02/27/13 – Jeffrey Carr – The Scott Horton Show

by | Feb 27, 2013 | Interviews

Jeffrey Carr, founder and CEO of Taia Global Inc., discusses why information security (InfoSec) companies are quick to blame China – often with little evidence – for hacking/espionage operations; Mandiant’s weak case against Chinese hacker group “A.P.T. Number 12” for infiltrating the New York Times; and why critical thinking leads to the truth more often than the “gut feelings” of experts.


The Emergency Committee for Israel, Brookings, Heritage, AIPAC, WINEP, JINSA, PNAC, CNAS, the AEI, FPI, CFR, and CSP.
It sure does seem sometimes like the War Party's got the foreign policy debate in DC all locked up.
But not quite.
Check out the Council for the National Interest at councilforthenationalinterest.org.
They put America first, opposing our government's world empire, and especially their Middle Eastern madness.
That's the Council for the National Interest at councilforthenationalinterest.org.
All right, y'all, welcome back to the show.
Next up is Jeffrey Carr.
He is the founder and CEO of, I meant to ask him how to pronounce it, Taia, Taia, something global.
How do you say it?
Taia.
Taia.
Oh, okay, good.
Silent A. That's easy.
Taia Global, author of Inside Cyber Warfare, Mapping the Cyber Underworld.
TaiaGlobal.com, with a silent A there.
Also check out his blog at jeffreycarr.blogspot.com.
Welcome to the show.
How are you doing?
I'm doing fine, recovering from a trip to the RSA event yesterday.
A trip to the where?
To the RSA Security Conference.
It's really pretty much the biggest security conference in the world for information security companies.
Plenty of tax money available there, huh?
As far as some good consulting gigs?
Well, it was really more just an eye-opening thing because you've got 300 companies all claiming to have solutions to this problem, and yet every year the problem gets worse.
So it really makes you sort of sit back and wonder what's going on with this industry.
Well, you know, I once knew a computer security guy who said that, well, there's really no such thing.
There's only ever the best we can do on any given day, and you've got to keep trying tomorrow because it's an ever-evolving set of threats.
That's right.
Yeah, I would agree with that.
You can only try to raise the stakes so that it costs an adversary more time and money to attack you, and eventually, like running away from the bear, they'll just go after a slower target.
Running away from the bear, yeah, that's a good way to put it.
Exactly right, yeah.
Well, you hit right on the thing there when it comes to the money, especially when it comes to the national security state, and not just security companies for hire by corporations, but security companies for hire by the U.S. government, but really I guess the entire industry one way or the other.
There are a lot of vested interests there, and it seems as though perhaps part of all the recent scandal about Chinese hacking really just comes down to the experts who've identified that Chinese hackers have an interest in protecting or selling their services to companies and governments to protect them from Chinese hackers.
It's a conflict of interest, if not a dastardly plot.
It seems like maybe a problem.
I think so.
I mean, I think that there are implications and there are influences at work.
So, you know, companies are in a business to make money, and InfoSec companies, I'm speaking of, are in the business to make money.
So if your business is, for example, threat intelligence, the number one bad actor right now in the world that the U.S. government is interested in buying information about is China.
If you've got threat intelligence on Chinese hacking activities, you've got a buyer at the U.S. government.
So there's that motivation.
When a company has been breached, lately it's almost a badge of honor to hear that you've been breached by China versus, let's say, Anonymous or some hackers from Slovakia.
You know, it's really sort of an odd phenomenon that CEOs feel like somehow they have status if the culprit is China.
Well, that would make sense, right?
Pardon me?
It makes sense in a way that, yeah, our company is so important they want our secrets.
Exactly.
Yeah, it makes perfect sense.
But that's one of the factors at play here, right?
So, you know, so you have sort of a self-perpetuating cycle.
The U.S. government has definitely, the administration and the Department of Defense for sure, have decided a major focus area is going to be China.
And they can't really produce reports like this because the information is classified, and they don't want to deal with leaks.
