No, they did not ask me to do a keynote (isn't the security blogger hall of fame better, though?), but here is what I would say. And hey, you are getting it before the conference even starts, and you don't even have to get on a plane to hear it.
Let's start with some historical perspective: all countries do it, especially emerging countries, including, especially, the US. China did not invent industrial espionage.
After a decade spent warning people about credit card use, the infosec industry is now atwitter about intellectual property. For the most part that is good: after all these years, the infosec industry is finally starting to get closer to protecting strategic assets.
Let's put some context around protecting IP. For the most part, IP by itself has limited utility. Don't believe me? Go ahead and buy some black market pharma products. Go on now, I will wait; check your spam folder, where for 10 cents on the dollar you can buy some version of your favorite pharma product. No? You're not? There is a lesson here.
(Internet "Percocet" via Pakistan photo courtesy Marcus Ranum)
IP does not equal the ability to capitalize on what you know. For that you need market access, not just IP. Linus Torvalds came to the US from Finland, Bjarne Stroustrup from Denmark, and Guido van Rossum from the Netherlands. Did they come for the world's greatest healthcare? Not so much. To make their ideas into reality, it just worked better to be closer to a hub. That, more than any piece of IP, is the killer advantage, the strategic asset. Probably the main reason it works so well is that it's an open system.
Marketplaces make the rules. The US, as the largest marketplace, is used to dictating the terms of agreements with other economies, but as China is now the second largest and growing faster than the US, there are changes. How worrisome are industrial espionage actions? Worrisome, but it's a well-worn path to building a competitive economy, one the US trod itself when we stole everything that was not nailed down from the Brits. To me, the emergence of market economies in places like China, India, Indonesia, Vietnam, Mexico, Cambodia, and Brazil is a huge net plus for the world as a whole, second only to (and coincidentally related to) the growth of the Web. For billions of people to progress from starving to a global middle-class lifestyle is an amazing thing to see. That does not mean that, as an incumbent, we should just take industrial espionage and all, but we should put the achievements in the context they deserve.
The math is pretty simple: $400B in imports to the US, $100B in exports to China. They are a core part of the US economic engine and we are of theirs. No China, no iPhone. No iPhone, no China jobs. Military conflict is win-lose, but economic competition is often win-win. IP theft needs to be addressed, but it's not the largest danger. Much of that activity arises from movement toward a market-based economy. Sure it's competitive, but they are playing the same game. However, actors outside the system have the potential to disrupt things in a different way, because they are not playing the same game. Consider 2008, when the Russians approached China about dumping shares of Fannie Mae and Freddie Mac; this would have effectively shut down the US marketplace. From a Russian viewpoint it makes sense: they want the price of oil to be high, and beyond that they are not trading with the US, so why not? Why did China demur then? It's a totally different equation from Beijing's point of view: why shut down your biggest customer? Especially when they already owe you over a trillion dollars?
Still, as the Chinese official said to Hank Paulson in Beijing in 2008, "your debt is a tremendous vulnerability." Don't tell that to the Pentagon, though! There are weapons systems to build, and to do that you need a threat. In the face of both history and common sense, the DoD does not recognize any strategic vulnerability arising from the US piling up the largest amount of debt the world has ever seen; the fact that much of the debt is owned by China does not seem to register either. As Erskine Bowles puts it, the Defense Department's number one objective is to defend Taiwan from China, and they are going to do that with weapons paid for by borrowing money from China.
It looks like a sideshow and boondoggle to me. The world as a whole is richer and better off with more and stronger marketplaces. Marketplaces and marketplace rules should be defended. From a longer-term security perspective, our balance sheet must improve and our education system must improve, or we won't have a marketplace to defend. Instead we obsess on the short term; there's a trend here.
We have spent 15 years saying that security is about risk management. What we are seeing with IP theft is the output of those risk management decisions. The business side decided to take on some risk by essentially connecting everything to everything else. The security side delivered what controls they could. In short, it did not work.
The trade secrets and IP are guarded by the digital equivalent of tissue paper and fig leaves (fig leaves are for audit purposes). This is not news, this was the plan all along. Take the short term gains of new functionality and deal with the back end consequences later. Well, here we are.
One of the main drivers of the 2008 financial crisis was actors highly incentivized to book short term profits, delegating the long term effects of those decisions to "risk management." What we got was umbrellas that worked right up until the time it rained. Financial collapse. What we see in infosec with budgets laden with infrastructure security spending and "backstopped" by risk management is information security that works until you attack it.
So people are now concerned with IP theft, and we are told how hard it is to protect. A good question: has anyone even tried? As an industry, the lion's share of the budget goes into protecting networks and hosts. Excuse me, but I don't think your desktop machines and networks are the IP. The reasons security people defend there are 1) they come from an infrastructure background and 2) it's easier. Problem is, neither of those protects the asset.
I do not blame infosec for the current state of affairs; it's been an underfunded and under-mandated operation since its inception. I do think infosec habitually misallocates the resources it has. So if you are really, after all these years, finally concerned with protecting information instead of firewall ports, then try protecting data, apps, and identity. That is your IP.
This blog entry should be posted far and wide; it is a VERY realistic view of our current (wretched) security status, and how we got here!
Posted by: Brian Snow | February 26, 2013 at 06:53 PM