Dan Goodin at Ars Technica describes an attack, confirmed by the Israelis, that was made on the Israeli electric grid. Similar attacks were launched against cities last month in the Ukraine [ see Http://www.cbc.ca/news/technology/ukraine-cyberattack-1.3398492 ]. The Ukraine attacks were carried out by Russians. The Israeli attacks have not been pinned down yet, but will probably turn out to be Iran. Russia and Iran have been friends in Syria and elsewhere for a while now and seem to be heading in the same direction in cyber attacks. This creates a problem for anyone trying to retaliate against them. The Israelis will retaliate. Whether they should attack the seller of this kind of attack, or the buyer of it, is another matter.
Several analysts have the code used in these attacks. The Israelis wouldn't have announced the attack until they had dealt with it and had it under control. This is not a trivial matter, since it is required to figure out who to attack. This is one of those things that requires "in kind" retribution, something the Israelis are good at.
Code analysis is not an exact science, given all the code that is used and sold around the world. It could be made in Russia and sold by Chinese to someone in Iran. It might be specifically customized to target the systems used in Israel. Country of origin is important, but not essential. They want to know the country that deployed it. That country may, as the Russians and Chinese do, hire a third party to do the work, either a non-government entity or the government of another country.
Preparing a cyber attack is not a simple process, since they would want to limit damage to the attacker. They don't want to attack Iran and have the effects felt in Germany where some of the new Iranian networks terminate. That takes time too. While we are thinking about it, maybe the time is right to make some preparations for ourselves.
Friday, January 29, 2016
Wednesday, January 27, 2016
China Needs Unstable North Korea
There are a few articles like this one, by Matthew Lee and Christopher Bodeen, US, China Spar Over North Korea, South China Sea http://abcnews.go.com/International/wireStory/us-china-spar-north-korea-south-china-sea-36541614 that describe the tension between the United States and its allies in the area around the South China Sea. The Chinese have not stopped doing what they said they were going to do there, and there is little consensus on how to stop them. North Korea has a part to play in this, and it is a part that the Chinese need.
China controls North Korea, but says it is like a wayward son, out of control at times and not listening to its parents. That is exactly the image of North Korea that China wants the world to have. It has only been recently that the Obama Administration has tried to correct that image and put pressure on the leadership to do something about the son. This is a kid that runs around the neighborhood killing people and bullying where he can get away with it. The parents let him get away with it.
North Korea openly threatened the United States several times, a threat we take semi-seriously sometimes. They have actually sunk a South Korean ship and fired artillery into disputed South Korean territories. They recently tested another nuclear bomb of some type - and we know they have the delivery mechanisms for that bomb to reach some parts of the US. It really doesn't matter what parts. These are big bombs that will kill hundreds of thousands and do terrific damage. They just have to hit in the neighborhoods of any city. CNN says Iran showed up at the last tests so we get the idea that the kid is bringing in gang members from other neighborhoods and building a base.
The Chinese need North Korea because the blame for these activities falls on them, not China. But, it is China that benefits. It is almost like the kids are building up a gang that terrorizes the surrounding town, while the parents sell security services to the community. We are tired of this, at last. Why did it take so long?
Monday, January 25, 2016
Retail Industry Standards
The Hill is about to engage on the issue of reporting of breaches and another little thing called best practices for groups outside the financial community. Some think this is what it says, "standards" of how certain types of transactions are going to be done in retailers. These are really two separate issues, but they are being considered at the same time, belatedly on both counts. Those who don't develop enforceable standard practices are doomed to have them regulated.
The financial community has been ahead of most retailers for years because banks and financial institutions had most of the monetary transactions in the days before credit cards. People were after money, so they developed a number of techniques to get it for themselves. Each time they, for example, recorded a transaction and played it back to cause a payment the second time, or sliced off a bit of a transaction and put it in a new account, the standards got higher. They exchanged information about the attack vectors on a regular basis. We thought most hackers were insiders making money for themselves. Now, we think more about Chinese, Russian, and Eastern European hackers than insiders. There are sufficient internal audit controls to find more of those insiders, but there wouldn't have been had they not cooperated.
Two groups do not want information sharing about incidents: retailers and software developers, the latter staying in the shadows anytime this debate comes up. They do their back doors through trade groups, slipping away into the night when they are discovered. They are deathly afraid of anyone taking an interest in them because of liability for some of these breaches which they have caused through shoddy development and testing of software. Retailers can establish all the standards they want, but until we hold software vendors' feet to the fire by making them responsible for their products, the vulnerabilities will continue to play into the hands of thieves.
