Errr
If we live in a world where corporations are hacked and their IP stolen, the answer is simple. Don't keep it online.
The poster child for the green energy revolution is in ruins: its executives say they have hard evidence that China's People's Liberation Army stole its breakthrough technology before it could commercialise it. So now the company plans to hack back. The Prime Minister needed response options, so the head of state asked The …
Quite difficult to research things without using an 'online' Search Engine. Search Engines are not a one way knowledge system. Anyone that thinks Google/Baidu/Bing don't scrape search queries for Intellectual IP ideas is deluded, especially when they have targeted IP addresses of individuals known to work in the Intellectual IP industry.
You just have to look at the way Google handles its interview process with such individuals. Google use the word 'interview' (interviews) as a means to gather competitive data.
The UK's Investigatory Powers Bill just makes this even worse, because now you can't tell who is doing the targeting, with free rein to penetrate networks.
I'd be blaming Google long before I blamed the Chinese.
> scrap[e] search queries for ... IP ideas
Ideas are not intellectual property. No-one can own an idea: this is not some utopian ideal, it is a settled matter of law. What you can own is a state-granted patent on an implementation of an original idea or innovation. It is crucial to note that the patent MUST disclose the idea, and the innovation, in enough detail for someone else to implement it. If what we are seeking is a better way of protecting the direction of innovative research at e.g. the hypothetical Green Tech Company, then not shoving illuminating search queries into public search engines would be a hot favourite.
"If we live in a world where corporations are hacked and their IP stolen, the answer is simple. Don't keep it online."
Simple - yes. Practical - not so much. As you've probably noticed, networked computers are fairly common in today's modern space-age offices. If you airgap the network with the seekrit s0rce,
(1) you now can't do anything useful with it, like email it to manufacturing partners, send drawings to your marketing dept so they can start working on the shiny shiny brochures, and so on; and
(2) Stuxnet.
Some [conceited]* ctte somewhere contrived some absurd, yet weirdly specific, hypothetical challenge, to solicit hypothetical solutionoids which affirm its entrenched dogma.
Bloody wonderful.
May I have the last ten minutes of my ever-more-miserable existence back please?
*Hope you'll forgive the redundancy.
Simon says this was run by the RAND corporation. They've been researching, and influencing policy, for sixty-odd years, so yes, I would expect the outcomes at least to be placed within easy reach of the policy-makers and executives. Whether they take any notice is somewhat up to people like the Reg readership - there won't be, for instance, a security quality star rating system, unless there's a widespread call for it.
"Whether they take any notice is somewhat up to people like the Reg readership - there won't be, for instance, a security quality star rating system, unless there's a widespread call for it."
If it was up to the Reg readership there'd be no warrantless spying, no talk about back-doors only accessible to the good guys and a load of other crap.
"Simon says this was run by the RAND corporation. They've been researching, and influencing policy, for sixty-odd years, so yes, I would expect the outcomes at least to be placed within easy reach of the policy-makers and executives. "
One of the more eyebrow-raising discoveries by the RAND corporation was that no nuclear-authorised US military officer will ever use the things. In simulations run during the 1960s-80s they tended to only use them once, then in all subsequent runs, try everything else - including surrendering - _even if the other side has tossed them first_.
The "Nuclear option" so beloved of politicians, isn't. Soldiers pledge allegiance to their country and it's one of those things where the only way to win is not to play - and not to accept such an order.
This is another one of those scenarios. Declaring war and "hacking back" overtly will result in all hell breaking loose.
Intellectual property has been stolen and traded for hundreds of years, one example being Marco Polo's silkworms and pasta. One of the more interesting paths to innovation is when something is copied _badly_ and the copiers actually come up with new ways of doing things as a result (pasta being an example of the latter as an Italian version of rice noodles).
