Sunday, August 16, 2015

DSS Reports Foreign Governments Increasing Espionage Activities Against U.S. Defense Industrial Base Companies

The Defense Security Service just issued its 2014 report "Targeting U.S. Technologies: Trend Analysis of Cleared Industry Reporting" (.pdf). DSS's mission is, in part, to secure the nation's technological base against acts of industrial espionage. These annual reports highlight specific technologies that have been targeted by foreign actors as reported to DSS. In FY13, the agency received and reviewed over 30,000 reports.

Each year DSS highlights a technological sector. In 2014, it was "Inertial Navigation Systems" used in commercial and military aircraft, spacecraft, and naval vessels.

Based on information received from cleared defense sector companies, DSS analysts were able to identify five distinct methods of operation when targeting INS technologies:
  1. an attempt to purchase (usually by finding a corrupt company in an allied State to act as the middleman)
  2. academic solicitation
  3. solicitation or marketing services
  4. sending a Request For Information (RFI)
  5. foreign visit (such as attending a conference in a foreign State)
DSS analysts also break down collector affiliations into five categories: commercial, government, government-affiliated, individual, and unknown.


This is easier to do with tangible collection activities as described above than with cyber attacks, which DSS (to its credit) acknowledges in the conclusion of its report (p.71). With an RFI or an invitation to attend a conference, you know who sent the invitation. With a cyber intrusion, or what DSS calls "Suspicious Network Activity" (SNA), it could be anyone.

However, cyber espionage is simply a new way to conduct industrial espionage so it's reasonable to assume that governments and corporations who are attempting to acquire a specific technology in any of the five ways detailed by DSS will also use a network attack if it will produce a successful end result. See our white paper on espionage-as-a-service, for example.

What the DSS Report Won't Tell You

The Defense Security Service produces one of the very best analytic reports available today, both in terms of sound intelligence collection and analysis methodologies (missing from 90% of cyber intelligence reports) as well as actionable content. However, it doesn't tell you who is doing the collecting. It also doesn't provide the entirety of any nation's technology acquisition interests. If your company doesn't produce any of the INS-related technologies mentioned in this report, does that mean that you're safe from foreign collection efforts? Absolutely not.

That's why we built the Redact™ knowledge base and the OverWatch™ intelligence feed. Used in conjunction with the DSS report, you can identify which Chinese and Russian government institutes, universities, state key labs, and state-owned enterprises have received funding for high priority technology R&D projects, and which of those have been reconnoitering your company's website for product information. We are also mining South Korean and French institutes and will be adding more nations over the next few months.

Compatible with Maltego and other Threat Intelligence Platforms

Our OverWatch™ intelligence feed is written in Common Event Format (.CEF) and is compatible with many SIEM products including ArcSight ESM, Splunk, and ThreatStream. We are also about to launch our Maltego transform.

OverWatch™ will alert in real-time when one of the foreign government research institutes that we track is visiting your website while Redact™ will provide you with the details on their government funded R&D projects. We are currently scheduling demos for new corporate customers as well as federal agencies who are approaching the end of the federal fiscal year.

Redact™ is the only commercial database of its kind outside of a classified environment. Read our current product brief and contact us today for an online demonstration.

NOTE: This is cross-posted from the original article at the Taia Global website's blog.

Thursday, August 6, 2015

Why Retaliation Against China for the OPM Hack is a Bad Idea

I've written an OpEd on why the White House needs to look at deterrence in cyberspace differently based upon their announcement via David Sanger at the New York Times that they're looking at taking action against China for the OPM hack.

You can read it at the Christian Science Monitor or at The Diplomat. Comments are always welcome.

Thursday, July 16, 2015

Suits and Spooks at the Wingtip Club - Oct 6th - By Invitation Only

The Wingtip Club in San Francisco is a renovated 13,000 square foot duplex penthouse decorated in the old Gold Coast style atop the historic 1908 Bank of Italy building in downtown San Francisco. On Oct 6, 2015 it will be the venue for the most unique and luxurious Suits and Spooks event that we've ever held.

Taia Global and our event sponsors including Norse Corporation are picking up the tab for this full day of security talks and networking with intelligence veterans and executives from entertainment, banking, security, and technology companies.

Our speakers include:
  • David Fichtner: David Fichtner served 27 years at the CIA working on Soviet Military Forces, Nuclear Weapons Security, Proliferation issues, and information operations. While at CIA, Mr. Fichtner was selected for the Congressional Fellows Program serving on Senator John McCain’s staff. He is also a graduate of the Navy Fighter Weapons School (Topgun) and a designated Air Combat Tactics Instructor. Since retiring, Mr. Fichtner has worked as a consultant on Russian Intelligence services IO for Taia Global.
  • Christopher Burgess: Served 30+ years with the Central Intelligence Agency, serving in South Asia, Southeast Asia, the Middle East, Central Europe and Latin America. Currently the co-founder, President and CEO of Prevendra.
  • Anna Vassilieva: Expert in contemporary Russian politics; Professor of Russian Studies at Monterey Institute of International Studies.
  • Simon Baker: Formerly Bloomberg's Head of Information Security and CISO in New York. Currently advises a number of early security startups as well as the World Economic Forum.
  • Niloofar Razi Howe: Currently Chief Strategy Officer at Endgame and an Operating Partner at Paladin Capital Group.
  • Kurt Stammberger: Founder of the RSA Conference, expert in cryptography, threat intelligence, and security business strategy. Currently Senior VP of Marketing at Norse Corporation.
  • Jeffrey Carr: Founder, Taia Global and the Suits and Spooks conference; author and consultant to U.S. and foreign multinational corporations and government agencies.

