ASPI ICPC's Cyber Maturity in Asia-Pacific region 2014 report: a review

The Australian Strategic Policy Institute’s International Cyber Policy Centre (ASPI-ICPC) released its inaugural “Cyber Maturity in the Asia-Pacific Region 2014” report. Like all such endeavours it has its warts, but it should be congratulated for tackling a significant challenge. The report is a mix of quantitative and qualitative approaches and tries to devise simple metrics for a complex issue.

It’s a great start that can only get better, and in light of that here are my few comments (mostly on methodology).

Research Questions

1. Governance

Metric 1A talks about effectiveness, metric 1B doesn’t. Including and attempting to measure effectiveness of activities is a better indicator of maturity than just recording that activities take place.

b) Is there existing legislation/regulation relating to cyber issues or internet service providers (ISPs)? Is it being used? What level of content control does the state conduct or support?

State views on ISP regulation are suggestive of the state’s perspective on the regulation of content, governance and the involvement of the private sector in cyberspace.

The view from business and civil society is that the government should stay out of regulating ISPs as providers of connectivity.

An understanding of the state’s views on content control is important to all other stakeholders when engaging with it.

Absolutely. And there needs to be a measure for this. Is censorship good or bad? Plus or minus points? You can't have it both ways, or merely indicate that content control is important without specifying why, how, and how it affects maturity.

c) How does the country engage in international discussions on cyberspace, including in bilateral, multilateral and other forums?

This is a subjective indicator; countries that have a different approach to the one assumed by Western reviewers will automatically rate lower than those with views and approaches similar to ours, no matter how much the rest of the world may disagree. Instead, the metric should measure engagement itself, regardless of the form it takes. Some will always have an opposing view and a different approach. That doesn't make it any less valid.

d) Is there a publicly accessible cybersecurity assistance service, such as a CERT?

And is this service widely known to the constituency? Australia's own JSOC, (Gov)CERT.Au, etc. were all at one time assistance services that no one in the industry even knew about. I remember at least three events where various industry-facing services were mentioned by Australian Government representatives: government cyber security services that the majority of the people in the room (all representatives of critical national infrastructure organisations) had never heard of before.

2. Military application

e) What is the military’s role in cyberspace, cyber policy and cybersecurity?

A specialised organisational cyber structure within the military indicates some awareness of cyber issues in the armed forces, and possibly the military’s perspectives on the use of cyber operations capabilities.

Insufficient to measure. Should also ask:

  • how many different areas in the military are looking after 'cyber' issues (indicates too many cooks spoiling the broth, infighting, etc.)
  • how well the military is prepared to protect its own installations
  • whether the military is encroaching on the civilian sphere
  • ...

3. Digital economy and business

a) Is there dialogue between government and industry on cyber issues? What is the level/quality of interaction?

High-quality public–private dialogue on cyber issues demonstrates a mature understanding within government and a good awareness of cyber risks in the private sector. This presents an opportunity either to engage in capacity building or to learn and implement similar strategies.

More importantly, what are the tangible outcomes? There is always some level of quality interaction, yet the outcomes often just aren't there.

b) Is the digital economy a significant part of economic activity?

How has the country engaged in the digital economy? The state’s level of engagement with the digital economy indicates its ability to harness the digital sector for economic growth.

The state's level of engagement? Or the state's encouragement, support and preparation of a free market that creates a digital sector and related opportunities? The state's level of engagement is very high in China, yet China's metric is fairly low.

Components of the Methodology

There is absolutely nothing wrong with the approach to the methodology, but it needs a big “warning” sign, because it applies a very WEIRD world-view to an area of the world that is extremely diverse and where Australia is the odd one out. With that out of the way, here are the specific comments I had.

The final step was to rate each country against the nine factors, again on a scale of 1 to 10, with 10 being the highest level of maturity that could be awarded. These assessments were based on an extensive qualitative and quantitative open-source research package.

And yet the notes only list 12 references. Maybe all of the references should be included, even if they were just articles, journal papers, etc., because they most definitely influenced a number of ratings.

Appendix A: Scoring Breakdown

This, which should be the foundation of the otherwise good review of maturity in the region, is sadly the weakest part of the report. The scale is from 0 to 10 (effectively giving 11 potential values), yet the criteria for each individual value are not set. Worse, scoring looks like this:

There are 3 values that can be assigned to “No organisational structure” but we don’t know what differentiates a ‘0’ from a ‘1’ or a ‘2’. Worse, there are no clear rules set that would help countries and other interested parties in seeing what they need to do in order to improve their maturity.

