Advanced Pseudonymous Threat: Hyper-Manipulating America's Cyber-Security

"We're being told that the Chinese government is paying people to hack our computers, stealing our trade secrets. Secrets of commerce, invention, defence, formulation, data, records, all of it, everything. It's costing businesses millions of lost revenue, putting us in danger and belittling our very purpose. We are being told this as means to an ends, this much is as clear as is the collaboration of the messengers. The degree of truth in any socially engineered intention has its place in our understanding, but often we can learn more from the lie or the omission."

The post will begin below

It was Marshal McLuhan who said that World War Three will be fought in cyberspace. He went further, adding that there will be no distinctions between nation states and individuals. McLuhan is referring to the battles as being fought, not for a hunk of land full of resources, but for the resources of the mind. These concerns spill over into what could prove to be an ongoing electronic free for all, with real world casualties. For while institutional realities, (like money,) are powerful tools, it is the danger of damages to physical realities, (like infrastructure,) that pose the greatest threat. A cyberwar, if there is to be one, will be for naught without actual casualties.

Before we get into the details of the current cyber-security zeitgeist, we need to discuss the poignancy of the topic. For it is no mistake that we are entering into this conversation today, it has been all but insisted upon. Thus, the qualifier to the title of this piece, we are, in fact, being socially engineered to make this our concern. In particular: we are meant to worry about, not only our security as members of the online community, but also our security as humans in the real world. Even more specifically, we are to direct our worries into actions that counter against a very particular threat, China.

One can always tell when social engineering is taking place by noticing the ratio of transparency versus force of any particular message. At the moment, there is a great deal of force behind the intention that we all be very concerned about our cyber-security and, in a telling moment of specificity, what the Chinese are doing to thwart it. The stronger the force, the stronger the desire of the messenger for us to buy into the message. The transparency of the message is a determination of the accuracy of the information contained in the message, or the amount of “truth,” if you will. Force and transparency are a sliding scale, the more of one the less of the other. Measuring the ratio is the first step of doing anti-social engineering. On the topic of cyber-security in America, there is a lot of force at the moment, but still some transparency as well. Finally, when the social engineering has been pre-programmed to be accepted, as is the case when fear and respect for authority are involved, we at least qualify for hyper-manipulation. Our opportunity for authenticity is diminished, thus the need for the conversation.

The topic of cyber-security has been a hot button for the last few years. This is most likely due to the increase in hacking over that same time period, (or perhaps the quality of information being stolen, or power of the victims.) So let us not muddy the fact that the threat of cyber-espionage is real and a great deal of it comes from China, this much is true. But we are not being asked to consider the hacking taking place from other sources, only China. China is the “bad guy” in this scenario, whether or not that distinction is warranted is up for debate. (So, perhaps this bit of social engineering is merely taking advantage of the situation.) Nevertheless, it is also true that, for a couple years now, President Obama has been trying to push through a revamped Cyber-Security Act to no avail. Senate denied the passing of the bill, and its re-revamped version as well. If you would like to take a look at a reasonable story about the latest incarnation of said bill, please look at
www.infosecisland.com... There too you will find a link to the act itself.

Senator Lieberman was quoted as saying that the main opposition to the bill came from the Chamber of Commerce www.dailydot.com... The Chamber of Commerce, or rather its National Front, essentially claimed that its problems with the Act stemmed from “placing a government agent inside all corporate systems.” The bill, they complain, is too regulatory and any effective security system needs to be flexible and dynamic. The Act as a government plan will be too bogged down in bureaucracy to be effective.
www.zdnet.com... is a link for more information about the non-passing of the act. If you want to have a look at the comments under the article, you will find ordinary Americans complaining that the bill contains things like limiting the number of rounds that can be in gun magazines. (I am well familiar with the idea of “riders” or “omnibus” bills, things being hidden in over indulgent, all encompassing acts and the reasons for doing so. However, despite looking, I could find no evidence of this claim being true. It's not really relevant to our discussion here, other than illustrating public opinion.) For an official statement from the Chamber of Commerce: www.uschamber.com...

I think the most telling observation available into the matter of the Acts not passing, was delivered by the White House, “Despite the President’s repeated calls for Congress to act on this legislation, and despite pleas from numerous senior national security officials from this Administration and the Bush Administration, the politics of obstructionism, driven by special interest groups seeking to avoid accountability, prevented Congress from passing legislation to better protect our nation from potentially catastrophic cyber-attacks.” (Italic emphasis is mine.) In other words, corporate shenanigans wishing to remain clandestine.

