Saturday, February 16, 2008

Espionage and China

This article by the Washington Post makes an interesting read regarding the threat of economic espionage from China and Chinese nationals.

I wonder how much current concern about this topic is grounded in reality versus hysteria. It'd be worth finding out how many cases of corporate espionage involve countries other than China, and how many are perpetrated by U.S. citizens or by non-Chinese foreign nationals. Maybe it seems like there's an epidemic of Chinese espionage simply because those are the stories that sell best.

Thursday, February 14, 2008

Infrastructure Attacks

I'm not big on arm waving, notions of cyber terrorism, or blowing things out of proportion. Still, this PC World article is kind of interesting. It reports on internet-based infrastructure attacks on cities in an undisclosed location (outside the U.S.). While the reality of these specific attacks is news, the possibility of such attacks is surely no huge surprise to anyone in IT security.

As long as one doesn't jump to conclusions or fall into the trap of overestimating the risk because of its recency or other factors, such a report is a good reminder that infosec professionals need to methodically analyze and address a wide array of threats and risks. Of course, not all infosec pros have to deal with this sort of issue.

Another reminder is the (count them) five undersea cable cuts in the Middle East. Whether from anchors, sharks, terrorists, intelligence agencies, or just normal failures that the media hypes into a story ("Cable cuts happen on average once every three days"), there are lots of risks that maybe we don't think about, and occasionally the unlikely does occur. Thinking carefully about such rarities, we may choose to accept the risk even if our ill-adapted brains scream that we need to prepare immediately right after reading the news article.

Back to the infrastructure attacks. The motivation in this instance was extortion. When doing risk analysis at different levels (individual facility, city, county, state, country), I could see that motivation would change the nature of the threat and risk. I wouldn't expect extortion to be extremely widespread or coordinated in locale or in time. The impact of such an attack might be more limited. If instead the motivation of the threat source was some sort of military action, terrorist action, etc., that would change matters and the scope of impact would be greater if the attack were successful.

Let's hope the infrastructure security folks are on top of this. It makes me a little nervous to read "The U.S. is taking steps to lock down the computers that manage its power systems, however." Shouldn't we have already done that years ago?