Yesterday's report by Mandiant outlining the activities of a group behind literally hundreds of APT attacks and tracking them back to a specific unit of the Chinese People's Liberation Army (PLA) was chilling. For me, they connected the dots so well that I don't doubt the conclusions of the report. Of course, China has denied these conclusions and any involvement in hacking activities. You should read the report and draw your own conclusions.
As both a long-time observer of the security industry and long-time attendee of the annual RSA Conference starting next week, I had to raise my eyebrow at the timing of the Mandiant report, though. It seems every year on the eve of the conference one security company or another rolls out a report highlighting some dire new threat that the security industry needs to respond to. In years past, the folks at McAfee were great for this. Operation Aurora, the original APT (advanced persistent threat), was a few years back. But there were others before McAfee, and there have been others since. Hey, you can't blame them. RSA Conference is the biggest security conference in the world. Everyone wants to grab a disproportionate share of the media coverage. In a crowded room, sometimes yelling "fire" gets the attention you crave.
Now, don't get me wrong. I am not saying that the research revealed by Mandiant yesterday was wrong or untrue. I am just questioning the timing of the release. Do you think waiting for the week after RSA was considered? To me, coming out with this on the eve of the conference was just so marketing-gimmicky that it hurt the great content and true message here.
This evil plot by the Chinese government and military that Mandiant outlines, coming when it does, sounds like something out of the movies. It reminded me of an old comedy from back in the Cold War days of the 60's called "The Russians are Coming, The Russians are Coming." Again, I don't mean to minimize the risk here or disparage the work done by Mandiant. Trotting out the evil empire as the security industry converges in San Francisco, though, is just too Hollywood.
Being in the media and also helping companies with their PR and marketing activities, I understand the needs and pressure of getting press coverage. I also understand that in the last few weeks we have seen high-profile companies and targets being hacked and infiltrated using the techniques highlighted in the Mandiant report. But, damn it, they diluted it and gave fuel to the doubters by making it a marketing event like this.
I really do believe the conclusions in the report. Having worked in a security company that did a lot of work with the DoD and the U.S. armed services, I know the level of attack that our government networks are under every single day. As I have written, I strongly believe that we need a cybersecurity policy; that we need to do something about this very real threat. The Mandiant report could have been the dam breaker. It could have forced people to take notice and finally do something.
Let us also be clear about what we are talking about. A concerted effort by a nation state to obtain the intellectual property of another nation and its corporate citizens (if you believe corporations are people too). Cyber espionage, if you will. Industrial espionage has been going on forever. The practice of stealing industrial secrets is far from new. Using computers to do so and getting caught red-handed (no pun intended) are the new twists here. New technology poses new issues to deal with. We need to be clear about what not only crosses the line of criminal behavior but also represents activities that will elicit strong strategic responses from our government.
Another view is that we are at a midway point. Having these kinds of attacks and breaches will force us to harden our infrastructure and, as a result, in the hopefully not-too-distant future, these kinds of intrusions will be impossible to pull off. Unfortunately, I don't buy into that one.
In any event, this report comes across as too self-serving being published when it was. So many people I spoke to about the report asked me if Mandiant had a speaker already lined up to speak at RSA and whether the company had been sitting on this information to capitalize on it. Some things are more important than maximizing marketing. I think this is one of those times.
My message to you, though, is don't let the marketing fool you. Forget the timing, forget the RSA Conference, and forget my whining here even. Go read the Mandiant report. If the details are too down in the weeds for you, at least read the executive summary. After you do, let me know if you still think we should not have a national response to this kind of attack.
As co-founder and Managing Partner at The CISO Group, Alan Shimel is responsible for driving the vision and mission of the company. The CISO Group offers security consulting and PCI compliance management for the payment card industry. Prior to The CISO Group, Alan was the Chief Strategy Officer at StillSecure. Shimel was the public persona of StillSecure as it grew from startup to helping defend some of the largest and most sensitive networks in the world.
Shimel is an often-cited personality in the technology community and is a sought-after speaker at industry and government conferences and events. His commentary about the state of security, open source and life is followed closely by many industry insiders via his blog and podcast, "Ashimmy, After All These Years" (www.ashimmy.com). Alan is now also a regular contributor to The CISO Group’s security.exe blog and podcast.
Alan has helped build several successful technology companies by combining a strong business background with a deep knowledge of technology. His legal background, long experience in the field, and New York street smarts combine to form a unique personality.
Disclosure: The CISO Group sells a software-as-a-service PCI compliance application called SAQPro. The company is independent and does not represent any other vendor's products as a reseller.