In terms of a Tekwar, the problems can be as bad as a nuclear one and using the civilian population of XYZ country as a target is an idea which WILL come back to bite you, even if that's things like targeting the infrastructure to damage power and water supplies. Don't forget that one of the fastest ways to recruit terrorists to attack ABC country is simply for ABC country to drop bombs on his family for no apparent reason - and it doesn't matter if the bombs are literal or logic bombs - if they kill people you'll end up with a steady stream of revenge-seekers.
Everything is too interconnected to consider this kind of thing. Imagine the effect of energy supplies in the central USA being cut off in the depths of winter. How long before people freeze to death? etc. etc.
Could it be western mentality preventing people from Pressing The Button? What if it was an Eastern person where MAD would be preferable to surrender?
As for the winter scenario you describe, what if more people were encouraged to keep their own supplies, including power, in case of a disaster?
Doctor Syntax: "The cynic in me says these are not going to be the decision makers."
Indeed. It is definitely a policy at my company (hence AC) and, it seems, almost everywhere else, to minimize the set which is the intersection of those equipped to make decisions and those authorized to do so.
"This event was much more than a luvvie-fest."
As someone who attends similar events I'm a little split on their value. Generally you will find that the people who attend either know their stuff or are there to learn, so the company of informed and intelligent people is normal. There will also be some swivel-eyed loons (depending on the invitation policy of the organisers). I've still got the mental scars from attending a "hacker camp" where among the decent folk there was one complete and utter conspiracy theorist who I couldn't shake off after giving my fairly bland talk on the history of hacking in the UK.
The scenarios are really difficult to set up and tend to be quite naïve - after all the organisers can't really divulge what the bad guys do and how they do it. They also can only have limited understanding of the full (political, legal, military) framework within which investigations happen. Cyber offence isn't cyber defence and it's of really questionable value IMO. There comes a point where you need "boots on the ground" to tell if the last IP in the chain really is the perpetrator or if they are yet another zombie. I'm reasonably sure that both China and Russia (not to mention the USA) are working now on offensive operations that are set up to implicate another country. What works when fighting a shooting war also works for infowar.
I am very pleased to learn that there is some kind of intelligent discussion on the matter. Whatever the results and however long it takes, a proper solution starts there.
Good to know that participation was of apparently good level, that means that the results will hold up to scrutiny and "startup-level" bollocks will have a harder time inserting itself into the scheme.
The road to public security is long and hard, and we've just set foot on the path. I look forward to the progress reports on this crucial matter.
"the second of which dropped players into the year 2022 at a time when several companies have demanded government action after their IP suddenly and mysteriously turns up in the hands of offshore rivals."
So the exercise simulated those government mandated back doors of the recent investigatory legislation becoming accessible to non-government players....
The only solution that makes sense is to bunker your data so it's as near to impossible to steal as possible. You have to be lucky all the time and hackers only have to be lucky once, as the saying goes.
Keeping essential data off the internet is a good start. Limited, layered access to only those people that need it. Compartmentalise the work so that most people don't know the whole picture. Honeypots and other traps. Chaff generation to send anyone that does get in down the wrong path (and if anyone falls for it, you'll have a clue later as to who was behind the attack...plus it'll almost certainly cost them a few quid to sort and debunk your chaff). Strictly limit the software used (nothing by Microsoft or Google as the very start; also nothing cloudy unless it's locally encrypted using your own kit first). And encrypt the living crap out of everything.
Even bunkering properly is going to be expensive, and not just in money terms. If you compartmentalise the work, for example, you are losing out on a lot of creativity and cross-pollination from your own team but if you don't you're more vulnerable to social manipulation.
Attempting to hack back is an exponentially expensive waste of time if you're trying to revenge hack the people who hacked you...what are you going to get from a skilled hacker who's almost certainly using a burner laptop running Tails or similar? If you have some production capacity and no idea what to do with it, you could always try to hack China generally, I suppose, and see what comes up, but there's no guarantee of success and a reasonable likelihood of expense.
P.S. Bunkering has to be built-in from the start; and that's why it's not going to happen in today's corporate culture where you react after the fact to something that's suddenly costing you money/embarrassment. It's too late then.
