During a recent off-the-record meeting, a senior government official warned that cyber attacks on the United States in 2013 will be worse than they were in 2012, a year during which they reached a peak. (Participants were free to use what they were told, but not to disclose the names or venue.)
Representatives of private corporations in the audience were told that there is not one whose computers have not been hacked. The official appealed to self-interest (“you spend scores of millions on brand ‘D’ and someone else brings it to the market at a fraction of the cost, after stealing the fruits of your studies”), communitarian concerns (“don’t let your computers be used as a basis for attacking others”), and patriotism (“our systems are only one-third secure”). He pointed out that beyond stealing trade and defense secrets, computer hackers destroyed the data on Saudi Aramco’s computers, and warned that they could easily bring down our infrastructure, from the electrical grid to banking.
Asked about counterattacks, he allowed that we live in a house of glass, and that it does us little good to throw a rock at someone whose house has a small window. (Translation: there is little to steal in China). He urged people to read The Basics of Hacking and Penetration Testing by Patrick Engebretson and share it with their CEOs.
What struck a chord more than anything the official stated was his tone and approach. It was a long way from a powerful, controlling, overwhelming government; he was requesting, even pleading, for cooperation and mere information. If a corporation would just let us know when it has been attacked, he allowed, it would help a great deal. But the private sector all too often is not playing ball. It fears that if it discloses its vulnerabilities, this would damage its bottom line and may even subject it to liability suits. And major segments of the private sector continue to resist cybersecurity measures on the grounds that they entail government interference in the private sector and constitute “costly regulation” (in the words of the U.S. Chamber of Commerce).
After a year of study, the House Intelligence Committee recently concluded that the Chinese companies Huawei and ZTE, both major producers of telecommunications equipment that seek to enter the U.S. market, pose a major security threat to the United States. Their tools could be readily used by China to spy on Americans through technological “backdoors,” and even to disrupt many essential services on which the American economy relies. Huawei’s activities have come under particular scrutiny: its activity on the global market has already been inhibited by the governments of Australia and India, which cited similar national-security concerns. In the words of Mike Rogers, chairman of the House Permanent Select Committee on Intelligence, “if you care about your intellectual property, if you care about your consumers' privacy, and you care about the national security of the United States of America,” and if you “are looking at [buying from] Huawei, I would find another vendor.”
The recent inquiry by the House Intelligence Committee found that immigration violations, corruption and the use of pirated software were part of Huawei’s “pattern and practice.” The House committee “received internal Huawei documentation from former Huawei employees showing that Huawei provides special network services to an entity the employee believes to be an elite cyber-warfare unit within the PLA (People’s Liberation Army).”