Then along comes a report on the specific Chinese hacking of various American enerprises. For those of you who don't know the details of Mandiant's report, I'll briefly summarize. Mandiant is a cyber-security company specializing in digital forensics. (Meaning, they follow the trail of digital breadcrumbs to “the witches house.” They also do mitigation, but are often hired after the hack.) They generally work for large corporations that have cyber-security concerns and who wish to keep those concerns private. (As opposed to, for instance, reporting any offences to authorities, who are not as likely to keep mum on what they find. This, in and of itself, is very telling of these corporations: They don't want their dirty laundry aired and are willing to pay private firms like Mandiant, on average, four hundred dollars and hour, to ensure it isn't.) This, of course, implies there is a degree of corporate shenaniganism going on, but this is not news and as it turns out, is well within their rights, for now. (This is not a comment on the rightness or wrongness of this ability, but rather an exemplification of the status quo, at least in America.)

www.cnbc.com... This is a link that summarizes the Mandiant report in a reasonable amount of detail. You can read the report yourself if you like, but it's a little dry and hackers have already started sending out fake, malicious reports. So if you're going to get the report, get it from a reputable source. Basically the report, which has been correlated from data gathered by Mandiant, and others over the last few years, names key instances of cyber-espionage that have been traced back to a particular group of hackers in China. The Peoples Liberation Army of China Unit 61398. Mandiant believes these hackers are the very same known as “the Comment Crew,” (called so because they like to leave comments behind.) They have cool hacker names like Angry Gorilla, and are known to Mandiant as Advanced Persistent Threat 1.

There is, however, some criticism about Mandiant's report: obviously from the Chinese www.informationweek.com...
(This article, by the way, lists six facts that everyone who cares about this story, should read.) Furthermore, there has been some criticism from other American security firms www.businessinsider.com... Both the Chinese government and domestic security firms have the same concerns with the report: It doesn't address other nations' hacking, such as France, Russia, Israel, etc. It also doesn't explain how Mandiant was able to narrow down their trace to the specific building in Shanghai, nor attach the People's Liberation Army to that particular building. A competitor of Mandiant's went so far as to say, “You could narrow it down to a smallish group, say Shanghai's downtown core, which would provide a range from several hundred thousand, to a few million computers.” Mandiant itself is coy about how the correlations were made. I suspect there are boots on the ground, or they know how to do something their competitors don't, or they are lying, but I'm not an expert, nor a hacker. I can only go with what others tell me, and therein lies the problem. So often what we are told is expletive bovine excrement.

We're being told that the Chinese government is paying people to hack our computers, stealing our trade secrets. Secrets of commerce, invention, defence, formulation, data, records, all of it, everything. It's costing businesses millions of lost revenue, putting us in danger and belittling our very purpose. We are being told this as means to an ends, this much is as clear as is the collaboration of the messengers. The degree of truth in any socially engineered intention has its place in our understanding, but often we can learn more from the lie or the omission.

Having the Mandiant report released was the impetus for this refreshed concern. However, the inspiration to write this piece came to me by way of seeing the US government make such a big deal out of the report, and in particular the blaming of China for the hacking. The matter of the chicken or the egg coming first is of little consequence. When you're bothering to get a quote from former CIA director Michel Hayden, it's all about the message.‘‘You’ve got a nation state taking on private corporations.’’ www.stuff.co.nz... The simple utterance speaks volumes: about purpose, about foundation, about organization, about caution, misdirection and disguise. It is, after all, only the former director of the CIA. The message is the matter, we know who's delivering it.

The White House released a 171 page document on Feb 22, 2013, within days of Mandiate's report. It is entitled “Administration Strategy on Mitigating the Theft of U.S. Trade Secrets. It's freely available as a pdf at the whitehouse website. It's very pretty, with cool cover pages and stylized icons such as the emblem of the US Defense Security Service. There is a 12 page statement from the Gov that lays out a five point strategy action plan, then four annexes that spell out the last few years of Chinese hack attacks. The reports come from the US Patent office, Dept of Justice, National Counterintelligence and Dept of Defense. The fact that last annex talks about other areas of the world hacking our systems not withstanding, these reports, while being factually based, are not without their bias. They do contain some interesting and detailed statistics, in particular the Defense Service Report. However, the 12 page executive summary spells out both the government's immediate “plans,” and, via its intentional language, their obfuscation.

The Administration's strategy seems to be to come up with a strategy. This is a plan to plan something further. There are a few specific actions they express as desires, mostly acts of increased communication and cooperation, domestically and abroad. Trade reps will put the phrase, “Oh, hey by the way, don't forget to crack down on your hackers,” into their repertoire. There's some window dressing in the shape of the Justice Dept considering adding 5 years to the 15 year max charge against economic espionage. The Office of the National Counterintelligence Executive thinks it would be beneficial to “impart counterintelligence tradecraft to the private sector,” so that we can all do our part.

But this is a trade report? So why are there military reports? Well, the military is in the business of Warfighting, which is now a word apparently, and equally as apparently their trade secrets are up for grabs. Looking at the examples of hacking done to the military, there are two types, cyber-attack, which is when a hacker gets into your system via another computer online, and cyber-theft, which is when a human on the inside saves information to, for example, a flash drive, then gets on a plane to China to make a bazillion dollars. (This is not an exaggeration, this exact scenario is spelled out in the White House document, repeatedly.) The problem here is one of correlation, which results in an argument further diluted by the obvious directionality of the message. The Mandiant report is discussing cyber-attack, the White House document is discussing cyber-theft and mentioning cyber-attack in an aside, (long prepared annexes from differing departments that just so happen to carry the same threat assessment.) Obviously, both these realities exist, we have people in jail for both types of crimes. So when do the inconsistencies matter? Where is the conspiracy?