Speakers and attendees will enjoy the Wingtip's new "Wine Cave" as their venue for this all-day event starting with a continental breakfast at 9am, lunch at 1pm, and a Whiskey tasting at 5pm.

Unlike other Suits and Spooks events, this will be limited to 30 invited attendees at the Director-level or above from industries including technology, aerospace, entertainment, banking, and biomedicine.

If you'd like to receive an invitation or discuss sponsorship options, please contact Taia Global. Both the number of sponsors and the number of attendees are limited so act soon. 

Sunday, July 12, 2015

Call For Papers: Suits and Spooks DC Feb 11-12, 2016

The National Press Club Washington DC
I'm thrilled to announce that our Suits and Spooks DC event for Feb 11-12, 2016 will be held at the National Press Club. We're going to be doing a lot of things differently including offering live streaming tickets for those who can't attend in person thanks to the National Press Club's wonderful in-house AV system.

Our event will be broken down into four 4-hour blocks, each with a designated theme:

  1. Aerospace
  2. Critical Infrastructure
  3. Finance
  4. Warfare
The Aerospace block will feature threats against commercial aviation, unmanned aerial systems, GPS, satellites and space travel, and airborne weapons systems.

The Critical Infrastructure block will feature threats against the power grid, water supply, transportation, shipping, and telecommunication sectors.

The Finance block will feature talks on cryptocurrencies, the cyber security investment boom, ransomware, and the global stock and commodity exchanges.

The Warfare block will feature talks on cyber attacks and international law, the Wassenaar Arrangement, export controls on offensive and dual use tools, Second Amendment issues, and more.

Attendees will have the option of buying tickets for only one block, multiple blocks, or a full conference pass. All talks will be single-track. 


If you'd like to submit a talk for one of these four blocks or propose a panel, please submit it by November 1st. 

If you'd like to learn more about sponsorship options, please contact us.

Super early bird tickets will go on sale later this month.

Thursday, July 9, 2015

OPM Provides Insight Into Why It Was Hacked

The Office of Personnel Management just released the steps that it has taken to protect over 21 million federal employees whose data was stolen in what may be the worst cyber security breach in history. Now keep in mind that these steps were selected during a time of high criticism against the agency and its director Katherine Archuleta. So I think that it's safe to say that it represents the best effort of Director Archuleta and presumably the new cyber security advisors that she brought onboard post-breach.

Here are the steps:
  1. Providing a comprehensive suite of monitoring and protection services for background investigation applicants and non-applicants whose Social Security Numbers, and in many cases other sensitive information, were stolen.
  2. Helping other individuals who had other information included on background investigation forms.
  3. Establishing an online cybersecurity incident resource center.
  4. Establishing a call center to respond to questions.
  5. Developing a proposal for the types of credit and identity theft monitoring services that should be provided to all Federal employees in the future.
This reminded me of the letter that I received from Premera when they got breached (my wife and I were Premera customers), and had my USCG Top Secret security clearance still been active, I would have received an almost identical letter from OPM. 

Then the realization hit me. 

In crafting the above 5 steps, OPM revealed why it had been hacked so easily. It's because they didn't know (and still don't know) the intelligence value of what they had been trusted to protect - the SF-86 data. SF-86 forms are 120+ page monsters that consume your entire personal history along with all of your affiliations and points of contact in your personal, educational, and professional life. Clearance holders are interviewed every year so the information is kept current including foreign travel and foreigners that you've interacted with. 

Now imagine that you work for a foreign intelligence service and I was a hacker who was offering you a chance to buy the SF-86 forms for every soldier serving in the Special Operations component commands of the Navy, Army, Air Force and Marines. These are the individuals who are responsible for direct action, counter-terrorism, snatch and grab, counter-narcotics, reconnaissance and who knows how many other secret operations. 

Perhaps you work for a large South American drug cartel. How much would you be willing to pay for the SF-86 on every Drug Enforcement Agency employee who holds a clearance? If you had OPM's files and access to a data-mining tool like i2, Maltego, or Palantir, you could construct models that would reveal who was working a counter-narcotics operation in Medellín last year based upon their SF-86 foreign travel updates.

Imagine that you were looking to convince a U.S. government employee to work for you under threat of blackmail. The OPM database would provide you with a way to filter for those with backgrounds that make them highly vulnerable to extortion demands because the background investigators who conduct the interviews are looking for precisely that kind of information!


When we speak with clients at Taia Global, the very first thing we do is show them how valuable their IP (intellectual property) is to foreign governments. We call that Target Asset Value™.  Once the client understands his company's TAV, the client can properly evaluate what measures to put into place to protect the company's assets. 

