Sunday, December 31, 2017

The Little Guy Against the Bear

There were two stories in the Wall Street Journal last week that tell of the difficulty in being one of Russia’s neighbors.  They are about the small countries of Estonia and Moldova both of which face the Russian Bear every day.  The Russians have not given up on getting them back and use the same techniques so familiar in the Ukraine.  The Moldova article mentions Georgia, just so we don’t forget about that one either.

Mostly, we call what the Russians do harassment - meddling in elections, undermining the military, degrading politicians that do not favor their views, running campaigns to influence every person they can reach.  Both of these countries are small and face the Bear bravely.

Both the leaders who wrote these articles are calling for the same thing - they need help.  It takes huge amounts of energy to fight all the time, and the Russians are both relentless and brazen about their work.  Europe has finally come around to the idea that Russia cannot just take these little states like they did Crimea.  The lesson there was clear.  I always thought that President Obama was talking about Crimea when he said he would have to wait until after the election to carry out his agreements with Russia.  He said that on an open mike and not for public consumption.  Now that little place is gone and the rest of the world will not be getting it back.

We need to give these countries some aid of various types - cyber training, intelligence support, weapons for their own defense, and help them organize.  First they need to organize with one another.  They can fight better together.  Next, they need to organize with Europe which should help them for their own well being.  None of them want Russian controlled countries on their borders like they had for years.  But, like in Ukraine last week, there is room for the rest of the world to help too.  Putting Javelins in their will make a lopsided situation less so.  It doesn’t take much, and like many business executives in the world, President Trump is just paying attention to cries for help.  He doesn’t have to do much, but paying attention is important.  Same for Europe and the border countries of the old Soviet Union.

Friday, December 29, 2017

Suicide before Life in NK

You can read the whole story here.  But for a man to commit suicide rather than go back to North Korea after China returned him is a statement about both countries.  That China would return a man knowing how well he would be received in the North is a travesty of huge proportions.  I guess they are so attached to the North’s nuclear program that they want to discourage other defections that might allow all of us to know how close they are to a miniature warhead, and to say where that technology came from - China most likely.  What a country.

It isn’t a great place to defect to, unless you have secrets like our boy Snowden.  They didn’t send him back.  But this breaks new ground for shallowness of thought.  They couldn’t have allowed poison to pass through the kind of searches the Chinese give.  They had to provide it to him rather than let him talk or go back.  What nice guys they must be.

Thursday, December 28, 2017

Russia and China Sell Oil to N. Korea

Sanctions mean nothing to China or Russia, it seems.  It took them a little over a week to start selling oil to China in what is probably a “humanitarian” sale.  I can’t believe the Chinese do this with a straight face.  They must smile secretly.  The story is complete with satellite photos anyone can buy from a vendor.  It’s fun to be able to check without going through a government filter.

Reuters has an exclusive on Russian sales to North Korea and transfers at sea.  These are the same people who claim to want to stop North Korea from building a nuclear weapon but violate the sanctions within a week of them being made.  Sanctions are worthless.

Wednesday, December 27, 2017

Not Like Us

I did a post last week on Andrew Browne’s article on China in the Wall Street Journal.   What it says is that China is not going to be “more like us”, and “The game of make-believe is winding down.”

From a business standpoint, I have been saying that for the last 6 years.  Chinese businesses, many of which are state-owned, and all of which are state influenced, are not like our businesses, though they go to great lengths to keep that illusion.  They pretend that businesses that come to China will be allowed some flexibility in meeting Chinese rules for ownership and cooperation with State Security. They pretend that intellectual property will be protected.  They pretend that censorship rules will not be applied to companies that come there.  They pretend that U.S. companies will not be spying on China’s citizens, and maybe a few other citizens too.

He asks an interesting question:  “What is the appropriate response to an increasingly predatory Chinese state that takes advantage of Western openness to acquire technology even as it shelters its own markets behind protectionist barriers?”  Cooperation with their approach isn’t it.  Browne says a “reset” is in order.

For years, business leaders have been saying that the free world can “out-innovate” China even if they steal our intellectual property and use it to manufacture their own goods.  We might have to think about that approach more.  By the time Boards of Directors realize that approach fails more than it succeeds, it is largely too late.  They are looking at losses caused by unfair competition from state controlled industries subsidized by China’s banks and partner businesses.   The reset has to be on both sides for it to work well.  Business leaders have to know that short-term profitability is not enough to satisfy shareholders with long-term interests.  

It’s Only Art

Look at the picture shown by BBC.  It is innocent enough, and just a work of art.  You can like it, or not, by the feeling it gives you about spaces and objects, like an empty chair sitting in the middle of a room.  The bars on the windows of the home, with an old scene from China outside them are another clue.  The creators of this art are a pair of French artists, who were unceremoniously hauled away after the mural was completed, and have not been heard from since.  This is, as a plainclothes police officer said, China and not some other country where such things are allowed.  The artists should have known.  Really?

I wondered about the antics of Kathy Griffin holding up a plastic head of Donald Trump that looks like it was severed with some malice.  It was art, and it was judged by the quality of it, not by the message it sent to the people of the United States.  Kathy Griffin has largely been out of work since.  The quality of comedy was not there.  A few found it hard to see the humor, like the Secret Service, which actually has no sense of humor and thus is not good at considering the source and moving on.  The Chinese are apparently much less accepting of this kind of art.  Amazon is not still selling severed heads of Xi Jinping, so we can assume Chinese censors would not like that very much.  If they can sell Trump’s, they should be able to sell others too.

The difference is, Kathy Griffin is not in jail.  The whole of China is not very tolerant of critics. But, even for them, this seems a little harsh.  Liu Xiaobo is dead, after all.  But, he made such an impression on the leadership that they won’t let it go, even after his death.  No more powerful statement can be made about a man.

Arresting a couple of French artists just brings more attention to Liu Xiaobo.  Don’t they get it?

Tuesday, December 26, 2017

Acts of War

We have to think a little bit when North Korea calls sanctions an act of war.  These are the same guys who sank a South Korean ship, attacked the banking infrastructure, and shot people who tried to escape across their borders.  The latter is clearly not an act of war.  The thing about acts of war is that they are much like pornography - we know them when we see them.  Having sanctions against a country that wants to build a nuclear-armed missile is certainly not an act of war.  Is building one?

Sunday, December 24, 2017

ZTE Monitoring Does Not Go Smoothly

Most people have already forgotten about how ZTE managed to get into court and end up being monitored by two firms, set up by the court to oversee their rehabilitation.  ZTE was not only violating agreements China made to keep nuclear weapons out of the hands of North Korea and Iran, they were using a “rule book” that described how they could avoid detection by a shell game of companies.  When they were caught, the Commerce Department published the rule book along with their indictment.

In somewhat of a mystery, the two monitoring companies both quit, and there was an indication by Reuters that they were not able to do their job under restraints put on them by a court-appointed individual assigned to oversee the monitoring for the judge.  He seems to have limited their access to both documents and people who worked for ZTE - almost like he didn’t want the team to do their job, but wanted the appearance of doing it.

Javelins for Ukraine

Nothing like facing a tank with small arms and grenades.  It is sure to ruin your day.  But, things are a little more even with a Javelin.  It is man carried and small, but it packs a wallop where it counts.  You can see video of one and how easy they are to operate.  It will not be fun for the Russians who encounter one.  All it took for the Ukraine to get these things was political will.

Putin claims there are no Russian soldiers in the Ukraine so he should not be affected by the addition of such a weapon, yet Russia manages to see it in light of an “escalation”.  Putting contract soldiers and missiles into Ukraine is the escalation.  The Obama Administration called for “proof” of missile launchers and Russian troops almost every day of the week.  A long stream of video and photos were surely enough for most people, but not for that White House.  Now that they are mostly gone, the proof seems easier to come by.

