I ran into this question while preparing for June 27th’s episode of Security Weekly News in a BBC article. I’m not going to rehash the article like I did on the podcast, but I think it’s worth reading. The question the BBC poses is interesting and in some circles would be very provocative. After all, isn’t it unfair that politicians, media, and others in the west complain about Russian, Chinese, and other countries attacking them, but ignore our own countries’ attacks against these other nations?
We Are in Conflict
I’ll just start out with my basic opinion. It isn’t fair coverage and it doesn’t bother me that it is one sided. We are in an adversarial relationship with Russia, China, and other nations. These countries have ideologies that I’m completely opposed to and I don’t want them to gain primacy in the world. They have a history of strongly limiting personal freedoms and being very coercive with their own people to get what they want. These efforts are on-going and very active. Their offensive cyber operations are meant to support and promote these ideologies.
Do we need to give equal air time to Russia air their grievances as they try to take over Ukraine? Should China be given a sympathetic ear while they operate re-education camps? I don’t believe so.
In addition, organizations and people in the west are under steady attack by our adversaries. Of course our media is going to focus on those attacks. My father-in-law had a security clearance before he passed away. He was very upset when when the Office of Personnel Management was breached by attackers sponsored by the People’s Republic of China. He felt attacked personally. I don’t think he was ever targeted from that breach, but he was extremely unhappy about it.
We Can’t Report What We Can’t See
The BBC’s article makes this point, and I also think this is also interesting to note here. Cyber security companies based in western countries don’t have much of a customer base in Iran, Russia, China, North Korea, etc. The PRC isn’t about to call up CrowdStrike or Mandiant to ask for incident response help. These companies have little visibility in countries that western intelligence and military organizations would target. It’s extremely difficult to report on an intrusion that you’ve seen no data for.
And If They Did Find a US Intrusion?
First off, an incident response or threat intelligence firm would have to find enough information to do attribution back to the US government. The limited visibility they likely have would make attribution very difficult.
However, let’s say a US based company finds an intrusion that they think has been conducted by the NSA. How much incentive would these firms have to report on this publicly. The US government is an important customer (or potential customer) to technology and security firms and it makes little sense to poke a finger in a customers eye.
Even major media outlets like the Washington Post, New York Times, or Wall Street Journal may not be interested in running such a story. “Aww, Vladimir Putin is upset at the US for penetrating their power grid? Well, hopefully that keeps Russia from destroying our grid.”
In the End
I think the BBC article was worth being written and read. But I can’t get too worked up the lack of coverage of western cyber attacks against eastern countries. I analyze intrusions every week that were performed by our adversaries against their targets. It’s hard for me to feel sympathetic for the aggressor in these intrusions.