Who'd want to be a CISO?

Challenging job, but increasingly well paid

Hong Kong Crisis Easing

Capacity improvement measures beginning to have an impact

Security and the Board Need to Speak the Same Language

How Security Leaders speak to their C-Suite and Board can make all the difference

Australian Cybersecurity Outlook

Aussie healthcare scrambles to catch up

The Changing Face of the Security Leader

The role is changing, but what does the future hold?

Just keeping its head above water

New Zealand Healthcare steams forward with minimal security

Cyberespionage, and the Need for Norms

Harvard Political Review (external link)

Why is the Chinese Military so focused on the theft of Intellectual Property?


Yesterday’s indictment of five People's Liberation Army (PLA) cyber espionage officers on charges of hacking into US companies in order to steal trade secrets was no surprise to most of us in the cybersecurity business. Nor was it to China-watchers who have become used to seeing mainland China do whatever it takes to catch up with the rest of the world following its more than half-century of economic stagnation under communism.

The fact that the indictment, handed down in the District Court for the Western District of Pennsylvania, names only five mid-level officers suggests that this highly unusual move by the US Department of Justice (DOJ), prosecuting the agents of a foreign government, is very much a test case. It is also an open and very public wake-up call to mainland China to cease and desist its rampant and prolific cyber espionage against western commercial businesses.

Despite years of protestations by the US and other law-abiding nations, and a very revealing Mandiant report last year detailing the activities of PLA Unit 61398 (also known as 'APT1', and regarded as the most prolific of over 20 PLA cyber warfare units), China has refused to acknowledge or stop its state-sponsored cyber theft, and has further demanded that the US prove its allegations. Perhaps, then, this is a watertight test case in which the perpetrators can be proven guilty not only of cyber theft, but also of having acted on the orders of the Chinese state. What's more, the verdict can be handed down in a globally respected US court of law, something to which China, with its general lack of rule of law or an independent judiciary, can only aspire.

Having spent a lot of time in the People's Republic of China since the early 90s, I'm sure that the Chinese leadership will continue to loudly profess its innocence and its abhorrence of the US accusations, for such is the game that is played in China whenever anyone is caught red-handed. I'm also sure that China will respond in tit-for-tat fashion, accusing the US of cyber spying against the People's Republic in order to save the all-important 'Chinese face'. However, in this case the Chinese leadership in Beijing may well be largely ignorant of the true activities of one of its PLA units, located in an innocuous twelve-storey building on the outskirts of distant Shanghai.

China's national leaders, in fact, hold very little power in the overall command-and-control structure of the world's fastest growing economy and most populous nation. Instead, China is really commanded and run by regional power players, as it has been right back to the Qin Dynasty in 221 BC. It is these warlords who hold the real economic, and often grass-roots political, power in China, a fact that Beijing and the Central Committee put up with but do not necessarily like. All too often, when one of these regional barons or princelings gets too powerful and steps over the line, Beijing is forced to make an example of them with a high-profile execution or life imprisonment, as was the case with Bo Xilai 薄熙来 in September 2013.

This regional power model extends down, as Marx would have put it, to 'the ownership of the means of production'. Most of China's private companies that emerged during the late 80s and early 90s were, in fact, owned and managed by the PLA, which expanded into manufacturing, hotels and other commercial activities. The revenue from these activities proved not only profitable, but also a vital means by which PLA units were able to expand their regional power and influence and develop a near monopoly on local commerce. These PLA units were directly or indirectly run by local warlords. In fact, many of today's modern Chinese mega-corporations, some of which are now publicly traded, are still controlled and run by the very same power barons.

And this perhaps best explains the close link in China between official military espionage and the commercial targeting of western companies for intellectual property theft. It is all about the pursuit of power and taking, by whatever means are available, competitive advantage over opponents, even if that involves the outright and very public theft of internationally recognized trade secrets.

Memories are short and China is banking that no one will care 10 or 20 years from now just how Chinese corporations became the biggest and richest in the world, or how everyone else went broke!

PROVE IT!


In this age of commodity IT, cybersecurity (cyber) is no longer immune to the C-level challenge to “Prove it!”

Many industries are still making deep spending cuts, and plying customers with “Cyber is ROI” and “Think of it like insurance!” simply doesn’t resonate.

Executives hear “investment” as code for “long time plus big price tag”. Despite best efforts, there remains a major disconnect between cyber value and business value.

If you want to compete in the cyber market, then the discussion is inevitably a hard-dollars-and-business-sense conversation: “Our time to market for mobile apps increased 50% after we deployed a secure app store solution.” Real stories, real metrics, real value.

The imperative today: products and services must work AND must deliver fast. CIOs and CSOs know they will have to have a conversation with their CFOs. As security professionals we need to help them; we must speak their language. The F&A floor is seldom impressed by products that are cool, even less so if cool can't demonstrably convey assurance, cost reduction or realized business enablement.

“But we just found a zero-day APT!” Not surprised. Breaches are inevitable. This approach, however, is not convincing to the finance director. Anecdotes are good, but they lack tangibility. The new reality is that there are two kinds of companies: those that know they're compromised and those that don't.

“So, raise the cost in the kill chain?” Okay, but to what end? Threat identification is a good thing—it's good to know who's been living in your house and who's eating that last slice of pie while everyone else is asleep. There's more value if you can estimate the marginal benefit (and cost), so we know how much to spend. At some point there are always diminishing returns on raising that bar. Finance folks understand that. If we want to make our case, we need to be on their page.

Here are a few leading questions to consider. Your ability to answer questions like these will help demonstrate your bona fides:

1. Did the tool we bought measurably decrease our per-incident mitigation costs?
2. Did we lower our audit costs because we had evidence-based artifacts?
3. Did we increase our up-time during core productivity hours?

The cost of doing business in the information age is cyber—'tis a fait accompli. But the language of business, even in government, is still finance. Numbers get people's attention, especially executives whose success or failure rides on quarterly statements to their shareholders. Their proof is always in the numbers. As industry professionals, our job is to help make the business case. And if cyber as an industry wants a seat at the big table, then we must improve the language we speak.

Written by good friend and colleague Michael Lucero