Friday, December 22, 2017

Let the Retaliation Begin

It always takes too long for a country to retaliate for cyber intrusions into their internal affairs.  That is because the country of origin always denies doing it, and the proof of it is a state secret on both sides of the action.  Well, the British are about to enter the fray with Russia over the same kind of influence  campaigns run by Russia in the U.S.  We should all remember that Russia has their own elections next year.  We might know who would win that election, but it could be more difficult than they realize if the wronged countries put their heads together.  Germany and France were part of that too.  

The BBC has published a story about how this all started and the threats of retaliation being made.  The British are hot about the interference in the Brexit debate, where the Russians did quite a bit for those wanting to leave the EU, but kept the fires burning on both sides of the debate.  The PM warned Russia in November;  the head of part of the U.K.’s security establishment said it again this month as the Russians continue to undermine the U.K. and every democracy they can.

The Russians and Chinese both need to see what the West can do when motivated.  The U.S., U.K., Germany and France all have capable cyber forces that can combine to make life more interesting for both of them.  The Russians and Chinese have 32 agreements on non-interference and cooperation against the rest of the world.  We only need a little of that same kind of cooperation to make them think twice about stealing our technology, and stirring up trouble in our respective countries - without consequence.  Retaliation is a good start, but a deterrent strategy we can all live with would be better.

Time For CFIUS Reforms Has Come

What a mess.  The Committee on Foreign Investment in the U.S. has been around for as long as I worked in government, rarely raising an eyebrow anywhere because it moved slowly, relied on voluntary reporting for the most part, and took its time making decisions.  Over the years, that has all changed.  Now, there is sentiment in the Congress for legislation to strengthen and clarify the rules for companies buying into the U.S.  What prompted most of that review and revision is State-Owned Enterprises, almost all from China, buying into the U.S. critical technologies like microchips.

In today’s Wall Street Journal there is another case that is likely to push that movement forward.  I know Congress has been busy on other things, but there is agreement on both sides to get moving on this, and this story gives good reason for some urgency.  It is the case of HNA.  The Journal says, “The requests from Capitol Hill follow recent allegations by a U.S. firm that HNA provided ‘knowingly false, inconsistent, and misleading information’ about its ownership and ties to the Chinese government during the interagency panel’s review of a $325 million deal.”

Of course HNA says it has no connection with the government of China.  In a great article, the Financial Times put this all together pretty well, naming names and posting faces of most of the leadership of HNA.  Most, and they were pretty blunt about a few of the leaders that they couldn’t find much about.  I pointed out at the time that HNA was feeding the Hillary Clinton campaign through other charities and its own.  This sweetheart arrangement fell through, and the protection of HNA went with it.

There are many others besides HNA, and the Chinese will move from one company to another when attention is drawn to one of them.  They keep the national strategy going by changing the face to U.S. regulators.  As I pointed out in my testimony on this last year, CFIUS can’t keep up with the way China is hiding its state connections to its own companies.  They have gotten better because it was possible for researchers to find military leaders in government companies, and ownership and management by state agencies.  It is harder to find anything like that anymore, because their websites now hide the truth.

Wednesday, December 20, 2017

How Much Surveillance is Enough?

In the Wall Street Journal today there is an interesting article about how much surveillance is enough to deter and prevent terrorism in China.  According to this article there is never enough.  But, one thing I did find interesting was the mention of voice recognition technology, not something I had seen  associated with Chinese surveillance.  Facial recognition is used a lot more than in other parts of the world.  Retinal scanning is more common and seemingly accepted by the most affluent members of the population.  What choice do they have?

The cars of journalists were watched with license plate scanners, the cars stopped and searched just because it was possible to easily identify them.  This is just harassment, though it was easy to tell that it wasn’t just journalists that came in for this kind of treatment.

The “social credit” system shows up here too when a man is blacklisted and everywhere he goes there is an X by his name when he checks in.  He claims to not know why, but says “I can’t go anywhere.” Imagine doing a facial scan at a gas station and then wondering if the police will show up to ask you why you need more gas today.  All this in the name of “harmony”.  You can never have enough harmony.

Tuesday, December 19, 2017

Reciprocity for the Saudis

The Houthis acquired and fired another of those Iranian missiles, which was intercepted by the Saudis.  The last time this happened the remnants of the missile were put on public display, and fingers were pointed the Iranians’ way because the parts were made in Iran.  We might hope the parts are big enough to identify, yet again.  The New York Times questions whether the missiles actually hit the target, but I don’t think they know much about missile defense.  The Patriots don’t always have to blow up a target to kill it.

The Saudis can play this game if they want to, and reciprocity is always good for discouraging the firing of ballistic missiles into your neighborhoods.  Somebody could get hurt doing that.  So, let the Saudis give a couple of missiles to a bunch of the good guys in Yemen and have them fire these off at a couple of Iranian cities.  They can hope their anti-missile systems will work as well as the Saudi systems did the last two times.

The Iranians have their own, which they call the Bavar 373.  They had the Russian S-300 but that was not continued after sanctions started.  They had to build their own, at least that is their story and they are sticking to it.  This is similar to the story the Houthis told about their own missiles, but that turned out to be a fairy tale.  I suspect the Iranian story is equal in fantasy.

One day the Saudis are going to stop playing this game and fire off some of their own through an equal proxy.  That is when we find out if those Russian S-300s really work.  We know how well the Patriot works.  It has a long history in combat.

Cyber Picks Up in U.S. Foreign Policy

The President yesterday laid out a bigger context for competition between national powers, and mentioned cyber as one of the areas he would give additional emphasis.  At the same time, the White House pointed fingers at North Korea over the WannaCry attacks, which most everyone in security circles knew were launched from there.  It sounded like a warning in the context of the other parts of the speech.

I pointed out last year that Janet Yellen mentioned cyber security in one of her major speeches.  That doesn’t happen very often.  The North Koreans and Chinese have pushed the cyber parts of their strategy into territory that crosses into commercial interests.  The first attacks by North Korea were on the banking infrastructure of South Korea (along with some military and government targets at the same time).  That was sure to get the desired effect.  The second attack was on Sony, a further demonstration of what happens when private emails are given to the press after a damaging attack is completed.  These kinds of attacks haven’t stopped coming, now that they have proven to be effective.  Political interference and manipulation of social media is expanding rapidly.

These are all threats generated from foreign governments, or with their sponsorship.  There is a long series of articles in today’s Wall Street Journal on the nature of the nation-state threat, but there is very little new in what is discussed.  Attacks on businesses by foreign governments are out of line and need a response.  That response should use two principles, reciprocity and retaliation.  Attacks on business need a response to businesses, especially those contracted to do this kind of work.  Our government needs to sponsor that response, but not necessarily do it themselves.  Attack them, publish their internal email, and disrupt their computers.  Retaliate against the government directly, which the Obama Administration was said to have done with North Korea.  They don’t mind, but that doesn’t mean it shouldn’t be done.  They have to expect that their attacks are not without consequence.

At the same time, start doing more to defend against cyber attacks.  We have seen very few new cyber defense mechanisms that work.  Sow a little research money on this area.  Then, start with new policies that recognize advanced cyber defense.  We continue to struggle along with nothing new, and policies that discourage anything that is.

DISA and Russian Programmers

Today, the Justice Department released a long package of documents outlining the case of Netcracker Technology, a software company having part of the code used on the Defense Department’s networks.  These networks are the ones used by Defense and a number of other Federal agencies.  They range in sensitivity from unclassified to Top Secret.

According to the documents released the geniuses at the Defense Information Systems Agency knew that Russians were writing the code that was used in Netcracker’s software and OKd it.  So they thought it was OK to have code written by Russians, in Russia, running on the networks of the Defense Department.  Whoever made that decision should be roasted in oil, but since 2008, the person is probably gone.  Nobody stays in DISA unless they can’t find another job.