Whenever any intention's endgame is played out, the truth of the matter is revealed. While the reality of the situation is that hackers and hacking are real, it is also no less true that our thoughts on the matter are being directed. This manipulation is evidenced by the force of the intention being high, and the transparency being low. So, just by being aware that we are being asked to “think this about that” we have already defeated it. We can look at all the information and decide more authentically, more fairly. It is when we are being asked to do something that any social engineering becomes dangerous. By way of our awareness we can avoid said danger.

In the matter of hacking into domestic systems, I'd like to propose that it is infrastructure that poses the greatest risk to life and limb, therefore deserves the most immediate attention. I'd further dare to suggest that this particular threat is easily avoided. Simply don't put the ability to control things like ventilation online.
www.cbc.ca... Maybe keep the ability to direct airline traffic, nuclear power plants, trains, traffic, gas, water, hydro, power etc, off the grid. Maybe hire some poor bastard to sit in a chair and punch something into a keyboard when a vent needs to be opened. Call me crazy, but “compartmentalization” is part of your own proposal. Use it.

In the matter of a state sponsored crime against another nation's economy, America is King. The only difference now is we do it online and anyone can play. Keep that in mind as you watch for two things: 1.) A narrowing of the cyber-security act into an actionable document. 2.) An implementing of that document. The manipulation of our minds is ongoing, the actions we undertake will create the changes to the system. We have to decide if we want these changes and then act appropriately. It would be best if we could do so knowing all the facts. At the moment we can only work with the information we're given. You can be confident that the information we're given is only presented to China by way of it being made public. The show is not for them, it's for us.

Excellent thread! S&F from me. I don't claim to understand it all but I can see you certainly have your finger on the button and hopefully others do too.

Thanks for sharing!

Remote access of networks are the biggest culprits. VPN, sure, nice and secure.

It's the idiots that administer passwords that are to blame. Hacking? The Chinese are only busting passwords, and gaining access to these systems.

Responsibility. Random passwords, always.

The IT staff is not doing their job. Point your finger at skimping in the IT department.

Anyhoo, I condensed the pic if you want it as Profile Background. You're on a mission, so wear it with pride.

Thanks Druid.
Looking forward to the collaborative thread.

reply to post by Druid42


I am pretty sure there is more going on here than simple password cracking. Many systems have settings where a small number of bad password attempts will lock the system.

Along with the APT1 report, Mandiant released over 3,000 indicators of compromise, which is something more than just password cracking..

The prospect of an attack on America’s power grid, water supply, or gas pipelines is devastating enough to be considered “a cyber Pearl Harbor,” as outgoing Defense Secretary Leon Panetta warned just last fall.

SOURCE

And the soundbites keep rolling in...

reply to post by briantaylor


Yes, this is a legitimate risk. One that could destroy your usual quality of life.
Why are you crying foul about this?

reply to post by briantaylor


Yes, this is a legitimate risk. One that could destroy your usual quality of life.
Why are you crying foul about this?

I cry foul whenever social engineering is taking place and whenever hypermanipulation rears its ugly head.
To quote myself, "So often what we are told is expletive bovine excrement."
However, the piece, while based on the facts found in a weeks worth of research, is really only OpEd citizen journalism, from a philosophical point of view.
Thanks for reading.

reply to post by briantaylor


You claim that social engineering is always bad.. when that's not the case. Such things are never black and white.

Most people do not take the time to properly inform themselves. Sometimes a topic needs to be sensationalized in order to create enough social awareness to act upon it. It can be hard to present a case when most people do not care beyond what is in their immediate vicinity.

I had a post about this back in 2009:

www.abovetopsecret.com...

They've been preparing the stage for this for some time. These things don't happen over night but this is just another step in this charade. I won't be surprised when they start pushing this paranoia to enforce anti-privacy laws and measures in the US.

If you pay attention to the news the fabricated nature of it all is quite funny. The way public reacts to this is on the other hand is tragic.

reply to post by VonDoomen


I don't claim that. Social engineering has it's place, it's as old familial lessons learned.
But the typification of the engineering, from experiential to social, and the steps it goes through to become so are on a scale from assignee's prerogative to hyper-manipulation and it is from within this measurement we find an appropriate concern.
As the piece states, we must adopt a "wait and see" stance on this particular matter.

You are correct in your belief that most people don't think about the things they need to. Doing so is half the battle.
Battle on, friend.

Today, is tit for tat day.

China accuses US hackers of targeting its websites.
"Over 60 per cent of attacks on Defense Ministry website come from U.S., spokesman says."

SOURCE