Tuesday, November 3, 2020

A second byte at the China apple

Recently I read an interesting paper by Michael Fischerkeller, who works at IDA (a US Govt contractor that does cutting-edge cyber policy work). The first concept in the paper is that the Chinese HAD to implement a massive program of cyber economic espionage in order to avoid a common economic trap that developing countries fall into, the "middle-income trap". 

One thing that always surprises me is that most people have missed the public and declassified announcement that the USG made when it came to how primary the effort of cyber economic espionage was to the Chinese strategy - to the point of having fusion centers to coordinate the integration of stolen IP into Chinese companies.

It shouldn't surprise anyone on this blog that security policy and economic policy are tightly linked, but it's worth taking a second look a this paper's recommendations and perhaps tweaking them. Especially in light of US Government actions against Huawei, which demonstrate a clear path towards US power projection. 

But our path probably runs more efficiently in a different direction - protecting Intel, AMD, Synopsys, ASML, TSMC, and other firms key to building the chips China desperately needs, and which the US has recently restricted via export control. Because TSMC and ASML are not US companies, we would need to flesh out policy that would enable US "Hunt Forward" teams to operate on their networks proactively, instead of reactively.

And offensive cyber operations could be levied against the fusion centers distributing stolen IP, and against companies that receive that IP. "Hacking the hackers" is flashy and sounds good in terms of defensive operations that USCC can do, but as a long term strategy, it might simply be training up the hackers to have better OPSEC. Deploying an intelligence capability against the fusion centers, or the companies LIKELY to receive stolen information maybe have better return on investment, especially if that intelligence capability can be turned into a deterrent effort with the push of a button (something we also need to build policy around).


No comments:

Post a Comment