Thursday, January 21, 2016
The PRESS Bullseye
There are two stories today about the press being attacked by the Taliban and ISIS [ Amiri and Stancati, Seven Die in Kabul Car Bomb Targeting TV Network Staff, Wall Street Journal, and O'Donnell, IS Radio Beams Propaganda, Threats Across Rural Afghanistan, Associated Press, both today ]. Both of these groups, by the way, also attack each other. If you are confused by this, you should be. A free press does not benefit either one of them, but what both of these groups have recognized is that a free press can hurt them.
Both of them rely on a good number of donations from Muslim charities and customers for products they sell. People who donate are a lot like political groups that solicit money for a particular candidate. If the candidate goes off the deep end and says, "Kill all non-believers" and the definition of non-believer includes Shia Muslims, you can bet they won't get much money from that source. We had something similar when Donald Trump decided to say he wanted to stop Muslims from coming to the United States until they examined the vetting process being used. The opposition party jumped on that quickly and made it sound like he was against all Muslims coming here. What a free press does is publicize what those people say, both privately and in public, and amplify the message.
Sometimes, groups don't like their message coming back to them. ISIS and the Taliban are not friends to very many people these days, yet seem to stay in business. How that happens is a frequent subject of a free press. They get their operating budgets from a number of people who support them, not just from oil or extortion. What the press does is get that kind of information out. When they attack each other and make statements about the rightness of their causes, they alienate their potential supporters. A free press amplifies their messages. ISIS has alienated just about everyone except extremists who make up their mass. In the end, it will be their undoing.
Tuesday, January 19, 2016
Encrypting Information
There is a good bit of understanding of the role of intelligence services summed up in the words of Andrei Soldatov and Irina Borogan, in The Red Web [Public Affairs Books], a book about the development of the Russian Internet and the role of the FSB in it. This is what they say:
"The Ministry of Security got the job of phone and postal interception under a secret decree that was issued June 22, 1992. Two days later Bulak signed the paperwork giving the Ministry of Security access to communications cables and places where they could work to intercept calls. When Bulak went to Lubyanka again, he asked the same question: 'Are you keeping up with us? Is there any direction where we need to slow down?' The answer was the same, 'No, we are keeping up.' In fact, the security services were lagging way behind."
What they describe is a technologist's dilemma in places where knowing what is being said on the Internet is more important than the protection of information passing between individual users. Governments decide how far they will go with technological developments that keep them from their business of intelligence collection. But governments seldom say more than Soldatov and Borogan got in that interview: "We are doing just fine." Only they weren't doing just fine, because the pace of development of the Internet got ahead of their government's capability to keep up by monitoring their citizens where they "should" be monitored. This is an interesting problem we seldom hear talked about, yet all governments have it.
When the Director of the FBI says he is having difficulties getting access to terrorism-related information, he is saying "We are not keeping up." You will never hear the Director of any law enforcement agency in any country say, "Yes, we are doing just fine. We can monitor any e-mail, decrypt any disk, listen to any encrypted phone call." They may even be able to do it, but nobody ever says it. China and Russia never admit to having any trouble monitoring much of anything, because they don't have any trouble doing it. The practical reason for the rest of us: terrorists and criminals will work harder to protect their information if they know they can be intercepted. They would have to have "FOOL" stamped on their foreheads to not know they need to do something.
What other countries do is set up laws to monitor everyone on any media that traverses their border. They don't have trouble from rulings on how much data they are allowed to keep, or under what circumstances they can monitor someone. They require their Internet Service Providers to give them access. No court order is required [curiously, Russia has a law that says monitoring does require a warrant, but the authorities don't have to actually produce it]. In the list of countries that monitor their citizens, there are some strange bedfellows. Vodafone published a list of some of them that required access to internal networks, in a report on their own problems with monitoring. [They didn't include Russia, China or the USA.] Monitoring, of some sort, is ubiquitous on the Internet.
I expressed the importance of this in my last book, The New Cyberwar, because countries need to be able to collect intelligence to survive. Some of them need to be able to collect that against their own citizens in order to survive, China being a good example. The situation today puts Google, Microsoft et al. in the middle between government policies and privacy of communications, but they are not in the middle everywhere. China found a way to steal Google software and certificates that will steer a citizen into their own websites that pretend to be Google. Encrypt all you want in these systems but it won't do much good. So, when the Director of the FBI says we are not keeping up, I have to ask why not? It is the job of the intelligence services, of which you are one, to do so.
