James A. Lewis on Five Myths about Chinese Hackers hits key points, starting with point 1:
Trying to cram Chinese hackers into antiquated cold war formulas doesn’t help, either. America’s relationship with China is very different from the one it had with the Soviet Union, in which contacts were extremely limited and there was no economic interdependence. The idea of “containment” for China is inane. How would you “contain” a major economic partner?
Any security discussion that glosses over the economics is just armchair-general foofaraw.
Point 4 (emphasis added):
Even when China steals intellectual property, it can take years to turn it into a competitive advantage. The right technical skills and manufacturing base are needed to turn advanced designs into high-end competitive products. China is still lagging in many high-tech arenas, such as semiconductors.
The one area where this is not true is military technology. Chinese espionage has led to rapid improvements in that country’s stealth, submarine-quieting, nuclear weapons and sensor technologies. While the economic risk from cyber-espionage is generally overstated, the United States has probably underestimated the damage to its lead in military technology.
His conclusion should be reflected on. If James Lewis is right, then much of what is bandied about in DC as a solution for cyber smacks of Alice in Wonderland. Consider that we are routinely told that the public sector will ride to the rescue of the Internet. But where did DC's imprimatur of divine security expertise come from?
There is no area that I can think of where we automatically assume higher-quality products and services simply because the government is doing it. But for some reason we automatically think they will improve and solve cyber? Make no mistake, I am not a government hater, by the way; they can do things very well. The CDC is a great example, and there are plenty more. What bothers me is the a priori assumption that government involvement automatically makes cyber problems go away.
I don't see it. I don't see that they know OS, apps, or data security better than IBM, Microsoft et al. If you agree with James Lewis' conclusion, the public sector generally lags the private sector in coping with threats. Again, I am not saying that it's impossible for the government to add value, just that it's not a given.
When Macondo blew up and BP was leaking oil into the Gulf, the Navy charged in. Finally, we thought, a group that knows how to operate a mile below the ocean surface. Except they didn't know how to repair oil rigs. I am not sure cyber is all that much different from deepwater drilling. Security knowledge is necessary but not sufficient. Security knowledge helps, but domain-specific knowledge is what makes it useful.
One thing government tends to be pretty good at is keeping secrets. They have decades of experience building IT systems which prioritize confidentiality, sometimes to the detriment of function.
There are two problems inherent in applying that knowledge. Firstly, outside of government a much greater emphasis is rightly placed on benefits rather than downside risks, and much of government security expertise struggles to really factor in the upsides of risk. Secondly, the decades of experience in domain-based security have resulted in an infrastructure and even a language that is hard to transfer to the flatter, more open business world.
There are things business could learn from government, such as more rigorous approaches to assurance and domain-based architectures, but the transfer of that knowledge from govt to business is fraught with misunderstanding and a lack of a common frame of reference.
Posted by: Phil | June 06, 2013 at 11:15 AM