Appendix C: Engagement Opportunities Indicators

Further complicating things, and in my view diminishing rather than adding value to the report, is the distinction between maturity and engagement opportunities. The two really should be combined. High maturity implies high engagement because high maturity is measured by outcomes, not activities. Plenty of activity but no visible improvement is a sign of low maturity. Some would say that if we measured by improvements, then the countries that are now rated as mature in the report would get a low to moderate maturity rating.

On the positive side, the Engagement Opportunities table shows in greater detail what should be done, or is expected to be in place. Still not sufficient to be actionable, but at least it gives a good foundation for what is expected.

My 2 bits

Overall, the courage to produce it and the rule-of-thumb country results make for a very good, informative read. There is a wealth of information hidden in there, which is let down by the poor maturity matrix for the quant wonks amongst us. That the authors decided to reveal their methodology shows that this fairly new centre (6 months?) in a fairly new think tank is looking for feedback and looking to improve the service they provide, and there’s no doubt that next year’s report is going to be even better.

China: c-c-changes

This article on the unintended consequences of Chinese President Xi Jinping's drive to purge the Chinese Communist Party of corruption is likely to go unnoticed by most. Which is a shame, because it shows most clearly just how divided the CCP is and how many different factions there are.

Some key quotes:

Chinese leader Xi Jinping in fact says no one is immune from his corruption probes and that he is going after both “tigers” and “flies,” party lingo for officials high and low. Few in China actually believe that Xi is trying to rid China of that evil, however. After all, the Communist Party has become completely infested, and the president appears to be targeting only political adversaries, such as the infamous Zhou Yongkang, the former security czar, using “corruption” as an excuse.

As a matter of fact, the purges have gone so far

that former leaders Jiang Zemin and Hu Jintao are now asking him to slow the effort, in part because he is threatening their extensive patronage networks and also because his investigations could shake the foundations of the party itself.

And that, the last part, is why Xi Jinping could be the biggest game changer in China since Deng Xiaoping's opening up of China and the economic reforms that set China on its current course.

How all this is relevant to cyber security and risk management is left as an exercise to the reader.

Cyber war and Russian view

Keir Giles wrote a good paper, which you really should read, on the Russian view of the legality of information warfare/operations (cyber warfare). This is a fairly neglected aspect of information warfare studies and is completely ignored by cyber warfare experts in the West, who consider the Western view to be the sole view. That is because they are largely WEIRD. The West is largely in introspection around diversity, where diversity now means that everyone has the same values, shares the same culture and is working towards the same goals in a similar fashion. Indeed, that’s not diversity at all.

Cyberspace, cyber war and international law

The US and its allies (EU, Australia, NZ, …) share the view ‘that existing international law and international commitments are sufficient to regulate cyber conflict.’ The Tallinn Manual and other widely accepted legal views on international and customary law assume that this view is universal.

However, nothing could be further from the truth. China, Russia and others with a similar approach to information security (where the term includes propaganda, control over information flow by the government, etc.) disagree with the idea that the current international laws are sufficient.

This position may be surprising, but it is a rational position from the Russian and Chinese perspective. Both Russia and China feel threatened in the current environment: threatened by the lack of clearly defined rules, laws and treaties that would show what is and isn’t allowed.

Both China and Russia are sticklers for rules: rules present lines that are not meant to be crossed. Rules also present opportunities. Opportunities to find loopholes, opportunities to follow the letter of the rule whilst blowing raspberries at the spirit of the rule. Opportunities to dance on the line whilst never actually crossing it.

In short: the West is happy with slight uncertainties and the fluid state of customary law because they are all singing from the same song-sheet. China and Russia want to have a fresh set of rules that are specific to cyberspace: this way they will have certainty and the ability to continue with their merry ways without actually breaking any rules.

Not everyone is WEIRD

If you are told that you are WEIRD, don't take offence. It likely means that you belong to the roughly 12% of the global population that is Western, Educated, Industrialised, Rich, and Democratic *. Good as it may sound, it also puts you at a disadvantage when dealing with people from different cultural backgrounds.

The problem with reliance on studies that were done solely with WEIRD participants is that it skews the results and, worst of all, assumes a certain cultural background in the decision makers:

[M]any studies have shown that Americans, Canadians and western Europeans rely on analytical reasoning strategies — which separate objects from their contexts and rely on rules to explain and predict behaviour — substantially more than non-Westerners. Research also indicates that Americans use analytical thinking more than, say, Europeans. By contrast, Asians tend to reason holistically, for example by considering people’s behaviour in terms of their situation.

That the WEIRD bias has had a significant negative effect on a range of social sciences is not surprising. That it hasn't been sufficiently accommodated in risk management and decision-making theories during the last decade, though, is.