ISIS Funding more than it seems
In the Washington Examiner last week [Jacqueline Klimas, Lawmakers go after ISIS funding, 4 January 2016] is a story in a story. The House Task Force to Investigate Terrorism, in case you didn't know it existed, has almost no public activities, something no Congressional Committee wants. Even the Intelligence Committees have public reports and a website with a host of hearings and public policy debates. They did provide the reporter some interesting context for the story.
The story tells us that the usual suspects help with the funding of ISIS through private organizations in Turkey, Qatar, and Saudi Arabia. Some of those are already on a Treasury watch list, and have been for years. It hasn't slowed them down very much.
The U.S. Treasury Department has had reports on this over the years to pin down funding of Al Qaeda, which is the root organization of ISIS. We know that Iran is fueling the fighters on the other side of this mess in the Middle East. Iraq is certainly not helping very much. Russia is bombing all sides in Syria, but seems to favor Iran in this. The Obama Administration seems to be the same, negotiating Iran's nuclear deal and paying them billions of dollars in what looks to be money-for-hostages. I thought we gave that up years ago.
So, when it comes to financing terrorism, it seems the Middle East countries all help to fund their own brand of Muslim extremists, then wonder why the fighting is so intense and barbaric. They don't call them extremists for nothing. If the Catholics were to decide that Baptists were all wrong about their brand of Christianity, then fund extremists to kill them off and dominate them with force, saying become Catholic or die, we would have an analogous situation here. The Baptists, Seventh-day Adventists and Mormons would defend themselves by hiring their own extremists, if they could find any, and attacking everyone who was Catholic. The Bible Belt would take on a whole new meaning.
As much as Al Qaeda tried to make it a war between Muslims and Non-Muslims, they have to admit it is a war of extremist Muslims against everyone else. The rest of the world is starting to get it. Even Muslims don't like the result. Maybe they can do something about the money going to ISIS. We can't.
Sunday, January 17, 2016
The Little Island that Could
China has managed to put a runway about the same size as the main runway at Dulles Airport, in the Washington suburbs, on two little islands that used to be no more than outcrops of land slightly above the water. They built islands on them, manufacturing new territory. They are not in the suburbs where most commercial airports are built; they are in the middle of the South China Sea, closer to Malaysia, the Philippines and Vietnam than to China. China is telling us not to worry. [ see story by Demetri Sevastopulo, FT Weekend, 17-18 January 2016 ]
As I said in my first book, The Chinese Information War, China lays out a plan to do what it says it will do, then does it - without anyone else's permission. For those who don't think beyond the next election, this kind of long-term strategy works pretty well. We have complained about this build-up in the South China Sea for at least five years when the Chinese sent ships to tangle with the U.S. Navy in the very same area where those islands are being built. That was not very effective at keeping them from their goal.
In case you might be wondering what the Chinese said about this build-up, besides "don't worry about it", then you might look to their claims there. They claim the islands and the South China Sea as their territorial waters. If you fly near to those islands, like the BBC did a few months ago, warning notices are given in English. More than 1000 miles from Beijing, and behind the lines for Taiwan, they are claiming the land, air and water as theirs. These areas are in dispute, not with the United States, but with Vietnam and the Philippines, neither of which is very big or up to the test of stopping the Chinese from doing what they have said they will do. What we should worry about is Taiwan.
Taiwan has just elected a woman who wants to move away from dependency on China, at a time when they are likely to become part of China in the same way Russia took Crimea. Unless the Chinese were sleeping, they did not miss the Free World's passing on the Crimea takeover. China is probably assuming they had better move quickly before somebody new gets into the White House. China tells the US not to worry because it isn't this White House that would worry if China takes Taiwan. It would be a problem for the next. That is why long-term thinking is always better than the way we do things. In most books that is called strategy, which seems to be lacking in both parties in contention.
Saturday, January 16, 2016
ISIS ATTACKS EVERYONE
The bombing yesterday of a shopping center in Jakarta, in the largest Muslim country in the world, was attributed to ISIS, a theocracy of Muslims. We certainly can't say that this is a war of other religions against the Muslims, or vice versa. This is a war with ISIS, a realization that many countries have come to, and ISIS reinforces. Historically, when a small group of people tries to attack the rest of the world, they don't fare too well. This one won't either. They have lost ground and gained enemies through these attacks, yet still survive.
