U.S. Blames China’s Military Directly for Cyberattacks

New York Times – U.S. Blames China’s Military Directly for Cyberattacks:

The Obama administration on Monday explicitly accused China’s military of mounting attacks on American government computer systems and defense contractors, saying one motive could be to map “military capabilities that could be exploited during a crisis.”

From the report itself:

In 2012, numerous computer systems around the world, including those owned by the U.S. government, continued to be targeted for intrusions, some of which appear to be attributable directly to the Chinese government and military. These intrusions were focused on exfiltrating information. China is using its computer network exploitation (CNE) capability to support intelligence collection against the U.S. diplomatic, economic, and defense industrial base sectors that support U.S. national defense programs.

Cyber-espionage protections in HR933

Someone snuck some pretty serious restrictions on government purchases of IT from Chinese-owned companies into the recently-approved continuing resolution. (Specifically: HR933, Division B, Title V, Sec. 516.)

Sec. 516. (a) None of the funds appropriated or otherwise made available under this Act may be used by the Departments of Commerce and Justice, the National Aeronautics and Space Administration, or the National Science Foundation to acquire an information technology system unless the head of the entity involved, in consultation with the Federal Bureau of Investigation or other appropriate Federal entity, has made an assessment of any associated risk of cyber-espionage or sabotage associated with the acquisition of such system, including any risk associated with such system being produced, manufactured or assembled by one or more entities that are owned, directed or subsidized by the People’s Republic of China.

(b) None of the funds appropriated or otherwise made available under this Act may be used to acquire an information technology system described in an assessment required by subsection (a) and produced, manufactured or assembled by one or more entities that are owned, directed or subsidized by the People’s Republic of China unless the head of the assessing entity described in subsection (a) determines, and reports that determination to the Committees on Appropriations of the House of Representatives and the Senate, that the acquisition of such system is in the national interest of the United States.

My questions: Why does this only apply to Commerce, Justice, NASA, and NSF? What will the real impact be? Does this only apply to big-A Acquisition programs, or will it impact procurement?

I’m surprised this hasn’t gotten more publicity. I’m going to be very interested to follow how these restrictions are implemented.

Further reading:
U.S. law to restrict government purchases of Chinese IT equipment
Congress Bulls Into China’s Shop
New U.S. Cyber-Security Law May Hinder Lenovo’s Sales Growth

Resilient Military Systems and the Advanced Cyber Threat

The DOD Defense Science Board has just released a task force report, Resilient Military Systems and the Advanced Cyber Threat, and it’s been getting a lot of attention.

From the report:

  • The cyber threat is serious, with potential consequences similar in some ways to the nuclear threat of the Cold War
  • The cyber threat is also insidious, enabling adversaries to access vast new channels of intelligence about critical U.S. enablers (operational and technical; military and industrial) that can threaten our national and economic security
  • Current DoD actions, though numerous, are fragmented. Thus, DoD is not prepared to defend against this threat
  • DoD red teams, using cyber attack tools which can be downloaded from the Internet, are very successful at defeating our systems
  • U.S. networks are built on inherently insecure architectures with increasing use of foreign-built components
  • U.S. intelligence against peer threats targeting DoD systems is inadequate
  • With present capabilities and technology it is not possible to defend with confidence against the most sophisticated cyber attacks
  • It will take years for the Department to build an effective response to the cyber threat to include elements of deterrence, mission assurance and offensive cyber capabilities.

Serious stuff.

Protection of Mission Critical Functions to Achieve Trusted Systems and Networks

On November 5, DoD approved/released DoD Instruction 5200.44, Protection of Mission Critical Functions to Achieve Trusted Systems and Networks (TSN). The memo “Establishes policy and assigns responsibilities to minimize the risk that DoD’s warfighting mission capability will be impaired due to vulnerabilities in system design or sabotage or subversion of a system’s mission critical functions or critical components, as defined in this Instruction, by foreign intelligence, terrorists, or other hostile elements.”

This policy memo may look like the most boring thing ever, but it’s actually pretty exciting for my work. DoD has been blazing the trail for US Government supply chain risk management (at least, that’s what GAO says), but the high-level policies are still being developed. The memo formalizes a large part of DoD’s supply chain risk management program.

Congressional Report on Huawei and ZTE

From the House Permanent Select Committee on Intelligence report, Investigative Report on the U.S. National Security Issues Posed by Chinese Telecommunications Companies Huawei and ZTE:

I. The threat posed to U.S. national-security interests by vulnerabilities in the telecommunications supply chain is an increasing priority given the country’s reliance on interdependent critical infrastructure systems; the range of threats these systems face; the rise in cyber espionage; and the growing dependence all consumers have on a small group of equipment providers.

A. China has the means, opportunity, and motive to use telecommunications companies for malicious purposes.

B. Suggested “mitigation measures” cannot fully address the threat posed by Chinese telecommunications companies providing equipment and services to United States critical infrastructure.

The full report is actually a pretty good read.