Its a party in the cybers and everyone’s invited!
What I wanted to talk about was how the parameters of The Great Game have changed so much so rapidly that no one is really sure what is happening. During the Cold War it was a very simple KGB vs CIA (and MI6, etc) slow and steady chess match played out over long periods of time. One rapid change has been counterterrorism, where plots can be hatched planned an executed at comparatively lightning speed (hours, days, weeks.)
For me though, the interesting change has been in the way that intelligence collection has moved heavily into the cyber sphere. One of the consequences is that civilians and non-defence industry companies are intimately involved in the Great Game. This change, both for infosec professionals, and the role of cyber in intelligence is something I addressed in my keynote at the Power of Community conference in 2015
Exciting Career Opportunity: battle intelligence agencies and management
Someone who joined information security as a career in 2005 wasn’t really planning on battling the PLA and KGB at their day job a decade later. And the NSA has never really had “provide technical quality assurance for American software companies” as a serious part of their core mission… but now that the parameters have changed so much, all of the rules are sort of out the window. Should NSA devote resources to fixing American software? How is that different from PLA devoting resources to helping Chinese software vendors?
What counts as economic espionage anymore?
“NSA audit approved, level 3 certified router” would certainly count as an economic advantage for American software companies, so will “economic espionage” require even more gerrymandering? “Stealing secrets for trade negotiations is OK, because it doesn’t help an individual company, and using stolen secrets to help improve security of an individual company is ok because it is only for security, and stealing secrets for defence industry purposes is ok because technically we think of that as military espionage, not economic, and endorsing a product doesn’t count because it isn’t stealing secrets even if stolen secrets were used to make the product qualify for the endorsement…” I don’t doubt the US would be happy to split hairs forever over that one, but would it really matter to the French or the Chinese or the Russians? Is there a material difference between stealing the formula for Coca-Cola to duplicate it (cola flavoured drinks are roughly equal parts vanilla and lime) and stealing the exploits of a foreign company/agency to patch those vulnerabilities? Depends on how you squint…
Critical National Infrastructure: that’d be your problem now
The big deal is still really that civilians, and civilian companies, are now intimately involved in the Great Game, voluntarily or not. This is a massive change. For example, a significant amount of critical national infrastructure is now owned and operated by civilians — the “private sector”. Those companies need to protect this infrastructure against attack by foreign intelligence services (FIS), but they never signed up for that, and furthermore, they don’t necessarily have the fiduciary duty to protect critical national infrastructure. In fact, that might be the opposite of their duty to their shareholders which is to maximize shareholder value (almost no articles of incorporation include “engage in conflict with foreign intelligence services.”)