Somebody benefits from ISIS and the world needs to focus on who that might be. ISIS was born out of Al Qaeda, and somebody thought they were a pretty good idea too. Radical people who believed violence was the only means of convincing others that their ideas were better than those of the people they were bombing, beheading and crucifying. The alternative to this violence is declaring for their cause and supporting them. These are people who cannot be reasoned with. Diplomacy means capitulation. China and Russia both understand that, having their own factions inside their countries. France and Belgium are getting it pretty fast. The USA gets it and arrests people who attempt to aid either one of them. Radicals of any religion are a world-wide problem, but both of these are Muslim-centered terrorists.
Governments like to pretend they are funding themselves, i.e., they have their own money from banks they have robbed or extortion. We would be happier if that were true. They get a good bit of that money from Islamic charities, sometimes in Western countries. That is what keeps the families and support for the fighters going. The U.S. Treasury has put names to these groups but they just change their names and move on. The Israelis are going after them by getting them into court, a short-term solution. Our charities need to do better about screening those they are helping in the name of humanity.
Wednesday, January 13, 2016
When the Internet is Down
ABC news is carrying a story by Hyung-Jin Kim, [S.Korea Fires Warning Shots After North Korean Drone Seen, 13 Jan 2016] about the South firing on a N. Korean drone, but part of that story also covers some of the most interesting aspects of trying to reach people who would normally be on the Internet. In North Korea they aren't.
Both the North and South tried to send balloons over the border with messages in leaflets, then set up loudspeakers along the border to broadcast music and news. These charming reminders of ancient Cold War slogans call for an overthrow of the South's government or dealing with them as you would "a mad dog". You can imagine one of these leaflets falling in a place like Anderson, New York, where a farmer plowing a field finds them scattered among the just-started soybeans. "Wow, what's this?" He reads the message, which says he should treat the Obama White House like a bunch of mad dogs, without much specific detail about what he should do or when. "Who dropped all this crap in my field?" he says with a stern look around at a balloon draped over the fence on his entryway to the field. He gets back on the tractor and calls the local Sheriff. They have had other complaints and are checking around for the source, which appears to be someplace in Canada. On the way back to the barn, he hears music....
This can't be for real in a world where communication is by cell phone and tablet, but it is real in North and South Korea. This passes for psychological warfare in both countries, at first a funny thing to even think about, but given the explosion of a nuclear device in the North, less funny than it might otherwise be. We are dealing with a country in the North that has hacked Sony in the USA, released e-mails from them, fired off missiles one after another, and has broadcast TV showing their leaders kissing the hands of the Great Leader himself. But, they drop leaflets on the South hoping for some revolution to come from it. There is something not right there...
Tuesday, January 12, 2016
Iran Hackers No Different
Jay Solomon had a nice piece a couple of weeks ago in the Wall Street Journal about hacking by Iran on White House and think tank targets in the U.S. I would have thought the White House would have learned its lesson during the first election of the President, when the Chinese hacked the campaign. People want to know what staffers and candidates think, because they are the ones who will be advising the final winner. Yet, they don't seem to learn.
If Hillary Clinton hasn't gotten better at this, you can bet the Chinese have hacked every person around her. Maybe the Chinese told her Bernie Sanders' staff member got into the Democratic database that he shouldn't have been in. They are very good at security of data pertaining to the party faithful, but not so good about policy positions and internal discussions. It shows where their priorities are.
Iran, according to Solomon's article, has been hacking people to find out how they feel about the agreement on nuclear weapons. The people doing the hacking are not the ones who made the treaty; they are the Revolutionary Guard that reports to the Military office of the Supreme Leader. There are a couple of aspects to this.
First, this is a good indicator that the Supreme Leader is nervous about this agreement, just as Congress is starting to express concerns about it. Nobody likes this deal except the outgoing President, who won't be around to defend it. Hacking the White House is pointless from that perspective. They all love it.
But second, they shouldn't be able to hack anyone in the White House after all the hoopla surrounding the OPM, State Department, et al. A reasonable person would think they would have learned something from that.
Somebody there needs to get their collective cyber security policies out and have a look at them. Are we not paying attention to what occurs almost every day on the Internet? These people seem to act as if they are either being protected, or nobody will ever find out that they are being hacked. Maybe, they will even be gone by the time they are found out. None of these are very thoughtful approaches to the problem of protecting information in White House computers.
Monday, January 11, 2016
When the CEO Vanishes
Imagine for a moment that you are on vacation at Club Med and the e-mail comes that the Chairman of Club Med’s parent company has missed the Board meeting and will be helping the police for an unspecified time.