Progressive risk managers tend to look to behavioural economics, anthropology, psychology, sociology and communicology to improve their skills and their organisation's management of risk. But relying on studies that assumed a certain cultural background in the decision makers can make things worse, rather than improve their ability to help decision makers make the best decision under uncertainty.

Remember, culture plays an important role. So do emotions, even if certain behavioural economists tend to ignore those.

Cyber and the art of conversation

This post was spurred by Justine Aitel’s talk at SOURCE Boston, where she supposedly (not having been there, it is a bit hard to confirm) said that the IT risk and/or security industry needs to use the term “cyber” in order to reach the business audience more effectively.

Yes, security has a problem communicating. No, it is not what you think it is. Yes, using “cyber” can help. No, it’s not what you think it is.

Communication - listen!

Infosec people love to talk. Incessantly when it’s about something near and dear to them, sky falling or their latest gadget or … you get the idea. They also love to talk about listening, and how we’re not doing it right. And don’t interrupt us while we’re telling you how we need to listen more and talk less. :-) Yes, the secret to good communication is listening.

In the corporate world that translates into knowing and understanding:

1. The industry you are in, both locally and globally. Know the local industry profoundly, keep tabs on what leaders globally are doing, and see how it translates to your local environment. How?

  • Read the industry magazines. There are plenty of online resources, papers, etc. Keep a cursory track.
  • Join a couple of industry bodies. There’s always one or two forums.
  • Ask in your company, but always be ready to also look outside.

2. What your organisation’s goals are. Not the stated ones, the real ones: the ones your organisation needs to pursue in order to make whatever it promised to the markets a reality. How?

  • Talk to people at the coalface, so to speak: project/program managers, architects, developers, marketing and advertising, finance.
  • Establish good relationships early on with a few people in different areas. Look for people that you get along with well personally, regardless of the perception of their position. Organisations leak bits of information everywhere; your role is to pull it all together for yourself.

3. What the department heads, the chief executives and others in positions of power need in order to meet their Key Performance Indicators. Sometimes this will be stated quite bluntly; other times you will need to put a lot of disparate data together in order to see the bigger picture. How?

  • Establish initial rapport: just offer to see if you can help people with anything.
  • Make a presentation of what you/your team are doing. Show how it is relevant to your audience. To get something you have to offer something.
  • Simply ask. Ask how you can help.

4. The type of conversations to avoid: Purely negative conversations that don’t offer “and this is how we can fix it” suggestions are a drain. Steer clear.

People say this is easier said than done, but the fact is that you need to talk to people at all levels.

  • It helps if you are naturally curious.
  • It doesn’t help if you are naturally extroverted: in that case you will need to work on your listening skills.
  • It doesn’t help if you are naturally shy: in that case ask someone you are at ease with to introduce you to those you want to talk to, to break the ice.
  • It doesn’t help if you are: I'm not shy. I'm just very good at figuring out who's worth talking to. Most of you aren't.

Cyber here, cyber there, pretty soon there’s cyber everywhere

No, talking about cyber as “the big bad thing that will end us all if we don’t …” is not going to help anyone. Your company already navigates more risks than most infosec people can imagine, and does so on a daily basis.

Talk about “cyber” and explain to the decision makers and anyone that will listen (that’s a good way to get time with the decision makers, too) about what cyber really is and how it relates to current affairs.

A hint and a useful bit of trivia to break the ice: explain that the term “cyber security” came to be as a response to countries, spearheaded by Russia and China, that consider “information security” at the national level to include propaganda, control of information flow within the country, etc. After Russia started pushing for a UN resolution on “information security” that covered, in some interpretations, dissent as an information security problem, the West started using the term “cyber security” in national conversations to distance itself from the Sino-Russian definition.

If you’re in Europe, use the example of Russia and Ukraine. If you’re in the US, use the previous example, but also the espionage from China and how the cultural differences (a serious problem) make the discussion harder (draw analogies between IT and the rest of the organisation?) because of differences in understanding of the terms. No commonly defined terminology = mucho confusion.

And in the end, it helps if you know just what cyber really is. Trust me on this, you don't want to propagate the half definition of this phenomenon.

Cyber espionage - the Chinese way

We reviewed the Chinese intelligence community structure and the way they collect data and, as a result of the first two, also tackled the monolith myth of China, in order to explain why most things you hear about Chinese cyber activities neither make sense nor survive closer analysis. Now it is time we have a look at Chinese cyber capabilities and their use.

