
ICG Risk Blog - [ Intellectual Property Theft Public ]

A China facet: White light vehicle cloning driven by absence of indigenous vehicle designs and packaging


Previous: A China facet: Defective materials and products driven by greed and ineptitude

BMW and Mercedes have commenced legal action against Shuanghuan for its "blatantly, unashamedly copies. On display in Frankfurt are the Shuanghuan UFO and CEO SUVs. UFO is a Toyota RAV4 clone, and CEO is a 95% copy of the BMW X5. (We say 95% because Shuanghuan apparently elected to copycat Mercedes-Benz for the CEO's front end design.)" The "Nobel is said to be a replica of Daimler's SmartFortwo":

Charging that the [Shuanghuan] CEO is a copy of BMW’s popular X5, the company has filed suit to prohibit its sale in Germany by the Chinese carmaker Shuanghuan Automobile. That did not prevent Shuanghuan’s European importer from showing off the CEO on Tuesday at the Frankfurt Motor Show.

[The Frankfurt Motor Show showed] that the struggle over intellectual property rights between China and the West — a battle that has ranged over products from designer handbags to computer chips — now extends to cars.

[Nor is BMW alone: DaimlerChrysler] is taking legal action against Shuanghuan to prevent it from selling the Noble, a subcompact that bears an uncanny resemblance to Daimler's Smart minicar. The Noble did not appear at the show, though the importer, China Automobile Deutschland, insisted that it decided on its own not to distribute the car in Germany…

Chinese carmakers sometimes copied the exterior of a car from one model, and the interior from another. In the case of the CEO, for instance, it is not clear that the BMW X5 was the sole inspiration for its design. Auto critics have said that while the rear end of the vehicle is a dead ringer for the X5, the front end looks more like a Toyota Land Cruiser.

BMW emphasized that under the hood, the CEO is no X5 [unlike other Chinese clones of which we are aware]...

The BMW X5 is pictured on the left and the Chinese CEO SUV is on the right

The term clone bears explanation. We differentiate vehicle or vehicle component reproduction by mathdata, clone and copy methods:

  1. Computer Aided Design (CAD) "mathdata": Original automotive OEM design data in its native form; if not sold or otherwise intentionally transferred to an outside party, it is obtained illegally, i.e., IP theft (in competitor hands a solid/physical object so produced IS the identical component).
  2. Clone: Vehicle/component copied by the use of white light photogrammetry; for a solid/physical object it produces a near perfect copy of the target (but does not address materials, coatings, dynamic design criteria or internal software).
  3. Copy: Vehicle/component copied by the use of more simplistic engineering analysis; for a solid/physical object it produces a nominally similar product but requires much more time and cost (due to the dropping cost and increasing availability of white light scanning, the 'copy' function is fading).

Whereas the Chery QQ minicar was produced from illegally obtained mathdata of the Chevy Spark/Daewoo Matiz, the CEO clone of the BMW appears to be produced by white light scanning. This process will become increasingly common and so vastly compresses the revenue window available to the original designer.

Reverse engineering broadly refers to analyzing and dissecting something with the goal of recreating it. In 3D scanning, reverse engineering typically means the process of measuring an object using a 3D scanner and then creating CAD data that reflects its original design intent. This can also be done by using rulers, calipers, or a CMM. Reverse engineering is sometimes referred to as Reverse Modeling.

For those unfamiliar with photogrammetry, white light scanning or structured light scanning, used in reverse engineering, here is a short summary with a deeper introduction to the technique. Here is a before and after; a photo of a physical Porsche body panel and the reverse engineered surface file of that panel. Two useful/short case studies are here and here. I recommend this masters project, Reverse Engineering of Automotive Parts Applying Laser Scanning and Structured Light Techniques, as a straightforward description of the reverse engineering process shorn of vendor technicalities.

While white light scanning is a pan-industry norm for legitimate reverse engineering, inspection, hybrid modeling and archiving, and is known to be used for conventional competitive analysis, the emerging norm is a Chinese-led wholesale cloning of vehicle subsystems or, increasingly, entire vehicles.

From a limited distribution 2006 ICG report:

Driven by competition from other Chinese automotive manufacturers as well as foreign badges, Chinese OEMs have targeted foreign OEM design information, specifically CAD or "mathdata", as a means of leapfrogging the design cycle. In the absence of obtaining mathdata for coveted designs, Chinese OEMs will increasingly resort to brute force copying of entire platforms that they perceive as valuable to the Chinese market and early export penetration. US and EU OEMs should expect collection activities from multiple Chinese OEMs and component manufacturers locked in a domestic competition that considers foreign Intellectual Property (IP) as little more than harvestable assets.

Having surrendered basic manufacturing technology in Joint Ventures (JVs) with Chinese partners, US and EU OEMs have progressively less to offer the Chinese other than design data and marketing know-how not tendered as part of a JV. The foreign OEMs Daimler Chrysler and BMW, recognized by the Chinese as possessing superior manufacturing technology, will continue to suffer predation against their proprietary technologies as well as design data.

Collection activity will not be limited to China. In many cases, the asset will be defended less outside of China than within China. Low cost is not low risk: realities of IP Loss notes:

While certain assets are likely targets inside China, the key is to think "asset" instead of "country". Risk cannot be based on countries or "risky areas" but rather wherever a sufficiently valuable asset is accessible at any tier in any country - as the collector will move to the least defended point that contains the IP.

This wholesale cloning is seen as IP usurpation by the legitimate owner. The Chinese generally do not so much disagree as decline to comment; that changed with the curious defense by Shuanghuan:

The Chinese carmaker accused by BMW and Mercedes-Smart of copying their designs has rejected the claims, citing that it had approval from the Chinese government to build the cars as its defense. Shuanghuan manufactures the Noble minicar, an almost identical replica of the Smart Fortwo, as well as the CEO, a SUV with the rear-end of a BMW X5…

"Noble and CEO cars, approved by the Chinese government, are legal products," a spokesperson for Shuanghuan told reporters from AFP. Further, the spokesperson explained that the Noble is only sold in China, while the only export markets in which the CEO is sold are parts of Africa and Southeast Asia.

White light scanning has many limitations that will spawn ancillary IP collection efforts. From a limited distribution 2006 ICG report:

The marriage of design to manufacturing and assembly will hinder their aggressive effort. Many products are specifically designed for a process, not well understood from reviewing a print or a scanned image. Vehicle dynamics is a product development process unique to each OEM’s developed testing methods. If not married with the prints and manufacturing methods, the clone will not reproduce the same results.

Here is a sample forecast of the Chinese IP collection efforts that will supplement white light clones. From a limited distribution 2006 ICG report:

We would expect collection efforts against OEM product development processes, which might be reasonably achieved by hiring staff from [redacted] or key suppliers in order to reduce the unknowns in vehicle dynamics affecting manufacturing…

Materials and coatings knowledge will face increasing collection to support dimensional characteristics of scanned/cloned parts and act as a driver for materials cost reduction. Expect key Tier One and Two suppliers and base materials producers possessing these skills to be targeted.

It remains to be seen what actions US/EU OEMs can take without suffering retribution elsewhere from Chinese authorities, a standard Chinese response.

BMW sues Chinese carmaker over X5 clone
Motor Authority
Posted on 12 September 2007

Germans See Imitation in Chinese Cars
By MARK LANDLER
New York Times
September 12, 2007

Car Companies See Counterfeits in China
24/7 Wall St
September 12, 2007

Rumormill: China Automobile almost kicked out of Frankfurt show?
by Alex Nunez
Auto Blog
Posted Sep 12, 2007 3:35PM

Chinese companies copy tires, too
Motor Authority
Posted on 6 September 2007

Chinese Carmakers Will Not Show Their 'Clone' Cars in Frankfurt
Pure Green Cars
September 04, 2007

Chinese Taking "FAKES" to another whole level: Cars
By BRIM
UpTempoAir
August 31, 2007

There will be no stopping the Chinese-built Smart clone
by Sebastian Blanco
AutoblogGreen
Posted Aug 31st 2007 1:15PM

Clones are perfectly legal, says Shuanghuan
Motor Authority
Posted on Thursday 30 August 2007

BMW joins smart in threatening copy-cat Chinese
by Damon Lavrinc
Auto Blog
Posted Aug 27th 2007 9:58AM

Chinese Toyota RAV4 & BMW X5 Clones Coming To Frankfurt
Gianni9
submitted on 07/19/2007: 10:51 AM
from: carscoop.blogspot.com

White-Light Scanning Validates Faster, Better Processes for Molded Auto Interior Trim at Eifel Inc.
The use of white-light scanning and photogrammetry ensures accuracy of tool building programs.
By Jack Thornton
Moldmaking Technology
February 2007

3D Scan IT and InnovMetric help Eifel Inc. halve injection-mold delivery times and maintain margins
PolyWorks Case Study

Solving leakage problems on car door assemblies
PolyWorks Case Study

The Basics of Photogrammetry
Geodetic Services
HTML

Chinese tigers prey on Europe’s roads
Cheap labour and low costs prove a challenge for EU car manufacturers, writes Lorraine Mallinder
European Voice
8 March, 2006

Reverse Engineering of Automotive Parts Applying Laser Scanning and Structured Light Techniques
Ngozi Sherry Ali
Project in Lieu of Thesis, presented for the Masters of Science Degree
The University of Tennessee, Knoxville
May 2005

Reverse Engineering
Using digital processes accelerates design and increases manufacturing quality.
Aerospace Engineering
September 2004

Similar material here:
Reverse engineering: the catalyst behind the next big aerospace leap
by Ping Fu, CEO & President, Raindrop Geomagic

Reverse Engineering: An Overview of the Options
By Lisa Federici
Moldmaking Technology
March 2001

For Steel-Wool Maker, Chinese Lessons
By JOHN HOLUSHA
New York Times
Published: May 28, 1996

Gordon Housworth




A China facet: Defective materials and products driven by greed and ineptitude


Our clients are familiar with our longstanding forecast of Chinese 'thrifting' in materials, coatings and platings, more so when they occur on interior surfaces or in internal components, where testing is more difficult. Such thrifting occurs frequently in Chinese supply chains, often evidenced by multiple, substandard parts from different suppliers in the same subassembly.

This thrifting is matched by aggressive IP theft/harvesting by the Chinese, as these same materials areas are key to significant cost and structural improvements in sectors such as autos and elsewhere. Often the US/EU supplier possessing these skills is a tier two or three supplier almost completely unaware of the attack. This bifurcation is understandable, as the thrifting and the thefts are being executed by different entities with different goals in the greater Chinese supply chain. No one ever said that China was not a land of contrasts.

Unrecognized by many, the risk has been there

In advising clients that they cannot rely on their Chinese supply chain to enforce part quality, Harris & Moure states that the problem is not new and that they must "take action to ensure the safety and quality" of their products in order to minimize their liability:

Dangerous Chinese products were entering the United States and Europe long before the Melamine pet food tainting hit the news. But that incident and those which quickly followed it (bad toothpaste being the most prominent) mean everyone is now on notice these issues are real. From now on, it will be impossible for any Western company to plead ignorance. Western companies that refuse to take proper action will increasingly be subject to severe penalties, even including punitive damages, where such damages are available. In other words, any Western company that does nothing to assure the safety of its Chinese products and then steps into court claiming it had every reason to trust its Chinese supplier (based on faith alone), is likely to face real anger and major damages. Plaintiff's class action lawyers in the United States should be and are salivating.

And get this straight, we are not just talking about food products here, though that is the most obvious and prominent right now.  If you are selling Chinese bikes, do you know whether the nuts on your seats are really strong enough to withstand a 200 pound Westerner?  If you are selling Chinese electrical goods, do you know if that Underwriters Laboratory (UL) sticker is counterfeit or not?  Is the plastic in your Chinese made baby item really nontoxic?  Will your cigarette lighter explode?  Are you certain the fake fur on your coat is not from a dog?  The time for complacence is over.

As any automotive supplier has painfully come to know, PPAP (Production Part Approval Process) and APQP (Advanced Product Quality Planning) proficiency is thin in China beyond already established suppliers to long standing automotive OEMs and tier one suppliers. As one cascades down the part and commodity chain, production values are problematic:

Sure, greed factors into why Chinese suppliers make defective, even harmful products. But often it's because of just plain ineptitude. If you visited a typical Chinese factory, you'd see why. It lacks capital, technology and know-how. Its workers place obedience over quality. And it sits along an endless chain of middlemen.

On average, it takes China 17 separate parties to produce a product that would take us three. Unlike Japan in the 1980s, little companies drive China's economic growth, not big ones. China's industries are composed of hundreds of thousands of tiny factories and farms -- plus traders, brokers, haulers and agents, all of whom take control of the goods and materials but add little value to the product. With every additional player in the chain, the cost, risk and time grow. Effective quality control in this environment is difficult.

So is effective cost control. Despite cheap labor, making goods in China is often more expensive than in the U.S. Far from being a bottomless ATM of cheap consumer goods, China is a risky, costly and time-consuming place to do business.

Yet polls show a majority of Americans believe China has mastered basic manufacturing -- and it's now barreling into our high-tech backyard. That's false. As the product recalls demonstrate, China can barely make low-value goods reliably, much less higher-value ones. The problems are structural, not the result of a few bad apples.

Faults in areas more critical than toothpaste

China has fundamental faults in essential fabrication materials; start with steel:

Steel imports from China that fall apart easily are making U.S. manufacturers and constructions firms more than a little nervous. Reports of failures during initial fabrication and questions about certification documents will mean closer scrutiny... The biggest concern is hollow structural sections widely used in construction of skyscrapers, bridges, pipelines, office, commercial and school buildings. This high-strength steel is also commonly used in power lifts, cranes, farm equipment, furniture and car trailer hitches.

Chinese high-strength steel tubes and pipes are also a potential problem. They're used extensively in power plants and in large industrial boilers, and must withstand enormous pressures and hellish heat around the clock for weeks or months on end... Inferior high-strength steel could cause catastrophic failures of buildings, pipelines or in power plants' boiler tubing...

"Most of China's 800-plus steelmakers are small fabricators who have no idea what quality is about, so there is a risk that some guy with a welding torch buys some hot-rolled coil steel and just welds it together"

As critical material failures occur regularly in key Chinese infrastructure projects, what makes anyone think a US purchaser is going to fare any better? Witness the recent failure at the 300MW Huadian Datong Power Station Unit 2, Qinghai Province, when the HP main steam line, supposed to be seamless Grade 91 pipe, failed (photos here and here), killing two and scalding one. The failure path was consistent; note that the Chinese government has now banned Chinese pipe for critical power plant applications:

"It is very important that we deal with reputable companies and know the origin of the materials we supply. The material that failed was supplied by a company in Houston TX, called S.M.A.N.T., who certified it as US pipe when it came from questionable sources in China. These details have been confirmed by the Bechtel QA Manager of Power. Bechtel China has also conducted an investigation and the supply chain is ugly due to the extent of how many agents, brokers, and mills are involved. The Chinese Government has stepped in and has called for a formal investigation. The Chinese Government has also banned Chinese made pipe for use in major power plant critical applications. Thus far there is evidence to support that over 30 plants contain similar or other "fake pipe" all over China."

Commissive-omissive chain of actors in government and industry

The Chinese government believes "that more than 40 [Chinese] plants have used the [bogus, noncompliant] Hyrdatic or SMANT pipes." The analysis was:

  • The cost of bogus pipes is only 40% of imported ones, and the margin from a 2x600MW plant could be 70 million RMB or 9 million USD.
  • Sometimes they do import some genuine product, but only a small portion, to cheat inspection and examination.
  • The traders and dealers actually know about the forgery and share the interest with the counterfeiter; however, they pretend to have been deceived once the reality is disclosed.
  • Normally, owners order the critical pipes directly and then lack strict inspection and examination.
  • For Huadian Datong Power Plant, the pipe trader, Huadian Piping Engineering & Technology Co, is actually a firm related to the owner, both under the same umbrella of Huadian Group, one of the five major IPPs (the State controls most of the shares).
  • Plentiful plants built simultaneously on aggressive schedules furnish markets for low cost fake pipes.
  • Legal and administrative penalties are too insignificant to deter counterfeit manufacture.

A list member added this comment:

Fake seamless pipes are a huge racket prevalent in China. There are any number of unscrupulous manipulators in this trade. Last year I had an export enquiry for seamless pipes. My rates were obviously high by 20%. I was asked to quote a lower price, and win the bid. Thereafter I was asked to supply good original samples for approval. Thereafter I could supply fake ones just by placing the stamp of the original manufacturer. I refused. The Chinese guy accepted and to this day the orders go to him and the business goes there. [Question as to who the writer was working with] Government tenders are always cornered by the traders, middlemen and are considered a largesse doled out to political beneficiaries. This is a standard practice in Asian countries. For government is the biggest buyer.

Yet:

Imports of specialized structural pipe and tubing steel from China are soaring, up from almost nothing two years ago to 102,000 metric tons in the first six months of this year, according to American Iron and Steel Institute data. China now provides about 25% of U.S. supplies of this high-strength steel, making it the second-largest source behind Canada. U.S. steel mills supply about 16%.

On the heavy fabrication side, caution and the recognition of the need to test aggressively are emerging, albeit not widely enough; too much product is still being accepted at face value. This on Chinese steel products from the Boiler and Pressure Vessel engineering Forum:

One of the vendors we deal with regarding boiler pressure parts is Chicago Tube and Iron (CTI). They (CTI) will not purchase tube mill products from China unless the customer specifically requests it. I happened to be in the CTI shop on an audit for our parts and one of the floor guys showed me a batch of tubing from China. It was poor quality - surface finish and tolerances...

The general feeling is that if the Chinese can sell an item and the "value added" (i.e. heat treatment) cannot be easily determined from a visual inspection, then they will try to get away with it...

As a fabricator on the Gulf Coast, we are seeing most users/buyers specifying Domestic, Canadian, Western European, and Japanese manufacture for materials. Many are adding a "melted & manufactured" clause in their specifications. Substantial AMLs [Approved Manufacturer's Lists] are now the norm and Chinese materials are generally excluded due to poor quality which relates to risk...

There is quite a bit of seamless tubular manufactured in the US, from Chinese hollows. It makes sense, the size control, heat treating and NDT are all controlled on this end. And you save some money on the starting hollows. The guys that I know that are doing it are sending people to witness every manufacturing run in China...

Confronted, China assumes the role of aggrieved party or the bully

The CCP suppresses bad news, news that would embarrass the party or its luminaries; when it cannot suppress, it goes on the offensive as the systemic issues resist correction. Witness China's sustained data suppression over the SARS and Avian Flu outbreaks.

In each emergency or embarrassing discovery, China shatters the rules of good public relations and crisis management, doing few or none of the following:

  • Prepare to engage fully
  • Have all the facts
  • Take immediate action, minimizing danger to human life
  • Tell the truth
  • Show care and sincerity
  • Use common sense

To larger states such as the US, the initial response to the recent appearance of poisonous diethylene glycol (DEG) in toothpaste and cough syrup, which killed more than 100 in Panama, is typical:

"So far we have not received any report of death resulting from using the toothpaste. The U.S. handling (of this case) is neither scientific nor responsible," China's General Administration of Quality Supervision, Inspection and Quarantine said in a statement posted on its Web site over the weekend. "All the toothpaste exported to the United States had been registered by the U.S. Food and Drug Administration for marketing in the States."

While such stonewalling does nothing to resolve matters and establish trust, this response received by smaller states is instructive:

In dealing with product safety complaints from the United States, China has sought to convince a concerned American public that it has reformed and is doing all it can to ensure the safety of its products. But its dealings with other, less-developed countries or those in vulnerable political positions are a different story, according to Husniah and officials in the Philippines and Malaysia...

Chinese food-safety officials argue that the recalls and bans by other countries amount to technical trade barriers that attempt to legitimize what would otherwise be unfair trade practices.

But to a regional state as prominent as Indonesia:

Indonesian officials accuse China of pushing shoddy products and inferior standards on poor countries that have no choice but to depend on it for cheap goods, aid and investment. They say that China, in closed-door meetings, has refused to share basic information, attempted to horse-trade by insisting on discussing disparate issues as part of a single negotiation and all but threatened retaliatory trade actions. The Chinese respond that their products have been the victim of unfair trade actions.

Examples:

After hearing about dangerous Chinese products elsewhere, Indonesia this summer began testing popular Chinese-made items on its own store shelves. What it found has added to the list of horrors: mercury-laced makeup that turns skin black, dried fruit spiked with industrial chemicals, carcinogenic children's candy.

The Chinese government called up in August saying it had a possible solution. [The] Chinese suggested Indonesia lower its safety standards. [Head of Indonesia's food and drug safety agency] Husniah said she was "very upset and very surprised." "I said to them, 'I respect your standards for your country. I hope you respect ours.' "...

In the Philippines in July, a state-owned Chinese company threatened to sue for defamation after the Philippine government released a public warning saying a popular brand of candy was contaminated with formaldehyde. In Hong Kong, China pushed the territory to reconsider its recall of toothpaste contaminated with a chemical that other countries said might be poisonous but that China argued was present at levels safe for human consumption. It then ordered Hong Kong to submit a report on how and why it called back the toothpaste.

In Malaysia, a ban on fungus-infested nuts and dried fruit with a carcinogenic sweetener from China was met with a Chinese alert on litchi-flavored yogurt from Malaysia that it said didn't meet labeling requirements. Malaysia has long had a history of food safety issues with Chinese products.

When the smaller states do not relent, China enacts countermanding measures:

[Soon after the Indonesian meetings], China had announced a ban on Indonesian seafood. Husniah said she accused the Chinese of taking retaliatory trade actions. "You banned our seafood because of our public warning about your products"... She said Chinese officials denied this was the case...

Days after the Philippines announced the problem, the Chinese government enacted its own recall of banana chips from the Philippines, saying they contained high levels of sulfur dioxide, which is used as a preservative but can be toxic at high levels. China dispatched representatives all over Asia to talk to food inspectors in other countries...

One is left with the impression that China is more aggravated than repentant, and that it will continue to sell defective materials and products where possible. This does little to build trust that China will move to rectify its defects.

Next: A China facet: White light vehicle cloning driven by absence of indigenous vehicle designs and packaging

New Threat From China: Shoddy Steel Imports
By Jim Ostroff
Kiplinger Business Resources
September 7, 2007
Mirror

PRC tries to clean up image in Sydney
FIGHTING BACK: Hu Jintao pointed out that 99 percent of exports from China to the US, EU and Japan from 2004 to the first half of this year were up to standard
By Jessie Ho
STAFF REPORTER, IN SYDNEY
Taipei Times
Friday, Sep 07, 2007

Importer to recall Chinese-made car fuses
Auto parts company alerted regulators to fuses that don't blow when they should and could cause fires.
By Peter Valdes-Dapena
CNNMoney.com
September 6 2007: 11:34 AM EDT

Asians Say Trade Complaints Bring Out the Bully in China
By Ariana Eunjung Cha
Washington Post
September 5, 2007

AISC Requests Data from Independent Testing of HSS
From American Institute of Steel Construction, Inc.
September 04, 2007

Steel Products from China
thread794-195299
Boiler and Pressure Vessel engineering Forum
Eng-Tips Forums
Aug 18, 2007

Also these threads:
Fabricated Vs Forged Flanges-National Board Report
thread292-11849
Chinese steel tube
thread404-187383
origin of material
thread794-188022
Stainless Steel Pipe
thread378-70822

Massive Subsidies and the Great Protectionist Walls of China
By Peter Navarro
FT Press
Aug 17, 2007

China the defective-product king
Beijing's attitude about quality of its goods reflects its Maoist legacy.
By PETER NAVARRO
The Orange Grove
Tuesday, August 14, 2007

Cracks in the Great Wall of China
Nicholas Vardy
Global Guru
7/25/2007 12:01 AM ET

The China Syndrome
By JEREMY HAFT
WSJ
July 16, 2007

Dangerous Made-In-China Products: 2007 Timeline
by Jefferson
Who Sucks?
July 7, 2007

Dangerous steel
Felix Weinstein
Tower crane engineer Felix Weinstein argues that steel impurities are threatening the safety of cranes. Steel produced in ingots from recycled steel is most at risk to contamination. The only solution is extra testing.
Cranes Today
July 2007
Mirror

The End Of Cheap China
Fiducia
July, 2007

450,000 Truck Tires Made in China To Be Recalled in US
Posted by chinaview on June 26th, 2007
Status of the Chinese People

original report from DiGiTAL50.com

FDA and The Crisis of China's Poisoned Products News
By Gordon Gibb
Lawyers and Settlements
June 17, 2007

China says US toothpaste warning irresponsible
Reuters
Mon Jun 4, 2007 12:33AM EDT

How To Protect Your Company From Bad China Product
Posted by Dan Harris
China Law Blog
June 6, 2007 at 08:52 AM

P91 failure in China - 3 fatalities
thread330-172967
Boiler and Pressure Vessel engineering Forum
Eng-Tips Forums
11 Dec 06

The China Syndrome: How Subsidies and Government Intervention Created the World's Largest Steel Industry
Alan H. Price, Christopher B. Weld, D. Scott Nance, Paul Zucker
Wiley Rein & Fielding LLP
July 2006

Growing experience with P91/T91 forcing essential code changes
By Jeffrey F Henry, Alstom Power Inc and ASME Task Group
COMBINED CYCLE JOURNAL
First Quarter 2005

Bird Flu: Communicating the Risk
by Peter M. Sandman and Jody Lanard
Perspectives in Health
Pan American Health Organization (PAHO), WHO
Volume 10, No. 2, 2005

Commentary: While China Stonewalled
Business Week
APRIL 14, 2003

Product Quality Law of the People's Republic of China (Amended on 7/8/2000)
Ministry of Science and Technology of the People's Republic of China
(Adopted at the 30th Meeting of the Standing Committee of the Seventh National People's Congress on February 22, 1993, and amended at the 16th Meeting of the Standing Committee of the Ninth National People's Congress on July 8, 2000)

Gordon Housworth




Gap between law and practice in multinational compliance and ethics program in China


US SEC-regulated firms responding to the Sarbanes-Oxley Act (2002) and the 2004 revised Organizational Sentencing Guidelines (also here) must now include China's Company Law in their Chinese operations, as "starting January 1, 2006 every new foreign-invested enterprise in China [must] establish the position of 'supervisor'":

The position of supervisor derives from European corporate law and the institution of the supervisory board in a two-tier board structure. Many civil-law jurisdictions, such as Japan, Taiwan, Mexico, Brazil, Italy, and Spain, have adopted this model of corporate law and a supervisory board...

[A] limited liability company must establish one or more supervisor positions. (Almost all foreign-invested companies are limited-liability companies, and those that are not are still subject to a supervisor requirement.)...

The supervisor’s principal function is that of an independent watchdog to prevent and detect violations of law. [A] supervisor is to review the performance of the company’s directors and senior management in their official duties and propose the dismissal of directors and senior management who are found to have violated the law, regulations, or the company’s Articles of Association.

The supervisor also has the authority to examine the financial affairs of the company and to investigate irregularities in the company’s operations. And a supervisor has authority to require a director or senior manager to rectify his conduct if it has damaged the interests of the company... [Implementing a Compliance And Ethics Program in China, Torbert, ETHIKOS, July/August 2007]

When a colleague, Preston Torbert, first advised me of this forthcoming analysis of a compliance and ethics program in China that sought to bridge US and Chinese law, my snap response was cheeky:

I think that I could more easily change my carbon-based, oxygen breathing system to a silicon-based, ammonia breathing system, but I will be certain to keep an open mind. [email]

But Torbert's analysis does merit reading as he offers a checklist on the role of Supervisor in a compliance and ethics program in a Foreign-invested Enterprise (FIE) in China as an outcome of exploring four topics:

  1. What specific functions of a compliance and ethics program could a supervisor perform?
  2. What disqualifications do Sarbanes-Oxley and the revised Sentencing Guidelines impose on the selection of personnel to oversee or implement a program, and what disqualifications does Chinese law impose on the selection of a person to be a supervisor? Do these disqualifications conflict with or complement each other?
  3. The Commentary to the Sentencing Guidelines suggests that organizations model their compliance and ethics program on well-regarded programs and best practices of similar organizations. What are the best practices in Chinese companies that are also subject to a supervisor requirement?
  4. What is the experience regarding supervisors in Chinese subsidiaries of U.S. companies since January 1, 2006 when supervisors were required? Given that the position of supervisor is common to the company law of some civil-law jurisdictions, what is the experience in such jurisdictions with supervisors in subsidiaries of U.S. companies?
     [Implementing a Compliance And Ethics Program in China, Torbert, ETHIKOS, July/August 2007]

After reading Torbert's legal analysis, my field comments were as follows:

The supervisor and his "monitoring and auditing" function is the perfect sinecure for institutional espionage, and will be used as such. Isolation (a "Chinese Wall"?), not integration [of the supervisor in the SEC-side], has merit. More on that below.

I would deeply investigate the hiring/posting procedure for this individual posted to my firm. Furthermore, I would look beyond the due diligence on the person hired/appointed to my firm and into the community of supervisors so as to detect patterns (provenance, history, relationships, et al). I would expect to find some interesting undisclosed linkages.

As China is a land of too many, not too few, laws, this position further permits discretionary corporate and individual embarrassment or interruption whenever it suits the needs of the CCP. [Discretionary traps await even those of the highest probity.]

The Chinese will welcome extending the supervisor's role so long as it improves Chinese access into corporate information but will restrain it should that expansion reveal information that the state wishes to remain cloaked or cooked.

I maintain that you cannot do business in China, profitably or otherwise, without violating the FCPA. See: A Chinese Catch-22: the implausibility of plausible denial. I think that I am on reasonable ground that SOX compliance will be equally compromised and that the US entity must immediately begin some form of risk factoring to limit its exposure.

I submit that the supervisor role must be held distinct from your SOX compliance officer as the supervisor is "their guy" in so many ways, tangible and intangible, and you need to insure that the SOX compliance officer is "your guy."

I do not believe that the supervisor can be an "independent private inspector general," full stop.

China is not like other places and thus attempting to extend supervisory performance trends to Chinese soil is fraught with peril. The utility, value and threat of the supervisor's role have to be evaluated within current Chinese conditions. [email comment]

These are not idle issues, as SEC-regulated firms can find themselves in a regulatory breach, suffering a loss of Intellectual Property (IP) and operational strategy, or both. Whereas Sarbanes-Oxley and similar US statutes are used to provide transparency to the global investor and regulator alike, the law in China is used more to further the aims of the state; state entities, and commercial entities fulfilling state goals (as simple as revenue and growth), will, if history is any guide, be favored over foreign firms.

The foregoing comments notwithstanding, I know Torbert to be a very practical attorney; his A Peek into the Black Box on contract negotiation, which notes the perils of moving between Chinese and English texts, is highly recommended.

His concluding recommendations on dealing with the ever-present ambiguity between two very different languages and cultures were excellent, yet sadly, those who have yet to be stung will think that a second translation mark-up, a cover note on likely ambiguities and their implications, a back translation with recourse and a side-by-side length comparison are surely overkill and too costly. These are the same individuals who say 'We didn't even plan on making enough time for that,' presuming that is sufficient justification for skipping this rigor even if it was thought to be needed.

Even with Torbert's excellent steps, I have seen cultural and commercial issues make a hash of the best agreement, but his process embedded in an open-eyed understanding of the agreement on offer manifestly improves the chance of succeeding. His comment about the destructive power of successive ambiguities reminded me of my maxim that the two overriding reasons for the failure of a joint venture, merger, or any organizational initiative (in any venue and between any countries/ethnic groups) are:

  • Failure to set and reset mutual expectations
  • Failure to build and maintain a sustaining relationship

When either or both of these needs are breached, the venture will be allowed to founder on one of the three "rocks of convenience" - finances, technology, and operations. I hold it as a given that whenever either party gets a surprise, it is a direct indication of an expectation failure and should be a call to action to find out why and prevent it from happening again.

Borrowing the concept of Confidence Building Measures (CBMs) that are a staple of nuclear weapons bargaining for force reductions, my process goals are designed to create interactions that set realistic agendas and expectations, and to develop a relationship that once built, is validated and renewed.

As we are an extension of the legal side, working closely with attorneys in discovery and due diligence efforts, I can say that if Torbert's style of contract definition were embedded in my clients' behavior, our work would be easier.

I can only hope that his guidance vis-à-vis the role of Supervisor equally threads the operational needle of pursuing legitimate business in China without falling afoul of two vastly different intents at supervisory ethical oversight.

Inquiry Threatens Ex-Leader of Securities Agency
By NEIL A. LEWIS
New York Times
August 16, 2007

Implementing a Compliance And Ethics Program in China
By Preston M. Torbert
ETHIKOS
Twentieth Anniversary Issue July/August 2007
NOTE: Not yet accessible online

A Peek into the Black Box
Preston M. Torbert
China Business Review
July-August 2006

Company Law of the People's Republic of China (revised in 2005)
Updated: 2006-04-17 10:09
ChinaDaily
(Adopted at the Fifth Session of the Standing Committee of the Eighth National People's Congress on December 29, 1993. Revised for the first time on December 25, 1999 in accordance with the Decision of the Thirteenth Session of the Standing Committee of the Ninth People's Congress on Amending the Company Law of the People's Republic of China. Revised for the second time on August 28, 2004 in accordance with the Decision of the 11th Session of the Standing Committee of the 10th National People's Congress of the People's Republic of China on Amending the Company Law of the People's Republic of China. Revised for the third time at the 18th Session of the 10th National People's Congress of the People's Republic of China on October 27, 2005)

ORGANIZATIONAL SENTENCING GUIDELINES: THE NEW PARADIGM FOR EFFECTIVE COMPLIANCE AND ETHICS PROGRAMS
JAMES E. BOWERS, EDGARDO RAMOS, SABINO (ROD) RODRIGUEZ III, HELEN HARRIS, CHRISTOPHER V. BECKMAN
National Legal Center for the Public Interest
ISSN 1089-9820
ISBN 0-937299-46-4
ISBN 1-930742-56-8
Volume 8, Number 11
November 2004

Preventative Measures against Criminal Conduct Have Wide Ranging Benefits
By Paula J. Desio
November 2004

Gordon Housworth




Prediction: the Cisco-Huawei IP debacle repeated itself with Denso, and likely for the same reasons


'National security' breach theft from Denso

In briefings three years ago to some of the largest tier one automotive suppliers, we forecast that Toyota/Denso would be the wholesale Automotive OEM target for IP theft as it was one of the few (the only significant) OEM that retained the capacity to design and manufacture everything that they purchased. (All other OEMs were in the process of surrendering their production technology via joint ventures so the only items worthy of hostile collection were their vehicle designs, preferably the mathdata CAD files thereof.) Another forecast was that any Toyota/Denso JV with a Chinese entity would be an IP siphon to the Chinese. The first forecast has now come true, and is likely only the beginning of the loss. The second is undoubtedly in progress.

In March Kyodo News reported that a Chinese engineer, Yang Luchuan, 41, at Denso's facility in Kariya, Aichi Prefecture, was suspected of "embezzling [Dow Jones prefers "stealing"] information on about 1,700 types of products, including sensors and industrial robots [of which] about 280 types were considered top secret by the company."

This theft was discovered after the fact during an "internal investigation following a problem with its database system" which could mean that Yang was discovered by accident or that other means and methods were being concealed. In a classic piece of insider theft:

  • Yang made repeated downloads from Denso corporate libraries between October-December 2006 to a Denso-supplied laptop
  • Forensic analysis showed subsequent copying of the files from the laptop to as yet undiscovered external storage devices
  • Yang made at least three trips to China following the downloads including one (16 Feb-4 March) two days after being by Japanese authorities.
  • Yang took the laptop home but denied the copying disclosed by forensics
  • Yang destroyed the hard drive of his home computer
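The pattern in the list above (repeated bulk pulls from a document library, followed by a copy to removable media) is exactly the kind of sequence an insider-threat monitor should surface before the "internal investigation following a problem with its database system" stumbles on it after the fact. The script below is an added illustration written for this post; it is not Denso's code and the log lines are constructed. It assumes a simple pipe-delimited event feed (timestamp, user, event type, detail) with the event names LIB_DOWNLOAD, USB_MOUNT and FILE_COPY_REMOVABLE, which are hypothetical names chosen for the example.

```python
"""Flag users whose library downloads spike inside a sliding window and who
then touch removable media. Added example; event format and names are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta


def constructed_sample_log():
    """Constructed sample feed: one engineer with a download burst followed by
    USB copies, one engineer with ordinary activity. Not real log data."""
    lines = []
    base = datetime(2006, 10, 2, 9, 0)
    # eng_a: twelve library downloads spread over ~4.5 days ...
    for i in range(12):
        ts = base + timedelta(hours=i * 10)
        lines.append(f"{ts:%Y-%m-%dT%H:%M}|eng_a|LIB_DOWNLOAD|part_drawing_{i:03}.pdf")
    # ... then a removable device is mounted and files are copied to it
    lines.append("2006-10-09T21:30|eng_a|USB_MOUNT|VID_0781_PID_5567")
    lines.append("2006-10-09T21:34|eng_a|FILE_COPY_REMOVABLE|part_drawing_003.pdf")
    lines.append("2006-10-09T21:35|eng_a|FILE_COPY_REMOVABLE|part_drawing_007.pdf")
    # eng_b: three downloads over two weeks, no removable media
    for i in range(3):
        ts = base + timedelta(days=i * 5)
        lines.append(f"{ts:%Y-%m-%dT%H:%M}|eng_b|LIB_DOWNLOAD|test_report_{i}.pdf")
    return "\n".join(lines)


def parse_log(text):
    """Parse 'timestamp|user|event|detail' lines into dicts, skipping blanks."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, detail = line.split("|", 3)
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M"),
                       "user": user, "event": event, "detail": detail})
    return events


def bulk_download_windows(events, window=timedelta(days=7), threshold=10):
    """Per user, find the peak number of LIB_DOWNLOAD events inside any
    sliding window of the given length. Returns {user: (window_start, count)}
    only for users whose peak reaches the threshold."""
    per_user = defaultdict(list)
    for e in events:
        if e["event"] == "LIB_DOWNLOAD":
            per_user[e["user"]].append(e["ts"])
    hits = {}
    for user, stamps in per_user.items():
        stamps.sort()
        left, peak = 0, (None, 0)
        for right, ts in enumerate(stamps):
            # advance the left edge until the window fits
            while ts - stamps[left] > window:
                left += 1
            count = right - left + 1
            if count > peak[1]:
                peak = (stamps[left], count)
        if peak[1] >= threshold:
            hits[user] = peak
    return hits


def removable_events_after(events, user, since):
    """Removable-media events for a user at or after a given timestamp."""
    return [e for e in events
            if e["user"] == user
            and e["event"] in ("USB_MOUNT", "FILE_COPY_REMOVABLE")
            and e["ts"] >= since]


def analyze(log_text, window=timedelta(days=7), threshold=10):
    """Combine the two signals: a download burst is 'medium'; a burst followed
    by removable-media activity is 'high'."""
    events = parse_log(log_text)
    findings = []
    for user, (start, count) in bulk_download_windows(events, window, threshold).items():
        copies = removable_events_after(events, user, start)
        findings.append({"user": user, "window_start": start, "downloads": count,
                         "removable_events": len(copies),
                         "severity": "high" if copies else "medium"})
    return findings


if __name__ == "__main__":
    for f in analyze(constructed_sample_log()):
        print(f)
```

The threshold and window are deliberately parameters: a sensible baseline is per-role and per-library, and the value of the check comes from correlating the burst with the media event, not from either signal alone. In a real deployment the removable-media events would come from endpoint agents, and the finding should also record the device identifier so the "as yet undiscovered external storage devices" of a later forensic effort have a starting point.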

The Denso theft again reinforces our maxim that IP holders must protect an asset 'wherever it appears in the global supply chain at any tier' as opposed to only ostensibly 'risky states.' This theft is complicated by the presence of a foreign national in the critical path, a fact that we continually flag to firms placing IP-rich R&D hives in China, which often pose a greater IP risk than in-country manufacturing operations.

What little is known of Yang's background indicates a PLA plant against a high value target. Yang:

  • "Graduated from a Beijing-based university in 1986"
  • Worked "for a state-run company developing missiles and rockets in China" (the firm's name is not disclosed in any article)
  • "Came to Japan in 1990, and graduated from an engineering college in Tokyo"
  • Joined Denso in December 2001
  • Participated in "engine parts development and other works"
  • Served as "vice chairman of the Japan Association of Chinese Automotive Engineers"

Almost immediately after Yang was detained, the Yomiuri Shimbun weighed in with an uncharacteristically blunt editorial noting that:

  • The theft, as great as it was, was "probably just the tip of the iceberg"
  • "National interest [was] at risk" given the nature of Denso's research and engineering
  • "Denso's data management clearly was lax" allowing damage to Japanese interests beyond the confines of Denso
  • "Anti-espionage laws [are] lacking" even as the "National Police Agency believes China is trying to obtain various advanced technologies and related information in Japan"
  • "Employment of foreign engineers and researchers" needed national as well as corporate oversight
  • Management of important corporate information is not an issue "that can be left to the private sector alone"
  • As the Japanese Penal Code only stipulates a maximum five year sentence for embezzlement, the "police reportedly also plan to establish a case under the Unfair Competition Prevention Law as it provides for a heavier [ten-year] punishment"

Little more was published in the Japanese press until small items appeared two weeks later in Japan Times; Japanese magistrates and police had withdrawn charges and released the Chinese engineer that executed the "national security" level IP theft against Denso. The anemic refusal to indict and the release notices (verbatim below as they have now scrolled off) are mind-boggling in their banality, and there has been nothing more from official sources since. Astonishing until one considers the leverage that China could apply against Denso and Toyota:

Prosecutors decide against indicting Chinese man over data theft
Japan Times
Apr 6, 2007
Requested article has expired, and is no longer available

NAGOYA - The Nagoya District Public Prosecutors Office on Thursday decided against filing a formal charge against a Chinese employee of auto parts builder Denso Corp who was arrested on suspicion of taking out product design data without the company's authorization, investigative sources said. The prosecutors apparently decided it was difficult to establish a case...

Prosecutors release Chinese man over data theft
Kyodo News, Japan Today
Saturday, April 7, 2007 at 07:16 EDT
Requested article has expired, and is no longer available

NAGOYA - The Nagoya District Public Prosecutors Office on Friday released a Chinese employee of auto parts maker Denso Corp who was arrested on suspicion of taking out product design data, with a view to suspending indictment against him.

The release of Yang Luchuan, a 41-year-old engineer at the company based in Kariya, Aichi Prefecture, marked the end of the case, with investigators unable to confirm why the data was taken and whether it was handed over to other people.

The affair has been whitewashed. My immediate impression was that Cisco's manhandling by Huawei and the PLA had repeated itself, and for the same reason: threats of extralegal punishment in the Chinese market.

Cisco tried to box with God

Who is Huawei Technologies and how could they have escaped Cisco's legal assault despite Huawei's fielding a router architecture containing stolen Cisco code down to identical text strings, file names, comments and bugs? Look no farther than its founder, Ren Zhengfei, one of China's IT "power players." From RAND's A New Direction for China's Defense Industry:

Huawei Shenzhen Technology Company. Huawei was founded in 1988 by Ren Zhengfei, a former director of the PLA General Staff Department's Information Engineering Academy, which is responsible for telecom research for the Chinese military. Huawei maintains deep ties with the Chinese military, which serves a multi-faceted role as an important customer, as well as Huawei's political patron and research and development partner. Both the government and the military tout Huawei as a national champion, and the company is currently China's largest, fastest-growing, and most impressive telecommunications-equipment manufacturer...

In analyzing the dynamics of the IT sector, it is first necessary to divide the defense portion of the IT sector into two related but distinct categories. The first includes those subsectors providing the PLA with commercial-off-the-shelf IT systems, such as routers, switches, and computers, which have become increasingly central to the digitization of the U.S. military. Key companies in this category include such "red chips" (the Chinese equivalent of U.S. blue-chip companies) as Huawei, Zhongxing, Datang, Julong, and the Wuhan Research Institute, all of which are private companies spun off from state research institutes that enjoy national-champion preferences within the system. They are marked by new facilities in dynamic locales, such as southern and eastern China, a high-tech workforce, and infusions of foreign technology. These firms are not obligated to provide a social safety net for thousands of unemployable workers and their families in rural areas. Instead, they hire and fire staff using market-based incentives and stock options...

The two most important categories of Chinese IT firms, particularly in dealings with foreign multinationals, are telecommunications equipment and electronics. Publicly, the major players in telecommunications - Huawei, Datang, Zhongxing, and Great Dragon (Julong) - appear to be independent, private-sector actors. By contrast, many of the electronics firms are grouped under ostensibly commercially oriented conglomerates, such as China Electronics Corporation. However, one does not need to dig too deeply to discover that many of these electronics companies are the public face for, sprang from, or are significantly engaged in joint research with state research institutes under the Ministry of Information Industry, defense-industrial corporations, or the military. Indeed, each of the "four tigers" of the Chinese telecommunications equipment market (Huawei, Zhongxing, Datang, and Julong) originated from a different part of the existing state telecommunications research and development infrastructure, often from the internal telecommunications apparatus of different ministries or the military. These connections provide channels for personnel transfers, commercialization of state-sponsored R&D ("spin-off"), and militarization of commercial R&D ("spin-on")...

Huawei has also become the most successful Chinese exporter of equipment, entering international markets in 1996. According to one source, "For the future, Huawei wants to be the Cisco of the PRC, but also is ambitious to become a global player." The company is rapidly penetrating Africa, Russia, India, and many other areas ignored by Western telcos...

Huawei is at the core of what is called China's "digital triangle":

The pace and depth of these advances cannot be explained by traditional Chinese defense-industrial reforms. Instead, they originate in a paradigm shift that could be called the "digital triangle," the three vertices of which are (1) China's booming commercial information-technology companies, (2) the state R&D institute and funding infrastructure, and (3) the military. The links among these three vertices are of long standing, given that telecommunications and information technology in China were originally developed under the auspices of the military, and the commercial relationships with state and military research institutes remain important.

The digital triangle approach resembles a classic technonationalist strategy a la Japan, with high-level bureaucratic coordination and significant state funding. But it also has the attributes of market-based, dynamic, nimble, and internationally oriented private enterprises. The techno-nationalist strategy has been attempted by the defense-industrial system in China in the past; that it is currently successful in information technology and shipbuilding may be driven more by the integration of those sectors into the global R&D and production chain than by China's technological strengths per se.

The digital triangle represents an important evolution in the military's strategy for telecommunications development. Under the previous model, such companies as the PLA General Staff Department's China Electronic Systems Engineering Corporation (CESEC) built commercial networks and served as a front company for the acquisition of technology for the military. Private Chinese companies such as Huawei, by contrast, represent the new digital-triangle model, whereby the military, other state actors, and their numbered research institutes help fund and staff commercially oriented firms that are designated "national champions," receive lines of credit from state banks, supplement their R&D funding with directed 863 money, and actively seek to build global market share. The military, for its part, benefits as a favored customer and research partner. Companies such as CESEC continue to exist, but they now serve as systems integrators of technologies from multiple outside vendors...

As part of its backbone infrastructure work with the PLA, Huawei supplied secure fiber optic communications networks widely within the PLA, including its missile networks and fire control/command and control systems, and would supply a variant, Tiger Song, to Iraq prior to OIF, which greatly complicated US interdiction, as previous Iraqi anti-air communications had been interceptable, targetable transmissions. The PRC was one of many UN embargo violators (which included our allies France and Germany as well as Russia):

Iraq purchased a number of Chengdu F-7 fighter jets from Beijing and has managed to trans-ship spare parts made in China for its force of F-7 and MiG-21 fighters through illegal front companies in Jordan, Hong Kong and Singapore. China also supplied Iraq with a large number of T-55 and T-58 tanks equipped with modern night-vision gun sights and laser range-finding systems. Somehow, the Iraqis keep these tanks in tip-top condition with an ample supply of Chinese-made spare parts. It is well known that China sold Iraq the "Tiger Song" air defense system during the 1990s. Both [Powell] and [Rice] have stated that China sold Iraq its new air defense system. The sale took place despite the fact that China also signed on to the U.N. ban on weapons sales to Iraq. NATO gave the system its name in 1998 after it was discovered to be operational in the Iraqi desert.

Tiger Song had interesting antecedents:

The Chinese-built "Tiger Song" fiber-optic air defense system used by Iraq is comprised of American-made technology obtained with a waiver from the Clinton Administration... The advanced fiber-optic system was a result of the friendship between General Ding Henggao, Commander of the Chinese Army military research bureau COSTIND [Commission on Science and Industry for National Defense] and then-US Defense Secretary William Perry...

In 1994, Professor John Lewis of Stanford University... teamed with General Ding to buy an advanced AT&T fiber-optic communication system for "civilian use" inside China. According to the Far Eastern Economic Review, [Perry] wrote a letter to US Government export control officials, favoring the fiber-optic export to China. The venture was called "Hua Mei." The Chinese part of the venture was run by the newly formed firm, "Galaxy New Technology," with General Ding's wife, Madame Nie Li, as the head of the project.

With the support of Perry and the advice of Prof. Lewis, AT&T shipped the secure communications system directly to a Chinese Army unit, using Galaxy technology as a front. The so-called "civilian" Galaxy firm was packed with senior Chinese military officers... Madame Nie was not only the wife of General Ding, but actually Lt. General Nie Lie of the Chinese Army. Galaxy Director and president was Mr. Deng Changgru, also known as Lt. Colonel Deng Changru, head of the Chinese Army communications corps. Co-General manager of Galaxy, "Mr." Xie Zhichao, also known as Lt. Colonel Xie Zhichao, director of the Chinese Army's Electronics Design Bureau...

"The Chinese army's Electronics Bureau... modified the American fiber-optics communication system, changing it into a secure air-defense system. The Chinese military then exported the newly modified system to Iraq. The Iraqi air defense network, NATO code-named "Tiger Song," is made of US and French fiber-optic parts modified by the Chinese military."

Today [2001], Iraqi anti-aircraft missiles, guided by Tiger Song, regularly target US fighter planes. And following the recent US-British attack on the system, Chinese military engineers are reportedly repairing damages to the system.

Cisco eclipsed by Huawei's theft of IOS

Had Cisco performed a competent due diligence, it would have known that its arms were too short to box with God. Instead, it soldiered ahead as if an award in US jurisdiction would protect "its IOS software package, which lies at the heart of many of its box designs":

After years of pretending they loved the competition of cheap knockoff routers from China, Cisco Systems filed suit today against Chinese telecom equipment giant Huawei Technologies, charging patent and copyright violations which, if proven, could cripple the Chinese company's recent bold expansion.

It is the first-ever intellectual property lawsuit for Cisco, and one senior Cisco officials had tried to avoid by consulting with both Huawei and Chinese government officials...

Mark Chandler, Cisco's general counsel, said the main reason for the suit was the discovery that Huawei was using the same source code for the software powering its routers. The code, called IOS (internetwork operating system), is the crown jewel of Cisco's technology. "Over the past year we had more and more of a case," he says, citing such things as the identical command lines and user manuals between Cisco and Huawei products. "But several months ago we realized the source code was copied--that's when we began direct negotiation." Huawei officials were receptive to negotiations, he said, but never changed their practices.

Chandler says Cisco hopes for what he termed "a recognition by Huawei that its conduct is unacceptable," ending the need for the suit...

Cisco [started] its war in the US, filing its first lawsuit against Huawei in a US district court in Texas, the state where Huawei houses its US headquarters. For Cisco, this is friendly ground. As a San Jose-based company, most of Cisco's patents and trademarks are protected by the US Government, giving Cisco home-field advantage and maybe a stronger position in the case. Clearly, if it wins, Cisco will get the injunction it wants against Huawei in the US...

Cisco filed a lawsuit alleging that Huawei "unlawfully copied and misappropriated Cisco's IOS software... and infringed numerous Cisco patents."

This article was prescient, but likely not for the reasons assumed:

But, you have to wonder if a victory in the US will lead to a worldwide victory for Cisco. Clearly, the battle in the US will be the first in a set of lawsuits the company files against Huawei. The real battleground will be in China. While Cisco has the edge in the US, the advantage balance shifts quickly to Huawei in the Chinese market. Even with a US victory, Cisco will likely fight a long uphill battle to try and convince China to rule against Huawei. And, if they win, they'll fight an even more tedious battle trying to get China to impose sanctions against Huawei...

Even if the US comes to the aid of companies to protect IP infringements in China, there's no guarantee that the infringements will stop. And if a communication giant like Cisco, with its deep legal pockets, can't stop Chinese companies from infringing on IP, how can any comm company targeting the market expect to protect its IP from Chinese pirates...

And then it was over with this fig leaf that did not fool the knowledgeable:

Cisco Systems today [1 Oct 2003] agreed to suspend its patent infringement lawsuit against Huawei after the Chinese equipment manufacturer signed an agreement to modify some of its products.

Huawei will continue to abide by the terms of the preliminary injunction order made by a district court in Texas in June. This injunction served notice on Huawei to stop its alleged use of Cisco router code.

Addressing Cisco's concerns about alleged piracy, Huawei has voluntarily made changes to some routers and switches. The two companies have agreed on a process for reviewing these changes. Provided the review confirms that the agreed changes have been made, the two sides will draw a line under the dispute.

All other terms of the agreement are confidential - so we don't get to know how much (if any) money changed hands.

After having purloined Cisco IOS source code, Huawei could not have satisfied a US court of law by merely agreeing to "modify some of the products." That would be analogous to General Motors, having determined that Chery stole the mathdata of the Chevy Spark/Daewoo Matiz to produce Chery's QQ minicar, absolving Chery and permitting the QQ to proceed after Chery made a few changes in Class A surfaces.

Past Chinese practices and anecdotal evidence bolster our belief that Cisco was threatened with extralegal penalties that would threaten its ability to do business in the PRC, i.e., revenue, access, and market position. Cisco effectively capitulated; Huawei made no fundamental code changes, nor did it stop shipping any product, and it continued to undersell Cisco by a third.

Cisco as collateral casualty of Desert Storm and Operation Iraqi Freedom (OIF)

It is asking much of a commercial firm to be aware of foreign military needs that react to changing geopolitical climates when (a) the firm is not focused on, or aware of, collectors' ability to harvest its IP, generally with impunity, and (b) the firm is focused on its perceived commercial competitors, and may be doing a greater or lesser job of maintaining its position and placating its stakeholders.

Still, Cisco's experience is instructive for the need of just such an external awareness and the tools to match. As previously noted, the 2005, 2006 and 2007 issues of Military Power of the People's Republic of China indicate the galvanic shock that Desert Storm, Operation Iraqi Freedom (OIF) and Kosovo had on Chinese military and geopolitical thinking. Achievement of C4ISR (Command, Control, Communications, Computers, Intelligence, Surveillance and Reconnaissance) became a PLA mantra and Cisco was a foundation toolset to that end.

It is instructive to read the section on Impediments to Defense Transformation in the Asia-Pacific from Challenges to Transforming Asian-Pacific Militaries not for what it predicts but using the criteria of its predictions as a watch list for rapidly changing conditions. China has already overturned Bitzinger's limitations on the high end while the Tamil Air Tigers have overturned it on the low end. See China: a planners' preference defense industry succeeds in spite of systemic shortcomings.

Commercial firms should pay heed. Microsoft's Kai Axford has two interesting introductions, Economic Espionage: Mitigating the Risk Using Non-Technical Methods and Economic Espionage: Mitigating with Technical Methods, that are certainly useful steps but even those will fall without integration into a holistic Design Basis Threat (DBT) (here and here) risk response analysis.

Toyota/Denso similarities to Cisco

Denso's global sales and net income for the fiscal year ended March 31, 2007, was $30.6 billion USD and $1.7 billion USD respectively, of which Asia and Oceania provided $4.1 billion USD in sales and an operating income of $388.8 million USD. Strong vehicle production in China contributed significantly to its Asian figures.

Denso's Koichi Fukaya identified China's importance early in his tenure as CEO:

Q. Where is Denso's biggest growth area worldwide?
A. The U.S. has already grown quite a bit. But Europe will lead the pack... The No. 2 market would be China.
Q. How important is China for Denso?
A. The number of cars on the road will double in only a few years. A country like that does not exist anywhere else in the world. We want that new business in China. We consider China a very, very important country.
One problem though is the OEM mix is very, very complex. First Auto Works [FAW] has a joint venture with both Toyota and Volkswagen. It was in the media that Toyota would start a new joint venture with Guangzhou Automobile Group, which has a joint venture with Honda. There are a number of activities going on that cannot be seen anywhere else. We are carefully monitoring those moves.
Q. Is your strategy for local production or export?
A. We want to manufacture in China for the growing market there. Export is not an issue... We want to maintain our principle of making products where our customers exist...
Q. What is the next market for diesel growth?
A. China will be next. Engines in large size, buses and trucks are becoming modernized. So the desire is for high performance, high efficiency engines while making them more compact. China always demands the latest technology. We are trying to bring to China--diesel's newest technology--the commonrail technology...

And Denso can never be viewed in isolation from Toyota; pressure on one is pressure upon the other. Unlike China's positive trade balance with the US, China has a "heavy negative trade balance" with Japan and Korea principally due to:

  • Presence in China of Japanese and Korean OEMs "importing parts from home"
  • Protectionist measures by the Japanese and Korean domestic auto parts industries to limit imports (especially in Japan)

Toyota commenced in-country production of the Camry in Nansha in May 2006:

Toyota joins a rush by the world's automakers for a share of China's auto market, which saw sales jump by 30 percent last year and is poised to overtake Japan as the world's No. 2 market. Toyota, a relative latecomer to China, had a paltry 3.5 percent of the market last year, with 179,000 vehicles. That puts it well behind top foreign automaker General Motors Corp., which vaulted past Volkswagen AG of Germany to grab 11 percent of the market last year...

Toyota began exporting to China in 1964 but lagged behind rivals in focusing its ambitions on the Chinese market, choosing instead to concentrate on the markets in the United States and Europe. It wasn't until 2002 that it rolled out its first locally produced, Toyota-brand car with a Chinese partner, state-owned FAW Group Corp...

[Toyota] says the [Nansha] facility brings its most advanced technology to China -- a step sought by Chinese leaders as they try to build up a world-class auto industry...

The new Nansha factory also has drawn a group of parts suppliers such as Japan's Denso Corp., which said Tuesday it will spend 30 billion yen (US$265 million; €210 million) over the next five years to shift production to China...

Despite political tension between Japan and China that flared into riots last year, Japanese automakers are heavily investing in China, and last year pumped a total of 113.7 billion yen (US$1.03 billion) into the country.

Both Denso and Toyota are now committed to China out of necessity and that footprint brings risk. I cannot imagine either Denso or Toyota sliding into the 1st China International Auto Parts Expo (29 Nov - 1 Dec, 2007) in Beijing in a confrontation over a "national security" level theft of trade secrets and Intellectual Property from one or more Chinese entities that would in all likelihood involve PLA assets.

The moral is: prepare in advance to deter and deflect predations upon your IP, as once the theft occurs there is little recourse under the best of circumstances and, in the face of extralegal sanctions, likely zero.

DENSO Announces Year-end Financial Results
PRNewswire
April 26, 2007

Economic Espionage: A Real Threat
Kai Axford
Security Minded - from Kai the Security Guy

Published Tuesday, April 10, 2007 11:24 AM

Economic Espionage: Mitigating the Risk Using Non-Technical Methods
Kai Axford
Security Minded - from Kai the Security Guy
Published Wednesday, April 11, 2007 3:57 PM

Economic Espionage: Mitigating with Technical Methods
Kai Axford
Security Minded - from Kai the Security Guy
Published Friday, April 13, 2007 11:34 AM

Prosecutors release Chinese man over data theft
Kyodo News, Japan Today
April 7, 2007 at 07:16 EDT
Requested article has expired, and is no longer available

Prosecutors decide against indicting Chinese man over data theft
Japan Times
Apr 6, 2007
Requested article has expired, and is no longer available

The Flowchart Model of Cluster Policy: The Automobile Industry Cluster in China
Akifumi Kuchiki
DISCUSSION PAPER No. 100
INSTITUTE OF DEVELOPING ECONOMIES (IDE)
April 2007

Denso's management of classified data lax
The Daily Yomiuri(Tokyo)
EDITORIAL
March 20, 2007 Tuesday

China Edging US in Espionage, Author Says
By Kevin Mooney
CNSNews
March 19, 2007

Denso Chinese engineer an industrial spy?
ARREST FOLLOWS DOWNLOADING OF TOP SECRETS
Kyodo
Sunday, March 18, 2007

Denso Corp. Engineer Held Over Suspected Data Leak - Kyodo
provided by: Dowjones Business News/Easy Bourse
Friday March 16th, 2007 / 19h20

Toyota in the World (Toyota Chronology) 2007
Toyota
2007

Toyota rolls out first made-in-China Camry in bid to catch up with rivals
DANMEX
May 23, 2006

The Civilian High-technology Economy: Where is it heading?
Adam Segal, Maurice R. Greenberg Senior Fellow for China Studies
Council on Foreign Relations
March 16, 2006

The Quadrennial Defence Review - Revolution Reloaded?
by Greg
06 Feb 2006 04:21 PM PST

Telecom giant taking shape
Huawei and its Plano unit plan to win big in U.S.
By JIM LANDERS / The Dallas Morning News
03:27 PM CST on Tuesday, December 20, 2005

The automotive parts industry in China: gearing up for world leadership
Riccardo Battaglia, Sara Ciavorella
Value Partners S.p.A.
Shanghai, November 2005

Pentagon Document: U.S. Paid Pro-Saddam Figures, Chinese and French
Charles R. Smith
PEHI Newsmax
Monday, Feb 28, 2005

A New Direction for China's Defense Industry
Evan S. Medeiros, Roger Cliff, Keith Crane, James C. Mulvenon
RAND MG-334
ISBN 0-8330-3794-3
2005

China's champions
The struggle of the champions
The Economist
Jan 6th 2005

Inside China - The Chinese view their automotive future
IBM Business Consulting Services
2005

Civil-Military Integration and Chinese Military Modernization
Richard A. Bitzinger
Asia-Pacific Center for Security Studies (APCSS)
Volume 3, No 9, December 2004

Chinese Competitors Chew at Cisco
Light Reading
NOVEMBER 10, 2004

Challenges to Transforming Asian-Pacific Militaries
Richard A. Bitzinger
Asia-Pacific Center for Security Studies (APCSS)
Volume 3, No 8, October 2004

China's Telecom Forays Squeeze Struggling Rivals
Amid a Shaky Recovery, Competitive Pressures Hit Western Companies Hard
By CHRISTOPHER RHOADS and CHARLES HUTZLER
WALL STREET JOURNAL
September 8, 2004

The New Weapon In China's Arsenal: Private Contractors
Once-Lethargic PLA Becomes Stronger Force With Help Of Modern Defense Sector
A Bigger Threat to Taiwan?
By CHARLES HUTZLER
WALL STREET JOURNAL
July 16, 2004

Chinese Military Modernization Aims For Regional Projection
Advanced technologies lie at the heart of most efforts.
By Robert K. Ackerman
SIGNAL
October 2003

Denso to establish Shanghai, China, joint venture - Asia - Shanghai Pudong "EV" Fuel Injection Co. Ltd - Brief Article
Automotive Industries
Sept, 2003

Cisco halts Huawei piracy suit
Peace in our time
By John Leyden
Register
1 October 2003 20:23 GMT

The PLA, Trade, and U.S. Interests
Chapter Fourteen
Kevin G. Nealer

The People's Liberation Army and China in Transition
A Publication of the Center for the Study of Chinese Military Affairs
by Stephen J. Flanagan and Michael E. Marti
National Strategic Studies, National Defense University
August 2003

New Denso head sees growth in A/C, diesel and telematics - Supplier Business - Koichi Fukaya - related article: Denso heads South - Interview
Automotive Industries
August, 2003

The Chinese Automobile Industry and the Strategic Alliances of China, Japan, the US's Firms
--The Cases of FAW-Toyota, Dongfeng-Nissan and Shanghai-GM--
Discussion Paper for International Motor Vehicle Program (IMVP), MIT, U.S.A.
(First Draft)
Chunli Lee Aichi University, Japan; Takahiro Fujimoto University of Tokyo
May 2003

DENSO to Establish Guangzhou, China Joint Venture To Produce Car Air Conditioners
Auto Channel
TOKYO, April 1, 2003

The Chinese Auto Industry
Global Automobiles
Keith Hayes, Max Warburton, Gary Lapidus, Kunihiko Shiohara, Young Chang, Shane McKenna
Goldman Sachs
February 21, 2003

Cisco/Huawei battle could shape move into China
By Robert Keenan
CommsDesign
Jan 23, 2003

No More Mr. Nice Cisco
Quentin Hardy
Forbes
01.23.03, 5:13 PM ET

China Strengthens Ties With Taleban by Signing Economic Deal
John Pomfret
International Herald Tribune
September 13, 2001
Original scrolled off

Mirror

Western Warplanes Hit Iraqi Defenses-Pentagon
By Charles Aldinger
Reuters
Friday August 10 9:08 AM ET 2001
Mirror

China's I.T. Power Players
Rich, savvy and well connected, these are the key people leading China's drive toward commercial success in the world of high tech
Asia Week
7/27 - 8/3/2001

Sanctions Busting: Technology Two-Timing
By Kelly Motz and Jordan Richie
The Asian Wall Street Journal
March 19, 2001
Mirror

Mirror

THE IMPACT OF GLOBALISATION ON THE CHINESE AUTOMOBILE INDUSTRY: POLICY ASSESSMENTS AND TYPOLOGY OF STRATEGIES
Chunli Lee, Takahiro Fujimoto, Jin Chen
Actes du GERPISA no. 34
June 2000
Groupe d' Etudes et de Recherches Permanent sur l' Industrie et les Salariés de l' Automobile (Permanent Group for the Study of the Automobile Industry and its Employees)

Gordon Housworth



InfoT Public  Intellectual Property Theft Public  Strategic Risk Public  


US IT infrastructure is as, likely more, vulnerable to active and passive cyberattack than Estonia


'Cyber-collection' versus cyberterrorism

The ongoing organized cyberattack on Estonian state and commercial IT infrastructure is the clearest example of a "cyber Pearl Harbor": an active attack to disrupt or degrade the capacity of a state to function, to conduct commerce and to defend itself. Yet as instructive as this active attack is, even attention grabbing to the thoughtful few, it falls in the smaller category of IT cyber risk. The greater risk is the wholesale 'passive' probing and intrusion effort to reconnoiter infrastructure and steal proprietary or classified information.

Between FY 2005 and 2006, federal assets showed a marked rise in incidents involving unauthorized access, improper usage, scans/probes/attempted access, investigation and even denial of service, yet a decrease in malicious code (a condition I believe is due more to spear phishing and other, more intelligent exploits than to lessened activity).

In their fiscal year 2006 financial statement audit reports, 21 of 24 agencies indicated that they had significant weaknesses in information security controls. [The] weaknesses persist in major categories of controls, including, for example, access controls, which ensure that only authorized individuals can read, alter, or delete data, and configuration management controls, which provide assurance that only authorized software programs are implemented. An underlying cause for these weaknesses is that agencies have not yet fully implemented agencywide information security programs, which provide the framework for ensuring that risks are understood and that effective controls are selected and properly implemented. Until agencies effectively and fully implement agencywide information security programs, federal data and systems will not be adequately safeguarded to prevent unauthorized use, disclosure, and modification.

Without a systemic application of Design Basis Threat (DBT) analysis, I cannot see federal or commercial systems staying ahead of the growing number of attackers and reconnaissance efforts; money and attention will be squandered on "feel good security" arising from false practices and vendors' siren recommendations of their particular wares as plugging the gap. See:

Furthermore, most systems are Brownfield legacy systems, or, if they are Greenfield, they have critical links to or access from Brownfield systems. Atop that, most systems are not designed with security in mind. From The defender's dilemma: common threads in exploiting commercial supply networks:

The problem is that the commercial production environment, in this case the "defender," is supremely exploitable as commercial supply chains are designed around economic efficiency and manufacturing efficiency rather than exploitation security. [Terrorist supply chains, or asymmetrical attacker supply chains, are not built for commercial efficiency but for detection avoidance, at least until the attack is in progress.] Cost and risk rise for the commercial defender as they try to backfill security needs atop a commercial structure. This tracks with the difficulty in countering IP theft and diversion unless the process is built in from the onset. In all such environments, it is too easy to ask how often [the target will be attacked] as opposed to if or when.

Readers are encouraged to review my 2005 Malicious marketplace uniting espionage, criminal groups, crackers, terrorism, vulnerable systems, commercial and government targets, which highlighted the Chinese Titan Rain intrusion efforts and confirmed "our experience that 'cyber-collection' far outranks cyberterrorism":

The black hat community attacking commercial and military targets is as large as it is diverse and global:

  1. State espionage against foreign commercial and military targets
  2. Criminal enterprises focused on money over fame or ideology
  3. Stateless terrorism and its associated criminal money raising campaigns (phishing for example)
  4. "Outsourced" smaller criminal enterprises in low cost, permissive cultures (who can fabricate exploits too labor intensive for more established criminal groups)
  5. Cracker groups selling exploits to groups 1, 2, and 3 directly or through brokers

China enshrined informationalization, the best definition of which is from the Double Tongued Dictionary, into its military doctrine in 2004:

Subsequent analysis has shown that the People's Liberation Army (PLA) pursues a similar outsourcing strategy in its IT (Information Technology) and IP (Intellectual Property) harvesting by using Chinese commercial entities as proactive agents, i.e., your contract engineering house or supplier is also the collector of your proprietary information [private briefing to clients].

In a DOD background briefing for the 2007 Military Power of the People’s Republic of China, a question was raised on "informationization, which sounds quite a bit like our network-centric. Would that be a correct assumption?"

DEFENSE DEPT. OFFICIAL: I would be hesitant to draw a direct parallel, but I think that certainly China's ideas on what informationization is would be informed by their understanding of network-centric warfare. I think when they say informationization, it's really their understanding of how information technology is now a pretty significant component of the modern battlefield. So it's, you know, intelligence, surveillance, reconnaissance, precision strike. So it's the role of information, information systems, information technology. So I'd probably say it's not a direct parallel.

Target Estonia, and only Estonia

Estonia ranks with Scandinavian states in its level of internet integration:

One of the most wired societies in Europe… Estonia has a large number of potential targets. The economic success of the tiny former Soviet republic is built largely on its status as an "e-society," with paperless government and electronic voting. Many common transactions, including the signing of legal documents, can be done via the Internet...

A massive DDoS (Distributed Denial of Service) attack against such a state had the potential to cripple it, incurring costs and interruptions, and raising the risk calculus of potential partners who might do business with it going forward. With Estonian-Russian relations already strained at best, an Estonian action to relocate a Soviet war memorial, the "Bronze Soldier," on 27 April triggered just such a series of attacks within hours. This attack is unique for its lack of criminal motive and the presence of a direct and identifiable nationalistic motive.

While specific Estonian ISPs have been under DDoS attack for months by the Allaple virus, the motive for those attacks is unclear. The April-May DDoS attacks, in contrast, are massive and immediately tied to a causal condition and to perpetrator(s). In a stroke, a state's electronic infrastructure was raised to the same level as its sovereign territory and airspace. Estonia's infrastructure - government, banking, ISPs, telecommunications and news agencies - was driven offline, almost completely so outside the Baltic states and Scandinavia. The Estonian defense ministry ranked the attack on the nation as comparable to 11 September.

There was also precision in the attacks. While Estonia is both a NATO alliance member and an EU member, no NATO systems in Estonia were attacked.

Attack characteristics

Described as a "common-size attack" of 100-200 megabits per second, the Estonian attack is analogous to the Apolo Ohno attack in both size and nationalistic impetus; and similar in size to the 2006 rogue DNS server attack. "Multiple botnets and tools--both botnet-related and not botnet-related" were employed.

Though Estonia is generally cyber-wise, this attack demands substantial numbers of skilled technicians. Estonian ISPs are working with their international ISPs "that give them inbound traffic as well as the attack traffic" in order to push traffic interdiction outward, identify root causes and isolate them. Expect changes in botnet locations and sources to retain attack vibrancy; expect variations in sources, traffic and packet types.

Another 'characteristic' of the Estonian attack is its success; for a modest investment in botnets, the attacks have degraded Estonian commercial and governmental operations, registering an effective and highly visible protest. Governments, factions and corporations should expect copycat events. Much larger attacks, blended with multiple payload characteristics, are quite possible.

Stateless quality of active and passive cyber attacks

"If a member state's communications centre is attacked with a missile, you call it an act of war. So what do you call it if the same installation is disabled with a cyber-attack?" NATO Official

The better DDoS attacks and penetration attacks share a condition common to terrorist groups, namely statelessness, and with it the ambiguity of identifying the culpable state actor and the risk of targeting the innocent. A peer-to-peer botnet can go far in camouflaging its controller. Whereas the first wave of attacks on Estonia largely emanated from Russian servers, including government ones, the second, larger series emanated from a global array of servers.
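As an added illustration of the two points made above (a flood measured in the 100-200 megabit per second range, and a first wave concentrated in one set of servers versus a second wave spread across the globe), here is a small triage script over flow records of the kind an ISP would export. It is example code written for this page, not part of the original post or of any ISP's tooling; the NetFlow-style record layout, the IP addresses and country codes, the 20 Mb/s site baseline and the five-times-baseline alert threshold are all constructed assumptions.

```python
"""Triage of inbound flow records for a volumetric DDoS (added example).

Assumptions (not from the original post): NetFlow-style records with a
one-second timestamp, a source country code from a GeoIP lookup, and a
site baseline of about 20 Mb/s inbound. All sample data is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int        # start of the one-second bucket (epoch seconds)
    src_ip: str
    src_cc: str    # ISO country code of the source (constructed GeoIP result)
    dst_ip: str
    dst_port: int
    nbytes: int    # bytes carried by the flow within that second


def _mk(ts, src_ip, cc, nbytes, dst="198.51.100.10", port=80):
    return Flow(ts, src_ip, cc, dst, port, nbytes)


# Constructed sample: second 0 is a flood from five sources, four of them in
# one country; second 1 is a flood from ten sources in ten countries;
# second 2 is ordinary background traffic. One flow targets another host
# and must not be counted against the first.
SAMPLE_FLOWS = (
    [_mk(0, f"203.0.113.{i}", "RU", 3_000_000) for i in range(1, 5)]
    + [_mk(0, "203.0.113.9", "DE", 3_000_000)]
    + [_mk(1, f"192.0.2.{i}", cc, 2_000_000)
       for i, cc in enumerate(["US", "BR", "KR", "IN", "CN",
                               "DE", "FR", "AU", "CA", "ZA"], start=1)]
    + [_mk(2, f"192.0.2.{i}", "EE", 500_000) for i in range(50, 53)]
    + [_mk(0, "192.0.2.200", "SE", 9_000_000, dst="198.51.100.20")]
)

BASELINE_BPS = 20_000_000  # assumed normal inbound rate for the site


def per_second_bps(flows, dst_ip):
    """Bits per second aimed at dst_ip, keyed by one-second bucket."""
    buckets = defaultdict(int)
    for f in flows:
        if f.dst_ip == dst_ip:
            buckets[f.ts] += f.nbytes * 8
    return dict(buckets)


def source_dispersion(flows, dst_ip, ts):
    """How spread out the sources are within one second.

    Returns (distinct source IPs, distinct countries, top country,
    top country's share of bytes). Share is by bytes, not by IP count,
    so a few heavy senders in one place still read as concentrated.
    """
    srcs, by_cc, total = set(), defaultdict(int), 0
    for f in flows:
        if f.dst_ip == dst_ip and f.ts == ts:
            srcs.add(f.src_ip)
            by_cc[f.src_cc] += f.nbytes
            total += f.nbytes
    if not total:
        return 0, 0, None, 0.0
    top = max(by_cc, key=by_cc.get)
    return len(srcs), len(by_cc), top, by_cc[top] / total


def triage(flows, dst_ip, threshold_bps=BASELINE_BPS * 5):
    """Flag every second above threshold and profile where its traffic comes from.

    'concentrated' means one country carries at least 80% of the bytes, a
    small set of servers an upstream can reasonably be asked to filter;
    'dispersed' means a botnet-style spread where source-based filtering
    alone will not help and rate limiting or scrubbing is needed instead.
    """
    findings = []
    for ts, bps in sorted(per_second_bps(flows, dst_ip).items()):
        if bps <= threshold_bps:
            continue
        n_src, n_cc, top, share = source_dispersion(flows, dst_ip, ts)
        findings.append({
            "ts": ts,
            "mbps": bps / 1e6,
            "sources": n_src,
            "countries": n_cc,
            "top_cc": top,
            "top_share": round(share, 2),
            "profile": "concentrated" if share >= 0.8 else "dispersed",
        })
    return findings


if __name__ == "__main__":
    for row in triage(SAMPLE_FLOWS, "198.51.100.10"):
        print(row)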

This stateless nature, in addition to the newness of active statewide cyber attacks, raises many questions that have yet to be codified in international law:

  • What is the cyber equivalent for the death of a nation's citizen?
  • How many of those units constitute grounds for cyber or military retaliation?
  • What is the variance between a cyber and military threshold response?
  • What level of proof is needed to secure international approval?
  • If an attack emanated from within a state, is it a sanctioned state action or a rump action by groups of its or other nationals?
  • What is the appropriate level of response, in kind or otherwise?
  • When does a cyber attack become indistinguishable from a conventional attack? (One might well ask when this question will be considered quaint and rendered moot.)

Answering these questions will not be easy, as the international community has yet to formulate responses to lesser levels of cyber crime and terrorism, much less a massive cyber attack. Neither NATO nor the EU has yet defined what constitutes a cyber attack.

US ability to withstand a major active cyber attack

If the federal government is seriously contemplating a 'cyber Pearl Harbor' threat, the unclassified reporting and current asset deployment do not reflect it. Quite the opposite: the current US cyber warfare strategy is seen as "dysfunctional" and a "complete secret to everybody in the loop" by General James Cartwright, commander of US Strategic Command. Cartwright made this assessment:

  • Cyber warfare strategy divided among three groups: Net Warfare (attack and reconnaissance), Joint Task Force for Global Network Operations (network defense and operations) and Joint Information Operations Warfare Center (electronic warfare)
  • Groups operate independently with poor information sharing
  • Present DOD approach "developed ad-hoc" based on terminal defense, commences action "only after an attack" and takes weeks for a response
  • Result is a "passive, disjointed approach that undermines the military's cyberspace operations"
  • US not developing cyber intellectual capital at the required rate to address a tiered hierarchy of "hackers, criminals, and nation-states"
  • "DOD must move away from a network defense-oriented cyber architecture [while] cyber reconnaissance, offensive, and defensive capabilities must be integrated and leveraged for maximum effect"

As Cartwright was opining in early 2007, it does not give this author comfort that the first federal cyber war exercise, Cyber Storm, carried out in February 2006 had such a relatively positive outcome. (It is moments like this when I remember the counsel of a skilled practitioner who noted that any exercise presided over by political elites must be designed not to fail lest their stewardship be called into doubt.)

Cyber Storm was to provide a "controlled environment to exercise State, Federal, International, and Private Sector response to a cyber related incident of national significance" affecting "Energy, Information Technology (IT), Telecommunications and Transportation infrastructure sectors." My lack of comfort was not improved by the choice of attacker, a group of "anti-globalization radicals and peace activists" called the Worldwide AntiGlobalization Alliance (WAGA) instead of a substantive Hezbollah or al Qaeda effort, or better yet, the expected swarm attack of a Chinese or Russian cyber offensive. See Informationalization in Chinese military doctrine affects foreign commercial and military assets.

Were the stakes not so high, this lighthearted review might be funny:

The attack scenario detailed in the presentation is a meticulously plotted parade of cyber horribles led by a "well financed" band of leftist radicals who object to U.S. imperialism, aided by sympathetic independent actors… Apparently, no computers were harmed in the making of Cyber Storm. "There were no actual attacks on live networks, no Red Team," the presentation notes. "Players reacted to situation and incident reports according to their regular/normal SOPs." So it was more of a paper exercise. A referee points at someone and yells, "You! Your website is defaced. What do you do?" -- and the organization responds accordingly… And on it goes, with over 800 scenario "injects" over four action-packed days.

Having spun scenarios without limit, Cyber Storm's "Overarching Lessons Learned" offer painful parallels to each of the TOPOFF series simulating large-scale terrorist attacks involving biologic, chemical and radiological WMDs ("diseases are fearsome, hospitals and first responders are overwhelmed, interagency and intra-agency coordination is pummeled while communications in the form of multiple control centers, numerous liaisons, and increasing numbers of response teams merely complicate the emergency response effort"). See Bioterrorism Drill TOPOFF 2 -- Failing to think like al Qaeda & relearning old lessons and Katrina as an "incident of national significance" puts the lie to DHS scenario planning for terrorist event preparation.

Who could be surprised by these lessons learned? They could describe any large bureaucracy under stress, perhaps even their daily environment:

  • Correlation of multiple incidents is challenging at all levels:
    • Within enterprises / organizations
    • Across critical infrastructure sectors
    • Between states, federal agencies and countries
    • Bridging the public-private sector divide
  • Communication provides the foundation for response
  • Processes and procedures must address communication protocols, means and methods
    • Collaboration on vulnerabilities is rapidly becoming required
    • Reliance on information systems for situational awareness, process controls and communications means that infrastructures cannot operate in a vacuum
  • Coordination of response is time critical
    • Cross-sector touch points, key organizations, and SOPs must be worked out in advance
    • Coordination between public-private sectors must include well articulated roles and responsibilities

A way forward

USAF (Air Force) is undertaking what I believe is some long overdue consolidation, removing all ISR (intelligence, surveillance and reconnaissance) from the operations community and consolidating them under the intelligence directorate (A2), and standing up a Cyber Command based on 8th Air Force infrastructure capable of seeing "Cyberspace [as] a fighting domain where the principles of war do apply."

If the US was confronted with a major cyber attack against critical IT infrastructure, DoD is said to be "prepared, based on the authority of the president, to launch a cyber counterattack or an actual bombing of an attack source" but I am not sanguine. "The primary group responsible for analyzing the need for any cyber counterstrike is the National Cyber Response Coordination Group (NCRCG)" whose key members are US-CERT, DoJ and DoD. But it appears that a coordinated response remains a work in progress:

The NCRCG's three co-chairs acknowledge it’s not simple coordinating communications and information-gathering across government and industry even in the best of circumstances, much less if a significant portion of the Internet or traditional voice communications were suddenly struck down. But they asserted the NCRCG is "ready to stand up" to confront a catastrophic cyber-event to defend the country.

I think it accurate to say that interagency coordination and response, together with coordination with the private sector, which manages much of US IT infrastructure, has yet to be tested; Cyber Storm's next event should inject realism over rainbow scenarios. At the moment, US Strategic Command will issue a counterattack recommendation to POTUS:

In the event of a massive cyberattack against the country that was perceived as originating from a foreign source, the [US] would consider launching a counterattack or bombing the source of the cyberattack [but] the preferred route would be warning the source to shut down the attack before a military response.

Given that initiating a cyber counter-counterattack will currently violate the Computer Fraud and Abuse Act, we have a long road ahead.

Informationalization
Double Tongued Dictionary
Note: The Double-Tongued Dictionary is useful to readers of Asian issues in particular as it "records undocumented or under-documented words from the fringes of English, with a focus on slang, jargon, and new words [that are] absent from, or are poorly covered in, mainstream dictionaries."

War Fears Turn Digital After Data Siege in Estonia
By MARK LANDLER and JOHN MARKOFF
New York Times
May 29, 2007

Cyberattack in Estonia--what it really means
Arbor Networks' Jose Nazario takes stock of the denial-of-service attack against the Baltic nation--and the wider implications.
By Robert Vamosi
CNET News.com
May 29, 2007, 4:00 AM PDT

Air Force examines its vulnerability to cyberattack
BY Sebastian Sprenger
FCW
May 29, 2007

Feds take 'cyber Pearl Harbor' seriously
BY Jason Miller
FCW
Published on May 28, 2007

China Crafts Cyberweapons
The Defense Department reports China is building cyberwarfare units and developing viruses.
Sumner Lemon
IDG News Service
May 28, 2007 10:00 AM PDT

DoD: China seeking to project military power
By William H. McMichael - Staff writer
Marine Times
Posted : Friday May 25, 2007 16:11:31 EDT

DoD Background Briefing with Defense Department Officials at the Pentagon
Presenter: Defense Department Officials May 25, 2007
[No attribution, comments for background only]
[Subject was the 2007 China Military Power Report]
News Transcript On the Web
Office of the Assistant Secretary of Defense (Public Affairs)
US Department of Defense
May 25, 2007

Military Power of the People’s Republic of China
ANNUAL REPORT TO CONGRESS
Office of the Secretary of Defense
2007

Cyber Assaults on Estonia Typify a New Battle Tactic
By Peter Finn
Washington Post
May 19, 2007

Estonian DDoS Attacks - A summary to date
by Jose Nazario
Security to the Core
Posted on Thursday, May 17, 2007

NATO concerned over cyber attacks on Estonia, possible impact on alliance
Associated Press/IHT
May 17, 2007

Estonia urges firm EU, NATO response to new form of warfare: cyber-attacks
AFP/Sydney Morning Herald
May 16, 2007 - 12:05PM

Russia accused of unleashing cyberwar to disable Estonia
· Parliament, ministries, banks, media targeted
· Nato experts sent in to strengthen defences
Ian Traynor in Brussels
May 17, 2007
The Guardian

A cyber-riot
The Economist
May 10, 2007

INFORMATION SECURITY: Persistent Weaknesses Highlight Need for Further Improvement
Testimony Before the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology, Committee on Homeland Security, House of Representatives
Statement of Gregory C. Wilshusen and David A. Powner
GAO-07-751T
April 19, 2007

Black Hat: Botnets Go One-on-One
Kelly Jackson Higgins
Dark Reading
FEBRUARY 22, 2007

Cartwright: Cyber warfare strategy ‘dysfunctional’
BY Josh Rogin
FCW
Published on Feb. 9, 2007

RSA - US cyber counterattack: Bomb one way or the other
Ellen Messmer
Techworld
Friday 9 February 2007

Blue Force Tracker for cyberspace?
BY Josh Rogin
FCW
Jan. 25, 2007

Air Force to reorganize intell community
BY Josh Rogin
FCW
Published on Jan. 12, 2007

When Hippies Turn to Cyber Terror
By Kevin Poulsen
Wired Blog 27B Stroke 6
August 15, 2006 | 12:27:58 AM

Report: Hackers engage in vulnerability auctions
BY Rutrell Yasin
FCW
July 12, 2006

National Cyber Exercise: Cyber Storm
National Cyber Security Division
New York City Metro ISSA Meeting
June 21, 2006

Military Power of the People’s Republic of China
ANNUAL REPORT TO CONGRESS
Office of the Secretary of Defense
2006

Risk management critical for FISMA success
Experts say IGs, execs must agree on common enforcement and audits
BY Michael Arnone
FCW
March 13, 2006

China Investing in Information Warfare Technology, Doctrine
By Kathleen T. Rhem
American Forces Press Service
July 20, 2005

The Military Power of the People’s Republic of China
ANNUAL REPORT TO CONGRESS
Office of the Secretary of Defense
2005

Gordon Housworth



Cybersecurity Public  InfoT Public  Infrastructure Defense Public  Intellectual Property Theft Public  Risk Containment and Pricing Public  Strategic Risk Public  Terrorism Public  


Informationalization in Chinese military doctrine affects foreign commercial and military assets


Informationalization, the computerization of business, industry, and military, has entered Chinese military thinking in earnest, affecting both foreign commercial and military assets. US and EU commercial assets have already suffered serious predation from Chinese military assets and Chinese commercial assets operating under military direction.

In the absence of a US counter-cyber warfare strategy, Chinese IT technologists enter all but the most secure US systems, exceeding the limits of passive examination and surveillance. Naval Network Warfare Command (Netwarcom) and others observe:

  • Chinese attacks "far outstrip other attackers in terms of volume, proficiency and sophistication, [the conflict having] reached the level of a campaign-style, force-on-force engagement"
  • "Motives of Chinese hackers run the gamut, including technology theft, intelligence gathering, exfiltration, research on DOD operations and the creation of dormant presences in DOD networks for future action"
  • Chinese attackers employ complex, parallel attacks, including planting a virus "as a distraction and then come in 'slow and low' to hide in a system while the monitors are distracted... spear phishing, sending deceptive mass e-mail messages to lure DOD users into clicking on a malicious URL, [and innovative implementations] of more traditional hacking methods, such as Trojan horse viruses and worms"
  • Attacks are so deliberate, "it's hard to believe it's not [Chinese] government-driven"

Shifting from 'passive' to active cyberwarfare, the PRC intends to "be able to win an 'informationized war'" by 2050. Where technology continues to outstrip policy, the advantage goes to the agile, those able to pierce regulatory and technical barriers.

In reverse chronological order, I have gathered the pertinent information warfare passages from the 2007, 2006 and 2005 annual Military Power of the People's Republic of China reports, which outline the significant leaps China has made in both conceptual thinking and implementation:

2007

The 2007 Military Power of the People's Republic of China cites active and passive Chinese cyberwarfare in two chapters:

Chapter Four, Force Modernization Goals and Trends:

Information Warfare. There has been much writing on information warfare among China's military thinkers, who indicate a strong conceptual understanding of its methods and uses. For example, a November 2006 Liberation Army Daily commentator argued:

[The] mechanism to get the upper hand of the enemy in a war under conditions of informatization finds prominent expression in whether or not we are capable of using various means to obtain information and of ensuring the effective circulation of information; whether or not we are capable of making full use of the permeability, sharable property, and connection of information to realize the organic merging of materials, energy, and information to form a combined fighting strength; [and,] whether or not we are capable of applying effective means to weaken the enemy side's information superiority and lower the operational efficiency of enemy information equipment.

The PLA is investing in electronic countermeasures, defenses against electronic attack (e.g., electronic and infrared decoys, angle reflectors, and false target generators), and computer network operations (CNO). China's CNO concepts include computer network attack, computer network defense, and computer network exploitation. The PLA sees CNO as critical to achieving "electromagnetic dominance" early in a conflict. Although there is no evidence of a formal Chinese CNO doctrine, PLA theorists have coined the term "Integrated Network Electronic Warfare" to prescribe the use of electronic warfare, CNO, and kinetic strikes to disrupt battlefield network information systems.

The PLA has established information warfare units to develop viruses to attack enemy computer systems and networks, and tactics and measures to protect friendly computer systems and networks. In 2005, the PLA began to incorporate offensive CNO into its exercises, primarily in first strikes against enemy networks.

Chapter Six, Force Modernization and Security in the Taiwan Strait:

Beijing's Courses of Action Against Taiwan

Limited Force Options. A limited military campaign could include computer network attacks against Taiwan's political, military, and economic infrastructure to undermine the Taiwan population's confidence in its leadership. PLA special operations forces infiltrated into Taiwan could conduct acts of economic, political, and military sabotage. Beijing might also employ SRBM, special operations forces, and air strikes against air fields, radars, and communications facilities on Taiwan as "nonwar" uses of force to push the Taiwan leadership toward accommodation. The apparent belief that significant kinetic attacks on Taiwan would pass below the threshold of war underscores the risk of Beijing making a catastrophic miscalculation leading to a major unintended military conflict.

2006

This is consistent with the 2006 Military Power of the People's Republic of China which described Chinese IT warfare preparation as follows:

Chapter Five, Force Modernization Goals and Trends:

Formation of Information Warfare Reserve and Militia Units

The Chinese press has discussed the formation of information warfare units in the militia and reserve since at least the year 2000. Personnel for such units would have expertise in computer technology and would be drawn from academies, institutes, and information technology industries. In 2003, an article in a PLA professional journal stated "coastal militia should fully exploit its local information technology advantage and actively perform the information support mission of seizing information superiority."

Militia/reserve personnel would make civilian computer expertise and equipment available to support PLA military training and operations, including "sea crossing," or amphibious assault operations. During a military contingency, information warfare units could support active PLA forces by conducting "hacker attacks" and network intrusions, or other forms of "cyber" warfare, on an adversary's military and commercial computer systems, while helping to defend Chinese networks.

The PLA is experimenting with strategy, doctrine, and tactics for information warfare, as well as integrating militia and reserve units into regular military operations. These units reportedly participate with regular forces in training and exercises.

Exploiting Information Warfare

The PLA considers active offense to be the most important requirement for information warfare to destroy or disrupt an adversary's capability to receive and process data. Launched mainly by remote combat and covert methods, the PLA could employ information warfare preemptively to gain the initiative in a crisis.

Specified information warfare objectives include the targeting and destruction of an enemy's command system, shortening the duration of war, minimizing casualties on both sides, enhancing operational efficiency, reducing effects on domestic populations and gaining support from the international community.

The PLA's information warfare practices also reflect investment in electronic countermeasures and defenses against electronic attack (e.g., electronic and infrared decoys, angle reflectors, and false target generators).

Computer Network Operations. China's computer network operations (CNO) include computer network attack, computer network defense, and computer network exploitation. The PLA sees CNO as critical to seize the initiative and achieve "electromagnetic dominance" early in a conflict, and as a force multiplier. Although there is no evidence of a formal Chinese CNO doctrine, PLA theorists have coined the term "Integrated Network Electronic Warfare" to outline the integrated use of electronic warfare, CNO, and limited kinetic strikes against key C4 nodes to disrupt the enemy's battlefield network information systems. The PLA has established information warfare units to develop viruses to attack enemy computer systems and networks, and tactics and measures to protect friendly computer systems and networks. The PLA has increased the role of CNO in its military exercises. For example, exercises in 2005 began to incorporate offensive operations, primarily in first strikes against enemy networks.

2005

The 2005 Military Power of the People's Republic of China identified Informationalization as a key element of Chinese Military Doctrine in all its aspects:

Developments in Chinese Military Doctrine

  • China's latest Defense White Paper deployed authoritatively a new doctrinal term to describe future wars the PLA must be prepared to fight: "local wars under conditions of informationalization." This term acknowledges the PLA's emphasis on information technology as a force multiplier and reflects the PLA's understanding of the implications of the revolution in military affairs on the modern battlefield.
  • The PLA continues to improve its potential for joint operations by developing a modern, integrated command, control, communications, computers, intelligence, surveillance, and reconnaissance (C4ISR) network and institutional changes.
  • During 2004, the PLA began to integrate military and civilian suppliers in the procurement system and outsourced a number of previously military jobs to civilian industry. The PLA is placing greater emphasis on the mobilization of the economy, both in peacetime and in war, to support national defense...

Perceptions of Modern Warfare and U.S. Defense Transformation

China observes closely foreign military campaigns and defense modernization initiatives. The United States factors heavily in these observations as a model of how a modern military engages in modern warfare. China draws from U.S. military operations by adopting or emulating lessons in some areas, and in others, by identifying exploitable vulnerabilities in potential high-tech adversaries. In addition, U.S. defense transformation, as demonstrated by recent U.S. operations, has highlighted to China the expanding technological gap between modern military forces and those of developing countries. The 2004 Defense White Paper identifies the "technological gap resulting from the revolution in military affairs" as having a "major impact on China's security." These concerns have prompted China's leaders, including President Hu Jintao, to order the PLA to pursue "leap ahead" technologies and "informationalized" capabilities to increase the mobility, firepower, and precision of PLA weapons and equipment.

Operation DESERT STORM (1991) was a primary motivator behind China's efforts to prepare for future warfare. The PLA noted that the rapid defeat of Iraqi forces revealed how vulnerable China would be in a modern war. The Gulf War drove the PLA to update doctrine for joint and combined operations to reflect modern warfare and to accelerate reform and modernization. The Gulf War also spurred PLA debates on the implications of the revolution in military affairs, and led China to seek modern C4ISR and to develop new information warfare, air defense, precision strike, and logistics capabilities...

Observations of Operation IRAQI FREEDOM
In May 2003, PLA Deputy Chief of the General Staff Xiong Guangkai authored an article assessing the broad implications of Operation IRAQI FREEDOM for Chinese assessments of modern war. Some of his more salient observations follow:
-- On gleaning lessons from coalition operations: ". . . the trend of new military changes is developing rapidly in the world, and the recent Iraq war has reflected this trend. We should not only profoundly research and analyze this trend but also actively push forward military changes with Chinese characteristics according to our country's actual conditions." ...

Informationalization
Double-Tongued Dictionary
Note: The Double-Tongued Dictionary is useful to readers of Asian issues in particular as it "records undocumented or under-documented words from the fringes of English, with a focus on slang, jargon, and new words [that are] absent from, or are poorly covered in, mainstream dictionaries."

China Crafts Cyberweapons
The Defense Department reports China is building cyberwarfare units and developing viruses.
Sumner Lemon
IDG News Service
May 28, 2007 10:00 AM PDT

DoD: China seeking to project military power
By William H. McMichael - Staff writer
Marine Times
Posted : Friday May 25, 2007 16:11:31 EDT

DoD Background Briefing with Defense Department Officials at the Pentagon
Presenter: Defense Department Officials May 25, 2007
[No attribution, comments for background only]
[Subject was the 2007 China Military Power Report]
News Transcript On the Web
Office of the Assistant Secretary of Defense (Public Affairs)
US Department of Defense
May 25, 2007

Military Power of the People's Republic of China
ANNUAL REPORT TO CONGRESS
Office of the Secretary of Defense
2007

Cyber officials: Chinese hackers attack 'anything and everything'
BY Josh Rogin
FCW
Published on Feb. 13, 2007

Military Power of the People's Republic of China
ANNUAL REPORT TO CONGRESS
Office of the Secretary of Defense
2006

The Military Power of the People's Republic of China
ANNUAL REPORT TO CONGRESS
Office of the Secretary of Defense
2005

Gordon Housworth



Cybersecurity Public  InfoT Public  Infrastructure Defense Public  Intellectual Property Theft Public  Risk Containment and Pricing Public  Strategic Risk Public  Terrorism Public  


Generic elements and process of a Design Basis Threat (DBT) protection system


Part 1, Structured IT risk remediation: Integrating security metrics and Design Basis Threat to overcome scenario spinning and fear mongering

An international design basis threat (DBT)

The aftermath of the 11 September attack brought renewed urgency to US, EU and Russian efforts to strengthen the physical protection of nuclear materials and of all nuclear facilities, both power and weapons. While Sandia's Jim Blankenship noted that a "Design Basis Threat (DBT) has been used by the United States since the 1970s as the basis for the design and evaluation of a nuclear facility’s physical protection system and as a standard for comparison as the threat changes", the DBT was too often scenario-based rather than procedural, a condition not challenged until the Khobar Towers attack. From Multisourcing: belated recovery of forgotten first principles, part 2:

Scenario-based responses are dangerously omissive, driving clients to extraordinary cost and diversion, often without merit, yet they are prevalent in part because they are simple. They require no procedural rigor or grounding in fact, only the ability to ask "What if?" endlessly, and they are virtually ineffective for deferring, deflecting, or interdicting an adversary's preparation.

Witness the July 2005 mass transit bombings in London: the UK had a thirty-year history of dealing with a variety of terrorist attacks and bombings, and the "scenario" and "lessons learned" from the earlier transit attacks in Madrid, Spain, were well known, yet they proved of little benefit to the British in interdicting the London attacks.

Scenario-spinning has no logical end and provides no threat assessment, vulnerability assessment, or risk assessment that would normally be enshrined in a firm’s Governance Model.

Scenarios were an Army staple until the terrorist truck bomb attack along the northern perimeter of Khobar Towers, Dhahran, Saudi Arabia, on June 25, 1996. (Khobar Towers was a facility housing U.S. and allied forces supporting Operation SOUTHERN WATCH, coalition air operations over Iraq.) The report by Wayne A. Downing, General, U.S. Army (Retired) which has become known as the Downing Report (Introductory Letter, Preface and Report), reinvigorated the uphill effort to substitute procedurally consistent threat and vulnerability analyses in place of scenario generation.

Without guiding bounds, scenarios proliferate endlessly, often crippling most well-intended, protective efforts (paralysis by analysis). Defenders must define a coherent view of their risk tolerance before they can craft a response strategy that can reasonably and consistently respond to the threats on offer.

Rising from efforts at Sandia, DoE and the NRC, the "IAEA desired an international approach for a DBT methodology that could be offered to all Member States." By 2002 member states had agreed upon a DBT "international standard model" that reconciled varying approaches as to where "risk" was accommodated.

The DBT has become the basis for the design of the physical protection system (PPS), the evaluation of a PPS under assault and the means to document and absorb future threats. Within this framework, each state can modify "the DBT process to better accommodate their culture, the technical resources of their facilities and authorities, and their regulatory frameworks."

Blankenship paints the need for DBT in bold relief:

  1. If the facility does not know who the adversaries may be and what the adversaries’ resources may be, then the design of the [protection system] probably is inaccurate...
  2. Without a DBT, the evaluator has no objective measure for evaluating the effectiveness of the [protection system]. This lack could lead to inconsistent evaluations...
  3. [Changes] could not be documented, and in fact might not even be noticed, if there were not a standard DBT created at some point in time, against which the future threats are compared...

Nine steps were recommended for developing, using, and maintaining a DBT:

  1. Identify Roles and Responsibilities of all Organizations
  2. Develop Operating Assumptions for Use with the DBT
  3. Identify the Range of Potential Generic Adversary Threats
  4. Identify an Extensive List of Threat Characteristics
  5. Identify Sources of Threat-related Information
  6. Analyze and Organize Threat-related Information
  7. Develop Threat Assessment and Gain Consensus
  8. Create a National DBT
  9. Introduce the DBT into the Regulatory Framework

The outcome of the first six steps [is] the Threat Assessment (TA) document, which contains a description of the full range of credible threats to the nuclear facilities in the State… This TA is then sent to the competent authority, which implements the State’s regulatory framework and sets policy for the physical security provisions in the State. The competent authority evaluates the risks associated with the DBT, the consequences of a successful attack by the DBT, and the probability of such an attack. The agency knows the State resources that are available or could be made available to counter the DBT. This agency then reduces the threat assessment document to incorporate the risk that the state is willing to accept. This produces a Design Basis Threat (DBT) statement against which the facilities must protect and against which they will be evaluated by the State competent authority.

Redrawing Blankenship's model for added clarity:

Generic elements of a DBT protection system

Axel Hagemann, a GRS (Gesellschaft für Anlagen- und Reaktorsicherheit mbH) representative to the IAEA, described DBT for IAEA member states in DBT - Basis for developing a European physical protection concept. Hagemann's DBT procedural descriptions for a state implementation are given in its appendix, which I have attempted to generalize for a corporate setting without losing Hagemann's original presentation model.

The result of Blankenship's threat assessment enters in box 1, having documented an analysis of the credible motivations, intentions, and capabilities of potential adversaries that could cause undesirable consequences:

Generic Elements of a DBT Protection System

The consequences represented in box 2 are defined as the potential level of impact on the interests of the public, the nation, key interest groups, and possibly the international community. Consequences can be defined in relation to the class of event derived from the end-items at risk. Concern over potential consequences shapes the policy that drives the decision making process in the development of a DBT. That process is represented by diamond 3, the Governance committee’s responsibility to decide, through its definition of the DBT, on the level of protection. The decision can weigh technical, resource, administrative and political concerns; weighing them explicitly reduces the influence of emotion on the outcome and provides an opportunity to adjust existing definitions of the DBT.

The key elements in the creation of a DBT are threat assessment and decision making considering potential consequences. Threat assessment and decision-making are separate and different processes even though in practice they may be carried out simultaneously. The threat assessment process, and the document that describes the conclusions, scopes all the realistic and credible threats that the Governance committee needs to consider.

Some threats may not be manageable in terms of a DBT because some aspects of the protection system fall outside the responsibility of the Governance committee. These threats are described as being out of scope of the DBT, i.e., "Outside DBT" does not necessarily describe a magnitude of threat above that described in the DBT, but can describe threats that are inappropriate to include in a DBT.

Those threats still need to be accounted for: either they are ruled out of scope, or other competent authorities must be involved to define a response. Diamond 13 represents this additional decision making process, for which the Governance committee is responsible. The decisions symbolized by diamond 13 can be of high relevance if new concepts emerge that were not included in the design basis. The goal is a process that results in acceptable risk, box 14. The Governance committee can, as available, draw on external agencies to provide the intelligence and data that support creation of the Threat Assessment and maintenance of the DBT.

The protective envelope shown in box 6 must be designed against the DBT and will be evaluated by the Governance committee using the definition of the DBT. Protection objectives will be specific to the items transiting the system. The security functions in box 8, detect, deter, deflect, defend and recover, must likewise be designed against the DBT.

Responses may be graded or immediate depending upon the current evaluation of the threat, the relative attractiveness and potential of items and the potential consequences associated with diversion of that item. The requirements on the security function "Deter" can vary depending on the desired response time, response capability and method.

Process steps

Threat assessment (box 1): An analysis documenting the credible motivations, intentions, and capabilities of potential adversaries that could cause undesirable consequences from diversion of end-items. The result of the threat assessment process describes the credible threats.

Consequences (box 2): The potential level of impact on the interests of the public, nation, key interest groups, and possibly international community.

Decision process (diamond 3): Consideration of the results of the threat assessment, the consequences and the policy leads to definition of the DBT. The corporate Governance committee coordinates the development of a DBT and is responsible for its maintenance.

Outside DBT (box 4): Describes those threats identified in the Threat Assessment that will not be included in the DBT but still remain credible. Threats outside the DBT must still be considered: either they are ruled out of scope as indefensible, or an external authority must be involved to complete the mediation the DBT requires.

Design Basis Threat – DBT (box 5): Describes the attributes and characteristics of potential insider and external adversaries who might attempt acquisition of items deemed sensitive, and against whom a protection system has been designed and evaluated.

Protective envelope (box 6): Describes the total protection against unauthorized acquisition or diversion and will likely require a design that includes procedures, facility design, and hardware.

Specific protection objectives (box 7): Describes the means of protecting items that are moving through the system, and all other items defined as having some risk.

Specific responses (box 8): Describes methods to "Detect" or "Deter" an acquisition of an item, or to invoke emergency containment responses as appropriate under the DBT.

Vulnerability assessment and capacity evaluation (box 9): A test of the system’s ability to respond to both the DBT and ongoing threats "in the wild".

Decision process (diamond 10): Represents internal decisions made during the design or evaluation of the protection process to include an evaluation as to whether the specific objectives are achieved. This decision box includes any decision regarding improvement, redesign or post damage crisis management.

Crisis management (box 11): Describes internal post-incident damage control in response to an undesired acquisition of an item.

Internal emergency response (box 12): Describes actions required to mitigate an inadvertent breach or loss of control of an item.

Decision process (diamond 13): Describes a process under which the Governance committee achieves an acceptable level of risk for all items in the DBT.

Acceptable Risk (box 14): Defines acceptable risk, where "risk" is used as the likelihood that a threat will be able to effect an undesirable consequence. Risk can be reduced but not eliminated; every judgment and decision in the process implies acceptance of some degree of risk.

External competent authority (diamond 15): Describes how to respond to credible threats not included in the DBT. (The DBT may be revised or extended in this process.)

External authority responsibility (box 16): Describes a class of external action, protection or assistance taken by external authority.

External authority response (box 17): Describes external authority response in support of the corporation.

External security (box 18): Describes measures taken by external authority in support of corporation that acknowledge a credible threat as External to the DBT. Any such measures are made in concert with internal emergency response measures.

Use of Design Basis Threat at Department of Energy

It is instructive to consider one of the best practitioners of the Design Basis Threat and Vulnerability Assessment process, the Department of Energy (DOE). DOE is remarkable in its rigor, and is among the few in and out of government that reject a scenario-based ‘threat’ definition.

The key component of DOE’s risk-based security practices is the DBT, a classified set of characteristics of potential threats to DOE assets. The DBT traditionally has been based on the Postulated Threat, a classified, multi-agency intelligence community assessment of potential terrorist threats. The DOE DBT considers external threats that include terrorists, criminals, psychotics, disgruntled employees, violent activists, and spies. The DBT also considers internal threats by insiders who have authorized unescorted access within DOE facilities and programs. These insiders may operate alone or in concert with an adversary group, and are routinely assumed to provide assistance to a terrorist group noted in the DBT. DOE generally considers terrorist groups to be the most demanding threat contained in its DBT.

For over a decade, DOE has employed a risk management approach that seeks to direct resources to its most critical assets (Category I special nuclear material) while mitigating the risks to these assets to an acceptable level. Levels of risk are derived from a mathematical equation that compares a terrorist group’s capabilities with the overall effectiveness of the crucial elements of the site’s protective forces and systems, and then assigned classified numerical values.

DOE counters the terrorist threats noted in the DBT with a multilayered protective system. While specific measures may and do vary among sites, all DOE protective systems at the most sensitive sites employ defense in depth that includes sensors, physical barriers, hardened facilities and vaults, and heavily armed paramilitary protective forces equipped with such items as automatic weapons, night vision equipment, body armor, and chemical protective gear. The effectiveness of the protective system is formally and regularly examined through vulnerability assessments.

A vulnerability assessment is a systematic evaluation process in which qualitative and quantitative techniques are applied to detect vulnerabilities and arrive at effective protection of specific assets. To conduct these assessments, DOE uses subject matter experts (SMEs), computer simulated attacks, and force-on-force performance testing in which the site’s protective forces undergo simulated attacks by a group of mock terrorists.
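As an added worked example, not code from Hagemann, Blankenship, DOE or this blog, the following Python models two stages of the process above: the decision process of diamond 3 (partitioning the threat assessment into the DBT, threats outside the DBT, and risk the committee simply accepts) and the vulnerability assessment of box 9. DOE's actual equation is classified, so the evaluation here assumes the open Sandia-style adversary-path model: a protection system is effective (P_E = P_I x P_N) only if detection occurs early enough along the adversary's path that the delay remaining after detection exceeds the response force time (P_I), and the responders then prevail (P_N). The three protective layers, the five adversary profiles, their probabilities, the 300-second response time and the 0.05 acceptable-risk threshold are constructed sample values, not figures from any report.

```python
"""Simplified DBT derivation and Sandia-style PPS evaluation (added example)."""
from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class Element:
    """One layer of the protective envelope (box 6), e.g. a fence or a vault door."""
    name: str
    p_detect: float   # probability the layer detects the adversary when crossed
    delay_s: float    # delay (seconds) the layer imposes after its detection opportunity


@dataclass(frozen=True)
class Threat:
    """One credible adversary from the threat assessment (box 1)."""
    name: str
    in_scope: bool         # within the Governance committee's responsibility?
    likelihood: float      # 0..1 relative likelihood of an attempt
    consequence: float     # 0..1 impact of a successful attempt (box 2)
    delay_factor: float    # < 1 when tools or explosives shorten each layer's delay
    evasion_factor: float  # < 1 when skill or insider help lowers each layer's p_detect


def derive_dbt(threats, acceptable_risk):
    """Decision process (diamond 3): split the TA into DBT, outside DBT, accepted."""
    dbt, outside, accepted = [], [], []
    for t in threats:
        risk = t.likelihood * t.consequence
        if not t.in_scope:
            outside.append(t)       # credible, but handed to an external authority (boxes 15-18)
        elif risk > acceptable_risk:
            dbt.append(t)           # the facility must be designed and evaluated against it
        else:
            accepted.append(t)      # below the risk the committee is willing to carry (box 14)
    return dbt, outside, accepted


def probability_of_interruption(path, threat, response_time_s):
    """P_I: probability of detection early enough that remaining delay beats the responders."""
    delays = [e.delay_s * threat.delay_factor for e in path]
    detects = [min(1.0, e.p_detect * threat.evasion_factor) for e in path]
    # Critical detection point: the last layer at which the delay still to be
    # overcome is at least the response time. Detection after it is too late.
    cdp = None
    for i in range(len(path)):
        if sum(delays[i:]) >= response_time_s:
            cdp = i
    if cdp is None:
        return 0.0  # responders can never arrive in time; detection buys nothing
    # Probability that at least one layer up to and including the CDP detects.
    return 1.0 - prod(1.0 - p for p in detects[: cdp + 1])


def evaluate(path, threats, response_time_s, p_neutralize, acceptable_risk):
    """VA (box 9): residual risk per threat and whether compensatory measures are due."""
    results = []
    for t in threats:
        p_i = probability_of_interruption(path, t, response_time_s)
        p_e = p_i * p_neutralize                      # P_E = P_I x P_N
        residual = t.likelihood * t.consequence * (1.0 - p_e)
        results.append({
            "threat": t.name,
            "P_I": round(p_i, 4),
            "P_E": round(p_e, 4),
            "residual_risk": round(residual, 4),
            "compensatory_measures": residual > acceptable_risk,
        })
    return results


# Constructed sample data (assumptions, not figures from any DBT or GAO report).
SAMPLE_PATH = [
    Element("perimeter fence", p_detect=0.5, delay_s=60.0),
    Element("building door", p_detect=0.8, delay_s=180.0),
    Element("vault", p_detect=0.95, delay_s=600.0),
]
SAMPLE_THREATS = [
    Threat("lone criminal", True, 0.6, 0.2, delay_factor=1.0, evasion_factor=1.0),
    Threat("terrorist group (DBT-sized)", True, 0.2, 1.0, delay_factor=0.5, evasion_factor=0.8),
    Threat("assisted insider", True, 0.3, 0.5, delay_factor=0.5, evasion_factor=0.2),
    Threat("state-sponsored assault force", False, 0.05, 1.0, delay_factor=0.25, evasion_factor=0.8),
    Threat("activist trespass", True, 0.9, 0.05, delay_factor=1.0, evasion_factor=1.0),
]
RESPONSE_TIME_S = 300.0   # assumed response force time
P_NEUTRALIZE = 0.9        # assumed P_N once the adversary is interrupted
ACCEPTABLE_RISK = 0.05    # assumed risk the Governance committee will carry

if __name__ == "__main__":
    dbt, outside, accepted = derive_dbt(SAMPLE_THREATS, ACCEPTABLE_RISK)
    print("DBT:", [t.name for t in dbt])
    print("Outside DBT:", [t.name for t in outside])
    print("Accepted:", [t.name for t in accepted])
    for row in evaluate(SAMPLE_PATH, dbt + outside, RESPONSE_TIME_S, P_NEUTRALIZE, ACCEPTABLE_RISK):
        print(row)
```

Run as a script, the sample shows the point of the process: the insider with evasion help leaves residual risk above the threshold and so triggers compensatory measures, while the out-of-scope assault force gets P_I of zero because no layer can hold it long enough for the responders, which is exactly why it belongs with an external authority rather than in the DBT.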

Assessment results are documented at each site in a classified document known as the Site Safeguards and Security Plan which, in addition to identifying known vulnerabilities, risks, and protection strategies for the site, formally acknowledges how much risk the contractor and DOE are willing to accept.

Historically, DOE has strived to keep its most critical assets at a low risk level and may insist on immediate compensatory measures should a significant vulnerability develop that increases risk above a low risk level. Through a variety of complementary measures, DOE ensures that its safeguards and security policies are being complied with and are performing as intended, e.g., identified high and moderate risks require corrective actions and regular reporting. Response measures can go so far as to curtail operations until the asset can be better protected.

While contractors must perform regular self-assessments and are encouraged to uncover any problems themselves, DOE requires its field offices to comprehensively survey contractors’ operations for safeguards and security annually. All deficiencies identified during surveys and inspections require the contractors to take corrective action.

DOE’s May 2003 DBT reflects the post-September 11 environment by identifying a larger terrorist threat than the 1999 DBT did and by expanding the range of terrorist objectives to include radiological, biological, and chemical sabotage. Notable features of the 2003 DOE DBT are an expansion of terrorist characteristics and goals, and an increase in the size of the terrorist group threat:

Expansion of terrorist characteristics and goals: "The 2003 DBT assumes that terrorist groups are the following: well armed and equipped; trained in paramilitary and guerrilla warfare skills and small unit tactics; highly motivated; willing to kill, risk death, or commit suicide; and capable of attacking without warning. Furthermore, according to the 2003 DBT, terrorists might attack a DOE facility for a variety of goals, including the theft of a nuclear weapon, nuclear test device, or special nuclear material; radiological, chemical, or biological sabotage; and the on-site detonation of a nuclear weapon, nuclear test device, or special nuclear material that results in a significant nuclear yield. DOE refers to such a detonation as an improvised nuclear device."

Increase in the size of the terrorist group threat: "The 2003 DBT increases the terrorist threat levels for the theft of the department’s highest value assets—Category I special nuclear materials—although not in a uniform way. Previously, under the 1999 DBT, all DOE sites that possessed any type of Category I special nuclear material were required to defend against a uniform terrorist group composed of a relatively small number of individuals. Under the 2003 DBT, however, the department judged the theft of a nuclear weapon or test device to be more attractive to terrorists, and sites that have these assets are required to defend against a substantially higher number of terrorists than are other sites. For example, a DOE site that, among other things, assembles and disassembles nuclear weapons, is required to defend against a larger terrorist group. Other DOE sites, such as an EM site that stores excess plutonium, only have to defend against a smaller group of terrorists. However, the number of terrorists in the 2003 DBT is larger than the 1999 DBT number. DOE calls this a graded threat approach."

The moral of DBT: a living instrument

The moral is that a DBT must be a continuously maintained instrument because "Things Change", as David Mamet so wittily showed in his film of the same name: new attackers with expanded characteristics and goals will appear. Attacker group size may swell unexpectedly - and that includes swarms of seemingly unrelated attackers operating against different parts of one's organization. Higher authority may mandate extended protective strategies. Corporate environments can weaken under stress, sometimes degraded imperceptibly, due to financial pressure, takeover, expansion, new roll-outs or other restructuring.

A Russian Perspective on Cooperation Threat Reduction
Dmitry Kovchegin
BCSIA Discussion Paper 2007-04, Kennedy School of Government,
Harvard University, April 2007

Systems Security Engineering: An Updated Paradigm
John W. Wirsbinski
INCOSE Enchantment Chapter
November 8, 2006

Nuclear Security: DOE Needs to Resolve Significant Issues Before It Fully Meets the New Design Basis Threat
Report to the Chairman, Subcommittee on National Security, Emerging Threats, and International Relations, Committee on Government Reform, House of Representatives
GAO-04-623
GAO
April 2004

Using Bilateral Mechanisms to Strengthen Physical Protection Worldwide
Nuclear Terrorism and International Policy
Dr. Edwin Lyman
Union of Concerned Scientists
Institute of Nuclear Materials Management, 2004

Approaches to Design Basis Threat in Russia in the Context of Significant Increase of Terrorist Activity
Dmitry Kovchegin
Presented at the INMM 44th Annual Meeting, Phoenix, Arizona. Conference Paper, 2003

DBT - Basis for developing a European physical protection concept
Axel Hagemann
EUROSAFE, Towards convergence of technical nuclear safety practices in Europe, Paris
Nuclear material security, Seminar 5, p. 59-68
25-26 November 2003

Protection against Sabotage of Nuclear Facilities: Using Morphological Analysis in Revising the Design Basis Threat
Stig Isaksson, Tom Ritchey
Swedish Nuclear Power Inspectorate and Swedish Defence Research Agency
Adaptation of a Paper delivered to the 44th Annual Meeting of the Institute of Nuclear Materials Management - Phoenix, Arizona, July 2003

INTERNATIONAL STANDARD FOR DESIGN BASIS THREAT (DBT)
Jim Blankenship, Sandia National Laboratories
EU-High Level Scientific International Conference on PHYSICAL PROTECTION
Salzburg, Austria
8-13 September, 2002

PRACTICAL EXPERIENCE WITH IMPLEMENTATION OF ASSISTANCE PROGRAMS WORLDWIDE
Jim Blankenship, Sandia National Laboratories
EU-High Level Scientific International Conference on PHYSICAL PROTECTION
Salzburg, Austria
8-13 September, 2002

List of Papers
PROCEEDINGS (All Papers)
EU-High Level Scientific International Conference on PHYSICAL PROTECTION
Salzburg, Austria
8-13 September, 2002

COMBATING TERRORISM: Threat and Risk Assessments Can Help Prioritize and Target Program Investments
Report to Congressional Requesters
GAO/NSIAD-98-74
General Accounting Office
April 1998

Gordon Housworth



Cybersecurity Public  InfoT Public  Infrastructure Defense Public  Intellectual Property Theft Public  Risk Containment and Pricing Public  Strategic Risk Public  Terrorism Public  


Structured IT risk remediation: Integrating security metrics and Design Basis Threat to overcome scenario spinning and fear mongering

Industry absorption of effective metrics for realistic threat and risk analysis in IT is moving far too slowly. A 2003 article, Information security: why the future belongs to the quants, contained a useful metric, Business-adjusted risk (BAR), "for classifying security defects by their vulnerability type, degree of risk, and potential business impact." The BAR used Risk of exploit ("how easily an attacker can exploit a given defect") and Business impact ("the damage that would be sustained if the defect were exploited"). The BAR's use of "relative ratings for both likelihood of occurrence and business impact [allowed it to behave] similarly to insurers’ annual loss expectancy calculations."

Four years on, the quants are still waiting while scenario spinning and FUD continue to flow from the unskilled or the commercially craven: too many members of management, IT included, are among the former, while too many security vendors populate the latter. A co-author of that 2003 piece, Andrew Jaquith, has recapitulated and expanded his work in security metrics in Security Metrics: Replacing Fear, Uncertainty, and Doubt, providing a one-stop shop for defining and implementing IT metrics for risk. It has merit to me because the metrics can form inputs to a Design Basis Threat (DBT) calculation for IT in place of the fear mongering from certain security firms. (Expansion for special nuclear material here.) There are threats, numerous and growing, but often not the threats solvable by the security products on offer. Worse, too many firms, Symantec among them, sell products that consume system resources while providing attack windows in their own code. Enterprise clients are generally deprived of a realistic means of identifying and interdicting realistic, often trivial, penetrations of their infrastructure.

I refer readers to The danger of confusing terrorist interdiction with the consequences of terrorist action for the perils inherent in pursuing scenario-based responses, and, as a start, to FEMA 452 - Risk Assessment: A How-To Guide to Mitigate Potential Terrorist Attacks for its introduction to assessment of threat, asset value, vulnerability and risk.

I fear that Jaquith's efforts have been ignored in the main as Escaping the Hamster Wheel of Pain which forms the first chapter of Security Metrics has been around since May 2005 as has his criticism of Symantec (easily 2005) and a useful but overlooked The Vulnerability Supply Chain (also 2005).

Useful metrics have been out there but have not been picked up en masse, but then neither has DBT, especially in its pure form used on the weapons side of DoE as opposed to the scenario laden approach on the nuclear power side. The combination of effective metrics shorn of histrionics with the Design Basis Threat process offers a realistic means to enterprises needing to formulate a cost effective and sustainable defense posture. We are among the few that have successfully applied DBT to Intellectual Property (IP) threats and remediation.

It cannot be overemphasized that the solution to this problem is NOT an Information Technology (IT) solution but IS primarily a Counterterrorism (CT) and Counterintelligence (CI) solution applied to corporate infrastructure, augmented by IT as the CT/CI process demands. Were it solely an IT solution, then one might suppose that this class of problem could be solved at least as often as major IT applications succeed (depending upon whose statistics one chooses to accept, some 40 to 60% of large IT solutions either fail, are withdrawn, or are at best suboptimal in their performance). The solution path can only be hinted at in this brief survey, and the requisite CT/CI practitionership and its understanding of an asymmetric attacker take years to develop (which is one of the reasons that it occurs in so few instances and why the market tolerates so many pretenders, as clients cannot properly estimate the skill set needed to address the problem).

It is also a substantial systems analysis problem. In asking Scott Borg for a current copy of the Cybersecurity Checklist, I noted that I refer clients to his PPT, The New US-CCU Cyber-Security Check List, and its flagged need to address both physical and IT/cybersecurity, but add the following to it:

  • (First I have to describe Ackoff's three laws of systems - people can grasp the first two but the third floors them)
  • Systems fail at their boundaries, and that includes boundaries between components and clusters of components that act as subsystems.
  • Physical and cyber are two of those subsystems; there are many more, all interacting to Ackoff's third law.
  • A check list is a still frame from a motion picture, but people rip the frame, losing the underlying assumptions and context in the process.
  • A check list without a date/time stamp is useless, even dangerous.
  • Process-based threat and vulnerability assessment are key in defining appropriate levels of protection; remediation steps are then pulsed to insure that they deliver against the threats.
  • Scenario-based defense, while useful in estimating consequences of a particular scenario, is dangerous as it spins out of control, usually missing the fatal payload.
  • Good security is process-based rather than hardware-based (process is 10:1 over hardware, and process comes first as it will define the needed hardware).
  • Defenders never see themselves as attackers do, especially asymmetrical attackers, and so rarely protect the right mix against legitimate threats.
  • Defenders too often look for "peer attackers" instead of a simple asymmetric.

Scott's reply mirrors our own experience:

You are right in pointing out how hard it is for most people to think in terms of dynamic systems and processes.  I like the way you have formulated the problem in your e-mail.  We have been struggling with many of the same issues when it comes to getting people to understand the problems they will increasingly face.

The following is derived from an unclass analysis, Asymmetric Threat Detection in the Material Security Environment, we performed for a DLA unit in 2005. Seasoned practitioners will easily envision frontloading Jaquith's metrics into the threat side of DBT.

Evolving Nature of Threats

Technological surges in many sectors, so many as to effectively shield their collective effect from many investigators, coupled with globalization and the availability of WME (weapons of mass effect), have changed the risk landscape, most notably in the means to effectively address low-probability, high-consequence threats.

Too many fail to properly differentiate threat from risk, i.e., a threat is a source of harm (loss) whereas a risk is the estimation of the likelihood of that harm occurring coupled with the potential impact from its occurrence. Threat assessment is only one aspect of a larger and more complex risk analysis process, yet too many remain fixated on threat analyses as the sole basis of applying protective measures without sufficient attention paid to precision or control in their application.

Too many designs for low-probability, high-impact threat sources tend to skew the design of the security plan to costly countermeasures when precision could have provided cohesion and freed up resources. Too often, an organization adopts what it assumes is an extremely ‘secure’ system that either cannot be implemented, cannot be sustained, is impractical for its users or overlooks active threat paths because finite resources are fully engaged elsewhere.

Threat Levels

A threat can be defined as the intended potential to cause an undesirable consequence. A threat assessment documents the result of an analysis of the credible motivations, intentions, and capabilities of potential adversaries that could cause undesirable consequences... The threat level provides a current estimate of ongoing risk to personnel, facilities, or interests from terrorist attack. Analyses deriving threat levels at the Department of Defense (DoD) are commonly performed by the intelligence staff at each command level, and the resulting threat levels can differ by echelon. Threat levels range from Negligible to Critical and are based on a systematic analysis of five factors: existence of terrorism, terrorist capability, history of terrorism, intentions of terrorist groups, and targeting by terrorist groups. The system is not perfect but can be effective in a relatively contained risk environment, as it inherently allows for a concentration of resources during periods of elevated risk, conserving those resources in the process.

Threat Analysis

To supplement a risk responsive approach, such as in the use of threat levels, ICG prefers to create a risk matrix for each identified threat group so as to perform a more precise capabilities analysis. ICG prefers this more extensive version -- as it allows greater ability to profile the group under examination and to create a baseline for ongoing comparative analysis, a means to capture outlier data that may indicate an emerging threat:

Variant 2: Threat Analysis Factors

Factor must be Present: X; Factor may or may not be Present: O

Threat Level   Existence   Capability   History   Intentions   Targeting
Critical       X           X            X         X            X
High           X           X            X         X            O
Medium         X           X            X         O
Low            X           X            O
Negligible     X           O


In response to threat levels, companies or commands adopt or change Force Protection Conditions (FPCONs), which are measures to protect people and facilities from the postulated current threat. Each FPCON potentially entails increasingly stringent security measures. A nominal DoD matrix contains intelligence assessments, warning reports, spot reports and law enforcement reports. The Department of State (DoS) adds broader factors, such as political violence which encompasses terrorism, counterintelligence, anti-U.S. technical intelligence, and activities against the U.S. community in determining its threat levels.
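The Variant 2 matrix above can be read as a ladder: each level requires its X factors and tolerates its O factors, and a factor that fits no row is exactly the outlier data the text wants captured for comparison against a baseline. The following Python is an added illustration of that reading, not code from the post or from ICG; the group names, the baseline profiles and the current profiles are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# The five factors of the matrix, in ladder order (lowest rung first).
FACTORS: Tuple[str, ...] = ("existence", "capability", "history", "intentions", "targeting")

# One row per threat level, highest first: (level, required factors = X cells,
# tolerated factors = O cells). Any other factor is off-ladder for that level.
LEVELS: List[Tuple[str, Set[str], Set[str]]] = [
    ("Critical",   set(FACTORS),                                         set()),
    ("High",       {"existence", "capability", "history", "intentions"}, {"targeting"}),
    ("Medium",     {"existence", "capability", "history"},               {"intentions"}),
    ("Low",        {"existence", "capability"},                          {"history"}),
    ("Negligible", {"existence"},                                        {"capability"}),
]
# Numeric rank for comparisons; "None" covers a group whose existence is not established.
RANK: Dict[str, int] = {name: len(LEVELS) - i for i, (name, _, _) in enumerate(LEVELS)}
RANK["None"] = 0


def threat_level(present: Set[str]) -> str:
    """Highest level whose required (X) factors are all present."""
    unknown = present - set(FACTORS)
    if unknown:
        raise ValueError(f"unknown factors: {sorted(unknown)}")
    for name, required, _tolerated in LEVELS:
        if required <= present:
            return name
    return "None"


def outlier_factors(present: Set[str]) -> Set[str]:
    """Factors present that the derived level neither requires nor tolerates.

    Targeting without intentions, or history without capability, fits no row
    of the matrix; those off-ladder factors are the outlier data that may
    indicate an emerging threat and deserve an analyst's attention.
    """
    level = threat_level(present)
    for name, required, tolerated in LEVELS:
        if name == level:
            return present - required - tolerated
    return set(present)  # no rung matched at all, so every factor is off-ladder


@dataclass
class Assessment:
    group: str
    level: str
    outliers: Set[str]       # off-ladder factors to inspect
    new_factors: Set[str]    # factors absent from the baseline profile
    escalated: bool          # level rose relative to the baseline


def assess(group: str, present: Set[str], baseline: Optional[Set[str]] = None) -> Assessment:
    """Derive the level, flag outliers, and compare against an earlier profile."""
    level = threat_level(present)
    new_factors = present - baseline if baseline is not None else set()
    escalated = baseline is not None and RANK[level] > RANK[threat_level(baseline)]
    return Assessment(group, level, outlier_factors(present), new_factors, escalated)


def needs_review(a: Assessment) -> bool:
    """Anything off-ladder, or any escalation, goes to an analyst."""
    return bool(a.outliers) or a.escalated


# Constructed sample profiles (not real assessments): the baseline is a prior
# review cycle, the current set is what the analyst now observes.
SAMPLE_BASELINE: Dict[str, Set[str]] = {
    "group-a": {"existence", "capability", "history", "intentions"},
    "group-b": {"existence", "capability"},
    "group-c": {"existence", "capability"},
}
SAMPLE_CURRENT: Dict[str, Set[str]] = {
    "group-a": set(FACTORS),                                          # now Critical
    "group-b": {"existence", "capability", "history", "targeting"},   # targeting, no intentions
    "group-c": {"existence"},                                         # capability no longer seen
}


def run_sample() -> List[Assessment]:
    """Assess every constructed group against its baseline, in name order."""
    return [assess(g, SAMPLE_CURRENT[g], SAMPLE_BASELINE.get(g)) for g in sorted(SAMPLE_CURRENT)]


if __name__ == "__main__":
    for a in run_sample():
        flag = "REVIEW" if needs_review(a) else "ok"
        print(f"{a.group:8} {a.level:10} outliers={sorted(a.outliers)} "
              f"new={sorted(a.new_factors)} {flag}")
```

Run stand-alone, group-b is derived as Medium yet flagged for review because targeting appears without intentions, which is the kind of outlier the baseline comparison is meant to surface.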

Risk is a function of threat, likelihood, consequence, vulnerability, and asset value. Impact is a function of:

  • Resources (the adversary's resources to execute and the defender's resources to defend, respond and recover post-attack)
  • Unexpected Methods by the adversary
  • Adversary's understanding of our infrastructure and the means to achieve exploitation
  • Defender's vulnerabilities
  • Effect Multipliers -- Where typical effect multipliers are:
    • Disruption of cyber infrastructure
    • Prevention or reduction of response and retaliation
    • Decrease or suppression of initiative to respond politically
    • Employment of psychological operations (Psyops)
    • Generation of fear and indecision
    • Introduction of WME (Weapons of Mass Effect)

Asymmetrical Rules Base (Attacker Rules)

Crafted from the 'success' of an earlier World War I static defensive war, the French Maginot Line failed under the newer concept of a mobile mechanized infantry. Accordingly, current defenses will fail under attack by the small-scale, high-impact operations of an asymmetrical attacker employing unexpected, non-traditional and broadly applicable methods unless we learn the current methods of the adversary and adopt simple effective measures.

Threat assessment must include the ability to impute an asymmetrical rules base as part of the threat definition so as to permit the defender to think more like a terrorist (as opposed to a defender) in defining a realistic threat posture, i.e., act without the self-imposed rules and limitations of the defender so as to view the risk calculation through the eyes of any number of threat groups, be they Muslim fundamentalists, Patriot right, Millennialists, single-interest terrorists such as the Earth Liberation Front (ELF), or various groups aggrieved at US actions. Each threat group has 'rules' such as preferences in targets and timing, varying motives for action, specific means or technical capability for action, and the later the threat detection the greater the threat group’s opportunity for action.

Asymmetric adversaries employ very different variables in their calculations for risk than the defender where the adversary is essentially interested in forestalling detection and accomplishing mission fulfillment. As previously noted in threat definition, a study of each category of attacker and, in specific cases, individual adversary groups, will identify a typology of action such that we can view risk and reward through the eyes of the asymmetric attacker. Without that view, much of successful defense is happenstance.

Introduction to Design Basis Threat (DBT)

The successful approach to defer (delay hostile efforts), deflect (move hostile intent to another target) or defend (interdict an incipient hostile attack) against an asymmetric attacker is almost all proactive process with a modest amount of strategically placed hardware that adds specific and reliable value to the process.

The core of that process is the Design Basis Threat (DBT), which captures and formulates risk management objectives that balance commercial and security objectives, providing a means to evaluate threats over time. The DBT becomes an integral, inseparable part of corporate governance. The DBT becomes the mechanism that informs management of the types of threats it may face over time and allows them to define the threats that are in or out of scope, the response level that will be committed to each threat, and the cost of that response level.

The DBT absorbs the 5-Step Risk Management Process of FM 100-14, Risk Management, which is the commander’s principal risk reduction process to identify and control hazards and make informed decisions:

  • Identify hazards
  • Assess hazards
  • Develop controls and make risk decisions
  • Implement controls
  • Supervise and evaluate

The DBT, just as all sound risk management, does not:

  • Inhibit the commander’s and leader's flexibility and initiative
  • Remove risk altogether, or support a zero defects mindset
  • Require a GO/NO-GO decision

The DBT will include threat assessment, a safety-oriented hazard assessment, asset value assessment and an asset risk assessment that draw upon technical insights and the results of internal and external pattern detection. Where the best DBT implementations differ from almost all conventional DBTs is that the DBT must NOT be a scenario-based risk process but rather a rigorous procedural analysis. As noted above, a solution to IT risk identification and remediation is not solely an IT solution but rather the application of a CT/CI approach to a firm's infrastructure, augmented by IT as required. The DBT process is used to assess risk more effectively, enshrining speed to flag rising risk for inspection and action.

The DBT process can be used also to identify security guidelines that should be migrated across supplier relationships on both the buy (outsourcing) and make (manufacturing) side. Upstream outsourcing is a too often overlooked failure point. See Multisourcing: belated recovery of forgotten first principles, parts 1 and 2.

If history is any guide, integration, implementation and wider adoption of a metrics-driven DBT for IT will be slow while phishers and penetrators lunge ahead (here and here), but at least the path is there.

Part 2, Generic elements and process of a DBT protection system

Security Metrics
Posted by samzenpus on Wednesday May 16, @03:35PM
Slashdot
May 16, 2007

8 Questions For Uncovering Information Security Vulnerabilities
Tips for testing information security vulnerability hypotheses with questions designed to head off potential problems.
By Andrew Jaquith
CSO
16 May, 2007

Google: 10 percent of sites are dangerous
By Tom Espiner, Silicon.com
Published on ZDNet News
May 15, 2007, 7:56 AM PT

Do you know what’s leaking out of your browser?
Posted by Ryan Naraine @ 11:22 am
Zero Day
May 14, 2007

Using Metrics to Diagnose Problems: A Case Study
When initially deploying transactional financial systems it's wise to make sure perimeter and application defenses are sufficient.
By Andrew Jaquith
CSO
11 May, 2007

Models for Assessing the Cost and Value of Software Assurance
John Bailey, Antonio Drommi, Jeffrey Ingalsbe, Nancy Mead, Dan Shoemaker
Software Engineering Institute,
Carnegie Mellon University
Last modified 2007-05-10 10/07 4:38:24 PM

Security Metrics: Replacing Fear, Uncertainty, and Doubt
Andrew Jaquith
Addison-Wesley Professional; March 26, 2007
ISBN-10: 0321349989

ebook: ISBN: 0321509471
File Size: 4393 kb
Released online for download: 03-03-2007

Making the Business Case for Software Assurance
Nancy R. Mead
Software Engineering Institute,
Carnegie Mellon University
2007-02-06 12:30:16 PM

SECURITY METRICS FOR ENTERPRISE INFORMATION SYSTEMS
Victor-Valeriu PATRICIU, Iustin PRIESCU, Sebastian NICOLAESCU
Department of Computer Engineering
Military Technical Academy, Bucharest, Romania
Journal of Applied Quantitative Methods
JAQM, Vol 1, No. 2, Winter 2006

Rational Choice of Security Measures via Multi-Parameter Attack Trees
Ahto Buldas, Peeter Laud, Jaan Priisalu, Märt Saarepera, and Jan Willemson
In J. Lopez, ed.
Proc. of 1st Int. Wksh. on Critical Information Infrastructures Security, CRITIS '06 (Samos Island, Aug./Sept. 2006), pp. 232-243. Univ. of the Aegean, 2006

NOTE: The following PDF of a PPT presentation by Buldas et al is useful for stepping a reader through the attack tree process under discussion:

Rational Choice of Security Measures via Multi-Parameter Attack Trees
Ahto Buldas, Peeter Laud, Jaan Priisalu, Märt Saarepera, Jan Willemson
[PRESENTATION] CRITIS’06
August 30 – September 2, 2006, Samos Island, Greece

Checklist outlines new cyberthreats
BY Michael Arnone
FCW
Published on April 26, 2006, updated at 5 p.m. May 5, 2006

The New US-CCU Cyber-Security Check List
Scott Borg
GSC-11 Chicago
2006

The Vulnerability Supply Chain
by Andrew Jaquith
SecurityMetrics.org
6 December, 2005
last changed on 00:06 07-Dec-2005

Asymmetric Threat Detection in the Material Security Environment
With Initial Recommendations Regarding Disposition of WMD-Related End-Items For Defense Reutilization and Marketing Service
Prepared by Intellectual Capital Group LLC
21 September, 2005

The Symantec Threat Report: Read Between the Lines
by Andrew Jaquith
SecurityMetrics.org
September 20, 2005
last changed on 09:51 22-Sep-2005

A Few Good Metrics
Information security metrics don't have to rely on heavy-duty math to be effective, but they also don't have to be dumbed down to red, yellow, green. Here are five smart measurements—and effective ways to present them.
By Scott Berinato
CSO
July 2005

Escaping the Hamster Wheel of Pain
By Andrew Jaquith
Securitymetrics.org
4 May, 2005
Last changed on 11:56 04-May-2005

The Metrics Quest
Under pressure from the CFO to quantify security benefits, a CSO finds measures that matter
BY ANONYMOUS
CSO
November 2004

Nuclear Security: DOE Must Address Significant Issues to Meet the Requirements of the New Design Basis Threat.
Testimony Before the Subcommittee on Oversight and Investigations, Committee on Energy and Commerce, House of Representatives
GAO-04-773T, General Accounting Office (GAO)
May 11, 2004

Collecting Effective Security Metrics
By Chad Robinson
Robert Frances Group
April 09, 2004

Information security: why the future belongs to the quants
Daniel Geer Jr, Kevin Soo Hoo, Andrew Jaquith
Security & Privacy Magazine, IEEE
Volume 1, Issue 4, July-Aug. 2003 Page(s): 24 - 32
Posted online: 2003-08-11 14:23:28.0
ISSN: 1540-7993

Risk Management
FM 100-14
Field Manual Headquarters
No. 100- 14 Department of the Army
Washington, DC, 23 April 1998

Gordon Housworth




Deducing IP collection targets among military, commercial and dual use applications from Chinese science and technology core competencies

The identification and analysis of the science and technology core competencies of China permits much deduction, from a targeting standpoint, of Chinese interest in foreign military, commercial and dual use technologies. A first in the unclass area, this Office of Naval Research (ONR) comparative effort contrasts the impact/quality of all of China's research (versus India and Australia) and its research investment emphases/strategy (versus the US). Its algorithmic data is of interest to those of us interested in automated search.

This analysis has rising interest as China surpassed Japan in 2006 to "become the world's second highest investor in R&D after the United States":

China's spending on R&D as a percentage of GDP, known as R&D intensity, has more than doubled from 0.6% of GDP in 1995 to just over 1.2% in 2004. In current prices, this represents an increase from just over USD 17 billion in 1995 to USD 94 billion in 2004. And it is growing even faster than the economy which is growing by between 9 and 10% a year.

Less widely reported, save for certain European sites, was that China surpassed "Germany as the 5th world largest supplier of patent applications."

The ONR's "bibliometric" study of Chinese scientific publications shows that the PRC is making significant strides in science and technology areas related to national security and commercial enterprise:

In addition to identification of the technical structure and infrastructure of the Chinese science and technology literature, two unique approaches were developed to compare characteristics of China's science and technology output with that of other countries. First, a novel method was used to compare the impact/quality of all of China's research with that of two other countries, India and Australia. Second, a unique approach was used to compare China's research investment emphases/strategy relative to that of the US:

The study proceeds from a series of straightforward observations and analyses to several increasingly dense methodological appendices that are likely unintelligible to non-specialists.

Read the initial and summary sections.  Leave the "dense methodological appendices" to automated text mining and ranking - which will interest a couple of us.

Patent Review, Back to the Future?
IPEG
posted by IPEG at Tuesday, October 24, 2006

Japan's auto makers focus on key markets
By Hisane Masaki
Asia Times
Jun 2, 2006


The Structure and Infrastructure of Chinese Science and Technology
by Ronald N. Kostoff, Michael B. Briggs, Robert L. Rushenberg, Christine A. Bowles, Michael Pecht
Office of Naval Research
2006

China will become world's second highest investor in R&D by end of 2006, finds OECD
OECD
04/12/2006

Services, R&D attract rebounding FDI in China
Asia Times
Feb 22, 2006

Gordon Housworth



A Chinese Catch-22: the implausibility of plausible denial

If you or your firm does business in China, successfully or relentlessly in pursuit of profit, your firm and likely yourself or one or more individuals in your reporting stream are guilty of violating the US Foreign Corrupt Practices Act (FCPA). The only barriers to discovery are a Chinese arrest of your counterparty for reasons internal to the Chinese, perhaps an anti-corruption drive or an official's fall from favor, and a US warrant against you or your firm for actions with Chinese entities that are deemed illegal under US law.

In a perfect Catch-22 (also here), it is highly likely that you can't even operate in China without violating the Act, especially so when one understands the pervasive nature of purchasing favor in China, even among Chinese. Rich Kuslan offers a nice introduction (and also has a good money laundering series, parts 1, 2, 3):

The idea that one must buy favor permeates Chinese society, even down to the lunch offered by a family member asking for assistance. But bribery and the [FCPA] do not mix well. Since most commercial transactions can not be accomplished in China without the former, in one form or another, the latter tends to suffer when sales figures must be met. As to the actual payment of moneys, most corporations in China who fork it over do not do so directly, but instead make use of third (and fourth) parties -- often foist upon them by potential customers, but sometimes selected. Payments may be made within China or even overseas through a wide range of entities that may help mask the payment. One can be as sure of crisp US $100 bills in a satchel as often as numbered Swiss accounts.

An important note: the use of agents does not necessarily shield the American executive from prosecution. Actual knowledge that a payment or a promise to pay will be forwarded to an official is not required: constructive knowledge -- you "should have" known, given the facts -- can make the exec just as liable.

And is it even debatable that [Zhang Enzhao at China Construction Bank] is an official for the purposes of the FCPA, when the CCB is a quasi-governmental organ of the state of China? The [principal purchaser] in China remains the state. How does the exec defend foregoing a big sale to a quasi-governmental organ and a payment to its key decision-maker in a market your headquarters believes will save the company?

For those of us with a long history with the FCPA, 1998 separates what many call FCPA I and FCPA II. The essence is plausible deniability in connection to a prohibited act. Among the "Prohibited foreign trade practices by domestic concerns" there had long been statute, to wit:

(3) any person, while knowing that all or a portion of such money or thing of value will be offered, given, or promised, directly or indirectly, to any foreign official, to any foreign political party or official thereof, or to any candidate for foreign political office, for purposes of-- influencing... inducing...

The 1998 amendments to what is now called "FCPA I" strengthened the definition of "knowing" such that "FCPA II" removed plausible denial with:

(A) A person's state of mind is "knowing" with respect to conduct, a circumstance, or a result if--
(i) such person is aware that such person is engaging in such conduct, that such circumstance exists, or that such result is substantially certain to occur; or
(ii) such person has a firm belief that such circumstance exists or that such result is substantially certain to occur.

All accounts indicate that DoJ is ramping up its enforcement efforts. In 2005, Assistant Attorney General Christopher Wray flagged a rise in FCPA cases:

Even today, attitudes toward that kind of conduct vary widely among executives around the world and, unfortunately, right here at home. Some folks persist in thinking that bribery is just a cost of doing business in certain countries. The problem is, these bribes undermine exactly what the Corporate Fraud Task Force is intent on restoring: public confidence in the integrity of American business. Under-the-table bribes distort the playing field and hide the truth from the public...

First, the SEC has significantly stepped up enforcement of the FCPA's civil provisions against publicly held companies... Second, we're seeing more cooperation from anti-bribery investigators and prosecutors around the world. That kind of cooperation is essential because these are often tough cases to make. Evidence of the bribe is often located abroad - sometimes in the very country whose officials have been bribed. And these matters are almost always politically sensitive. Our investigators rely on the good graces and cooperation of our international partners... Finally, we're seeing many more companies disclose FCPA violations voluntarily [as] companies are getting the message that we're serious about rooting out illegal corporate conduct...

As a theater operator, I'd often seen the situation that Rich describes as:

[When] senior management passes out copies of the FCPA -- with the notation in biro "read this and make sure you do not violate this law," [it] does not mean they care whether you violate the law, but just that they don't.

Given the propensity of DoJ to prosecute corporately and individually, I think that it is no longer sufficient to attempt to remain at arm's length while leaving subordinates at risk. Given the FCPA risks of doing business in China, I think that it will be increasingly difficult to satisfy Rich's admonition:

If you have not seriously considered it before, now is the time to give serious consideration to the value of risky behavior in light of the demands presented by the FCPA, the DOJ and, now, it appears, the Chinese government.

My export sales operated extensively under FCPA I. I think it reasonable to assume said work would not pass FCPA II scrutiny for plausible denial. By the same token, I do not believe that any current Chinese operation could withstand the rigorous scrutiny of FCPA II. The result is discretionary enforcement waiting to happen from either Chinese or US authorities; the counterparty becoming collateral damage to the exposure.

General comments on compliance with FCPA and other statutes

My commercial dealings in Central and South America, Africa, the Middle East, India, and Indonesia painted an intriguing picture of financial compensation through a 'supply chain' of actors in which one could obey FCPA I with modest effort. Most interestingly, China was not then an issue for us as we possessed a high value technology (Computer Aided Design (CAD)) slowly emerging from embargo coupled with then nascent commercial IP collection. In fact, we had competing suitors within China to secure a commercial relationship with us. (The issue rose to the point that these competing groups would, in turn, call me to the embassy in Washington to berate me for dealing with the other party.) Contrasting our preferential treatment, even in the 80s, I saw what happened when the Chinese considered a product more a commodity than a specialty. The commercial terms offered to those vendors were immediately tough.

I have a special memory of the landing of the first space shuttle, STS-1 Columbia, on 14 April, 1981, as I spent the day in Brasilia being hit up for a bribe by a government functionary who became increasingly exasperated and blunt as I feigned no understanding of his real request. I could afford to be politely obtuse as I already had the means to get our systems past the clutch of Brazilian customs. One would have to be derelict not to understand the empire that was Brazilian customs, or to be unaware of the elegant apartment blocks outside Rio that housed ostensibly low level customs officers. The fact that my client was another government agency made no difference to customs, but it did offer a workaround. We shipped the systems to an airbase in the US where they were transferred to a Brazilian military aircraft which delivered the equipment to an airbase within Brazil. A domestic flight back to the coast outflanked Brazilian customs. One may surmise that there were costs associated with that transit but they were opaque to me and were considered acceptable by all local parties on our side.

Save for the Republic of South Africa (RSA), then under apartheid government and possessed of its own special issues, there was no country in Africa that was free of extralegal payment demands. I sympathize with anyone doing business on the continent as, even with layers of intermediaries, I would not like to endure an FCPA II deniability cross-examination. Regardless of your opinion of FCPA, it does limit freedom of maneuver by US firms, advances US extraterritoriality, and makes it easy for states such as China to gain a commanding position in state to state agreements on the continent. By contrast, French extralegal efforts in the energy sector were easier to deal with as they could be threatened with exposure if they did not limit certain activities.

Reflecting on my operations on many continents, I again submit that FCPA II and its tightened rules on plausible deniability put a tier of managers, and likely their companies, in a Catch-22, i.e., if you are truly competent at your craft in the region, you will know things that violate FCPA II.

I also believe that the US government can, and has, regularly put commercial firms in the breach between US diplomatic intent and FCPA and export guidelines. Citing private notes from 2004, I submit my commercial experience in the Republic of South Africa (RSA) as an example of skimming the rim of plausible deniability in FCPA I and other statutes:

On my [first] commercial visit to RSA, I was to make a presentation to CSIRO [Commonwealth Scientific and Industrial Research Organisation] in Johannesburg, [with] some 600 in attendance. My [demonstration choice] was a kinematic model of an M-60 machine gun [that I had built to show 3-D interference checking as the round was stripped and chambered - not an easy thing to do with the wire frame models of the day]. I had memorized enough Afrikaans to open the presentation and then shifted to English. My distributor said that the hall [fell] silent... No one instructed me to take military examples. It was just my reading of the reality on the ground...

As CoCom (Coordinating Committee for Multilateral Export Controls) was then governing export licenses to COMECON states, the PRC and other states considered suspect for embargoed use or diversion, I became aware of what I described as a special tilt towards certain governments based upon the degree of difficulty or permissiveness in securing an export license.

I came to see a very favorable tilt towards Pretoria that was at odds with then current state department pronouncements which in hindsight could have been at odds with FCPA:

I [believe that I] was party to a special tacit arrangement to RSA in the late 70s and early 80s [during] which my firm received a blanket $7 million export license to Pretoria for all our CAD/CAM systems. Export seven million and reapply for another seven. [At the same time] COCOM was raking me over the coals on a case by case basis to export technology that was then five years old to the PRC and Czechoslovakia. The RSA economy could not justify sole commercial use of our size of CAD systems [then 75K USD per station]. Everything we sold was dual use. I took down [unclass] demo models based on proof of function for China Lake [Weapons Test Center], Draper Labs, as well as for the French Superphénix (SPX) reactor series. [In the case of the Superphénix demo, I later learned that I had] sold the CAD systems that went into Valindaba [enrichment] and Pelindaba [weapons design and production] along with enough spares to build a third... Almost every prospect meeting had me presenting to folks who asked questions but never identified themselves. I never took down a commercial example. Things got looser over time as I surmised that my distributor was advising clients that I was not a hostile.

A valid end-use certificate came up from Joberg for every system, and while we did not visit RSA client installations save, if memory serves, for a small manufacturer of excavating equipment, one had to ponder ultimate use. We later learned that this small excavator manufacturer, which had purchased a one-terminal system to design tungsten carbide cutters for excavators, also designed and fabricated tungsten carbide cores for armor piercing rounds. As noted, everything seemed to be dual use, a functional capacity mandated, as it turned out, by Pretoria as part of its policy of autarky. I would not have liked to be under FCPA II for those efforts. I think it all too easy for an enterprising attorney to build a case of breaching plausible denial.

As an aside, in defense of export license sales to contested states such as the PRC and Eastern Europe (Bulgaria was a major site of advanced design and manufacturing for the USSR):

I even testified at the Pentagon to a foreign technology diversion group telling them how the Soviets, Czechs, and even the Chinese were already making LSI scale chips by stitching together designs produced by a UK system supposedly limited to PCB (Printed Circuit Board) design density. [The process was utter simplicity: the chip design was sectored such that each segment would fit the PCB system, and each sector had defined I/O points to adjacent sectors. Giving up some silicon was an easy trade for otherwise unattainable low volume military production.] They were astonished. Another sign of the fallacy of looking for a mirror-image enemy with mirror-image technology/weapons/tactics. [My testimony] may have made them smarter but it did not ease my export licenses. If memory serves, this was when Richard Perle was in his heyday at export [control].

China's Crackdown on Corruption Still Largely Secret
By Edward Cody
Washington Post
December 31, 2006

Charges of Bribery in a Chinese Bank Deal
By DAVID BARBOZA
New York Times
November 29, 2006

Rare Look At China's Burdened Banks
By DAVID BARBOZA
New York Times
November 15, 2006

The Cost of "Free Trade" in China: Corruption and the FCPA
Posted by Richard at 4:07 PM
Asia Business Intelligence
November 8, 2006

China's bank corruption doesn't faze investors
The multi-million-dollar scandals are a footnote in the floats, write Tom Mitchell and Justine Lau
Tom Mitchell and Justine Lau
The Australian-FT Business
June 05, 2006

Basics of the Foreign Corrupt Practices Act
What Every General Counsel, Transactional Lawyer and White Collar Criminal Lawyer Should Know
By: Robert W. Tarun
Latham & Watkins
April 2006 Edition

Remarks to the ABA White Collar Crime Luncheon
Christopher A. Wray
Assistant Attorney General, Criminal Division
University Club, Washington, DC
February 25, 2005
Note: Mr. Wray frequently speaks from notes and may depart from the speech as prepared.

Opinion Procedure Release No.: 04-03
Foreign Corrupt Practices Act Review
June 14, 2004

Anti-Bribery Provisions of The Foreign Corrupt Practices Act
COMPARISON OF S.2375 (AS PASSED) WITH THE CURRENT FCPA
[Redline comparison of FCPA to the final version of  S. 2375]
UNITED STATES CODE ANNOTATED
TITLE 15. COMMERCE AND TRADE
CHAPTER 2B--SECURITIES EXCHANGES
§ 78dd-1. Prohibited foreign trade practices by issuers
1998 Amendments

Foreign Corrupt Practices Act (FCPA)
Department of Justice, Criminal Division

Gordon Housworth


