The Microsoft action against 3322.org, a Chinese company, started with the news that computers were infected during the production phase. Stepping away from the controversy surrounding the approach (read e.g. Suresh's in-depth article here), there are important lessons that cyber security officials and upper management, deciding on the level of and budget for cyber security in organisations should learn and take into account. I'm writing this contribution from a premise: China uses the fact that most IT devices are built in China to its advantage. Allow me to start with an account from personal memory to set the stage.
In a train from Paris. Industrial espionage
On one of my very first trips abroad as international liaison at OPTA I came back on the high-speed train from Paris after contributing for three days at the OECD on the anti-spam tool kit. Next to me was a gentleman sitting in silence. When he came back from a visit elsewhere in the train he said something polite after I stood up for him, which I responded to in the same vein. Next he asked me what I'd been doing and I asked him the same. It was then that I found out that the man was bursting at the seams from anger and indignation. He worked for a multinational and came back from discussing a crisis in Paris within the company having to do with production in China. The multinational had built a plant there, because of the low wages, closing down plants in Eastern-Europe as a result. Let me tell you what I heard and why this is of interest to you if you work in cyber security or have to make decisions at the management level on what systems and devices you want to buy or have connected to the sensitive networks within your organisation.
The plant in China
The company was allowed to build a plant in China after negotiations with the Chinese government. One of the prerequisites was that there had to be a Chinese upper manager. This person left the plant after one year, after which circa 500 meters down the road another plant was built, manufacturing the exact same product, but circa 50% under the price and selling this product to several major customers of the multinational. You get just one guess who the manager of the latter plant was. So my travel companion wanted his company to pull out of China as of now, but others decided to remain. Too much money had been invested to pull out. How much did the multinational really save through wages though? Perhaps the opposite happened. It seems a classic case of on-site industrial espionage.
Whether this example is common practice, I do not know. Is the story on Huawei and the spy element in their product strange? And what about the pre-infected computers case, where Microsoft decided to take out the malware's hosting company? Is this as far out as it may seem at first read? Of course conspiracy theories are always fun to read and I'm not one to take them seriously on the whole. I can fully understand Huawei saying it will never support spying through its products; even that the spokesperson is telling the truth, but who guarantees that it happens without management knowing? Australia appears to be banning the company. But is this specific case sufficient when we consider cyber security? Let's take take the high road of conspiracy thinking here.
The first time I heard of pre-infected devices was through a presentation at a workshop or seminar, when someone reported on a specific brand of an iphoto device that infected computers on connections. This was later explained that an old stand alone computer, infected, tested the devices and infected them before leaving the factory in China. The virus was old and out of fashion. This was the element that surprised the researchers as they discovered and researched the case.
In his book 'McMafia', British journalist Misha Glenny already made a short reference to corruption in production processes in China giving criminals access to plants. This way computers were infected for a, mind, twisted commercial approach, not governmental. Low wages are a sure road towards (the temptation to) corruption.
Richard Clarke in his book on 'Cyber war' wrote that China had infiltrated the whole US smart grid with digital bombs in strategic places.
Next to these examples, espionage through the net, connected to servers in China is reported on regularly (and probably more often kept quiet or plainly not noticed). In short, it is not as if nothing has happened since 2000.
Production in China
In the past decade all major western computer device companies decided to shift their production (in part or whole) to China. Lower wages and (perhaps) resulting in lower prices. It's solely for economic reasons these choices were made. So let us make a hypothetical assumption here.
Bring your own device (BYOD)
Devices became more and more popular in the past ten years. Bring your own device is a novelty security officers are forced into, not knowing anything about the security implications of connecting any device to networks holding the data that is most sacred to your organisation. Whether it's production, administration, research and development, policy, privacy sensitive data, etc., each is meant to stay within your network. And here come all these products "made in China", able to connect to the most sensitive places within your network. Did you ever give a thought to this, as with BYOD no one negotiated with anyone from China? It's just some device from a shop or an operator as part of a private contract. In the Australian Huawei case this is different as negotiations would go with Huawei itself.
Negotiations on desk and laptops
Off course computers and laptops were in place long before devices ever came up. And you change them every three years or so. But has the place of production ever entered a negotiation? Did negotiating checks on inner security ever take place during purchasing a product? I very much doubt it. Should it? I leave this up to you, but I'd say yes.
As an interesting aside. Did you ever bother to read the "contract" you enter into with apps? Do you really know what "is allowed to look through your messages" means. Or "has access to your address book"? Why should "they", whoever "they" are, and what does this company do with your data? The app is privately installed on the device that is subsequently connected to your organisation's network. Who knows what sort of info leaks this way. The most simple ones: telephone and email addresses. How about content? Documents attached? Passwords? I'm just guessing here, but doesn't this scare you?
We have some examples in the recent past of espionage. So even if nothing is happening, the temptation to do so is gigantic. I've read at some stage that the military in China is one of the biggest investors and that many companies are joint-ventures. To be honest I do not see a reason to doubt that the Chinese government is active just in this way. They do so economically, so why not strategically, if they have these easy ways to do so? I probably would if I was in its shoes. Hence, for the sake of this blog post let us proceed with the hypothesis: China uses production facilities within its country for espionage. So supposing this to be true, what does this tell governments, industry, associations, etc. in the rest of the world?
What do organisations need to contemplate before buying hard and software and before devices, (whether or not) made in China, are allowed to connect to networks. What choices do they need to make before they buy, rent or hire internet or telephony related systems?
These are questions those responsible need to address, just as cyber security is of such importance that it has to be prioritized on agendas. My best guess is that imagining what could happen in a worst case scenario helps to take measures and write protocols to follow. Yes, and I wrote this several times before, this costs money, but Coca Cola losing its secret recipe through infiltrated system costs multi fold the costs of cyber security and it is the same when you lose your crown jewels, negotiation angle, price offer or policy.
By the way. The same questions should be asked before entering the cloud. Does an organisation want to enter the cloud just because it saves some money? How much does it stand to lose when it does so unthinkingly? Let me remind you of the story I started with.
(If I lived in China, I could write this same story about CIA or NSA involvement in Microsoft and Google, I suppose, if I wanted to write on conspiracies there. And it does not matter to cyber security whether it is espionage or criminality causing the infections. Both are dangerous to organisations and private persons.)
Think and decide knowingly before acting
Some things are irreversible. The digitization of society, production in China, the love of devices. This does not mean that everything has to change just because we can or because the manager brings his new iPhone 5 to the business. It's never the bell boy who shows up first. I repeat: Don't change because it's technically possible!!!
To seriously work on cyber security, an organisation's management and cyber security staff have to agree on the safest way(s) to change and implement. From now on this should never go on the spur of the moment again. There have been enough warnings I'd say. So decide on what to check before and during negotiations as well as the implementation, have protocols in place and stick to them and remember that what you can think of beforehand, is probably already happening. These are some important spin-off self goals, to paraphrase Suresh's title. Awareness starts right here.
|Cybersquatting||Policy & Regulation|
|DNS Security||Registry Services|
|IP Addressing||White Space|
Minds + Machines