It was Netcracker which actually revived the issue in 2011, again telling DISA that it was using uncleared Russian nationals to write code for the core of this project.  No wonder the Justice Department decided on this novel, and totally worthless, approach of a “non-prosecution agreement”. This amounts to nothing except a CYA document for DISA which made the mistake of allowing them to continue to use Russian nationals when they should have known that was improper.

This, of course, gets to the thorny issue of when software used by Defense Agencies can use software written by foreign nationals.  Take Microsoft for example, where large portions of their software are written in other countries.  Microsoft offered to make Defense a version of Windows and Office but they turned it down.  China has its own version, because it knows better.  This whole COTS product issue has to be reviewed and thought out a little more.

This isn’t about money, because we all know that software is more expensive if the government has its own versions that have to be updated and controlled by U.S. citizens with security clearances.  But, we sometimes pay that money because it is the right thing to do and reduces risk of using just anyone’s software.  I remember a Dilbert cartoon where the Ebonians offered to make software for Dilbert’s company for free, and the boss thought that was a great idea.  That level of humor must have been a little above the idiots at DISA.

Monday, December 18, 2017

A Business Approach to Foreign Policy

Reuters today is describing what it thinks will be in the U.S. President’s speech tomorrow on foreign policy with Russia and China.  People who specialize in this topic will not like what he has to say, probably for the wrong reasons.  That is because he has a business approach to it.

In big business, entities can compete without necessarily fighting.  The President will say that Russia and China are competitors, and are trying to maximize their economies at our expense.  At the same time, they are expanding their territories by seizing land and water claimed by other countries.  Business generally ignores this kind of government activity, focusing on the areas where business can be done. Be friends with the leaders of these countries and work at what works, even though there are political disagreements.  Sure, businesses take territories from one another all the time, but a long-term strategy can get those territories back.  The objective always is to maximize the business without getting into a fight that will hurt profitability in all competing businesses.

In this model, Russia and China are not enemies, determined to destroy the United States.  They are competitors whose business interests are at odds. I would not agree with that view.  The Russians and Chinese both interfere with the U.S. political system, in different ways.  This would be like having the Board of SAIC, in China, undermining the Board of General Motors with proxy fights and stock maneuvers to influence how General Motors does business abroad.  Maybe they do that too, but it isn’t apparent one way or another.   Incursions into the undermining of U.S. political processes, the military, and intelligence capabilities are analogous to direct interference in the operations of General Motors, which businesses generally do not do.  They know that is a two-edged sword.

North Korea is the best example of where such a strategy fails.  NK wants to cloud the dealings by threatening to destroy General Motors and kill large numbers of its workers.  That doesn’t work very well with this model.  It is not behavior that can be tolerated and Russia and China seem to want to let it go on because it is destabilizing.  If we are going to be competitive and not enemies, then North Korea (and Iran too) have to end their nuclear ambitions.  They are neither one playing the game the way this strategy suggests.  Russia and China can stop them both anytime they want.  The fact that they haven’t suggests they are not just competitors.

Friday, December 15, 2017

No Surprise Missiles

In case anyone was wondering, those missiles that were fired by the Houthi rebels were not made by them.  When it first happened, the Houthis showed 3 missiles that were supposed to have been produced in Yemen.  I said, at that time, that Yemen was not known for its missile production, and it likely got the missiles from its best buddy, Iran.  Yesterday, the U.S. put on display components of the missiles that launched against targets in Saudi Arabia, indicating they had been made in Iran.  I wish they had not said how they knew they were made in Iran because the next ones made there will not be produced in a way that makes them so easily identifiable.  Children could have come to the conclusion that missiles with parts stamped by Iranian companies - with their company logos on them - were probably from Iran.  It would have been better to say that analysis shows the parts were made in Iran and leave it at that.

Thursday, December 14, 2017

Code Reviews Gone Cold

The BBC ran an article last week that talked about a keylogger preinstalled on several models of HP laptops.  A month or so ago, I talked about the Intel chip flaw that gave admin access to anyone who knew how to exploit it.  My Apple experience with High Sierra was an equal example.  HP and Intel  flaws have been going on for some time,  four and seven years, respectively.  I have to ask:  What ever happened to code reviews?  Don’t we do them anymore?

These are two examples of hundreds that show that commercial products are getting to market with some serious flaws in their security - nothing new to most of us.  Our laws allow vendors to offer products for sale without any liability for what kinds of flaws there may be.  There is not much incentive to do anything except wait until some security researcher finds the flaw and points it out.  Maybe a year or so later, it gets fixed.

The vendor says that is an acceptable risk to the consumer, but never asks what an acceptable risk is to someone buying a computer.  It isn’t acceptable to me.  Normal due diligence requires code reviews, and vendors are ignoring that in favor of pushing it off on anyone who builds software for them.  It is the integration of that software that the vendor should be responsible for.  It gets integrated in their product, not in the software vendors that produce it.  Why do security researchers, or users, have to be the ones finding these flaws?  The vendors should be doing it before the product goes to market.  Maybe they might hire a couple of those security researchers to see what flaws they can find before they charge us for the devices.  Then I might accept the risk.

Bitcoin Fits

I was wondering why nobody mentioned Ponzi Scheme when talking about Bitcoin.  As it turns out, The Hill already did, two days ago.  When Bitcoins were first introduced, it seemed like it was a product without value and the backing of no government.  That is the way most Ponzi schemes work. They look like they have something to offer, but there is no real value in what they are selling.  

Wednesday, December 13, 2017

The Tale of the Mistress

While the political people in this town were talking about an FBI agent and email he sent to his mistress about President Trump, not one of the press outlets made anything of the fact that he was carrying on an affair with a woman in the Justice Department.  You may not have noticed that nobody really cared about his wife, who was the really wronged person here and not the President.  How many people in Justice and the FBI knew about this affair and why didn’t they do anything about it?  Maybe affairs are OK in the FBI.  I’m sure the wives of Agents must be wondering about that right now.  Washington and the press seem to be filled up with women’s sexual harassment claims but this is a little different.  This woman knew he was married and carried on with him anyway.  Is this an acceptable behavior to other women?  Is it acceptable in the FBI?

Comments in Your Name

The Wall Street Journal has a thought-provoking article today which concerns a study of email comments sent to the Federal Communications Commission about something called net neutrality.  What the Journal found, by surveying a million people who submitted email comments, was that 7800 of them denied making any comments to the FCC.  One woman, who had been dead for 12 years, certainly did not comment.

Now, we might know what the Russians and others have been doing with all of those stolen emails.  They can post public comment in almost anyone’s name and clog up the reviews of any piece of legislation.  But, what the Journal suggested is equally interesting - a number of people who commented agreed with the comments sent in, but did not send them.  That means that some of the lobbying groups that they were registered with may have used their email addresses to send comments in their name.  I do register with groups I don’t agree with, but that is mostly to find out what they are saying to their audience, not because I want to send them money or help them.  Those comments trying to undo this legislation could be mine.

Diabolical.  I suggest any comments be sent to every contributor of comments with a notation that these were received from them and would be reviewed.  It can be a simple thing to do and can be automated so it doesn’t require a lot of work on the Agency’s part.  I know this is a small number of the actual contributions to the FCC, but this is a form of identity theft that we should really not tolerate.

Tuesday, December 12, 2017

Contracting with the Russians

There is an interesting story in today’s Wall Street Journal about the U.S. Defense Department taking a contractor to task for having code written by Russians, in Russia, even storing the code on Russian servers.  I can’t tell you the number of times I have seen similar things without much action taken by the government agency involved.  This time, there was something done about it.

This was a classified contract that should have had a clause in it requiring the developers to be U.S. Citizens, and, usually, to have a National Agency Check to make sure they are not wanted felons.  We need more of these kinds of clauses and lots more enforcement of their requirements.  Should we have foreign nationals doing risk assessments of U.S. computer systems?  Should we have risk assessments of our critical infrastructure or National Command Authority being done by foreign nationals?  You would think this would never be an issue, but I have seen all of these and more.

