This development is not surprising, given that cyberespionage is a rapidly growing and serious threat.  Earlier this month, the Wall Street Journal published a story on cyberespionage attacks originating from China against the U.S. power distribution grid (reported earlier in this blog).  And yesterday the Journal reported that computers holding data concerning both the developmental F-35/Joint Strike Fighter (JSF) and the United States Air Force's air-traffic-control system had been breached.  In the case of the Joint Strike Fighter breach, it appears that hackers were able to copy several terabytes of design information on the aircraft, potentially including information relating to its electronics system.  Lockheed Martin, the lead contractor in the Joint Strike Fighter program, disputes the article's representation of successful attacks, claiming that "there has never been any classified information breach." 

The Defense Department's recent Annual Report to Congress on Chinese military capabilities, released in March, notes China's focus on the development of "Non-Contact" Warfare capabilities, including both offensive and defensive Computer Network Operations (CNO).  These capabilities might be used both to enable China's access to sensitive and highly-controlled dual-use technologies, and to enhance its development of offensive asymmetric/cyberwarfare capabilities against military and civilian networks - especially communications and logistics nodes. It should be noted that China has repeatedly denied involvement in cyberespionage attacks and has called the Defense Department's report "severely distorted facts, and was absolutely groundless."

Intelligence collection, including through espionage, against logistical, infrastructure, and non-military targets is nothing new.  And China is not unique in its efforts to develop cyberwarfare capabilities.  Indeed, computer network attack and defense are basic building blocks of United States Information Warfare Doctrine.  But the large volume of information concerning national infrastructure and even military logistics that remains in unclassified networks connected to the Internet is cause of stepped-up cybersecurity efforts.  The GhostNet example demonstrates that a cyberespionage effort can quickly compromise and exploit a tremendous amount of data, including dual-use (both military and civilian application) technologies and political information.  Corporations and other organizations should be concerned about cyberespionage threats even if they are not handling classified information.  While Lockheed Martin may be correct, in the case of the JSF attacks, that classified information was not compromised, that does not mean the cyberespionage attacks were benign. 

OPSEC – an acronym for Operations Security – is one of the cornerstones of counterintelligence strategy. The Department of Defense definition of OPSEC (.pdf) is “a process of identifying critical information and analyzing friendly actions . . . and other activities to (1) identify actions that can be observed by adversary intelligence systems, (2) determine indicators that hostile intelligence systems might obtain that could be interpreted or pieced together to derive critical intelligence in time to be useful to adversaries, and (3) selecting and executing measures that eliminate or reduce… the vulnerabilities of friendly actions to adversary exploitation.” But OPSEC does not just apply to military organizations. It should be a foundational principle for all security architecture. 

At the same time, federal investigators were looking into an entity called Bay Area Laboratory Co-operative (BALCO), which by then was suspected of providing steroids to a number of Olympic, NFL, and MLB athletes (including Barry Bonds). Approximately one week after the MLB steroid tests had been completed and the results reported, federal prosecutors served a subpoena for the results relating to 10 named MLB players. While the baseball players’ union (the MLBPA) moved to quash the subpoena, it could not destroy the tests results after having received the subpoena. Then, in 2004, the government’s BALCO investigation team obtained a warrant to search the premises of drug testing firms Comprehensive Drug Testing (CDT) and Quest Diagnostics, which had performed the 2003 MLB tests. Among the items seized in that 2004 search was a data file containing not only the results of all 1200 MLB players’ tests, but also those of numerous other people unrelated to baseball. Since then, the labs and the players’ union have been engaged in legal efforts to prevent the government from using the information in the data file to obtain additional warrants and to issue subpoenas based on those results. That is the issue currently before the Ninth Circuit. However, in February 2009 information that A-Rod was one of the 104 previously- unnamed players was leaked to the press from an unnamed source, and reported in Sports Illustrated.       

While the process that led to the A-Rod revelation has been received extensive press coverage, there has been surprisingly little focus on the week between the players’ union’s receipt of the 2003 tests and the subpoena. In its official statement (.pdf), the players union has explained that, while the destruction process was underway when the subpoena was served, it had not been completed and thus had to be suspended in light of the subpoena. But could destruction of the test result data and samples really have taken five days? Could it have required more than 5 hours?  

It is easy to miss the lessons of this story. After all, most of us sympathize with government officials seeking to root out use of performance-enhancing drugs in professional sports. And the "victims" here -- baseball players caught cheating -- are not entirely sympathetic. But what if, instead of steroid testing data disclosed to the government pursuant to a subpoena, this case involved hackers stealing personal medical information that, like the steroid testing data, was retained for longer than necessary? In both scenarios, effective OPSEC could have avoided the disclosure of this information altogether.  Using the steroid example, for instance, it is difficult to see why the players union did not recognize that the testing result were, to borrow from the OPSEC definition, “critical information” that could “be interpreted or pieced together to derive critical intelligence in time to be useful to adversaries,” especially in light of the then-ongoing investigation into BALCO and the widespread public suspicion that a number of MLB players were using steroids.  Identifying sensitive information and disposing of it when no longer necessary is an OPSEC principal that appears to have failed here.

Today, many corporations and other organizations are focused on e-discovery and classical business intelligence problems. To borrow terms from the intelligence cycle, these are primarily "collection" and "analysis" challenges. They involve management of information and data in support of efforts like business analytics or to improve a company's ability to comply with compliance/discovery obligations. The MLBPA's citation of the subpoena as justification for retaining testing information probably resonates with anyone handling similar responsibilities in a corporation.  

But the complimentary discipline of counterintelligence, including sound OPSEC practices, is not yet receiving enough attention. We measure the utility of data today in minutes and seconds where once we thought about days and weeks. Our OPSEC practices and tools should reflect that fact. And while OPSEC can be enhanced with the right expertise and technology, it is an enterprise-wide responsibility. It must become a mindset -- not an action item assigned to a single person or team. Emerging regulatory efforts at the state and federal level will have important implications on the structure and limits of future OPSEC efforts, but that is no reason to delay the adoption of sound OPSEC measures now.

Links:

• ESPN.com articles covering the A-Rod story and referred to in this piece can be found here, here, here, and here.
• The Department of Defense definition of OPSEC is contained in DoD Directive 5205.02, accessed from the Federation of American Scientists website here.
• The Internet Engineering Task Force's (IETF) discussion of OPSEC can be found here.
• Additional information concerning BALCO, CDT, and Quest Diagnostics (respectively) can be found here, here, and here. 
• Publicly-accessible copies of papers submitted to the U.S.Court of Appeals for the Ninth Circuit in the case discussed herein can be found on that Court's website here.
• The original Sports Illustrated article that broke the A-Rod story is located here. 
• The MLBPA official statement regarding the disclosure of drug testing results can be found here.