PREFACE TO THE PAPERBACK EDITION

RETURNING TO THE private sector after service in two intelligence agencies, I find myself advising companies about security and counterintelligence threats that hardly existed a decade earlier. Security measures that used to be relevant only to a few government agencies, the military, and defense contractors are now urgently required by most businesses. Counterintelligence questions—Who’s stealing my information? Why do they want it? What will they do next?—face every organization with secrets to keep. Companies are bleeding the intellectual property and technology that create jobs and wealth and on which our future prosperity depends—even if a dismaying number of corporate executives prefer to ignore what’s happening. And the government, even as it overclassifies all sorts of anodyne information, struggles to stop leaks of its most legitimately held secrets. Meanwhile, personal information continues to be for sale on the criminal market by the boatload. As my title indicates, we are living in a glass house, or a series of glass houses: at home, at work, and in public places. These pages explain in lively and nontechnical terms how and why this has happened—and what could happen next.

The state-sponsored theft of Western intellectual property urgently requires a more robust response from governments as well as companies. In February 2013, a private cyberforensics firm called Mandiant revealed irrefutable evidence that China’s People’s Liberation Army has been systematically stealing a wide range of technology from scores of Western companies. This wasn’t news to our intelligence agencies, or indeed to anyone who’d been paying attention, but never before has such detailed proof been laid before the public. Those who claim the threat has been hyped must now confront the evidence.

China is the worst offender but it is hardly alone. Russia and Iran are also large-scale practitioners of state-sponsored espionage against private companies, and the Iranians aim at disruption as well as theft. In August 2012, the information systems of Saudi Aramco, a leading oil producer, were attacked from Iran. About thirty thousand computers were wiped clean of all data and had to be junked. Later that month, RasGas in Qatar suffered a similar attack. As I write these words, many American banks are under relentless attack from computers from Iran—almost certainly by cut-outs for Iranian intelligence services. These attacks have thus far taken the form of distributed denial of service attacks—the computer equivalent of engineered traffic jams—but at a level of intensity never seen before. The attacks disrupt service and cost millions to defend against. If attackers can wipe all content from thirty thousand computers at a Saudi oil company, they could also do it to many Western companies—or perhaps to your bank. Our financial system is based on information. It’s simply a system of accounts—records of who owes what to whom—and that system is electronic. If big pieces of it were wiped out or corrupted, the resulting economic wreck would be felt around the world and would make the economic consequences of 9/11 look trivial. Like our electric grid, which has also been infected with advanced persistent computer viruses, financial systems are critical to the country, and they are vulnerable.

This struggle for the security of essential institutions and infrastructure, like the struggle for the privacy of your personal information and the security of commercial trade secrets, is evolving as you open this book.

Washington, D.C.

April 2013