OPM clearly did not understand the concept of Target Asset Value as it relates to the government employees whose data they were responsible for. If they did, they wouldn't have proposed credit monitoring protection as a solution when the threats are so much greater than simple identity theft or an Amazon shopping spree. OPM's current solution is wholly inadequate and will continue to be so until Director Archuleta and her staff come to grips with the true value of the data that they were entrusted with, and lost.

Monday, June 22, 2015

OPM Breaches Go Back to 2012 and 2013

The Office of Personnel Management's troubles extend even further back than the current reported 2014-2015 timeline according to a 2013 Office of the Inspector General audit report on OPM's use of Serena Business Management software. The system was hacked in May, 2012 and March 2013 and sensitive data was lost (p.ii of the Executive Summary).

Appendix II of the above-referenced 2013 report contains a copy of the FLASH Audit Alert to the OPM, which states:
"In May 2012, a malicious hacker successfully breached OPM's Serena Business Manager system (Serena, formerly known as TeamTrack). The system was briefly taken down by OPM's Office of the Chief Information Officer (OCIO), but was quickly restored and made available on the public Internet." 
"Over the past year, the OCIO's Network Security Branch has conducted vulnerability scans that detected security flaws in the Serena system. However, it appears that no action was taken by the system administrators to address these issues, as another application on the Serena platform was hacked in March 2013.
After both security breaches, the hackers boasted on the Internet about compromising a government computer system, leading to embarrassing publicity for OPM."
According to the company, Serena Business Software has been used by OPM for automating process solutions for background checks, FOIA requests, health and compliance issues, etc.

Friday, June 12, 2015

Tianjin University Use Case For R&D As A Way To Predict Breaches Targeting IP

On May 19, 2015, the FBI announced that it had charged six individuals (including two Chinese professors) with economic espionage and theft of trade secrets "for their roles in a long-running effort to obtain U.S. trade secrets for the benefit of universities and companies controlled by the PRC government(1)."

Here are the details from the FBI's press release:
"According to the indictment, PRC nationals Wei Pang and Hao Zhang met at a U.S. university in Southern California during their doctoral studies in electrical engineering. While there, Pang and Zhang conducted research and development on thin-film bulk acoustic resonator (FBAR) technology under funding from U.S. Defense Advanced Research Projects Agency (DARPA). After earning their doctorate in approximately 2005, Pang accepted employment as an FBAR engineer with Avago Technologies (Avago) in Colorado and Zhang accepted employment as an FBAR engineer with Skyworks Solutions Inc. (Skyworks) in Massachusetts. The stolen trade secrets alleged in the indictment belong to Avago or Skyworks."
"Avago is a designer, developer and global supplier of FBAR technology, which is a specific type of radio frequency (RF) filter. Throughout Zhang’s employment, Skyworks was also a designer and developer of FBAR technology. FBAR technology is primarily used in mobile devices like cellular telephones, tablets and GPS devices. FBAR technology filters incoming and outgoing wireless signals so that a user only receives and transmits the specific communications intended by the user. Apart from consumer applications, FBAR technology has numerous applications for a variety of military and defense communications technologies."
"According to the indictment, in 2006 and 2007, Pang, Zhang and other co-conspirators prepared a business plan and began soliciting PRC universities and others, seeking opportunities to start manufacturing FBAR technology in China. Through efforts outlined in the superseding indictment, Pang, Zhang and others established relationships with officials from Tianjin University. Tianjin University is a leading PRC Ministry of Education University located in the PRC and one of the oldest universities in China." 
"As set forth in the indictment, in 2008, officials from Tianjin University flew to San Jose, California, to meet with Pang, Zhang and other co-conspirators. Shortly thereafter, Tianjin University agreed to support Pang, Zhang and others in establishing an FBAR fabrication facility in the PRC. Pang and Zhang continued to work for Avago and Skyworks in close coordination with Tianjin University. In mid-2009, both Pang and Zhang simultaneously resigned from the U.S. companies and accepted positions as full professors at Tianjin University. Tianjin University later formed a joint venture with Pang, Zhang and others under the company name ROFS Microsystem intending to mass produce FBARs."
"According to the indictment, the stolen trade secrets enabled Tianjin University to construct and equip a state-of-the-art FBAR fabrication facility, to open ROFS Microsystems, a joint venture located in PRC state-sponsored Tianjin Economic Development Area (TEDA), and to obtain contracts for providing FBARs to commercial and military entities."
While this case is an example of industrial espionage, identical cases involving cyber espionage and other forms of IP theft happen frequently against companies who engage in research and development that's of interest to rival governments, state-owned enterprises and for-profit corporations world-wide.

Taia Global's REDACT™ is the only commercial product outside of a classified environment that is entirely focused on collecting, aggregating, and mining foreign government funding of R&D at the project level. Had Avago and Skyworks been REDACT™ customers, they would have been able to identify which government-funded research universities and state key labs were working on FBAR and other precision acoustic technologies and then assess how valuable their technology was to rival governments, thus establishing their Target Asset Value™.