Tags: Chris Mark, corporate espionage, cyberespionage, cybersecurity, Dupont, InfoSec, mark consulting group, San Francisco Chronicle, security
Many mistakenly believe that only “high tech” secrets and intellectual property are targets for intellectual property theft. In a clear example of how any proprietary secret can be considered a target, a scientist (Tse Chao) who worked for DuPont from 1966-2002 (36 years!) pleaded guilty in Federal court on Thursday to committing espionage for a company controlled by the Chinese government. Mr. Chao testified that he provided confidential information to the Chinese-controlled Pangang Group. What did he steal? Among other things, the recipe for DuPont’s Titanium Dioxide. What is TD used in? Titanium Dioxide is the ingredient that makes many white products white: products such as paint, toothpaste, and Oreo cookie filling! Stealing the ingredients to Oreos shows just how low cyberthieves will go! According to court documents: “DuPont’s chlorine-based process was eagerly sought by China, which used a less efficient and more environmentally harmful production method.”
I have worked with a number of large companies who, when asked why they did not protect trade secrets, replied that they did not believe their industry or type of product was of interest. Make no mistake. If your company has a unique process, technology, or product, it IS of interest to many companies. Unfortunately, the US Government has released reports that state that China is sponsoring much of the cyber espionage directed at the US and Europe.
Asymmetric Warfare 101
July 21, 2015. Posted by Chris Mark in Risk & Risk Management, weapons and tactics.
Tags: asymmetric threats, asymmetric warfare, Chris Mark, guerrilla warfare, mark consulting group, risk management, security
With the current state of affairs I thought it appropriate to ‘republish’ this blog post from 2012. You can also read the article from Secure Payments Magazine on the same topic applied to InfoSec.
Asymmetric Warfare can be described as the strategy of using weapons, tactics, and methods to render moot the asymmetry that exists between two adversaries. Consider the US Military for a moment. Since the end of World War II, which is arguably the start of US hegemony, the United States has fielded what many believe is the most powerful conventional military in the history of the world (or at least the modern world). In spite of this fact, the US (and her allies) have struggled in conflicts in Vietnam, Somalia, and most recently in Iraq and Afghanistan. In each of these theaters it was groups of lesser-trained, relatively ill-equipped insurgents that created significant challenges to the US military. By applying guerrilla tactics, and employing IEDs and other technologies, the adversaries were able to balance the perceived asymmetry between the might of the US and their own capabilities.
The US is not alone in this dubious distinction of struggling with conventionally weaker adversaries. The Soviet Union was defeated in Afghanistan in the 1980s, and a much weaker France, led by Napoleon, defeated the powerful Prussian Military. France, in turn, lost French Indochina with the coup de grâce coming in the surrender at Dien Bien Phu in 1954. If each of these countries were militarily superior to their foes, how did they end up losing their respective wars? These examples outline the effectiveness of asymmetric warfare.
While there exist a number of different definitions of Asymmetric Warfare, in a basic sense it applies to the strategies and tactics employed by a militarily weaker opponent to take advantage of vulnerabilities in the stronger opponent. As an example, few military forces on the planet would face the US military and her allies in open combat either on land or at sea. Doing so would be certain suicide. A look at the Persian Gulf War in 1991 shows the result of taking on the military might of the Western World in open combat. The Battle of Medina Ridge is a prime example. In this battle between the US 2nd Brigade, 1st Armored Division and the Iraqi 2nd Brigade of the 2nd Medina Luminous Division, the US recorded 1 killed and 30 wounded, with 4 tanks damaged. The Iraqis, meanwhile, reported “heavy manpower losses,” along with 186 tanks and 127 Armored Fighting Vehicles destroyed.
If a militarily inferior opponent cannot face the US or Western powers in open combat, how do they fight? It is fair to say the days of Mahanian sea battles are behind us. Quite simply, they employ strategies that render the superior military might irrelevant or at least less relevant. Guerrilla warfare is an example of an asymmetric strategy against a militarily superior foe. As stated in the military classic “On Guerrilla Warfare” by Mao Tse-Tung:
“At one end of the spectrum, ranks of electronic boxes buried deep in the earth hungrily spew out endless tapes. Scientists and engineers confer in air conditioned offices; missiles are checked by intense men who move about them silently, almost reverently….in forty minutes the countdown begins.
At the other end of the spectrum, a tired man wearing a greasy felt hat, a tattered shirt, and soiled shorts is seated, his back against a tree. Barrel pressed between his knees, butt resting on the moist earth between his sandaled feet, is a Browning automatic rifle… Draped around his neck, a sausage-like cloth tube with three days’ supply of rice… In forty minutes his group of fifteen men will occupy a previously prepared ambush.”
