phrase for this: cyber exploitation for economic advantage. We are confronted with an economic distress and borrowing from China that creates an economic dependency between nations.

Intellectual property has become diffused as re-outsourcing takes place. We outsource all the time, starting with India to update our computers to Y2K.

MA: Returning to security: how should we think about APTs?

RM: We must project a polymorphic hand. If you look at the history of hacktivism, the initial moneymaker was the DDOS attack, monetized by protection right. E.g. taking down websites, such as offshore gambling accounts.

Criminal minds developed techniques and technologies that were profitable for them. China borrowed a lot of these techniques.

It’s kind of a nice thing to have hackers doing dastardly things, who China can protect and use.

Attribution — We know China is stealing IP, but we’re not going to address it, because we want to be able to do the same thing. And we don’t want to have to deal with the response.

MA: New Obama paper reserves the right to use economic or military response, because we recognize that this is an aggressive act. No one wants a military conflict, but when China attacks we reserve the right to respond.

RM: Problem with paper, is that it’s over-cooperative, with no one held responsible for protecting our critical IP infrastructure. Solution: a public-private partnership. But there is the problem of private companies not wanting government intervention, etc in their private spaces.

MA: Why haven’t they attacked the grid? No financial reward, as there is in attacking Boeing, etc, which leads to great financial gain.

RM: Suppose the government helped protect Boeing’s IP and manage supply-chain risk management and software robustness, there’s no way we could complain about the French government protecting EADS.

MA: Boeing historically never gave away their crown jewels, but when China came along and forced Boeing and EES to compete for Chinese market based on IP production in China. Now Boeing is competing with the 919 — a copy — which is cheaper.

RM: That was a witting business decision. Vs. Companies not adequately protecting their security systems.

Kamran Elahian: Putting all of the blame on China is an exaggeration. We are also producing more lawyers than engineers, Nuance is fighting more legal battles than innovating, voice control on iPhone does not work.

MA: Does not speak lightly about China, but rather at great risk to his reputation. All info he’s been able to gather, (maintaining his own database of IP attacks), points to an astounding acceleration of effort, put forth almost solely by China. Believes China now has the first pass of what they want, whether it be aerospace, medical tech, etc. Nuance has purchased 43 companies in their corporate lifetime. That is not bad. Bad is stealing rights and then trying to underprice companies in their own markets.

RM: Most Chinese PhDs in computer science are educated in the US. In fact, there is one Chinese school that produces more US students in the sciences than all of the US students combined. That is a sad commentary on our ability to produce math, physics, technology students. We aren’t keeping the best and the brightest. “If it were up to me, we’d staple a green card to their diplomas.” They’re going home, producing technologies, and they’re going to be producing the technologies we need. “We’re on the verge of becoming a vassal state. We’re on the verge of becoming a colony.” If we don’t change that, we’re going to be in trouble.

Q: Will attack continue to be cheaper than attack? If so, perhaps the right strategy is retaliatory.

RM: No, not really cheaper to do attack than defense: no way to measure how long people spend on the attack. Do they get a greater return on investment for the attack? Yes. It is cheaper to absorb the economic loss than to defend it. Those losses are passed on to consumers, which is a skewed economic system.

MA: We’re seeing a realignment of trade now to countries like India, who are willing to protect IP. E.g. Washington has passed a law which prohibits sale of goods with IP and seizes those goods. Whoa, end of Walmart.