There were vendors subcontracting to Chinese, Russian, Indian, Israeli and French (just as examples) companies for programming of software used in national defense systems.  There were vendors employing foreign nationals who were authorized to work in the U.S. but not authorized to work on these kinds of programs.  There were contractors set up in the U.S. as front companies with authorized workers,  or post office boxes as offices, who then sent all the work to another country to actually be done.  Each of those was competing with a U.S. company for work, and taking jobs they had no business getting away from people who should have gotten them, and putting our security at risk.

Part of the problem is government contracting agencies who have their heads somewhere they shouldn’t be and aren’t paying attention to subcontracting below the second tier.  They have not even looked at some of the contractors to see if they have the capability to perform on these contracts.  Then, they have to write contracts and clauses that pertain to who the work must be done by.  Then, the Industrial Security people have to enforce those clauses.  We cannot have a contractor using Russian contractors in Russia to write code.  We know that.  But, at the same time, we should know what has to be done to prevent that kind of thing from happening over and over.  Our contracting agencies need to wake up and do their job.

Monday, December 11, 2017

Putin Tries Another Withdrawal from Syria

The press is reporting that President Putin has announced another withdrawal of troops from Syria.  Before anyone celebrates this announcement, remember what happened the last time he said his troops were leaving that country.  They started a new bombing campaign and brought more troops in.  Maybe the translation does not work well here.  The Russian word for withdrawal must mean rotate troops.  We shall see this time.

A Matter of Quality

A friend of mine got together with us last week, after a year away.  We were talking about the quality of the new people coming into the cyber realm and working for his company.  He was disappointed in their abilities and the salary they were expecting for an entry level job.  One of the things it boiled down to was the number of people who know cyber is a hot field, and try to capitalize on that without having the skill set expected of a person with that kind of salary.  He called it Millennial Expectations, which would make a good book title.

He interviewed a young woman who had 2 years of experience in the field, so he expected she would have quite a bit of knowledge across a range of cyber subjects.  She didn’t.  Her sole job before coming for the interview was publishing vulnerability announcements on websites.  Her salary expectations were twice what a new person would expect to get.  She might get it somewhere else, but she wasn’t going to where he was working.  It was all too common a scenario.

When I first started in this field, nobody wanted to be anywhere near it.  It was not well defined, and there were no certifications for people in it.  You had to be something else; “computer specialist” or “computer security specialist” were not real fields at that time, but almost anyone could claim it.  Now, all you have to do is go to a two week prep course and take a certification test that costs quite a bit.  With that, and no experience, you are qualified for a job.  How ridiculous is that?

HR departments are not very knowledgeable about any of the criteria that make good employees in this field.  Part of that is because they are not getting much help from the people who know how to do the job.  Knowing how to post vulnerability announcements isn’t even one of the qualifications that a Department would look for.  I went out to look at a couple of job announcements and found this as typical:

“Prepare System Security Plans
Conduct reviews of computer security requirements for compliance, efficiency, and standardization of technical computer security configurations.
Perform technical upgrades, repairs, and patches, modifications or replacement of information security tools and technologies as directed.
Perform/assist with technical investigations of security violations involving customer IT systems information.
Determine corrective actions, prepare and submit reports in accordance with government and corporate directives.

Required Skills Include:
Must have a current DODI 8570.1-M IAT Level II (Security+ CE) (minimum) certification.
Minimum of three years IA experience
Must have experience with ICD 503 accreditation and Information Assurance Vulnerability Alerts (IAVA) tracking, reporting and implementation
Must have a good working knowledge of security practices and procedures for various network devices and operating systems.
Experience presenting technical information to customers, clients and/or other audiences
The ability to work efficiently with frequent and direct customer interaction in a real-time operational environment
Must have basic experience with network design; router configuration, and firewall configuration

Desired Skills Include:
CISSP or CCNP Security Certification
Working knowledge of network protocols and common services
Experience as an ISSO or ISSM.”

I picked a company that I knew had a good cyber security staff and expected this level of knowledge and skills.  This one expects some work experience in a cyber environment doing work related to security.  This is not an entry level job.

So, take a little more time to write a job description that says what skills you really need to do the job and what experience qualifies a person for a step up.  My friend should not have had to interview somebody who had so little experience, and she should have been filtered out by HR before she ever got to an interview.

Sunday, December 10, 2017

What is the FBI Doing in Ukraine?

I was surprised to see a story yesterday in the Wall Street Journal about the FBI investigation of corruption in the Ukraine.  I was thinking the FBI had enough work for it here in the United States without devoting resources to corruption in another country, especially if it does not involve any actions by a Ukrainian against officials or business interests of the USA.  Bizarre.  

The National Anti-Corruption Bureau of Ukraine (NABU) has signed a memorandum of understanding that says, according to their website,  

At the meeting with the FBI colleagues, the NABU Director pointed out that he sees three possible ways the FBI can support the Bureau, namely the possibility of receiving the operative information on USD flows distribution, experience sharing on the operative and technical work and the work of undercover specialists, possibility of providing the NABU divisions with material and technical support.

This is the usual vagueness of international memos, which try hard to not be too specific to keep opposition parties from saying the agreement was being violated by doing thus and so.  

I think Congress needs to ask the FBI if the Ukraine is incapable of doing its own internal investigations and why resources are being plowed into this internal political matter.  This is not something we need to be involved in.

Friday, December 8, 2017

Can’t Take a Joke

The Chinese cannot take a joke, at least not one connected with a senior level bureaucrat and a famous female celebrity.  In an article today, the Wall Street Journal describes what happened to a construction supervisor who was chatting with some of his friends on WeChat.  He was arrested by the local police and held, without charge or trial, for 5 days.

The story is meant to show how censorship clouds even the most personal of conversations in China, but it shows much more too.  If we just look at Twitter, there are about 500 million tweets every day.  Just for fun, go to Internet Statistics  and watch how fast that causes the number to climb as the day goes on.  Now, imagine your boss says, “See if you can figure out a way to monitor and censor all the Tweets put out every day.”  It takes some thought to do that.

It requires algorithms, connections to telecommunications platforms all over the country, and human beings who can look at some of the things collected by algorithms in order to find out which ones are worth pursuing.  The algorithms look for key words in the content of the exchanges.  The content also has to have associations, i.e. more than one keyword is needed or there would be millions of chats that would have to be looked at.  We need both the bureaucrat’s name and his association with the celebrity.  That would then be passed to an analyst who would check it to be sure it was the association, and the analyst would make an alert to the local police.  The locals probably get hundreds of these a week, and have to prioritize them.  They get to them when they can, and may leave the guy in jail while they look around for the extent of his transgressions and his friends.  If this seems like a lot of trouble for a joke, it is.

Now, imagine what it is like to know those algorithms are running in the background of every Twitter, Facebook, and YouTube equivalent in China.  Every note you send, every exchange with a coworker or Facebook friend, even family members.  Say the wrong thing, and you can be spending a few days in the local jail, maybe not knowing what you are there for.  That is China.  Whatever kind of label you put on it, this is stifling, oppressive, and offensive to the dignity of our fellow man.

Thursday, December 7, 2017

Apple Sees China as it is

Tim Cook, in today’s Wall Street Journal, is quoted as saying, “When you go into a country and participate in a market, you are subject to the laws and regulations of that country.”  That seems like a reasonable explanation of why he tries so hard to do what the Chinese ask of him in controlling the use of the Internet.  So, he has Apple pull apps from the App Store that China objects to.  No big deal.

