"Every major company in the United States has already been penetrated by China."
That's the claim being made by Richard A. Clarke, the former top US government counterterrorism official at the White House, in a long interview about cyber security (or lack thereof) in the April issue of Smithsonian magazine. In the interview, Clarke goes on to say that:
"My greatest fear is that, rather than having a cyber-Pearl Harbor event, we will instead have this death of a thousand cuts. Where we lose our competitiveness by having all of our research and development stolen by the Chinese. And we never really see the single event that makes us do something about it. That it’s always just below our pain threshold. That company after company in the United States spends millions, hundreds of millions, in some cases billions of dollars on R&D and that information goes free to China.... After a while you can't compete."
Clarke admits that many people will view his statements as alarmist (and I expect the Chinese government to dismiss them, as it usually does with such charges), but the Federal Bureau of Investigation's top cyber official gives at least some credence to Clarke's claim. According to a story today in the Wall Street Journal, Shawn Henry, the executive assistant director of the FBI's Criminal, Cyber, Response, and Services Branch, says that the current IT security approaches used to protect against hackers are a non-winning strategy.
Henry told the WSJ that companies will have to change how they assess and manage the risks involved in employing computer networks if they want to avoid damaging the economy as well as national security.
"I don't see how we ever come out of this without changes in technology or changes in behavior, because with the status quo, it's an unsustainable model. Unsustainable in that you never get ahead, never become secure, never have a reasonable expectation of privacy or security."
(I find the last phrase about having a reasonable expectation of privacy or security interesting. Other government officials involved in IT security have basically said that privacy must be sacrificed for security, so a person shouldn't expect to have any.)
In addition, Henry said that the FBI regularly surprises companies by finding data that they didn't even know had been stolen.
"We have found their data in the middle of other investigations. They are shocked and, in many cases, they've been breached for many months, in some cases years, which means that an adversary had full visibility into everything occurring on that network, potentially."
Henry says that, in addition to increasing their network security, companies need to keep sensitive information off their networks altogether, which many companies will surely resist. But if they don't, Henry says, they risk having their intellectual property stolen. He said that one company (which he wouldn't identify) had 10 years of its R&D, worth more than US $1 billion, stolen by hackers.
You can watch (and read) an FBI-posted interview with Shawn Henry (who is leaving the FBI after 20 years).
Furthermore, there are many ways to penetrate company and government IT systems. One such way is to corrupt the IT supply chain with hardware and software that contain malware. The Government Accountability Office's report (pdf) says that few U.S. government agencies (or companies, for that matter) are rigorously checking their IT supply chain for cyber threats (mostly because they are overwhelmed fighting off network hackers).
"These threats can be introduced by exploiting vulnerabilities that could exist at multiple points in the supply chain. Examples of such vulnerabilities include acquisition of products or parts from unauthorized distributors; application of untested updates and software patches; acquisition of equipment, software, or services from suppliers without knowledge of their past performance or corporate structure; and use of insecure delivery or storage mechanisms."
The U.S. isn't the only one concerned about this attack vector, either. According to a story in today's The Australian, the Labor government banned the Chinese telecommunication company Huawei as a contractor on the construction of the new $36 billion National Broadband Network (NBN) because of suspected links to the Chinese People's Liberation Army (PLA). According to the paper, Australian government intelligence agencies had "credible evidence" that Huawei was connected to the PLA, a charge that Huawei has repeatedly denied.
The Chinese government is very unhappy about the NBN ban, calling it obstructionist and discriminatory.
Huawei is, however, a major supplier for British Telecom in its effort to roll out a new fiber-optic network to most of the UK by 2015. To allay security fears, its hardware and software are being thoroughly vetted by British security specialists before they are allowed to be used in the network.
A story in the Chicago Tribune says that Huawei is offering the Australian government the same access to its hardware and software products as it has in the BT effort. It is unclear whether the offer will change the Australian government's mind much.
The Tribune also notes that the company "has been blocked from deals in the United States due to national security concerns and allegations it violated sanctions by supplying Iran with censorship equipment."
I don't see the U.S. government stance changing anytime soon.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.