I 'ad a thought, formin' in me 'ead. After the edit window ran out, of course.
Possible company structure:
Inner perimeter/offline
Connected via a one-way link to the:
Outer perimeter/online.
The outer perimeter would have all the usual firewalls etc BUT all staff outside would have to start the day with a blank-ish VM (custom per user so email etc. works). You can interact with the outside world and look stuff up etc; stuff you wanted to keep would be safely saved inside the perimeter but any hacker would only get that day's stuff and would have to re-hack you all over again tomorrow. Or train the users to run Tails.
Part of the image would be a 'shared folder' where the user could save stuff they wanted to keep; which at the end of the day would be copied inside the perimeter via the one-way link and never, ever run on that network. If the user wished to use that data, he would have to copy it from the network (via another one-way link (outwards this time)) to another non-internet-connected machine where they could work. This machine would also have other continuity stuff beamed to it like email archives and so on.
You'd need 2 machines per user, and the system would be a bit irritating to use until you got used to it, but you could have both machines side-by-side on the same desk. Could probably use Raspberry Pis for the outside the perimeter part. But because of the one way links and the fact that *NOTHING* from outside runs on your storage it would be really, really difficult to hack remotely and with the right mix of access privileges, locks, armed guards and piranha moats wouldn't be that easy to social engineer either. Your IT dept would have to be fairly switched on too as they'd have to generate a custom ROM for each user in addition to all the other tasks (but you might make that time back by not having to worry about the users clicking on dontclickonthisFFS.hta). You could automate the ROM part, anyway.
Just a thought.
"Just a thought."
Yes... apart from the bit about Raspberry Pis (you really need to think about running an enterprise infrastructure) what you have described is a sort of vague first guess at how it is done in reality. It's an old-fashioned approach with an emphasis on perimeter defence. However, as you describe it, it's both unworkable and impossible to maintain.
A similar concept can be found in "information kiosk" type delivery where some trusted (but not very trusted) party wants access to sensitive data. The systems will be configured to permit the user to work in a virtual environment and have access to only those resources that they need for their work. There will be no export route. There will also be a lot of other stuff that I'm not going to go into detail about that is used to detect anomalous behaviour. This is expensive provision and it's only worth doing it if the assets to be protected are of high value.
Well I made it sound more complicated than it really is, I think. I agree it's kind of primitive but it would:
1. Severely curtail the amount of data available to be hacked
2. Make it very much harder to get at the central data repository
3. Cut down on damage if a user did click on something unfortunate
4. Be pretty simple.
...of course the whole plan is blown to bits if a user wants to use - say - Office 365; but if you're using that then you effectively don't have secrets anyway. So it would require a willingness on the part of the users to use simpler and more primitive software (which may be a whole new level of unrealistic right there). The basic point is that nothing is executed on the central data repository... treat data like freight in the one place (plus backups) it's all together. The other basic point is that - at the cost of inconvenience to users - you are limiting dependence on 3rd parties as far as is humanly possible.
Anyway, it was a theoretical first draft in a moiety-friendly world where you could tell users "this is the way it's going to be for these reasons" and people would actually listen. And beancounters would appreciate that a few quid upfront and higher running costs is preferable to getting the company ransacked later, even if they are 3 days from retirement. And unicorns frolic in the mist and people buy me beer all the time because they like the cut of my jib.
Well, nice, but spying was a thing even before the internet was invented.
So, let's say your network is 110% secure but governments know that your research team is top notch.
How long do you think it would be before every geek and secretary in the organization is suddenly 'assaulted' by gorgeous people?
"How long do you think it would be before every geek and secretary in the organization is suddenly 'assaulted' by gorgeous people?"
No need for that. Just plant people in the research team. Friendly and unfriendly countries have been doing that for decades (There weren't just Russian spies at Oak Ridge, etc)
Of course if you're spying on your friends you tend to need to be a bit more circumspect about how you use the information you've gathered, but the point remains.