So, what if the laws of that country say that Apple products must be able to disclose information to the State when asked?  Apple clearly does not agree that it has to help law enforcement in the U.S., but it does so in China because it is part of the laws and regulations of the country?  The problems for Apple are more murky than just taking actions to make the internal systems of computers available to law enforcement.  Apple, like all of its competitors, has to deal with a lot more countries, each with different laws about access.  Some demand direct access to anything produced in their country; some want available access, and some want a court to issue a warrant before any access is given.

China wants its citizens’ Internet access to be filtered and monitored.  Apple has to help them do that.  But, China also has demanded changes to software to collect intelligence-related information on a global scale.  You can see this in browsers and operating systems made for, and by, companies in China.  Microsoft made a special version of their operating system just for the Chinese.  Do we know that is not being used on computers made in China and exported?  If the Chinese monitored only their own people, we would not care very much.  They don’t.  They then build those kinds of controls into development kits sent to other developers the world over.  The University of Toronto has some great reports on the activity.

So, it is easy to say that Apple must comply with the laws of the country they are in, but when those laws directly, or through enforcement, undermine the national security of your home country, does it really matter?  I think it does, and I would imagine that Tim Cook does too.  This is why Apple pays him so much money.

Wednesday, December 6, 2017

A Question of Fact

In law enforcement there are some things an investigator can determine, and there are some things they have to surmise.  The latter is not guessing - it comes from collecting evidence,  leading to a conclusion.  It can be circumstantial, i.e. indirectly leading to a proof of guilt, or direct, where there is some physical evidence found at the scene.

I had reason to question how this kind of evidence is collected in the reporting by journalists, when twice this week, stories have come out that turned out to be questions of fact.  Journalists are not usually investigators, per se, but they do have a professional responsibility to verify what they publish.  They don’t have to verify that it is true, but they do have to verify that it was said by someone they can point to as a source.  That means they cannot just make things up and publish those things as facts.  

In one story, a journalist says that Michael Flynn, the former National Security Adviser to President Trump, was going to testify that the President told him to speak to the Russians.  There were stories based on this “fact” that compared the conduct of the President to treason, a big stretch for anyone paying attention.  Presidents do this every day in some area of national security, so there is almost no chance that this kind of conduct rises to that level, but it sells clicks on a website somewhere.

The second story is that Deutsche Bank got a subpoena for records on the Trump family accounts there.  Yesterday, the White House in a press conference, and later in comments by the White House attorney engaged for the Russia investigation, denied this happened.  Today’s front page of the Wall Street Journal says it did happen, quoting nobody in particular.

With questions of fact, they are either true or they are not.  It doesn’t make sense that these kinds of stories can present themselves without some basis for them, and it appears that journalists are not doing a very good job of verifying their own facts before they publish.  Somebody is feeding this kind of story to journalists who listen and publish without doing any kind of fact checking or due diligence.  To ABC’s credit, they suspended Brian Ross and took him off cases involving the White House.  He still has a job, but his case is a warning to other reporters that they have to be more careful with their sources.  They should be looking for where he got that original piece of information and finding out how it came to Ross.  The Russians are accused of doing a lot of things in the run up to the U.S. national election, but as I have often said, they haven’t stopped just because the election is over.  We need to trace some of these fabrications back to their source and name names.  It might make a better story than the ones being made up.

Tuesday, December 5, 2017

News Outlets as Foreign Agents

Reuters has announced today that the Russians have indeed named Radio Free Europe and Voice of America as foreign agents who have to register as such in Russia.  This is the retaliation for naming Sputnik and RT as representatives of foreign interests in the U.S., making them register.  On both sides, this is stupid.  Neither country was in the dark about which news outlets are state supported and follow the party line.  China has more than either one of them, probably more than both put together.  Syria, Egypt, and many others do not have a free press.  Look at the map that Freedom House publishes every year and more countries have fewer free press outlets.

Russia and the U.S. have played these games for years without regard to how it looks to the rest of the world.  Childish is a word that comes to mind.  If we really want to play this game, there are a whole host of state owned enterprises that need to register as agents.  They represent their country, not their business interests.  Why not just forget this and move along?

Sunday, December 3, 2017

Cyber Sovereignty for China

I read with some amusement the account today on Chairman Xi’s comments about cyber sovereignty.  It seems rational to say that every country should have sovereign control over its own part of the internet but, what was not said, is that control should extend only to the borders of that country.  The Internet does not have borders.

The flaw in China’s direction is it interferes with any other domain of the Internet in order to control what comes into its own domain.  The clear implication is China has a right to protect and filter anything that comes into its domain.  So, it attacks websites in other countries if they carry unsanctioned news about China.  They prevent certain publications from being seen in China by attacking the distribution points.  Those are in other countries and are available to Chinese-speaking people everywhere.  The Chinese espouse sovereignty but do not honor it.

Friday, December 1, 2017

Russian Access to Half of People on Earth

Not too many people have heard of Karim Baratov, nor is he likely to become a household name anytime soon, but he has a distinction of being caught working with the Russian FSB to steal Yahoo’s webmail.  His accomplices are all safe in Russia, and likely to remain there.  You will remember the numbers of accounts compromised - 3 billion.  Hard as I try, that is a big number to imagine.

I’m a little surprised that Yahoo had 3 billion accounts, since they are hardly the biggest provider of email services.  Google’s Gmail and Microsoft’s Outlook are bigger.  But 3 billion is half of all the people in the world (7.6 billion), a substantial portion of whom are children with no computers and a few illiterate adults.  UNESCO says there are a billion illiterate adults, and another billion live in China where they can’t have Yahoo accounts.  That would mean more than half of all the literate people in the world have Yahoo accounts for their email.  Not likely.

Nonetheless, the Russians now have them all, doubtlessly sending out a good bit of news and lots of spam by this outlet.  Baratov’s place in this is explained in the Justice Department press release:

 “Baratov’s role in the charged conspiracy was to hack webmail accounts of individuals of interest to the FSB and send those accounts’ passwords to Dokuchaev in exchange for money.  As alleged in the Indictment, Dokuchaev, Sushchin and Belan compromised Yahoo’s network and gained the ability to access Yahoo accounts.  When they desired access to individual webmail accounts at a number of other internet service providers, such as Google and Yandex (based in Russia), Dokuchaev tasked Baratov to compromise those accounts.  The Indictment is available here, and its allegations are summarized in greater detail in the press release that attended the unsealing of the Indictment on March 15.”  

The Russians did not care about 3 billion accounts, so the fact that they had potential access to them is not of great concern to millions of normal people the FSB ignores.  But, for the ones they asked for, what were they doing in the name of those accounts the FSB was using?  They could publish almost anything they wanted, respond to email from journalists and government officials, and write to people the owner did not even know.  It is the perfect way to phish.  

Thursday, November 30, 2017

Trade Status of China

The really big news of the day was not North Korea’s missile or the stock market highs;  it was a buried story of the US position on China’s status in the World Trade Organization.

Within the WTO there are market economies and non-market economies and China has always been the latter since it came into the organization.  Non-market economies have state-run businesses and funding of state monopolies that conflict with the way market economies work.  They can manipulate markets to their own advantage so market economies can respond by adding additional tariffs.  In several public statements made to any country that would listen, China has said it is a market economy and would be treated like one.  It went on to say that in any future trade talks, that issue was “non negotiable”.

So, non-negotiable meets contrary position, and we are about to find out what China can do about changing its status in the WTO, which is probably nothing.  Still, it will be interesting to see what they try.  China claims, as it always does, that the WTO entry was conditional upon China being named a market economy in 15 years from its entry.  The US is saying that was contingent on certain changes that China has not made.  The drumbeat will be that the member nations are “not living up to their obligations under the membership agreement”.  You will probably hear this from every trade official in every WTO country China visits.  There will be scholarly articles written explaining how the WTO works, and businessmen pointing to their independence from the Chinese Central Government.  We are just like you, they will say.  They will keep this up for 100 years if need be.  Non-negotiable to the Chinese is forever.

