
Summary:

When it comes to valuable intellectual property, it’s a question of when, not if, it gets compromised, says security guru Dan Geer. Case in point: U.S. weapons designs.

F-35 joint strike fighter
photo: Dysanovic

For anyone paying attention, the fact that Chinese hackers apparently accessed key U.S. weapons designs may be unsettling but hardly surprising. Previously undisclosed findings by the Defense Science Board show that more than two dozen major weapons designs were breached, according to a Washington Post report on Tuesday. Affected projects range from U.S. missile defenses to combat aircraft — including the F-35 Joint Strike Fighter — and ships. (The Post compiled a list of the affected weapons here.)

Dan Geer, a superstar among computer security and risk management experts, spoke to me about just this sort of risk last week. The most sobering part of the conversation was Geer’s stated belief that the game has definitively shifted from prevention of attacks to mitigation of their consequences.

In short: if you have something worth accessing, it will be accessed. The only realistic goal now is to make sure you know when that breach happens as fast as possible. I quoted him on this topic earlier, but his words ring even more eerily true now:

“If your enemy really is the People’s Liberation Army, what can you do? We can sputter about it but they’re serious and they’re good … The most serious attackers will probably get in no matter what you do. At this point, the design principle, if you’re a security person working inside a firm, is not no failures, but no silent failures.”

Of course security vendors have latched onto these threats as a way to sell more stuff and are increasingly glomming onto big data analysis as a way to shorten the time between an attack and stopping it in a high-stakes game of whack-a-mole.

As RSA executive chairman Art Coviello said a few months ago: “It’s not about perfect security; it’s all about ratcheting down risk as much as you can.”

And it’s not just huge government contractors, agencies and suppliers at risk. “No industry is immune,” cautioned Geer, who is also an advisor to In-Q-Tel, the investment arm of the CIA and other security agencies, and to Verdasys, a security vendor. Almost anyone can see why hackers target gigantic players like Boeing that spend billions on designs which could be used to build similar products at much lower cost. But don’t forget that any grocery store chain that uses credit cards is also a target for someone, Geer said.

Feature photo courtesy of Flickr user Dysanovic

  1. What this proves, as many know, is that the big integrators and the federal employees responsible for cyber don’t really do it, and we pay 100s of millions in taxes for them to fake it. The people who turn in the compliance work and permit self-assessments and waivers should be fired, but that does not happen in the beltway crony system; they do a lessons learned and then fail again and do another one.

    1. Chinese compromise of U.S. weapon designs – painful lesson in cybersecurity & the need for DLP systems which actually work, “DLP vs DLD”? @gigaom @gtbtechnologies

  2. The “only realistic goal” now should be to get our secrets the *#&@ off the Internet.

  3. Has anyone ever thoroughly researched Apple product reliability? I have two iMacs, two iPads and two iPhones. Both Macs crashed at just over 3 years (one was constantly being serviced), just months beyond the 3 year extended warranty, one iPad went totally dark (under warranty this time) and one of the iPhones has been replaced four times. We had to replace one of the Macs with a new one and replace the hard drive on the other. If my math is correct, this is a 75% failure rate!! My understanding is that Apple charges a premium price for their supposed product quality. Dubious in my opinion. They need to get their act together. The cult-like Apple following simply shouldn’t put up with this.

  4. This only proves that you easily fall for propaganda. You only know this info because they wanted you to know it. For all we know it’s a planted story to raise the alarm for tighter Net security.