There is a good reminder in Gordon Crovitz's column today in the Wall Street Journal [China Disappears Information] that China’s companies are not like ours. He is more concerned about the types of information that are normally used in business acquisitions or stock trades being taken away to protect China’s market position in the world’s markets. I’m thinking about this in a different way.
I saw a few businesses raided for criminal behavior, since law enforcement in this country occasionally arrests those responsible for it at their place of business. It is a jarring experience for those involved. People cry, yell, flush things down the toilet, pound on a desk, hide papers, go out the back door, erase information off their computers or do all kinds of things that we don’t normally see professionals do. But, as Crovitz noted in his column, “In all executives from 34 [Chinese] companies have disappeared, with only some reappearing. Among those was Guo Guangchang, Chairman of the Fosun Group, who is known as China’s Warren Buffett. His interests include Cirque du Soleil, Club Med, and the former Chase Manhattan Plaza…”
In no criminal business raid did I ever see a person taken away without telling the people around him/her why the person was being removed. Lawyers in corporate offices would want to know. Boards want to know that the Chairman is not going to be there today. Staff around the CEO would want to know that the Chairman was, in the British term fitting a Hong Kong example, “helping the police”. That is a nice term that covers a lot of bad situations without saying a person is guilty or innocent, presumed or not.
Some of these people who disappeared never reappeared. Where did the Chairman go, we asked? Perhaps he has been replaced by someone appointed by the government to help you while he is helping the police. In a super-conglomerate, somebody else takes over while he is gone and the business never misses a beat. That is the theory anyway, but that is never quite true.
There are a lot of beats missed when the Chairman misses his first Board meeting. How do we not notice that he/she is missing and we have no idea why that is? The Russians used to say that a person like that was “on vacation” or went to a mental institution for rehab. That is a nice approach and actually makes more sense than just plucking them off the mahogany row and taking them out of circulation until they get the answers they are looking for. In a country where Party position means more than business position, this kind of thing can happen and they don’t get too excited about it. This is what passes for a managed economy. Managed may not be the most accurate term we could apply when police can come and detain you without cause, round out your business education with some new facts of life, then release you into the world to carry on again. What does that sound like to you?
Friday, January 8, 2016
Terrorism and Government Domestic Surveillance
In my last book, I spent some time on the issue of terrorism and how governments use that to justify monitoring and surveillance in their own countries.
In today's Wall Street Journal [White House Seeks CEOs' Help on Terror] there is a story on a White House gathering in Silicon Valley that is going to ask some CEOs to help in discouraging the use of the Internet as a recruiting tool for terrorists. James Clapper, the Director of National Intelligence, Loretta Lynch, U.S. Attorney General, and James Comey, Director of the FBI are all invited though we will have to see if they actually attend. Some people from Facebook, Google and Yahoo will also attend, but we shall see if the CEOs actually come. Let's see if Tim Cook from Apple gets invited. His views on encryption, one of the "other subjects that will be broached" are public knowledge.
What our government is doing is linking the use of the Internet with monitoring and disruption of terrorism. China does the same thing to justify the turnover of source code and encryption technologies that give them access to industrial secrets of every business operating in China. Russia does it to justify the intense monitoring of citizens of its own country. At the same time, both of these countries use the publication of Edward Snowden's stash of documents as the reason for not doing business with the United States. Purely hypocritical.
There are a number of countries that monitor their own populations much more than the USA, mostly in the Middle East, but some on every continent. They all use the same "national security" justification. They buy sophisticated software suites (mostly made in the US) to monitor almost any activity of any citizen. These are law enforcement tools that are not being used for the kind of law enforcement we thought of when making them. It is the kind of law enforcement that says, "You cannot speak ill of the government in power" or don't say anything about the king or his relatives. We have seen a lot of that in almost every country that uses these tools.
Most of these tools are not looking at content, though they are quite capable of that. They look for associations. That has limits. If drug dealer El Capo wants to make a drug shipment to San Francisco, it would be nice to know that he is dropping it off at a warehouse on the south side of town. Without looking at content of a transmission, that is very hard to figure out. So, we always end up with the "back door" argument for law enforcement. Some of Silicon Valley stopped buying that argument when encryption became the only way to protect information that thieves all over the world were taking. Add the element of terrorists using the same mechanisms to protect their contacts with other terrorists, and you have the basis of a disagreement. It is a disagreement that is not new.
