Data as an instrument of war

Hair Warrior

Well-Known Member
Contributor

Status quo: It’s illegal to sell a firearm across US state lines without an FFL. And, illegal to sell internationally without an arms export license. It’s illegal to make or possess certain other destructive devices - e.g. bombs, missiles, mines, grenades, rockets - outside of contracted DoD suppliers.

Unpopular opinion: Congress should make it illegal to sell user data across US state lines or internationally without a similarly-regulated license. Certain data might just be illegal to sell altogether and/or to possess unhashed. The companies that traffic in user data will just have to adapt or stop it.
 

AllAmerican75

FUBIJAR
None
Contributor

Status quo: It’s illegal to sell a firearm across US state lines without an FFL. And, illegal to sell internationally without an arms export license. It’s illegal to make or possess certain other destructive devices - e.g. bombs, missiles, mines, grenades, rockets - outside of contracted DoD suppliers.

Unpopular opinion: Congress should make it illegal to sell user data across US state lines or internationally without a similarly-regulated license. Certain data might just be illegal to sell altogether and/or to possess unhashed. The companies that traffic in user data will just have to adapt or stop it.

The Chinese are already eating our lunch. Silicon Valley is full of Chinese nationals and is rife with Chinese operatives stealing IP. It's literally become a serious problem with Chinese workers stealing code and launching derivative services in China, preventing foreign entry into the Chinese market. The Thousand Talents Program has been working like gangbusters as well, stealing technology and IP from companies, governments, and universities across the Western World, especially in the US.

But nobody is willing to do anything because we let businesses do whatever they please. And the corporations are too busy sucking up to the Chinese for entry into the Chinese market and importing Chinese and Indian workers to artificially drive down wages. Until we lock down our networks, kick the Chinese and Indians out of Silicon Valley, and give the boot to Chinese spies, then we will continue to lose in the cyber arms race.
 

Jim123

DD-214 in hand and I'm gonna party like it's 1998
pilot
The Chinese are already eating our lunch. Silicon Valley is full of Chinese nationals and is rife with Chinese operatives stealing IP. It's literally become a serious problem with Chinese workers stealing code and launching derivative services in China, preventing foreign entry into the Chinese market. The Thousand Talents Program has been working like gangbusters as well, stealing technology and IP from companies, governments, and universities across the Western World, especially in the US.

But nobody is willing to do anything because we let businesses do whatever they please. And the corporations are too busy sucking up to the Chinese for entry into the Chinese market and importing Chinese and Indian workers to artificially drive down wages. Until we lock down our networks, kick the Chinese and Indians out of Silicon Valley, and give the boot to Chinese spies, then we will continue to lose in the cyber arms race.
I agree about the problem and I agree that the solution you're suggesting, though its morality and fairness is debatable, would be effective (and though I'm generally against protectionism as a long term policy, I am for it under certain circumstances as a measured, short term policy... anyhoo...).

I will add this thought about history, the human race, and competition between corporations and nations- espionage isn't a Chinese word.
 

Hair Warrior

Well-Known Member
Contributor
I will add this thought about history, the human race, and competition between corporations and nations- espionage isn't a Chinese word.
Okay... but Sun Tzu wrote about espionage as war in a Chinese language long before the French people even existed or had a language (~500 BC). At that time, they were still Gauls/Franks/Celts and spoke Latin or their native Germanic/Celtic tongue.
 

Pags

N/A
pilot
Okay... but Sun Tzu wrote about espionage as war in a Chinese language long before the French people even existed or had a language (~500 BC). At that time, they were still Gauls/Franks/Celts and spoke Latin or their native Germanic/Celtic tongue.
Whatever you call it, spying is an age old game. Neither Sun Tzu nor the French invented it.
 

AllAmerican75

FUBIJAR
None
Contributor
I agree about the problem and I agree that the solution you're suggesting, though its morality and fairness is debatable, would be effective (and though I'm generally against protectionism as a long term policy, I am for it under certain circumstances as a measured, short term policy... anyhoo...).

I will add this thought about history, the human race, and competition between corporations and nations- espionage isn't a Chinese word.