Apple Root Follies

Nothing has ruined my day more than High Sierra, but I’m having problems figuring out how testing did not discover this serious flaw before it was deployed to the mass of people using Macs.  I was able to see that something was wrong when I started the new OS and another user showed up on the login screen.  I don’t allow guest users, so that got my attention.  It was not something a tester would fail to notice.  When I couldn’t get Apple to fix it, I took the computer in and had it overwritten and Sierra reinstalled.  That worked, but one little thing happened as a result - the new file system of High Sierra changed the file structure and I could no longer get access to my files with Sierra.  It corrupted my backup drive.  I expect better from Apple.  We all spend more for Apple products than those of other companies because they provide good security and testing before we get a new OS.  Take away that and you don’t have a material difference between the competition and Apple, except for the best service techs anywhere.  It is unfortunate that they have to explain this to users.

Apple has done more to damage its business reputation in one day than in any other day I can think of.  Users are not going to forgive them quickly.

Wednesday, November 29, 2017

NOKO Missile Politics

North Korea does not do a lot without China approving it.  This time they sent what was called an ICBM into the Sea of Japan.  An ICBM can travel a good bit further than that, so we only have some missile experts to say it is really an ICBM.  It did look like one, in fact it looked a good bit like an old Chinese missile, which it probably was.  While China loves to say that it is trying to restrain the North, the proof of that is in the actions the North actually takes.  Shooting off a string of missiles and raising the stakes is exactly what the Chinese want, otherwise it would not be happening.

For those worried about an attack by these idiots, I don’t think we have very much to worry about.  The United States is a big country and anyone wanting to engage us would have to drop a few weapons on big cities - but then they would have to duck because missiles would be coming back their way pretty quickly.  There are not as many targets in the North, so the ones there are will be taken out pretty quickly.  Nobody can convince me that the North does not care.  They will cease to exist as a country.  China will not have to worry about unification or lots of people coming across the border.

The South may have something to say about a strategy that blows up the North, as will China.  Radiation follows the wind.

When Caught, Remove the Problem

Before a spy gets caught there is a brief period when escape is possible, but after they are caught, the best option is to limit damage as much as possible.  We are seeing that in China with the company Guangdong Bo Yu Information Technology Co., also known as Boyusec.  Three of its employees have been identified as being responsible for hacks seeking sensitive information in commercial facilities.  A month ago, the US tried to get China’s help in stopping this behavior.  After waiting without reply, the US decided to indict instead.  

Instead of the usual response, today’s Wall Street Journal says the Chinese disbanded the company.  While odd to some, it is anything but.  

Boyusec had links to the Ministry of State Security.  If this spying was related to any of the tasking given by the Ministry, then their work would be traceable back to official government hacking-by-proxy which violates a 2015 agreement with the US to stop doing that kind of thing.  The Chinese took their hacking out of the Army and brought it under control in agencies with better expertise and less chance of being caught.  The downside is that commercial work has a tendency to drift away from multiple government partners who pay for this kind of work. Closing the company may have a couple of effects:  (1) warning government agencies that their tasking of contractors should stay within Central Government guidelines, (2) putting tighter controls on how they carry out their work - so they don’t get caught and (3) giving the appearance of doing something to stop hacking, without interfering with that work.  

Tuesday, November 28, 2017

Much More to Follow

A spokesman for the Justice Department said the three Chinese nationals that were hacking Moody’s and Siemens were employees of a technology company, BoYu Information Technology Co. in Guangzhou, China, but were not in custody.  A Journal article on the same subject says the US tried to get China to assist in stopping the three individuals in September but got no response.  Subsequent to that, Justice filed charges.

This is partly an outgrowth of the agreement to stop hacking industry targets.  The Chinese moved their collection efforts from the military people who got caught, and into portions of the government and government companies that were better at hacking and didn’t get caught so often.  At least that is what they thought.

The Chinese do not do what they say;  they only do what they want.  Agreements with the UN or WTO are just pieces of paper that can be ignored.  It does no good to make an agreement with a country like that.

Russia Uses Mercenaries for War

There is a good piece in The Cipher Brief yesterday on the Russians’ use of Private Military Companies to augment or replace their special forces in deployed locations like Syria and Ukraine.  These are mercenaries, and we would also have to believe there may be some foreign contractors as well in this mix, though none were identified in this article.  Pay for play soldiers are very much the same the world over.

The obvious cited advantage is plausible denial.  We have no soldiers in that area;  we don’t have any idea who shot off those mortars;  we promise to assist in any investigation.  The Russians have already hired people individually who were captured with “contracts” from their government still in their pockets.  Not wanting to be called spies, these people quickly confessed and were hustled off to jail.

There is not much new in this, but mercenaries have some disadvantages.  Private military forces have occasionally gone beyond their “mission” and hired themselves out to more than one agency in the same government, sometimes, different governments with similar roles in the same areas.  Peter Benicsak’s article  hits some of the more obvious drawbacks:  the costs are higher;  “loose cannon” effects; less transparency and accountability; and, of course, they encourage the same type of contracts from other governments.

Let’s not make too much of this.  Most every government has some contractors who are employed to do things the government does not have the expertise to do.  Cyber often enters into this equation, so I ran into a few.  Experts have their own arrogance and think because they are good at what they do, nobody will ever catch them, but the other side hires the same kinds of people.  Like the contract killers I wrote about a couple of days ago, these are specialists who are hunted by other specialists and, like their fictional parallels, the Secretary will disavow them if they are caught.  Not a very comfortable way to live.  They are always looking over their shoulder, often literally.

Monday, November 27, 2017

Arrogance Knows No Bounds

We have a government employee of a small office in consumer protection, Leandra English, suing the President of the United States over his appointment of a new director of that office.  She claims she is the “rightful acting director” and the President has no right to replace her.   I can’t think of one other country in the world where this kind of thing would be tolerated.  In fact, I can’t think of any country in the world where it should be tolerated.  It is the height of arrogance.

Being Good Does Not Help

Ask Lu Wei if being popular and doing great things his boss wanted done will get you ahead for long in China.  This guy did some of the hardest things that have ever been done in any country - getting the Internet under control and censorship of the population of people who use it.  It was an impossible task he came close to doing well.  He ran the Cyberspace Administration until he lost that post last year.

When the Russians wanted to know how to get their networks under control, they called him and he came.  He was, after all, the expert who helped create the Great Firewall, the Great Cannon, and the technology that provides the infrastructure for China’s Internet.  His expertise was in policy and politics, but the technology that went into implementing that policy was noteworthy.  At a time when most people thought the Internet could not be controlled, he did almost control it.  

How times have changed.  Too much popularity or power is not a good thing.  There is only one boss in China.  Now he is under investigation for who knows what because the billing says “corruption” which can be almost anything the government wants it to be.  Time to retire.  

Friday, November 24, 2017

A Novel Made in Ukraine

In what makes one of the most interesting stories in a long time, a hired killer ends up in the murkiest of places hunting Russian paid killers trying to make the Ukraine a dangerous place to live.  The twists and turns make for a sure novel or true-to-life spy thriller, only this is not fiction.  It may not be a true representation of the facts, but it is true to someone buried deep inside an unsavory job of killing people for a living.

Don’t say you haven’t thought about it.  Being a paid spy like James Bond seems like a job that few could say no to, but what this shows is those killers are in a circle of  targets trying to kill one another.    In the meantime, they covertly kill some of the most sensitive targets in governments like the Ukraine.  The Russians show their lack of patience in allowing persuasion and political warfare to win wars;  they just kill off those they know are hurting their operations in the border areas of the south.  Someone else will take those jobs but they won’t have the political will or veracity of the person killed off.  Would you?