When Mandiant, who has been focusing on China ever since the company was formed, produces a report, it's a gift really to the government because they can now point to this and say, we agree, you know, this is exactly what we see.
Unfortunately, the public report never really, you know, proved conclusively that it was the People's Liberation Army that was involved in these attacks against many U.S. companies.
It certainly could very well be Chinese hackers, absolutely.
It could also be companies that are, or countries that are operating through China, you know, through their servers to make it appear to be China.
Well, now, before we get into the technical aspect of this, because I do want to go over all that and we've got plenty of time for it, but I just wanted to say here after reading through your original piece and your follow-up, and I guess your New York Times piece too, it becomes very clear that you have a lot of respect for these guys.
You know them personally, some of them anyway, and this is far from, you know, a declaration of war by you and your group against their group or anything like that.
You kind of all do respect, just say, hey, you know, I think you guys are ignoring some possible other explanations for what you seem to be so sure about here.
That's exactly right.
Yeah, I know some of the folks at Mandiant.
I have a great deal of respect for their work in incident response.
They're certainly one of the leaders in that area.
So if you've been breached, you can't go wrong by hiring Mandiant.
My only argument is the conclusions.
In fact, have they phrased the conclusion, you know, we believe that it's likely to be China, or that China should be considered high on the list of possible culprits.
There's nothing that I could really find wrong about that.
You know, China is a possibility.
The PLA is a possibility.
It's just when you decide, you make a conclusive statement, when the facts don't warrant it, then I think it's responsible for people like myself or others.
And I'm not the only one.
You know, others have also looked at this and said, hey, you guys didn't prove your case.
Well, yeah, and that's another thing that you brought up there, too, is you're not arguing the case that China is innocent of hacking anybody's computers.
You're just, again, this is a very specific case.
But I don't know.
In fact, could you elaborate a little bit?
I mean, what is the extent?
Because we hear this all the time, right?
It's like Iran's mythical nuclear weapons program or something.
It seems like China's always hacking everybody's computers.
Yeah.
So I know for sure that China does it because, you know, my company, Taia Global, provides some security consulting services to companies that do business in China.
And in one case, the company had suffered a breach right after a visit of their CEO to China.
So you could say that might have been coincidental.
But then we, a month later, after the network had been cleaned of that attack and restored to a safe state, we gave one of their executives a clean laptop to take with him on another trip, on a follow-up trip to China.
And when that executive came back, we took the laptop from him and we did a forensic review, and it turned out the laptop had been compromised in his hotel room in Beijing at 4 in the morning.
So that's pretty, you know, conclusive when you have a case like that.
It's pretty cut and dry that it was China.
Unfortunately, of course, you know, this was all done under NDA, so we couldn't take it to the New York Times.
NDA?
Under a nondisclosure agreement.
Ah.
You know.
So I know it happens, and it happens a lot.
The government really sometimes builds its policy on these types of announcements.
So when you have irresponsible disclosure, you know, or when everybody in the world just starts piling on, that's bad business for trying to build some type of working relationship with a country that you really depend on.
And, unfortunately, the U.S. and China are so, you know, our interests are so connected that we're very limited in terms of what we can do, you know, offensively.
Right.
Yeah, of course.
Well, and, you know, I don't know.
You cited a couple examples there, but what about all the accusations?
I guess I'm trying to figure out how far you think the Chinese would go or have gone already when it comes to hacking American computers.
Years ago they said they'd been hacking the Pentagon.
They're trying to, I don't know, steal our nuclear codes or who knows what.
Right?
I don't know.
Well, the goal, you know, so China basically has two goals.
One goal is to improve its own technological infrastructure, and so it does that by inviting foreign companies to open R&D labs in China.
See, you know, while it's possible, you know, to breach a network from a foreign company, you risk certain things and it costs time and money, and you may not even get what you're looking for.
It's much easier to invite that company to come to China, open an R&D lab there, right, hire Chinese engineers to work there, and then what the company gets in return is access to the Chinese market, which is, you know, a massive market.
