Cyber Security Motivations Guessing Game
Can we determine what drives infosec and does it matter?
There was a discussion on Twitter about what motivates media attention to infosec, and what does it reveal about the industry, countries, markets and players? This talk was sparked by @agelastic asking why media attention to APTs is so one sided via both volume (Western media) and victim (US/Western victims).
Cyber Kremlinology, a burgeoning field
Figuring out what is going on, with any accuracy, when the players are operating in different environments, with different incentives, risks, strategies and goals, and where several key players maintain tight information control… is challenging. Attempting to discern what is happening based on limited information is a great way to be wrong.
China and Russia are different from the US in a number of ways (that matter here.) The competitive security company market place is very different: Russia has Kaspersky; China has the dominant Qihoo360, and two heavyweights (Baidu and Tencent) attempting to muscle in. Neither China nor Russia has a free press to the extent that the US does, so what we can glean from their media reports is much less revealing.
Spotlight: China’s Cyber Security Market War
For a company that wants to position itself as a security leader, having a long list of dead bugs to your name is a strong signal. The result of the Baidu, Tencent, and Qihoo contest for cybersecurity mindshare inside China is that Chinese teams dominate activities which have a clear PR benefit.
pwn2own 2016
The contestants are three Tencent teams, one Qihoo team, and one amazingly skilled Korean, lokihardt.
- Tencent Security Team Sniper (KeenLab and PC Manager)
- 360Vulcan Team
- JungHoon Lee (lokihardt)
- Tencent Security Team Shield (PC Manager and KeenLab)
- Tencent Xuanwu Lab
pwn2own 2015
The contestants are more diverse, but include:
- Keen Team
- 360 Vulcan Team
- Tencent Security Team
- JungHoon Lee (lokihardt)
pwn0rama 2016
An event held alongside SyScan360 in Singapore had two teams, both from:
- 360 Vulcan Team
A skim over the last few months of Android security bulletins shows a heavy Chinese investment in bug hunting on Android. The first Qihoo 360 vulnerability was credited in September 2015, and by April 2016 they are a significant presence. Chinese vulnerability hunting teams dominate the April, May, June bulletins, including:
- 360 Vulnpecker Team, and IceSword Lab 360
- Alibaba
- Baidu X-Lab
- KeenLab Tencent
- C0RE TEAM (Tencent affiliate?)
Also worth noting is the targets these teams are hitting: Qualcomm RF components, Linux kernel drivers, and other “interesting” components. There’s no denying that China has formidable vulnerability hunters.
MSRC Top 100
The leadership boards of the top contributors to killing Microsoft vulnerabilities are also telling. The number 2 spot is Tombkeeper, the head of a Tencent security research team, and KeenTeam also make a top50 appearance.
China’s Internet Security Push
One takeaway from the above data is that Chinese security company competition is a top drivers for vulnerability disclosure. If you’re from the “killing bugs makes the internet inherently safer” camp, then Chinese companies are clearly doing more to secure the Internet than any European company.
There is a more sinister way to interpret this same data though. Maybe it is a strategic cyber operation to deny Chinese adversaries access to critical resources. For example, if your cyber program doesn’t need unpatched vulnerabilities as a critical component but your adversary’s does, you may invest in disclosing vulnerabilities. So more publicly known bugs is good for Chinese cyber teams (who have made extensive use of dead bugs) and bad for Five Eye cyber teams (who have a strong preference for unpatched bugs.)
Is APT a (Useful) PR Myth
This is some of what I said on Twitter, but covers more ground. First of all, a motivation for US APT defence companies to promote themselves is that US cybersecurity is a competitive marketplace. Having media coverage about the “problem to solve” and positive mention of “solving the problem” is simply good for business.
Clearly, US APT companies have an incentive to promote their success stories. They also have significant freedom to promote those stories because of the extremely loose control over the US press. Therefore, incentive plus freedom equals “promote ‘the APT problem’ and our ‘APT solutions’ via the media.” Does that mean that there are no APTs? Obviously there are. Does it mean that the problem is overstated? Maybe, maybe not.
Chinese companies are under different market pressures. They are trying to take mindshare and marketshare in a more generic “cybersecurity” space, so focussing on niche issues like APT isn’t so important. Or, maybe Chinese companies are not under threat from APT campaigns stealing IP and as result there is no “APT problem” and thus no market interest in a solution. Or, maybe Chinese companies are unable to detect APTs.
The Chinese government also has a strong incentive to prevent media reports of APTs — security. By not telling the adversary what they know, the Chinese help protect their capabilities by denying the opposition feedback and information. So maybe Chinese companies are not allowed to promote APT reports in the media.
Given the available information, it is simply not possible to tell why Chinese companies aren’t pushing APT reports to the media.
What Do We Know?
All that I would be comfortable stating is:
- APT coverage in the media is not a complete, or accurate, picture of the real conflict in the cyber domain
- Control over media coverage is a great way to mask one’s capabilities
- Market forces and strategic interests can align to produce unpredictable outcomes (“politics makes strange bedfellows”)
Media reports are probably not the best source for understanding an invisible silent war fought in the dark.
Update [2016–11–04]: a Chinese company has dropped some NSA implants. This comes several days after the ShadowBrokers released a list of NSA compromised servers that included a lot of Chinese hosts.
