ANAHEIM, CALIF.–The theft of intellectual property through attacks on U.S. networks, both government-owned and private, has become one of the major concerns for officials at the top level of the federal government, not just among security staffs, but at the upper echelons of the White House and intelligence agencies, as well, the former top cybersecurity adviser to President Obama said.
Much of the blame for the attacks on defense contractors, financial services companies and utilities has been pinned on groups in China, both state-sponsored and private crews. U.S. government officials have expressed concern with these attacks publicly and privately in recent months, but mostly in somewhat oblique terms. The government has come under criticism for being slow to act on the issue, but Howard Schmidt, the recently retired White House cybersecurity coordinator, said that people at the highest level of the administrations are well aware of the scope and seriousness of the problem.
“They’re very concerned. The lion’s share of the awareness is about the intellectual property theft and the exfiltration of tha data, presumably to China,” Schmidt said during a press briefing at an ISSA conference here. “The large percentage of the meetings we had while I was there were about that. And the awareness is across all government agencies, not just intelligence or DHS. And just because [the stolen IP] is going to China doesn’t mean it’s going to the government.”
Schmidt retired in June after serving as Obama’s top cybersecurity adviser for more than 18 months. A former CSO at Microsoft, Schmidt has seen the threat landscape from a number of different angles over the years, and he said that the major change he’s seen in the last couple of years is the focus on IP theft and economic espionage as a major national security issue, not just a technology issue.
“That’s the change we’re concerned about,” he said. “We need to work on questions like, what are the norms in cyberspace. Most countries don’t do economic espionage attacks and then turn that information over to companies in their own country. The theft of intellectual property is huge. That’s where it comes home to us. Is it ok in a cyber conflict to affect our medical devices? I say no. Military versus military is the norm. Espionage going after the privacy sector is what’s really changed.”
While the government certainly is the target of some of the high-level attacks coming from China and other countries, much of that activity is aimed at private companies, especially those in the defense, financial and critical infrastructure sectors. Information on these attacks is hard to come by, not just for the public, but for people involved in defending against them, as well. Schmidt said that he expects that situation to change relatively soon, as better cooperation between the government and private sector is vital to successfully defending against advanced attackers.
“We had a pilot program with the defense industry, and they found that it gave them some more information than what they had collected themselves. But one of the challenges is that we can’t share classified information with people who don’t have clearances,” he said. “They’re working on a new mechanism that will say that information like this should be shared unless there’s a very good reason to justify not sharing it. Right now, it’s the other way around. You can’t share it unless it’s declassified. I’d be real surprised if that doesn’t happen soon.”
The other main threat that has people inside the Beltway worried is that of compromised supply chains, not just in China or other foreign countries, but in the U.S. as well. There have been several recent examples of products being sold with pre-loaded backdoors, compromised firmware or other malware. Microsoft recently took action against the Nitol botnet, which was built in part with laptops pre-loaded with the malware. Schmidt said government officials are seriously concerned about the integrity of hardware and software supply chains.
“They’re tremendously worried about the supply chain. It’s not so much where things are built, but how they’re built,” Schmidt said. “It’s about the processes that are implemented. There are three things we need to work on to address this. One is the technical piece, figuring out what we can do to detect malware or malicious chips in products. The second is trade-related activity. Look at the competitive landscape and see who’s doing this. And the third is innovation. How are we innovating for the future so that we have reliable infrastructure for the next generation?
“We really need to jump on innovation for the next generation of technology, to make sure that it’s deployed securely.”