So that's a much easier way to get the information that they want, you know, from any given company, whether it's Dell or Microsoft or GE.
Sure, you know, there are hacking attempts against all of these companies, but China doesn't really need to do that.
All of those companies already have a presence.
The New York Times already has a presence in China.
It's, you know, the Chinese government monitors all communications from every, that are emanating out of China.
So they do that by, it's a matter of law.
So if you do business there or even if you're visiting there and you're using your cell phone or you have a contract with China Telecom or China Unicom or China Mobile, all that traffic is all collected.
If you're engaging with vendors that operate out of China, you know, then you're at risk for a vendor stealing your information, you know, and selling it or turning it over to Chinese authorities.
The threat landscape is really much larger than just a hacking attack.
And the PLA either is not responsible for all of these hacks that are blamed on China or they're the most incompetent, sloppy, poor excuse for a military, you know, in the world.
Because there must be dozens of countries engaging in cyber espionage and we only ever catch China.
So that's just sheer incompetence if in fact that's true, which is why I don't believe that it is true.
Right.
Well, now, why is everybody else so good?
We never catch anybody else.
What does that mean?
Right.
Well, exactly.
I mean, and the fact is, is that, you know, if you were a bad actor and you were trying to disguise your operation so that you're not caught out or found out, the best way to do that is to make it appear to be somebody else.
And with the Internet, the way that the Internet has been designed, it's very easy to do that.
Well, and I guess if you're going after the Americans and you know how hell bent they are on wanting to see China behind every hack, then better find a proxy near Beijing somewhere.
That's exactly right.
I mean, if I were a foreign intelligence service and I wanted to run an espionage campaign against any other country, I would just set up an office in Beijing or in Shanghai, you know.
Or you wouldn't even need to, right?
You could be in Austin, Texas and hack into UT and then do like, you know, Matthew Broderick in that one movie and hack into the other thing, right?
You wouldn't even have to really be in China.
No, you don't have to be in China.
You can take over a computer using a botnet.
You can actually buy server time on one of China's ISPs.
And for all intents and purposes, it'll look like you're sending email and setting up websites in China.
Well, now, are you telling me that this Mandiant report that, as you said, everybody piled on, every news agency, Reuters and all the rest of them had great fun with this and, you know, congressmen started harping about it.
Is it as sloppy as you're talking about in general here where you just take one look at it and say, yeah, but guys, it could have just been a proxy server.
Come on.
Well, you know, the report contains a lot of good information.
So it contains, you know, accurate information about the PLA.
But that's just like describing the house that you live in.
You know, you can just accurately describe the house.
But if the claim is that Elvis is living in the house, you know, then you have to actually prove that part.
So the fact that you describe the house accurately doesn't establish that Elvis is living there.
And that's what the report does.
You know, it quotes a lot of information about the PLA, about this particular unit.
It quotes a lot of information about attacks that are done, which Mandiant believes is all done by this one group that they've named APT1 or Comment Crew.
That information is all good.
It's when they try to put the two together that the report fails.
And if you just jump, if you have a copy and it's a free download, you just jump to the end of the report where you look at the table that they've set up to make their case.
You have column one, column two, and column three.
And, you know, and it just doesn't add up.
You know, you provide your own table, right?
Or you just add an extra column to the table that says, geez, I don't know, here's another explanation that I came up with that could be, you know, just as well.
Exactly.
Every one of those characteristics has alternative explanations.
And, in fact, if you jump down to the comments, there are a lot of comments to that article.
Some of the readers did their own analysis of alternative scenarios, you know, that it could have been the Ministry of State Security and not the PLA.
The Ministry of State Security in China is sort of their equivalent of the CIA.
They're just, you know, the IP address, the entire IP address argument that was made by Mandiant has really been mischaracterized.
I've seen it reproduced in the press that Mandiant narrowed it right down to the very building or to the very block, you know, that the building is on, which is just utter nonsense.