The Wall Street Journal article points to a less than enthusiastic groundswell of support for changing what industry has done to protect our transmissions. Terrorism is the justification that almost every government has used successfully. It doesn't seem to be working very well this time. It isn't because privacy is more important than national security, because there won't be any privacy if our national security isn't protected. All those countries in the Arab Spring have figured that part out. This time, we have to do something different. We have to protect people from thieves, terrorists, and hackers all at the same time. Maybe all those good minds in the Valley can figure out how to stop terrorists from hiding in plain sight, and using our technology against us, but I doubt it. I know for sure that they can protect us from governments who monitor their own citizens.
Wednesday, January 6, 2016
North Korea and Iran
I love Christiane Amanpour because she has such good sources in the Middle East. She was on CNN today talking about the test of a bomb by North Korea which claims it was a hydrogen device. Just about everyone knew that, but the rest of that discussion was a little different. She mentioned the connections between Iran and North Korea. Part of that discussion was that Iran and North Korea might have cooperated in the development. I can find nothing about that anywhere in public sources. That is an interesting enough topic to delve into, though reporters should be on it soon enough just because it was mentioned.
We might be surprised at the amount of cooperation the two have already had, especially in the arms business, where Donald Kirk [Forbes, Missiles Despite Iran Nuclear Deal 13 November 2016 http://www.forbes.com/sites/donaldkirk/2015/11/13/forget-about-china-n-korea-markets-missiles-as-iran-nuclear-deal-approaches/] points out that the North Korean arms find their way from Iran into Syria and Yemen:
“Most of North Korea’s missiles for years have been going to buyers in the middle east, notably Iran and Syria but also Egypt, Yemen, Libya and other markets. Although slowed down by sanctions, sales of short-range Scuds and mid-range Rodongs have been an important source of foreign exchange for the financially strapped regime.
North Korean missiles, moreover, remain a constant threat as seen when Scuds fired into Saudi Arabia by rebels in Yemen were discovered to have been manufactured in the North. South Korean intelligence sources estimated that Saudi forces had shot down about eight of 20 Scuds fired by rebels into Saudi Arabia.”
Rand Paul said this morning that the same negotiators that did the agreement with North Korea to limit their capacity to get a bomb, also did the one with Iran. What an irony that would be, if true. North Korea is proving that trying to do something about nuclear programs is more difficult than promising to “snap back” sanctions. It doesn’t work without a wide ranging agreement among countries with interests in seeing that North Korea or Iran does not have a bomb. Apparently, some would like for that to happen.
I said in my first book that China used North Korea to test its various approaches to manipulating the rest of the world and to see what the reactions would be to certain types of actions. I still think that is true. But, we might want to ask China if this test was something they knew was coming. In April, they warned the whole world that North Korea was ramping up their missile testing. Did they know that North Korea was about to test a bomb? Did they know Iran was involved with North Korea on the development of that bomb? How could the Chinese sit in those nuclear discussions with Iran knowing they were involved with North Korea? They can’t be that desperate for Iranian oil.
China wants to see our reaction to a buildup of weapons delivery systems, but hardly something like a test of a big bomb that rattled some of China’s own cities, like this one did. If the Chinese fail to punish North Korea for this test, we will have a pretty good idea that they knew and approved of this test. All the while, they participated in negotiations with Iran. We have to wonder what their motivation for condoning this kind of action would be.
In the meantime, the U.S. has decided to wait to respond until it is confirmed that a nuclear test was actually performed. They have to be kidding about that one. Unless our intelligence services have all gone asleep in the past couple of weeks, they must have known it was coming. They must have known what that flash was. As David Sanger pointed out today, 3 of the 4 tests of weapons were on Obama’s watch. It wouldn’t be a big surprise to the next President that this one could not prevent North Korea from having or exploding a nuclear weapon. We have to wonder if their intent is to give one to Iran.
China on Microsoft's Case
This is old news to most people since the Chinese government has investigated Microsoft several times over the years, but this one may be different. An article in today's Wall Street Journal [China Asks Microsoft About Data "Problems" byline to Beijing] says China has asked Microsoft to clarify some data gathered as part of an investigation by the State Administration for Industry and Commerce (SAIC). The investigation, now over a year old, apparently related to how Microsoft distributes its browser and media player in China.