This is warfare today. Unfortunately, the US and her allies have learned that technology alone cannot win a war against a determined, creative enemy.
As discussed earlier, the concept of Asymmetric Warfare is a field of some debate. When applying the concept to business, and specifically to the Information Security arena, it is more appropriate to apply the concept of Asymmetric Threats posited by C.A. Primmerman. Without going through too much of the math, and modifying Primmerman’s original theory, we can state that a threat can be expressed using the following two statements:
1. Adversary A could & would attack Adversary B by doing X.
2. Adversary B could & would respond to Adversary A by doing X.
Now we have the simple conclusion that statement (1) represents an asymmetric action if statement (2) is false, and it represents a symmetric action if statement (2) is true.
As an example of this concept working in practice, consider the following:
1a. Adversary A would attack Adversary B by using terror tactics against the civilian population.
2a. Adversary B would respond to Adversary A by using terror tactics against the civilian population.
If statement 2a is false then the threat in 1a is asymmetric.
According to Primmerman, an Asymmetric Threat must meet three criteria. These have been modified for our purposes and include:
- It must involve a weapon, tactic, or strategy that the adversary both could and would use against another adversary.
- It must involve a weapon, tactic, or strategy that would not or could not be employed by one adversary.
- It must involve a weapon, tactic, or strategy that, if not countered, could have serious consequences.
If a threat meets these three criteria, it would be considered asymmetric.
As any student of military strategy can attest, being in a purely defensive mode is a losing proposition. Unfortunately, in many instances asymmetric threats place one adversary in an almost purely defensive position. One of my favorite quotes that appears appropriately relevant now is by Julius Caesar:
“There is no fate worse than being continuously under guard, for it means you are always afraid.”
While this is not intended to be a comprehensive discussion of Asymmetric Threats, the basic concepts are relevant in today’s world.
“SpyGames” – Global Cyber Espionage Ring Discovered
January 15, 2013. Posted by Chris Mark in Uncategorized.
Tags: Chris Mark, cyberespionage, information security, InfoSec, Kaspersky, mark consulting group, Stuxnet
In an article published today in RT Magazine, it was disclosed that Russia’s Kaspersky Lab recently uncovered “a sophisticated cyber-espionage network targeting the world’s diplomatic, government and research agencies, as well as gas and oil industries…” “The majority of infections are actually from the embassies of ex-USSR country members located in various regions such as Western Europe and even in North America – in the US we have few infections as well. But most infections are concentrated around Russia,” Vitaly Kamluk, chief malware expert at Kaspersky Lab, told RT, adding that in Europe, the hardest-hit countries are apparently Belgium and Switzerland. Kaspersky is also the company that identified Stuxnet, Flame, and Duqu malware.
According to the article: “The hackers’ primary objective is to gather information and documents that could compromise the security of governments, corporations or other organizations and agencies. In addition to focusing on diplomatic and governmental agencies around the world, the hackers also attacked energy and nuclear groups, and trade and aerospace targets.”
In August 2012, I published an article in The Counter Terrorist Magazine titled: “The Rise of CyberEspionage” which outlines the international efforts to steal data from Western nations. Unfortunately, while many companies are busy trying to protect NPI, PII, etc., advanced efforts are being undertaken to steal their intellectual property. Stay tuned for a February 2013 article in The Counter Terrorist, as well!
Offensive Cyber Attacks – A Dangerous Proposition
December 8, 2012. Posted by Chris Mark in Uncategorized.
Tags: Chris Mark, cyber attaks, cybercrime, cybersecurity, deterrence, failed state of security, homeland security, jim cilluffo, mark consulting group, security
Let me preface this by saying I have been outspoken about passive cyber defensive strategies and their failure. You can read my paper: “Failed State of Security” to learn more. On that note, Fox News had a story today that had me scratching my head. The recommendations were pedestrian at best, and dangerous in the most severe cases. In short, the article suggests that companies should take a more ‘offensive approach’ to preventing cyber attacks. Some of the recommendations include:
“Misinformation campaigns” such as planting fake documents and data for criminals to steal. As stated in the article: “One such strategy involves creating a disinformation campaign by distributing fake documents throughout a company’s own network to confuse and potentially misguide potential adversaries.” Companies today have a difficult time managing their own ‘real’ documents. This approach is inefficient, and bound to cause confusion among employees. How do you differentiate between the “real” and the “fake” internally?
Jim Cilluffo, Director of George Washington University’s Homeland Security Policy Institute, stated in front of Congress: “We should provide opportunities and responsibilities to the private sector to hack back.” REALLY? Vigilante justice is being proposed by a Director of a major university’s homeland security institute? We are going to trust commercial entities to use the authority to ‘hack back’ judiciously? What about when they hack into a competitor and claim they were being hacked? What if a company hacks into a personal computer and the person decides to exact revenge on their employees for the act by escalating the issue to violence? Many of these ‘cyber criminals’ are associated with organized crime. These are not the types of groups you generally want to attack. This ‘mall cop’ mentality has no place in corporate America.
