When someone steals your laptop and doesn’t give it back, that’s bad. It is worse when someone steals your laptop and then gives it back to you.
The Beijing Olympics are upon us and according to a recent USA Today article:
National security agencies are warning businesses and federal officials that laptops and e-mail devices taken to the Beijing Olympics are likely to be penetrated by Chinese agents aiming to steal secrets or plant bugs to infiltrate U.S. computer networks.
Equipment left unsupervised for just minutes in a hotel or even during a security screening can be hacked, mined and bugged… There is a high likelihood — virtually 100% — that if an individual is of security, political, or business interest to Chinese … security services or high technology industries, their electronics can and will be tampered with or penetrated...
Wow. Sounds like China bashing, scare mongering, US propaganda to me. Well, not really. There is a fine line between scare mongering, anti-China sentiment, and stating the facts as we know it. And we know the facts pretty well, or, at least well enough to make these rather pointed and upsetting statements publicly. That said, what is unfortunate to me is that the article did not highlight the issue strongly enough.
Both France and Russia have publicly admitted to one extent or other to actively spying on U.S. businesses and U.S. business people. In fact, it’s not just U.S persons, but any competing business or individual. To quote the Pierre Marion, Director of the French Intelligence Directorate, “This espionage activity is an essential way for France to keep abreast of international commerce and technology. Of course, it was directed against the United States as well as others. You must remember that while we are allies in defense matters, we are also economic competitors in the world.”
And these are our friends.
In this light, it is far from surprising that China might consider conducting the same activities as well as deny it emphatically (“The so-called accusation of the Chinese military espionage against the U.S. is groundless and fabrication with ulterior motives.").
Of course, espionage is status quo. Many readers might be surprised to find out that acts of espionage – especially cyber espionage – are not illegal in international law. Sure, individual nations might make espionage a criminal offense, but not in the international realm (which also means it is very murky whether you can legally go to war over it).
The fact that espionage is largely ignored by international law might make some of us squeamish to some extent... I mean, they’re actively stealing stuff from other people, mannnn…but this is the reality of international economic competition and a globalized economy. Competition is good, but it has its darker, and some might say “necessary” elements.
Some nations dabble in espionage, and others engage in it aggressively. According to a 2007 report by the U.S. Director of National Intelligence, China's espionage services are "among the most aggressive in collecting against sensitive and protected U.S. targets." But don’t think just defense contractors or government agencies are the only targets. Food service companies have been the target of remote cyber attacks also.
It's not whether you think you are a target, it's whether the adversary thinks you are worth targeting.
So In 2008, people will flood into Beijing bringing with them their iPhones, laptops, Blackberry’s (World Phone, of course), you name it. And these devices might be unfortunately lost ("I know I just put in down, now where did it go?"), borrowed ("Excuse, Mr. Smith, we need to examine your laptop before your flight, there seems to be a problem…"), outright stolen ("Hey, who’s been in my room and where's my stuff?"), or the worst of all cases:
“Oh, here it is [laptop, iPhone, whatever]. It’s right here. Now how did I miss that?"
The best thing about espionage – especially cyber espionage – is that you don’t actually have to keep anything as the perpetrator. You can remotely copy a database by exploiting a software vulnerability from 8,000 miles away and leave the hard drive just were it is. You can also take a physical device like a mobile phone, do something to it (which I’ll get to shortly), and give it right back with the owner none-the-wiser, if not a little confused ("...must had too much to drink last night").
Now, I know there are plenty of people out there that might retort, ”Oh, our hard drives are encrypted, this isn’t going to be a problem for us.”
Really?
The best thing that could actually happen to you is that your laptop is stolen and you never get it back. Encrypted hard drive or not. The worst case is when someone “borrows” your laptop, inserts an implant without your knowledge and then gives the laptop back to you. This implant, which could be hardware, software, or both, will happily siphon and record all the information as your hard drive goes about decrypting it to display on the device's screen. The implant will then send that information to heaven knows where, probably hijacking your internet browser when you're not looking (this circumvents your firewall protection, by the way, because most peoples' firewalls permit outbound traffic from their browser).
Hard drive encryption? Please.
Now, outside of the Olympic context, for many people hard drive encryption makes sense. So my cynical retort needs to be diluted just a bit. Why? Because unless you, your company, or your company’s information is important enough, or “of interest” to the adversary, you are probably not a target and therefore hard drive encryption is perfectly fine. This is true for 99 percent of the people out there. Hackers without nation-state backing will have a hard time constructing the hardware implants necessary for conducting these types of operations without being detected.
But when the world comes to your doorstep in the wake of world-wide and none-too-obvious cyber espionage activity emanating from Chinese networks, well, hell, why not throw the net a little wider when the visitors-come-a-visiting and see what happens? It's a cornucopia when the world comes to you! And who among the US populace would really believe statements by U.S. Intelligence about cyber-espionage after slip ups on Iraq and Iran…oh, and the 130,000 Russian troops that swarmed into Afghanistan in the 1980s right under the nose of the CIA. But I digress.
Congressman Mike Rogers says it most succinctly, "the Chinese will take full advantage of any opportunity to not only take a peek at what's on electronic devices but also to implant them."
I’ll tell you what I tell my private clients when traveling to known adversarial nations, “If you care in anyway about what’s on that device, and you care what comes back, leave it at home. Purchase a new device for the trip and toss it upon return. And for Heaven’s sake, don’t connect it to anything.”
If you’re going to the Olympics this year, enjoy! Bring back good memories…but only on an analog, not a digital camera (hint, hint).
Comments