Nobody has done that.
IP addresses are notoriously inaccurate.
And the best that anybody can do is say it's somewhere in this section of Shanghai, which has 5 million people and who knows how many thousands of businesses, all sharing a communications infrastructure that's owned by China Unicom and China Telecom.
When you say in this, I guess in your follow-up here at jeffreycarr.blogspot.com, that if we follow the same standard, you could actually prove that this was all done at Wright-Patterson Air Force Base.
That's right.
That's right.
It's pretty funny, really.
Somebody who ever did this had a sense of humor.
When they were registering IP addresses, they picked one that was, I think it was, what, 10 or 13 miles away from the Air Force Base where they train Air Force cyber warriors.
I mean, you know, how funny is that?
You've got to admit somebody has a sense of humor, you know, when it comes to picking false domain registration data.
Well, and now, are you certain that it was completely just forged or maybe this is where it really did originate, you know?
Yeah.
I'm not that much of a conspiracy theorist where I'm going to accuse the Air Force of...
Hey, it's just a training exercise.
All right.
Well, so now let's talk about the New York Times hack because nothing in there, I guess maybe I was just being lazy at the time, but I don't remember being suspicious of their conclusions at all.
It seemed like they were just reporting that they were hacked by the Chinese.
As best I could tell, it sounded just right, but something really jumped out at you about that story not adding up either.
Well, you know, it could have been the Chinese.
I mean, and honestly, it's likely, in the case of the New York Times, the article itself was a little confusing because one person was quoted in the article saying that nothing was taken.
I think that was the managing editor or whoever it was.
The official at the Times that was quoted said that nothing was taken.
On the other hand, later in the article, it said that e-mails and files were accessed.
So I'm not sure which is accurate, right?
And the article never really explained how they conclusively proved that it was China.
If they had said, we believe that it's China or it's likely to be China, I would not have had a problem with that.
But when you make a claim of attribution and it's 100% attributable, and especially because Mandiant was involved and Mandiant has this very severe China sort of focus on their work, to the exclusion of most other countries, although they're starting to step away from that historical perspective now, I understand.
Then it made me a little bit suspicious, and that's why I wrote the article.
Where exactly was the proof on this?
Because interest in what China is doing or interest in what the New York Times is writing about is not exclusive to China.
Right.
And see, that's why I guess we're lucky that we have you and other experts who can say, well, actually, I know a little bit about the ex-Kung Fu script or the ghost rat or whatever these things are.
Because, again, I'm more familiar with the Iranian nuclear program or something.
If David Albright is the go-to expert on Iran's nuclear program, I know enough about that to be able to disagree with his conclusions.
But this I don't.
Correct.
This I need somebody else to step in and explain that.
Well, actually, anybody can download the ex-Kung Fu script if they want.
And the other so-called evidence that's been thrown against China is that these hackers operate like a normal workday, according to the Beijing time zone.
Well, the Beijing time zone covers all of China.
Not only all of China, but everything in a similar time zone.
Well, that covers a vast amount of countries.
So you can literally be in Estonia and operating near exactly the same workday as somebody in Beijing.
You know, it's just ridiculous.
Well, plus some people work the night shift.
And I wouldn't have to be a computer expert to figure that out.
I was just lazy.
I didn't do that much investigating.
I think anybody could see through that.
Wait a minute, the hack starts at 8 a.m.
Beijing time.
So that's part of your conclusion?
Yeah.
That's your closing argument before the jury?
I'm not sure.
You see, you got it.
That's what I'm talking about.
Well, that's just silly.
And so, but now you said besides you that there are others who were kind of speaking up on this.
And, you know, we're a little, you know, whatever.
But I didn't see anything about this.
And I only heard of you because Justin Raimondo wrote this article at antiwar.com where he mentioned your work on this.
It doesn't seem, I mean, to the layman out here who reads a lot of headlines anyway, that there is much pushback on this.
Did Reuters seek out your comment for the other side of the story, that kind of thing at all?
No.