When I testified at the U.S. China Economic and Security Review Commission last June, the concern was over impediments that China put in the way of U.S. businesses. This was at a time when President Xi was speaking to business groups in Seattle telling them how much better relations should be and how much they could benefit from alliances with Chinese industries. At the time, he was about to test out a new counter terrorism policy that requires industries to hand over source code and encryption keys for any mechanisms used to secure their data. Why anyone would do such a thing was beyond us. IBM was the first to publicly comply. Using excuses to harass U.S. industries while stealing their technology, seemed to not bother the Chinese that much. Why we don't do more to push back on this kind of thing is hard to imagine.
Microsoft recognized years ago that it was being ripped off by the Chinese. They fought them and suffered for it, at least until they gave up and went along. Water torture was not a term invented by the CIA. The Chinese use the techniques on every business in their country. Microsoft stayed because they could make more on the 10% of software sold versus the 90% counterfeited, and maybe today can make the latter number lower. They think it is worth it.
The Chinese fined Qualcomm a billion dollars under similar circumstances. While they get all the benefits of lower prices, we don't. I don't get to pay any less for Microsoft products because China accuses it of doing things that raise prices there. They fork over a similar amount of money and allow that software to be duplicated without any benefit to me. I listen to Donald Trump with a great deal of skepticism, but I'm wondering if some brashness would not be beneficial here. None of the businesses that operate in China should be allowed to do so unless they can lower their prices in the USA.
When the Punishment Fits the Crime
The Associated Press released news of the punishment of Deniss Calovskis, sentencing him to time served (10 months in a Latvian prison and 11 months in ours). What he did was make what the court is calling a virus, but is really a part of the code used in a trojan that is used to get banking credentials from unsuspecting users. If you want to see how this really works, check out the analysis by Don Jackson at Dell Secureworks [http://www.secureworks.com/cyber-threat-intelligence/threats/gozi/]. This is from the summary of that analysis:
"Russian malware authors are finding new ways to steal and profit from data which used to be considered safe from thieves because it was encrypted using SSL/TLS. Originally, this analysis intended to provide insight into the mechanisms used to steal that data, but it became an investigation into the growing trend of malware sold not as a product, but as a service. Eventually it led to an alarming find and resulted in an active law enforcement investigation.
Highlights
A single attack by a single variant compromises more than 5200 hosts and 10,000 user accounts on hundreds of sites.
- Steals SSL data using advanced Winsock2 functionality
- State-of-the-art, modularized trojan code
- Spread through IE browser exploits
- Undetected for weeks, months by many AV vendors
- Customized server/database code to collect sensitive data
- Customer interface for on-line purchases of stolen data
- Accounts compromised by stealing data primarily from infected home PCs
- Accounts at top financial, retail, health care, and government services affected
- Data's black market value at least $2 million"
The convicted Calovskis has a lawyer who says Mr. Calovskis didn’t create or disseminate the actual virus, didn’t join the conspiracy until years after the virus’s creation, and received only $1,000 for his participation.
[see http://www.wsj.com/articles/latvian-hacker-deniss-calovskis-sentenced-to-time-served-1452032841] Calovskis developed part of the code that changed the appearance of banks' websites on infected computers to trick victims into giving up personal information that would allow the hackers to steal money from their bank accounts. The Journal article suggests the judge actually considered exceeding the amount of time because there would be little deterrent value in the sentence actually given. I have heard this story before.
The Computer Fraud and Abuse Act, which has expanded quite a bit since it was written, had its first prosecution while I was still teaching at the Defense Security Institute, in the 80's. People were saying the same thing then, only in that first case, they had a point. That guy was stealing information on the tracts of forestry being sold off by the Federal Government and he got a suspended sentence of 6 months. That resulted in a legislative panic and the stiffening of sentences that has been going on since then. It never seems to be enough, but it is more than a 6-month suspended sentence.
I don't know how many criminals are in Russia paying for the development of this kind of software, but I do know that Calovskis was one of their employees who did good work. Many of those selling these kinds of software hire good people and develop good products worthy of the amount of money they charge for them. Calovskis had the misfortune to live in Latvia and get caught. Those living in Russia do not. There is a certain injustice in the whole process to bring an action against ones who are not safe from prosecution, and let all those others go. So, before we jump to the conclusion that "time served" is not a real punishment, think about the context of what he did. The punishment seems to fit the crime.
Tuesday, January 5, 2016
Russia and Iran
I wondered what Russia got out of supporting Assad in Syria, except maybe those two big bases in Syria. When Russia started bombing it was to target ISIS and help get rid of these terrorists who are disliked by almost everybody, but still survive. Only they didn't bomb ISIS; they attacked the enemies of Assad instead. That makes sense if you want to keep those bases and believe that Assad is the only one who can say you can stay. Bombing ISIS can be done later. They seemed to be using the adage that the enemy of my enemy is my friend, but that requires going back in recent history to figure out who the enemy really is.