The fact of the matter is that we must change the way we think of our data and our networks. These are bank vaults that must be protected with our crown jewels in them. Right now we are allowing the Chinese to walk into our bank vaults with reckless abandon. No amount of "being good with the cyber" will save us when there are Chinese nationals writing the code for our software (Which is usually a black box to us) and Chinese companies handling the off-peak coding for our contractors.
 

Pags

N/A
pilot
The fact of the matter is that we must change the way we think of our data and our networks. These are bank vaults that must be protected with our crown jewels in them. Right now we are allowing the Chinese to walk into our bank vaults with reckless abandon. No amount of "being good with the cyber" will save us when there are Chinese nationals writing the code for our software (Which is usually a black box to us) and Chinese companies handling the off-peak coding for our contractors.
Only leverage Govt has is via policy/law and or contracts. If there's no policy with teeth to it businesses that don't deal with the US Govt are free to do what they want. But we also have to not go too crazy with OPSEC. At some point this is the 21st century equivalent of a phone book. Much of this data has always been there, now it's just being gathered in different ways.

Also, this policy needs to decide what is more important: buggering businesses or defense/NATSEC?
 

Hair Warrior

Well-Known Member
Contributor
Only leverage Govt has is via policy/law and or contracts. If there's no policy with teeth to it businesses that don't deal with the US Govt are free to do what they want. But we also have to not go too crazy with OPSEC. At some point this is the 21st century equivalent of a phone book. Much of this data has always been there, now it's just being gathered in different ways.

Also, this policy needs to decide what is more important: buggering businesses or defense/NATSEC?
“Buggering businesses”?

That is a weird turn of phrase. You could say the govt was “buggering” the business of 19th and early 20th century elixir salespeople by making cocaine and opium illegal. You could say the govt was “buggering” the business of nuclear energy companies by restricting the sale of nuclear reactor technology, even though the business would make money selling it around the world. Govt had no problem “buggering” the business of tobacco companies - and Hollywood was all about it. My point is that personal user data is as dangerous an instrument today as smoking and nuclear reactors.

Some businesses need to be highly restricted or even not exist at all. Data has been overlooked for too long. If someone is saying “oh no, too late, nothing we can do about it now” and the “phone book” is already out there that’s like saying we have no control over whether we choose to keep publishing the phone book next year. You can stop the flow of data today. Over time, people will change, move, die, be born, etc. and the old “phone books” that China has now will be less and less useful.
 

AllAmerican75

FUBIJAR
None
Contributor
Only leverage Govt has is via policy/law and or contracts. If there's no policy with teeth to it businesses that don't deal with the US Govt are free to do what they want. But we also have to not go too crazy with OPSEC. At some point this is the 21st century equivalent of a phone book. Much of this data has always been there, now it's just being gathered in different ways.

Also, this policy needs to decide what is more important: buggering businesses or defense/NATSEC?

There's definitely a balance to strike, I've just found that many decision-makers view the cyber domain as something completely alien and foreign with new concepts for conducting it. Frankly, it's no different than physical security and the concepts of defense in depth, appearing to be a hard target, and buying response time are just as applicable, the techniques to achieve them are just slightly different.

I think we ultimately need to view our cyber infrastructure and contractors the same way we view our highways, nuclear infrastructure, and weapons exports. There need to be restrictions of some kind but I don't know what those would be.
 

Pags

N/A
pilot
“Buggering businesses”?

That is a weird turn of phrase. You could say the govt was “buggering” the business of 19th and early 20th century elixir salespeople by making cocaine and opium illegal. You could say the govt was “buggering” the business of nuclear energy companies by restricting the sale of nuclear reactor technology, even though the business would make money selling it around the world. Govt had no problem “buggering” the business of tobacco companies - and Hollywood was all about it. My point is that personal user data is as dangerous an instrument today as smoking and nuclear reactors.

Some businesses need to be highly restricted or even not exist at all. Data has been overlooked for too long. If someone is saying “oh no, too late, nothing we can do about it now” and the “phone book” is already out there that’s like saying we have no control over whether we choose to keep publishing the phone book next year. You can stop the flow of data today. Over time, people will change, move, die, be born, etc. and the old “phone books” that China has now will be less and less useful.
Typo. Should have said, "biggering." Like the Onceler.
 