I had some journalists seek me out for an alternative perspective.
And I know I've gotten e-mails from people, even including people in the U.S. government, that felt like the Mandiant report did not prove its claims.
But these are people that were not going to be, you know, going public with their criticism.
So I was probably one of the few people that actually did go public.
But I know just because I know some of these people that have contacted me that I'm not, you know, the only one.
I may just be the only one that's publicly calling them on it.
Well, you know, I'm kind of surprised by that because, above all, you know, you computer geniuses are the most interconnected out of all of us.
And it seems like there would be, you know, a thousand different chat forums of computer geniuses all talking about this kind of thing and, you know, commenting on each other's sites and picking fights and that kind of stuff.
It's a very kind of checks and balances kind of a world, isn't it?
I tend to avoid forums.
They're just, when you've got too many people operating behind an alias, you know, I use my name.
When I criticize somebody, they know who I am.
Even when I'm in an online forum, I use my real name.
I don't hide behind an alias.
But, unfortunately, a lot of people do choose to, you know, to criticize under an anonymous, you know, name or alias of some type.
And it just gets vicious.
So, if you want to argue with me, that's great.
You know how to reach me by email or on Twitter.
And let's argue the facts.
But if you want to attack me under, you know, some assumed name and you're protected by anonymity, then I'm not interested in engaging.
Yeah, yeah.
No, well, and I wouldn't expect you, you know, I mean, dealing with one's own comment section can be a problem enough, you know, without going trolling around.
But I guess I just meant, I sort of just expect that the computer security community would be in an uproar about this major report coming out and, you know, really leading so many people wrong so obviously or, you know, at least so far short of proof.
A lot of them are on the side of, are on Mandiant's, you know, take Mandiant's position.
So there's, you know, by far the majority agree with Mandiant by far.
I'm certainly in the minority.
Based on the same arguments?
There aren't too many people that look at things, you know, with, you know, with, they tend to agree with things that they themselves feel are true, right?
So a lot of these, a lot of companies will have an economic interest in agreeing with Mandiant.
They might have, the government might, the federal government might be a customer or for whatever reason they know that blaming China is good business.
So, you know, they're just not going to criticize.
Sometimes it's just a matter of the facts feeling, yeah, yeah, that feels to me like it's correct.
There's no critical analysis, you know, with it.
And that's perfectly natural.
We all have gut feelings about things.
And, you know, Stuxnet, I mean, Stuxnet felt like it was the U.S., even though there weren't really any hard facts to verify that at the beginning.
But it just felt like it was the U.S.
Why I went against that, you know, I was completely wrong on Stuxnet.
I thought, in fact, if there was a likely candidate in that case, it was probably China.
And even, but what I did was I listed my reasons for that.
Here's why.
Here's six reasons why I think it might be China.
It turns out everybody who thought that it was the U.S., it felt like it was the U.S., were right.
It was the U.S.
So sometimes your feelings, you know, may lead you in the right direction.
I just prefer still to do the analysis and, you know, and let it, again, let that guide my decisions.
Right.
Well, and you have the honesty to say, oh, geez, so it turns out I was wrong about that once the new information came out, which is what a lot of people are lacking, you know, it seems like to me.
Right.
And especially.
You know, I related, I don't know if you gamble at all.
I used to love to play blackjack.
So, and I used, you know, basic strategy in blackjack, which are the rules.
For every hand, there's one correct way to play it, right?
Mm-hmm.
So I'd be really pissed off sitting around a table and people that were not following basic strategy would just make dumb bets, you know, and violate what I thought was the correct way to play the game.
They'd make a stupid bet, and then even worse, they'd win.
It doesn't, you know, so sometimes if you can, you go with your feelings and you're right.
But that doesn't mean that's the best way to make a decision, you know, across the board.
I still think critical thinking is still a valuable commodity.
Right.
Well, and, you know, especially when, like I was saying before about the ignorance of us regular laymen when it comes to subjects like this, we really like to believe that you super nerds with all your math and science aren't really going with emotions at all.