This is Part 4 of the four part series:

  1. Chinese intelligence structures
  2. The Chinese way of collecting data
  3. China: the monolith myth
  4. This post

Rapid rise, asymmetric going on symmetric and information warfare

China has, in quick succession, gone from the underdog on the cyber scene to one of the leaders of the pack. In 1996, when public internet was allowed in China, there were only 2 million users. Now, in April 2014, there are about 620 million internet users in China. For comparison: that’s twice the total population of the USA. The Chinese quickly grasped that the internet is the new way to do business, whatever business they’re in. The PLA recognised the power of the internet, and in 1998, two short years after the internet became publicly available, two Chinese colonels wrote a seminal work for the time: Unrestricted Warfare. At the time of its publishing the book caused a stir in the US because it identified the US military’s dependence on ICT networks as its major vulnerability, something that the PLA could target and exploit in asymmetric warfare.

The PLA’s strategy for the use of electronic and cyber warfare has since evolved dramatically. First, because it is no longer an underdog:

The PLA is pursuing a highly ambitious cyber-warfare agenda that aims to link all service branches via a common ICT platform capable of being accessed at multiple levels of command and has created three new departments of Informatisation, Strategic Planning and Training to bring this agenda into being.

Moreover, the PLA has taken the opposite direction to the US on cyber, technology and information superiority since the late 1990s: the US started with the information warfare concept in the 1990s, then slowly rejected the softer aspects of it and focused solely on network-centric warfare and electronic warfare. The PLA started with network-centric warfare and electronic warfare and then incorporated information warfare concepts to arrive at the information confrontation concept of today.

Cyber espionage and conflict

A lot of the available information in China deals with cyber warfare (to use the Western term), but there’s precious little talk about cyber espionage. Cyber espionage is the topic most tightly linked with China in the Western sphere of influence, thanks to operations such as Titan Rain, Aurora (with the later revelation that it was, in fact, a counter-intelligence job) and GhostNet.

Like Russia, China considers war to be the final stage on the conflict continuum. Stages on the conflict continuum can be roughly divided into:

  • meddling in other countries’ internal affairs via purely informational means (including meeting the Dalai Lama, supporting Tibetan independence, supporting the Uighur plight, …);
  • social conflict (increased terrorist, ethnic separatist, extremist activity);
  • armed conflict;
  • war.

What this means for the Chinese understanding of cyber conflict is that “support for separatist movements”, i.e. Tibetans, Uighurs, etc., ranks on the conflict continuum, whereas industrial espionage is a simple legal issue. To China, industrial espionage, even state-sponsored, is just a way of conducting business, even if an illegal one. Hostile information activity, on the other hand, is squarely on the conflict continuum. The West takes the opposite view, but there aren’t enough people versed in and understanding both views to build a bridge.

Industrial-scale industrial espionage

There is no doubt that entities in China are indulging in large scale industrial espionage of a variety of industries across the globe. But,

the overall picture is reminiscent of China’s earlier humint-driven efforts to collect foreign science and technology. There is still a significant ‘Wild East’ aspect, characterised by an apparent absence of effective co-ordination and the involvement of a multiplicity of actors with different motivations.

Two distinct groups of targets of Chinese espionage are:

  1. Covert science and technology (RSA, Lockheed-Martin, etc.)
  2. Political and economic intel on foreign governments and NGOs and opposition groups outside China.

The former is the focus of 3/PLA, whilst the latter is traditional MSS ground. Since China’s intelligence services maintain a distinct culture of isolationism from other services, it is not unthinkable that both 3/PLA and the MSS have developed their own cyber espionage capabilities.

The former head of the NSA, General Alexander, said that China operates industrial-scale cyber espionage aimed at the US government and US industries. So far Chinese spies have yet to show that they have the ability to actually process and put to their own benefit all this stolen information. In the end, the two cases that are used as examples of Chinese industrial espionage (yes, only two well-documented cases after all this time), the AMSC wind turbine affair and the Nortel long-term espionage, serve best to explain the difference. In the AMSC case the industrial espionage was performed by an erstwhile business partner that managed to steal not just the code but also the coder. This dealt a significant blow to the organisation, and it all happened in a really short period of time.

In the Nortel case the adversary had access to the internal network and all the information Nortel had for at least a decade, with no significant impact on Nortel stemming from the breach and espionage itself. It was Nortel’s poor business practices and lack of competitiveness that did it in.

It is unknown how much China’s Standing Committee (and the Party bureaucracy) can do about the cyber espionage undertaken by Chinese intelligence services and other parties in China.

The two top priorities for the Chinese Communist Party are maintaining economic growth and domestic stability and averting any challenges to the leadership of the Party. Reining in cyber and other espionage, if doing so is contrary to the top two priorities, is out of the question.