These kinds of people have no conscience, and most of them work for both sides of the game.  Working for just one makes you a target for the other, so how better to protect yourself than by playing both ends against the middle?  On the surface it makes sense, like arms dealers who sell to both sides, but assassins are a peculiar bunch who can be targets as much as targeting someone else.  It makes for a paranoid existence without many friends.

In the meantime, the Ukraine will be thinking about reciprocity for the dead.  How do you even the score for that head of special operations killed by Russian funded bad guys?  You hire your own.

Wednesday, November 22, 2017

Speaking of Long-Term Hacks...

There was a Wall Street Journal article describing the concerns about software made in Russia’s Kaspersky Labs in 2004 by the Defense Intelligence Agency.  The warning said they thought it could be used by Russian Intelligences Services to get into US systems.

I have some sympathy for those that ignored the internal discussions about this, if they did not see the classified intelligence reports the article cites.  Many civil agencies do not have enough people cleared to see those kinds of reports, so they don’t see them.  But other do have them, and still ignore any warning that is “not specific enough to say that it is a threat”.  In other words, unless the threat of being hacked using that software was not found on one of our computers, we are not going to change what we see as a good product.  Usually, this is the height of arrogance.

In either case, too many government agencies do not take action on this kind of threat because there is no central management of the threats to agencies.  That is left to each agency to decide.  That includes the morons at the Office of Personel Management who allowed the Chinese to steal the most sensitive records we had over years of ignoring the signs, the Internal Revenue Service which got hacked twice in the same year using the same methods, and an NSA contractor who took hacking tools home with him.

Now, there is a known hacking tool out there running on government systems for over 10 years.  The damage that was done is done, but doesn’t go away because we stop using Kapersky software.  Too many things have been undone by long-term hacks of government systems that got patched and covered over with new paint.  The hackers are still in there, as the State Department found out when for three years they tried to get rid of them.  The same is true of the Intel chip vulnerability in my last post.  It goes on much longer than the chip itself because, even if you try - and most agencies don’t - you still won’t be able to get those guys out of the systems without a lot of work.

Get NIST out of the policy business and put an agency that can do something in charge.  Start going through these systems and closing them off or rebuilding whole parts of them to be secure against the insiders that we now have.  Close down the Operations centers that are supposed to be doing security for all of these agencies but just employ friends of the Directors and CIOs.  Put the money into making these systems safe again.

New Warnings About Chinese Intel Chips

Reuters is today saying that US businesses have been warned to check for vulnerabilities in Intel chips embedded in business computers sold by HP, Dell, Lenovo and others (though there can’t be too many others when preceded by the three largest).  In my previous post on this I said the discovery matched up with events that led back to when Intel started making chips in China.  The Chinese have never been shy about putting things in computers for the good of people who use them, though most of that was software.  Apparently, what is good for China is good for the rest of the world.

Intel was quick to say they know of no known use of this vulnerability to gain access to computers.  How would they know?  It is a vulnerability in the chipset that would show administrator access in an audit log.  Most administrators access their computers every day, for long periods of time.  It may be recorded by audit software, but would seldom be seen as unusual.  That is what makes it so useful as a hacking tool.  Their second feint was the old “well you have to have it set for remote access and have the password and user name of the administrator” thinking we would buy that as something that was very hard to get.  Come on, not even children believe that fairytale.  That is what root kits do and there must be a few hundred of them around that work pretty well.  Administrators must not use remote access where these fairies live.

Nobody has said yet (it may still come) that this Homeland Security warning was issued “out of an abundance of caution” rather than known exploits they have seen.  As one comment said, “This has been going on for 7 years and nobody (at Intel) found it?”  It is not so easy to find.  It is built in.

The great harm in this kind of exploit is that nobody will ever know how much damage has been done by root access to so many computers, over such a long time.  Patching this is not something that should make a user feel good.

Most businesses do not allow such things to happen because it does tremendous damage to a company’s business reputation.

Tuesday, November 21, 2017

Looking for Collusion

Gerald Seib has a good analysis piece in the Wall Street Journal today that looks at collusion between Russia and China to disrupt democracies.  I’m sure he would say it isn’t that simple, but this article talks about something I have been looking at for the past few years - the Russians and Chinese are using different parts of Information Warfare to undermine democracies in the West.  More important than that, they are succeeding.

The Russians use Political Warfare and the Chinese use Economic Warfare to achieve their objectives.  Again, it is not all that simple, but if you want a place to start analyzing what they are doing, that is the best place.  In May, 2015, the Russians and Chinese announced they had signed 32 bilateral agreements that cover everything from military cooperation to cyber operations against each other.  Of course, since we have never seen all of these agreements, we can guess there are probably some that are state secrets.

These agreements do not benefit the rest of the world, particularly, and I was a little surprised that they announced them at all.  Since then, we have had organized intrusions in almost every election in any country that does not favor the two of them.  None of those campaigns stopped when the election was over.  Germany is now in trouble;  Britain is not going quite as well as we thought;  the target on the back of President Trump is clear for all to see.  This is not a conspiracy theory, unless you believe that these political disruptions are caused by the rotting of democracy in every country that uses that form of government.

The sad truth is that democracies have within them a flaw not found in dictatorships like Russia and China - they allow conflicting views to be ironed out in public.  Minority parties seem more than willing to help them out by “resisting”, a term used in other countries as well as the US, impeding and disrupting their own government.  If they have found the silver bullet of political and economic domination we are in a lot of trouble.

Counterfeiting for Fun

The latest sanctions on Iran have a peculiar but not surprising target - counterfeiting.  That would be counterfeiting of currency by the Iranian government.  This much is in the Wall Street Journal today, though there is probably a lot more to this than the surface story of counterfeiters making Yemeni bank notes so as to bypass European export control restrictions.  If they are doing it on Yemeni bank notes, you can bet they have been doing it with other currency exchanges as well.  They paid for a lot of high-quality equipment to do good counterfeiting and Yemeni bank notes would not be high up on the list of things I would take for payment of anything.  Apparently, some banks are not too particular.  They made hundreds of millions of dollars worth of these bonds and are probably paying for mischief in Yemen with the proceeds.

What we have to ask ourselves about this is how does a government sanction, and support, counterfeiting of currency anywhere?  The risk they take is just the one demonstrated here - they get caught.  There are more consequences to getting caught than just sanctions.

Iran must believe that it is OK to make money that way.  As long as they don’t get caught, that may be true.  The real outcome is to make Yemeni bonds less valuable by flooding the markets with fakes.  You have to think about this for a minute.  Suppose those Swiss francs the Iranians use to pay for that watch are fake?  Suppose the Iranian rials that pay for international exchanges are fake?  People have to start worrying about this kind of thing when a government becomes a counterfeiter.  How do I know the currency is real when the source is Iran?  Check it.

Counterfeiting is a big business and I have watched bank clerks, without much experience or practice, run money through a machine to check it.  You can buy one of these things for yourself at Staples for less than $200.  I didn’t see one that did Yemeni bank notes, but the vendor could probably have one made up in a day or two.  I don’t know how good they are, but banks can afford to have ones that work.  Eventually, banks get pictures of the people bringing in these fakes and start hunting them down.  Taking money from anyone associated with Iran, business or personal, would be good reason to check.  This is what happens when a country becomes a counterfeiter.

Monday, November 20, 2017

The Empire Strikes Back

For those of you familiar with the movie, the evil Empire is unhappy with the destruction of the death star and sets out to even the score.  In this version, George Soros, by his own accounts, and those of his paid-for-views associations, suggest the Hungarian government has launched attacks against the rebels.  The rebels have held out against the giants and fought bravely.  Cheers and applause follow.

This rebel has a net worth of $8 billion.  He certainly could spend his money on better things.

