There has been a lot of media coverage of the recent report to Congress on Foreign Economic Collection and Industrial Espionage. It states that foreign governments are conducting a huge amount of espionage against U.S. corporations to obtain intellectual property. There are a couple of things that bother me about this.
- Spying and/or industrial espionage is nothing new. It's been going on for hundreds of years, and the introduction of the Internet hasn't changed anything other than the ease with which it can occur.
- These electronic attacks have been going on for over 10 years, and only now do we see a report? Those of us who actually practice security have been dealing with this for a long time, trying to combat the issue in a mature, risk-mitigation-based manner.
- The report focuses on key areas of data such as defense, energy and others. It should be scoped that way from the outset rather than being as inflammatory as it is.
- The recommendations at the end of the report should be a lot better. If they really wanted to drive solutions to the problem, they would have suggested using a mature industry framework (COBIT / ISO) to do it. This only highlights how far behind they are in understanding the problem.
As I've written before, the problem isn't knowing attribution, threat vectors or anything else. It has everything to do with getting corporations to accept that this is a problem for them. That doesn't mean every company will agree that this is a concern, nor should they have to. What matters is that practitioners drive the discussion and keep a healthy dialogue going about it.
Yet this report goes for the fear sell instead of actual data and diagnosis. The same is true of certain vendors' "Marketing Reports": all fear, with no data to substantiate it and no solutions to address it. In addition, the media picks up on "China does most of the attacks" and reprints it because it's catchy. Congrats, ONCIX, on getting media attention; however, you're ruining all of our chances of fixing it.