In my last book, I used the example of the Iran-Iraq war as a symbol for the proxy wars fought by Russia and the U.S./allied forces. That didn't turn out well for the U.S. But it seems to have worked out well for the Russians, who backed a winner. In an area where nothing is simple, this may have been too easy an explanation.
Oil and gas seem to be involved here too, and the oil markets respond to both good and bad news in the Middle East. As Iran was about to go on-line with its oil sales, Saudi Arabia was cutting back on its internal largess because of sinking oil prices. The U.S. began to sell oil again because it had so much. Those were trends that nobody in the oil sector would like. Russia and the United States are not enemies there.
Religion is an issue too, and I naturally thought since the United States and Russia were both Christian countries, they would be at least neutral in this area. Then I read Al Jazeera's story on the number of Muslims in Moscow and the great lengths they have to go to get to their prayers [http://www.aljazeera.com/indepth/features/2015/07/animosity-moscow-muslims-change-city-150720093306298.html ]. In a city of 12 million, there are a million Muslims. In contrast, Pew Research says there are less than 1% overall in the United States and less than 2% in Washington D.C. [ http://www.pewforum.org/religious-landscape-study/religious-tradition/muslim/ ]. There are almost as many Buddhists as Muslims living here.
I read a paper, "Russia and Iran: An Anti-Western Alliance?" on how these two countries have again come together as allies in an alliance that is based more on the needs of dictatorships (an economy based on oil and gas sales to countries that are not exactly friendly towards them, religious justification for their manner of ruling, and absolute power over their populations) than the practical necessity of an alliance against a common enemy in the West. [ Abbas Milani is the head of Iranian studies at Stanford and a research fellow at the Hudson Institute. You can read his paper at http://web.stanford.edu/~amilani/downloads/CurrentHistory1.pdf ]
If you look around at the countries that are dictatorships (I include China in that number), there are a lot of similarities between the governments' justification for holding onto their positions. Assad, Putin, Khomeini, Xi, Castro, have totally different policies for religion in their countries, economic assets, and natural resources, but they all have one thing in common - they control their populations by intimidation, sometimes crudely applied. They define the limits of freedom of expression. They claim they are elected to power and remain by the will of the people, but limit that will by controlling information. No wonder they fear the democracies of the world, their one real enemy.
Sunday, January 3, 2016
What Passes for Deterrence
Sean Lyngaas has an interesting story on the deterrence strategy posed by the White House, "White House sends cyber deterrence policy to Congress" https://fcw.com/articles/2015/12/17/lyngaas-congress-cyber-deterrence.aspx
This must have been greeted on the Hill with quite a bit of skepticism. I can't remember a less inspiring set of ideals being expressed as a policy. It looks for all the world like wishful thinking, not a strategy.
The article goes on to say this: "The administration is particularly concerned about cyberthreats that "could cause wide-scale disruption, destruction, loss of life and significant economic consequences for the United States," the report states.
The document is meant as a roadmap around which federal agencies will align their efforts. It reaffirms the administration's efforts to bolster deterrence through more resilient network defense; the imposition of costs, such as sanctions, on hackers; and the establishment of international norms in cyberspace."
What the Administration has missed here is that hacking, on the level that Russia, Iran and China have shown, is state-sponsored. Neither one of them give a hoot about international norms, since both have already undone all there ever were. The Internet used to be a safe place to go before they started supporting people who try to undermine our basic industries and use the information they steal to compete directly with us. They are not going to stop, or even think about stopping, until we actually do something to deter them. The Chinese haven't even blinked since Xi was over here promising less hacking of our business interests. He has a good thing going and is not going to give it up until he has consequences for continuing. This kind of wishy-washy diplomatic language applied to a deterrence strategy is more likely to encourage him to continue than stop.
Let us start with a simple strategy of deterrence: reciprocity. What you do to us, we do to you. That will be the international norm for behavior.
You may deny all you want, but we know what you do and we can prove it to our government officials. If the Russians hack the Ukraine government, we will help the Ukraine government hack Russia. If the Chinese hack an industry here, we will help that industry hack back. There is no need to help individual companies at a strategic level. Industries that steal need to feel the sanctions, so far nonexistent. When the national policy is to talk loudly about sanctions, but do none, credibility suffers.
So, the two words that make a policy are credibility and reciprocity, neither of which are found in this new policy.