Out in the Middle of Nowhere

In a previous post I talked about the dispute between China and India over a small piece of land on the border with Bhutan, a country most people have never heard of.  Both Bhutan and Arunachal Pradesh, one of the 29 states of India, are in an area that is in dispute.  Indian President Ram Nath Kovind visited there and set off a diplomatic exchange like he had invaded the little place all by himself.  This is typical of the way the Chinese react to anything they don’t like - especially when it involves territory they want.  They do it with Taiwan and the South China Sea almost every day.  

There is actually a dispute about who owns this land and soldiers tried to settle that a few years ago, without success.  If it is a state in India, as the Indians say, then it seems like nobody else could claim it.  I did find some news stories claiming it was not a state in India which seems odd.  It either is or it isn’t.  

The whole mess is centered around a familiar theme that goes back to 1913-1914 with negotiations between India, China, and Tibet producing the Simla Accord.  The Chinese representative refused to accept the territorial claims, similar to how the UN Tribunal took up the settlement of islands in the South China Sea, where China did not participate.  When things don’t go their way, they take their ball and go home.  When they do go their way, they expound the “multinational agreement” to the high heavens, and deliver a barrage of messages about how everyone agrees.  One China is the best example.

This is the “what’s mine is mine;  what’s yours is negotiable” style of the Russians and Chinese.  We allow this type of diplomacy for reasons that seem beyond my understanding.  Apparently, India sees this the same way and is not giving up.  With the Chinese, the only thing that succeeds is force.  It doesn’t have to be armed force, but it has to be forceful diplomacy or force of armed men to get their attention, then, it has to be applied forever - not just a few days.  They won’t quit, so India can’t either.  In the case of the South China Sea and Taiwan (and South Korea) we are in it forever.  There won’t be a time when we can say we can negotiate the release of Taiwan to China as the British did with Hong Kong.  We saw how that worked out, and the people living there can be lessons for Taiwan too.  We are not going to give up control of the trade routes for what China believes is their territory.  Forever is a long time, but we better get used to it.  

Thursday, November 16, 2017

Silence the Messenger

I heard a rumor a few days ago that there was an effort to close down the US-China Economic and Security Review Committee.  This is the group that first identified the use of joint ventures as a way to steal US technology, and how China was doing that.  This is a group that found the targeting of US chip manufacturers for purchase by China.  This is the group that pushed for changes in CFIUS to stop China’s incursions in US markets that affect national security.  This is the group that pointed fingers at China for stealing US technology by computer.  Who benefits from doing away with them?

Not the citizens of the US.  There are a few international businesses that depend on manufacturing in China for a sizeable chunk of their income.  They don’t like the Commission and want it to go away.  The researchers there go into too many aspects of business in China and how closely those are tied to the Chinese central government.  That has resulted in proposed legislation to change the way CFIUS These businesses want us to believe Chinese businesses are “just like ours” even though there are offices of the Communist Party right in their plants, and Chinese officials are put in senior leadership positions in their companies.

We wouldn’t know half of what we know about the real China if it had not been for this group.  I’m not surprised that Chinese interests would have targeted it, but I am surprised to hear they have made headway in stopping them.

The Russian White Knight

If anyone could save Venezuela, we could not imagine it being Russia.  As it turns out, Russia is restructuring the debt of $3.2 Billion to offer more favorable terms to keep them from defaulting on their debt.  This allows one more breath for the country which owes the world $142 Billion.  Russia and China have put a lot of money into Venezuela as a friend a long way from home.  China gets oil in return, Russia not so much.  Both get political support in our hemisphere, being scooped up at a fairly fast pace in the years of past Presidents.  Maybe nobody pays attention to South America, but the two allies sure have been.

China Stands on NOKO, Sits on US

There is no negotiating with China.  It wants things its own way, and proceeds on that path regardless of what anyone says, including the UN, the US or any other entity in the world.  They smile when they do it.

I reference the stand on North Korea, which is that the US should stop holding exercises with the South in exchange for an agreement from North Korea to stop developing nuclear weapons.  This is a new kind of nuclear blackmail, which I am sure we will see again.  A country no longer has to have nuclear weapons; all a country has to do is announce that they want them.

We hold joint exercises with the South to show the North that we have the capability to defeat them if they move to take over the South as they did 40 years ago.  That is ancient history to millennials, but yesterday to the Chinese.  Most millennials don’t even know that we had a war with North Korea and China on that same ground.  The only reason North Korea is developing nuclear weapons is because China allows its companies to do business with them and help them with the development.  They could stop it any time but don’t.

So, China holds out the carrot and says we stop having exercises with the South - our readiness for a hostile takeover of the South - in exchange for delaying the nuclear program of North Korea the same way we agreed to delay the nuclear program of Iran.  We must have STUPID written across our negotiators’ foreheads to allow the suggestion of this kind of agreement.

The treatment of President Trump in China was a clear indication they know how to get what they want.  They rolled him in butter and fluff.  They signed some trade agreements to make him look good.  Then they offered him a solution to the North Korean nuclear problem.

In the meantime, China tightens its grip on the South China Sea.  Three aircraft carriers are not going to stop them.  Only an alliance of our friends in the area can do that - undoubtedly the reasons for the visits before and after China.  I hope those visits were more productive than we can imagine.



Wednesday, November 15, 2017

Offense and Defense in Cyberworld

According to a Reuters article today, the Trump Administration is going to publish guidance on what to disclose about security flaws discovered by intelligence agencies.  I have sympathy for the cause, but the discussion is about the wrong thing.

The issue for many years has been that flaws are found by the offense side of cyber and those flaws are used to get into systems outside the US.  When I started, we didn’t admit that we had an offense, but since Snowden it is a little harder to avoid.  The defense in cyber finds the same flaw and sets out to get the vendor to correct it to make for better security.  We used to call the difference between the two sides equities.  Is it  more important to be able to get into a foreign system or fix a flaw that occurred but was not detected by the public or the vendor?  I know that sounds like a rational question, but it is the wrong question.

The real question should be, “Should we allow the offensive side of cyber to work with the defensive side of cyber to improve defenses?”  That answer is no, even though every rational person in cyber security thinks it is a great idea.  It is counter-intuitive to say no to the question.

First, both sides look for flaws in systems.  One side wants to exploit them;  the other side wants to fix them.  Cooperation seems to be of mutual benefit.  Only in this one case, it isn’t.  What the offense gives up in this is its ability to exploit systems from defects that already exist and have not been detected by the defensive sides of the world.  Sharing those with the defense side reduces their effectiveness and ability to collect.  It is not in their collective interest to do it.  Those kinds of flaws should be state secrets and not published anywhere.  The tools that are used to exploit them should be state secrets and protected accordingly.  Never publicly talk about what they do or how they do it.

Second, the defense cannot be entirely open about what they have discovered either.  Vendors have to develop patches before they want to advertise that the flaw has been discovered.  It would be easier to handle this if vendors had liability for what they produce, but they don’t, so it takes a long time to correct those flaws.  During that time, criminals, other state hackers (who probably already know) and other security firms are discovering that these flaws exist.  That creates pressure on the vendor to get a change out that actually fixes the flaw.  That is the real difference between the two sides - in equities, how long can we allow that exploit to exist before it starts to hurt us because we have told nobody, except the vendors, that it exists.  Note that this is a question for the defense and not the offense.  The offense will continue to use an exploit until it is patched.

The defensive side of cyber never needs to know what the offense is doing.  Sometimes the offense will complain that something or another has been disrupted by something the defense has done, but that goes with the job.  They don’t run over to the other side and tell them what they have done to disrupt them.  They find something else that works.

The offensive side has a vested interest in keeping the status quo in cyber security, so the less they say about what they do and how, the better.  The defense thinks it can get better by finding and fixing those flaws.  The simple rule is to not allow the two sides to cooperate, even where it seems like both might benefit.  Only the defense benefits, and we take away important intelligence assets by thinking any other way.

So while we might think guidance on how to treat flaws exposed by the intelligence community is a good idea, unless it says “keep quiet about them” it isn’t helping.