This comes down to numbers and letters and code that we don't even know how to make our keyboard make that weird symbol that you use for the code, guys.
So we want to believe, right?
It's almost a religious thing.
We want to believe with our emotions that you guys are just sticking with the numbers on the page, and math is always right every time kind of a thing, you know, but it's really not like that.
It's just like anything else.
That's correct.
A hundred percent right.
And especially, and this is as you're saying in the article, which is really your bottom line.
So we better be really careful when we're talking about accusing other major powers on Earth's militaries of doing this, that and the other thing to us and go jump in the gun and jump in conclusions and maybe creating bad policies based on bad information that's going off of some so-called experts gut rather than any real proof.
Exactly.
And look at the Iraq War.
It started over bad intelligence.
Everybody in the federal government was swearing up and down that Iraq had WMDs, and it turned out to be all based on faulty intelligence and lack of negative analysis and critical thinking.
They wanted to believe.
Yep.
All right.
Well, listen, great work here, and thanks very much for your time on the show.
I really appreciate it.
My pleasure.
All right, everybody.
That is Jeffrey Carr.
JeffreyCarr.blogspot.com to read his articles about the supposed Chinese hackings.
And then also check out TiaGlobal.
Did I say it right?
TiaGlobal?
T-A-I-A-Global.com.
Hey, all.
Scott Horton here inviting you to check out WallStreetWindow.com.
It's a financial blog written by former hedge fund manager Mike Swanson, who's investing in commodities, mining stocks, and European markets.
WallStreetWindow is unique in that Mike shows people what he's really investing in and updates you when he buys or sells in his main account.
Mike thinks his positions are going to go up because of all the money the Federal Reserve is printing to finance the deficit.
See what happens at WallStreetWindow.com.
And Mike's got a great new book coming out, so also keep your eye on writermichaelswanson.com for more details.
Hey, ladies.
Scott Horton here.
If you would like truly youthful, healthy, and healthy-looking skin, there is one very special company you need to visit, Dagny & Lane at DagnyAndLane.com.
Dagny & Lane has revolutionized the industry with a full line of products made from organic and all-natural ingredients that penetrate deeply with nutrient-rich ionic minerals and antioxidants for healthy and beautiful skin.
That's Dagny & Lane at DagnyAndLane.com.
And for a limited time, add promo code SCOTT15 at checkout for a 15% discount.
Man, you need some Liberty Stickers for the back of your truck.
At LibertyStickers.com, they've got great state hate, like Pearl Harbor was an inside job, the Democrats want your guns, U.S. Army, die for Israel, police brutality, not just for black people anymore, and government school, why you and your kids are so stupid.
Check out these and a thousand other great ones at LibertyStickers.com.
And of course, they'll take care of all your custom printing for your band or your business at TheBumperSticker.com.
That's LibertyStickers.com.
And everyone else's stickers suck.
Hey everybody, Scott Horton here, inviting you to check out the Future of Freedom Foundation at FFF.org.
They've got a brand new website with new and improved access to more than 20 years worth of essays promoting the cause of liberty.
And FFF's writers, including Jacob Hornberger, Jim Bovard, Sheldon Richman, Anthony Gregory, Wendy McElroy, and more, aren't just good, they're the best at opposing and discrediting our corrupt overlords in Washington and their warfare-welfare regulatory police state.
That's the Future of Freedom Foundation's new and improved site at FFF.org.
Hey y'all, Scott here.
First of all, thanks to the show's sponsors and donors who make it possible for me to do this.
Secondly, I need more sponsors and more donors if the show is to continue.
ScottHorton.org has all the links to use PayPal, Give.org, Google Wallet, WePay.com, and even bitcoins to make a donation in any amount.
You can also sign up for monthly donations of small and medium-sized amounts through PayPal and Give.org.
Again, that's ScottHorton.org/donate for all the links.
To advertise on the site or the show, email me, Scott at ScottHorton.org.
And thanks.