In 2018, Bloomberg published an article covering a Chinese compromise of hardware components built by a U.S. microchip manufacturer. The products found their way onto the networks of some very prominent U.S. companies, generating a great deal of interest from all corners of the globe. Reaction was mixed. Some insiders believed the report and some refuted it. The report is dated, but it was important then, and it is important now.
As a nation we have got to pay more attention to what is happening in cyberspace. It is the most complex and populated manmade environment in history, and it is nearly impossible to distinguish between the good guys and the bad guys within.
Following publication, companies cited in the article and many prominent United States Intelligence Community (IC) officials questioned the veracity of the reporting. Of course, Bloomberg stood by its reporting and its sources were very thoroughly vetted – leaving the big question – ‘Is it true?’
I have a unique perspective. As a former cybersecurity operator and as a former speechwriter at the National Security Agency under Generals Hayden and Alexander, I had access to a lot of information. During that time, I routinely took part in classified intelligence briefings, informing my perspective and enabling me to understand trends, tradecraft, and the capabilities of many nation-state cyber actors. My understanding of those things still applies today – and that is the basis of this commentary. But another reality is that I no longer have access to classified intelligence – so I have no insight into specific reporting that may underpin and either refute or confirm the story as reported.
First, I commend Bloomberg on a story clearly doggedly pursued and researched. I have a professional relationship with Jordan Robertson (the Bloomberg author), and I know his journalistic integrity and bona fides – and they are both a credit to his profession. I also look at this through the eyes of the IC – particularly from an NSA viewpoint. From my experience at NSA as an employee, and now as someone who works with the Agency from the private sector – I believe that they are a national treasure, and I respect their ability to execute their foreign intelligence mission. Further, I know that they steadfastly work within the bounds of the law and honor the privacy of United States citizens.
The other thing I know is that the thing that keeps many national security officials up at night is the potential vulnerability of the critical infrastructure. Our nation’s wealth is stored there, our power grid lives there, and command and control of many public transportation systems occurs there. It is a rich target for any adversary who wants to harm our way of life at home – and that is the very definition of terrorism today.
The irony is that most of the critical infrastructure, while the heartbeat of our nation, is controlled in cyberspace via non-national security networks. That means they do not fall under the authorities of NSA or Cyber Command. It is up to the Department of Homeland Security (DHS) to work with our partners in the private sector to help ensure that those entities are protected. That is a vast responsibility. DHS has taken great steps over the last decade in upping their cybersecurity game. The work that they are doing with respect to the Integrated Adaptive Cyber Defense initiative is groundbreaking. If you are not familiar with that initiative, you should take time to read about it.
So, from whom are we trying to protect our national treasure? We have many adversaries in cyberspace and one of the most capable is China. Now that I am not part of the IC, I read more than ever about foreign nation-state actors to try to keep up. I read about what IC officials say publicly all the time. NSA and the rest of its fellow IC and Department of Defense organizations openly acknowledge that China, Russia, North Korea, Iran, and a few others routinely target our critical infrastructure systems. The Chinese government has a catalog of tools, tactics, and paid expert hackers dedicated to wreaking havoc in cyberspace. Not coincidentally, one of the best methodologies in the playbook is supply chain interdiction.
Is that what happened in this case reported by Bloomberg? I personally do not know for sure because I am no longer privy to classified information. Limited access and need-to-know are not government ruses to hide nefarious activity. If information is sensitive to our national security, it is essential to keep it ‘close hold.’ But the Bloomberg account is well-researched, well-documented and well-sourced by industry experts who have deep insights and connections. This type of activity by China is plausible. I get that some very smart, well-connected people publicly say the account is not accurate. Fair enough, but just because smart people disagree (that should be a bedrock of any modern society) does not make it untrue. For the record, I have talked to many brilliant and well-connected folks who absolutely believe the account Bloomberg presents.
Regardless of any disagreement, we can all agree that the Chinese are a capable and motivated nation state with a track record that demonstrates the type of capability reported in this story. And if every word reported is true – that does not mean any of the companies were cutting corners or compromising security practices. They may well be unwitting victims who fell prey to one of the most sophisticated cyber adversaries in the world. Is there shame in that? No. Do we need to learn from it and do better going forward? Absolutely.
We will never know if the reporting is true or not, but the bottom line is – we must do better when it comes to all things cybersecurity related. We hear and read about Russian election meddling. We hear and read about the Chinese stealing intellectual property and leveraging it for the growth of their military and economic engines. Those things are story lines nearly every day. So, it does not matter what we are doing or how we are doing it. It is not effective enough. Period. We cannot afford to lose stuff of great national value – ever. Whether it is once an hour, once a week, or once a year – we cannot accept it. We must do better!
Our cybersecurity posture today does not scale to effectively defend in the current cyber threat environment. We build a better mousetrap and our adversaries improve their tools and creativity and defeat it – then we react again. Repeat ad nauseam. Convenience and security rarely go hand-in-hand. The whole paradigm favors the offensive cyber actor unless we change the game.
We need impenetrable – not ‘really hard to exploit’ – as our defensive posture. Quantum communications, implemented properly, open that possibility of impenetrability. People say that is a ‘future’ technology. They say it is theory, not reality – not yet. Wrong. The big topic of the day – the Chinese – are living proof. They are building a $20B cyber center which is slated to be up and running in 2020. They have already operationalized quantum physics both terrestrially and in space. Simply Google China and Quantum and take it all in!
Why are they ahead? I contend that the reason is not only that China is outspending us on quantum technology (some estimates say 30 – 1 over the last decade), but they practice a level of private/public cooperation that we do not have in the US. Of course, a society like China has the advantage that it can simply compel cooperation from the private sector. We are disadvantaged but blessed in that regard. In our free society we cannot – and should not – operate that way. That is not how our democracy works. But, as the best nation in the world, as the freest nation in the world, we should figure it out. We need a ‘quantum collective’ that unifies efforts between government, industry, academia, and private investment.
We need more trust in and from the public companies. We need more collaboration (and less classification) from the government. We also need the government to drive smart policy moves to enhance the ability to collaborate. We need academia to redouble the work they are doing in research and development. We need private investors to pour venture capital into the quantum training and development market. Simply put, we need to work together.
The government’s 2018 Quantum Initiative Act and associated $1.2B investment was a great start, but we are playing catch-up, which requires all hands on deck. Consider this a collective call to arms to catch and surpass the Chinese in quantum technology. Remember – the cybersecurity defender of may look more like a quantum physicist than a firewall designer.