The poster child for the green energy revolution is in ruins: its executives say they have hard evidence that China's People's Liberation Army stole its breakthrough technology before it could commercialise it. So now the company plans to hack back.
That sounds like the company is trying to wriggle out of explaining why the odd billion $ they got from the government for their revolutionary idea produced nothing worthwhile but did allow the executives to live the high life.
The thinking was that if China, or whoever hacked the company, could see an easier route to profit than espionage, why would they not pursue it?
Maybe because they are potentially going to get everything by cracking rather than a small subset of what you want them to see when you sell it to them? Anyway, 'easier' isn't important. What is important is 'cheaper' and if that's what you really do mean, how do you know it's cheaper?
You cannot trace back the origin of malware or an attack just like you cannot trace back the origin of a text. Of course you can say that a text is written in Chinese so it might come from China, but that's largely bullshit. Everyone can fake that...
...and this is the problem with "Cyberwar", anybody can trivially claim they are X and attack country Y so Y will strike back at X even though X is innocent. You don't need people to learn a foreign language, just compile your code on a Windows version from that country and rent a foreign server at a hosting company in that country and people will only find that.
So whenever you hear "Country X did it", there usually is a very flimsy chain of evidence behind it. It's virtually impossible to actually know where such an attack came from.
What we can do to prevent it is normal IT security. And that's _much_ cheaper than any "Cyberwar".
It WILL involve spending something: usually money (translated from time and/or resources). It's always been that way, even down to physical defenses in the past. Separating resources will cost you time because it's harder to reach, especially if you face the dilemma of information that's both vitally secret to your business but needed all the time, like a "Top Secret" door that nonetheless has to be opened several hundred times a day, any one of which can cause the corporate jewels to be stolen. Furthermore, no security in the world can do much against a skilled insider.
"..China's People's Liberation Army stole its breakthrough technology before it could commercialise it."
Is the scenario likely? Wouldn't you have patented the idea in most major markets long before commercialising it? Therefore restricting the chance someone else can make money from it.
If Apple can patent rounded corners then you should be down the patent office as soon as an idea crystallizes.
Perhaps a government funded patent body that UK businesses can go to who will handle this process in multiple regions? Go even further and this body can aggressively purchase intellectual property portfolios to defend UK businesses or even generate income. I hate to condone patent trolling but if everybody else is being a d**k why not?
"Is the scenario likely? Wouldn't you have patented the idea in most major markets long before commercialising it? "
Are you unfamiliar with the Chinese approach to patents? A patent provides no protection within China, hence the enormous range of knock-off Chinese goods.
As to likely, it's not just likely, it's a deal that has been done many times. China is information hungry and will take data even if they don't have a clear reason to use that information today. They have been caught fingers in the pie more than once obtaining both commercial and military information. Have a look at GhostNet, Operation Aurora, Green Dam, Lan Lee and Yuefei Ge for example.
There's also this indictment.
"Are you unfamiliar with the Chinese approach to patents? A patent provides no protection within China, hence the enormous range of knock-off Chinese goods"
Actually a patent _IN CHINA_ provides the same protection in China that a patent in the USA provides in the USA or a UK patent provides in the UK.
If you can't be bothered patenting in all applicable countries then expect this to happen. If a Chinese manufacturer is making something that's patented in the USA then he has zero liabilities unless he's also the one importing and selling it in the USA.
You can thank the USA for this kettle of worms. They set up laws so they could conveniently ignore other countries' patents/copyrights/Intellectual Property until it suited them not to. Now what goes around has come around.
Surely the company can just go ahead and commercialize its breakthrough technology despite what happened.
Any products made in China with that stolen technology would be infringing, and thus would be banned from import anywhere in the civilized world. Any country that didn't cooperate with the ban would find itself isolated, like Iran or North Korea.
That would be the measured response to the first time such a thing happens. The second time, all trade with China would be cut off.
Still no global thermonuclear war involved.