More disturbing is the correlation drawn between vigilante justice and bank robberies. “If someone were to rob a bank today, doesn’t the bank have a responsibility to protect its customers and employees from someone armed? They don’t simply wait until someone shoots innocent victims,” said Frank Cilluffo, director of George Washington University’s Homeland Security Policy Institute. The difference is stark. A person walking into a bank with a weapon is a ‘clear and present danger’ to people’s safety. A company being hacked may be angry, offended, insulted, etc., but the hacker is not endangering a person’s safety in the same way a person with a gun would be.
While an executive order from the White House could be forthcoming, Cilluffo said legislation from Congress would be far more helpful and could even indemnify companies from lawsuits.
“We need to have these conversations because the current approach is doomed for failure. We’re losing too much,” said Cilluffo.
Autocracy, Anocracy, & Democracy – “Verbal Masterba(bleep!)…”
November 15, 2012. Posted by Chris Mark in Laws and Legislation, Politics.
Tags: anocracy, autocracy, Chris Mark, democracy, Dr. Heather Mark, facebook, mark consulting group, politics
Election season in the US is always interesting. Passions run high and people are quick to proclaim their positions on government and politics. Unfortunately, as many will likely agree, election season also gives voice to many who should probably remain silent.
Recently I was taken to task on Facebook and lectured on the concept of governance and democracy by a particularly obtuse and offensive individual. When I attempted to explain that democracy should NOT be considered a strictly binary proposition and that the US was indeed a democracy, his attacks became personal and I was accused of (among other things) “verbal masturbation”. According to this master of the English language: “Most folks like me would call your ideas verbal masturbation. They sound good from the outside but are really kinda stupid”…he actually wrote: “Kinda”…somehow this person drew a line between my comments on democracy and his belief that the federal government would force parents to stand by while their 12-year-old daughters got abortions without consent. I am at a loss as to the logic… But…I digress. Back to democracy!
To understand governance and democracy it is important to understand the concepts. One great resource is the Polity IV project. Democracy, while seemingly simple, can be quite a difficult concept to explain, especially when considering the many different governments in the world. The Polity project attempts to quantify and qualify governance, coding governments based upon where they fall between autocracy and democracy.
First…let’s understand democracy. Wikipedia states that Democracy:
“… is a form of government in which all eligible citizens have an equal say in the decisions that affect their lives. Democracy allows eligible citizens to participate equally—either directly or through elected representatives—in the proposal, development, and creation of laws. It encompasses social, economic and cultural conditions that enable the free and equal practice of political self-determination.”
At its core, democracy is the principle of government by the people. So why the confusion and what is the relevance of the Polity IV study? Good questions!
Democracy, as described by the Polity study, is defined by three factors. Each democratic government may implement these in different ways. Democracy requires the “…existence of Processes and Institutions through which citizens can 1) affect their government 2) constrain the power exercised by the executive and 3) guarantee civil liberties.” (BTW: You can read this in Dr. Heather Mark’s Dissertation found here.)
There are numerous forms and styles of democratic governments. There are direct democracies in which citizens take part in the process directly. There are representative democracies (like the US) where the citizens vote for representatives who then represent the interests of their constituents. Each of these general types of government then has sub-types. The US is a Presidential Republic, the UK is a Parliamentary Republic, and so on. It is much like dogs. All Rottweilers are dogs but not all dogs are Rottweilers. So is a Poodle more of a dog than a German Shepherd? It is this type of question that the Polity study addresses. The Polity study ranks each form of government based upon the ‘democratization’ of the government. Countries can be more autocratic or more democratic. All governments will find themselves somewhere on the spectrum. Governments with a score of +6 to +10 are counted as democracies, with the higher scores representing more democratic governments. A perfect 10 is reserved for those that are absolutely democratic. Those that range from -5 to +5 are considered Anocracies. As Polity states: “Anocracies are a middling category rather than a distinct form of governance. They are countries whose governments are neither fully democratic nor fully autocratic but, rather, combine an, often, incoherent mix of democratic and autocratic traits and practices.” Those with a score of -6 to -10 are Autocratic, with -10 representing complete autocracy.
All governments will fall somewhere in the spectrum. Simply because the United States is a Presidential Republic does NOT mean we are NOT a democracy any more than the ugly dog down the street is NOT a dog because it does not look like my rugged, handsome, purebred Rottweiler (he is good looking but not very smart, sad to say…and still pees in the house!). While the US system of democracy is implemented one way, the UK system is implemented another way. There are benefits and drawbacks to each but each IS a democratic system of government.