I was browsing some blog posts this morning and came across one on The Dark Visitor which is a site focusing on Chinese Hackers.  The post was about how China’s cyber warfare efforts have caused India’s military to step up their own cyber defense capabilities. 

This may seem to be an international political issue but does your company outsource anything off shore?  Do you offshore to India?  Do your partners?  Do you really know where your critical information is once it leaves systems under your direct control?  Do you verify that your outsourcing company protects your information at least as well as you do?

Let’s forget for a minute that the attacker is China (Honestly they’re just an easy target for my attention; there are other countries that have information warfare programs.); let’s forget that the target in this case is India.  The real point is that critical information is at risk once it has left the corporate environment.  By outsourcing, companies are delegating responsibility for protecting the information but in the end they cannot truly transfer this responsibility. 

It is not enough to include clauses in a contract that mandate the protection of your critical information, you must audit and verify that your partner (be they domestic or international) is conforming to how you mandate your information be protected.  Outsourcing can bring great savings but along with that savings comes additional Risk.  Have you considered the additional risk?

The recent statements from Congressmen claiming to have been hacked the Chinese really isn’t a surprise.  In case you missed it here is a brief review:  Officials have indicated that the intrusions began in August 2006 although I would think that it has been taking place for much longer than that.  Anyway the extent is currently unknown but Rep. Frank Wolf (R – VA) and Rep Christopher Smith (R – NJ) were named as being among the targets.  Other targets included other members of Congress and at least one congressional committee.  Rep. Wolf is quoted as saying “They got everything”.  China of course has yet to comment on this incident. 

They have however offered comment on the allegation that they copied the contents of a laptop left unattended during a visit to China by Commerce Secretary Carlos Gutierrez last December.  Foreign Ministry spokesman Quin Gang is quoted as saying

 ”These reports are totally groundless… These allegations are highly irresponsible…. China has made clear our principled position on many occasions: China is opposed to computer criminality including hackers.”

Of course this is the diplomatic response.  It isn’t like they could openly admit that they did this.  It isn’t like they haven’t openly published statements concerning their use of information warfare to achieve their objectives.  Oh wait – they did.  Check out Unrestricted Warfare by Qiao Liaug and Wang Xiangsui (Beijing: PLA Literature and Arts Publishing House, February 1999).  The book advocates a multitude of means, both military and particularly non-military to strike at the United States.  This includes hacking into websites, targeting financial institutions, terrorism, using the media and conducing urban warfare.  Targets also include private companies in a form of economic warfare conducted against our country and its interests.   

From Unrestricted Warfare:

 ”The reality of information exchanges and intertwining interests is continually broadening the meaning of warfare. Also, any country which plays a decisive role has various capabilities to threaten other countries, and not just with military means. The use of means singly will produce less and less effect. The advantages of the combined use of various kinds of means will become more and more evident. This has opened the door wide for supra-means combinations, and for the employment of these sorts of combinations in warfare or quasi-war actions.”

 Just in case China’s own words don’t ring home here are some quotes about China and its capability over the years:

 ”With the advent of the 21st Century, not only is it likely that many of the conflicts facing the United States and her allies will be of an asymmetrical and devolving nature, but it is also likely that”…”low-intensity conflict will be accompanied or compounded by computer/infrastructure attacks that may cause damage to vital commercial, military, and government information and confront communications systems.”

- Journal of Counter-Terrorism and Security International

“The potential advances in Chinese IW doctrine and capabilities have direct implications for U.S. national security. The ability of China to conduct IW against the United States in peacetime, confrontation, or conflict could pose severe challenges to defense planners.”

- Strategic Studies Institute

“China, Russia, and other nations have begun to focus on US commercial computer networks’ vulnerability in preparation for any future conflict.”

- CIA Director George Tenet, Wired Magazine

“In addition to developing wartime applications for its robust information control and perception management capability, China is pursuing IO/IW development as part of its overall military modernization.”

- Department of Defense Annual Report to Congress

While the most recent events are nothing new, I do hope that their blatant targeting of Congress will result in something more than hot rhetoric.  Perhaps a Congressional Investigation over China’s activities against the United States public and private interests will result?  Well if it results in public outrage and a change in how we as a culture view the protection of information then I’m all for it.