Pags

N/A
pilot
“Buggering businesses”?

That is a weird turn of phrase. You could say the govt was “buggering” the business of 19th and early 20th century elixir salespeople by making cocaine and opium illegal. You could say the govt was “buggering” the business of nuclear energy companies by restricting the sale of nuclear reactor technology, even though the business would make money selling it around the world. Govt had no problem “buggering” the business of tobacco companies - and Hollywood was all about it. My point is that personal user data is as dangerous an instrument today as smoking and nuclear reactors.

Some businesses need to be highly restricted or even not exist at all. Data has been overlooked for too long. If someone is saying “oh no, too late, nothing we can do about it now” and the “phone book” is already out there that’s like saying we have no control over whether we choose to keep publishing the phone book next year. You can stop the flow of data today. Over time, people will change, move, die, be born, etc. and the old “phone books” that China has now will be less and less useful.
But to just say "data" makes it such a giant problem with no real definition. Every business makes data. What data do you want to constrain/restrict? All of it? If so, good luck doing business (the stock market is data). Software? Can't really do that, as someone can always reverse engineer what you field. Even if you lock it down first, someone can break the lock and reverse engineer it. Locks just make it take longer. And come with a performance penalty. Maybe restrict who can and who can't work on our stuff? Then the other guys (not all "bad". It's always interesting to get a security brief and see who gets mentioned) will just pay someone to hand it over to them, as has been done in the past. Our system is largely based on free and open exchange of ideas, as exemplified by the internet. Our openness has always been a challenge, and how to balance the bads with the goods of openness will always be a tricky balance to strike. For sure, there should be some more scrutiny placed in the right places, but "all data" isn't the right place. To use your nuke example, what are the current crown jewels that we need to keep safe? I'd offer that a lot of them are probably kept safe as appropriate, but we still need to be careful with COTS enterprise solutions. They come with all the same vulnerabilities everyone else has that anyone can look up in open-source databases. But that's a good reason to ensure that the crown jewels don't live on networks based entirely on COTS solutions. To lock down everything would come with huge cost and performance price tags.
 

Hair Warrior

Well-Known Member
Contributor
But to just say "data" makes it such a giant problem with no real definition. Every business makes data. What data do you want to constrain/restrict? All of it? If so, good luck doing business (the stock market is data). Software? Can't really do that, as someone can always reverse engineer what you field. Even if you lock it down first, someone can break the lock and reverse engineer it. Locks just make it take longer. And come with a performance penalty. Maybe restrict who can and who can't work on our stuff? Then the other guys (not all "bad". It's always interesting to get a security brief and see who gets mentioned) will just pay someone to hand it over to them, as has been done in the past. Our system is largely based on free and open exchange of ideas, as exemplified by the internet. Our openness has always been a challenge, and how to balance the bads with the goods of openness will always be a tricky balance to strike. For sure, there should be some more scrutiny placed in the right places, but "all data" isn't the right place. To use your nuke example, what are the current crown jewels that we need to keep safe? I'd offer that a lot of them are probably kept safe as appropriate, but we still need to be careful with COTS enterprise solutions. They come with all the same vulnerabilities everyone else has that anyone can look up in open-source databases. But that's a good reason to ensure that the crown jewels don't live on networks based entirely on COTS solutions. To lock down everything would come with huge cost and performance price tags.
I specified user data. As in, data tied to a selector or to PII, such as a name, email, SSN, address, phone number, IMEI, smartphone advertising identifier, cable box identifier, smart home device ID, IP address, etc.

Maybe we say businesses can collect them for the purpose of doing business, but maybe we force this user data to be hashed when stored (encrypted at rest), and maybe we restrict/halt the sale or transfer of user data. Right now, doctors cannot sell your medical records because there are strict laws against it (HIPAA). We need to start treating everyone’s personal online data as such. People got all upset in the early 2000s when the Patriot Act seemed to allow law enforcement to see your library card checkout history (yeah, I’m old, I remember that far back). Well, this is 1,000x more pervasive and un-American.

I said it was an unpopular opinion.
 