Saturday, July 09, 2016

First Chinese-Built Passenger Jet Goes Into Service

On June 29, 2016, the Wall Street Journal's Chun Han Wong reported "First Chinese-Built Passenger
Jet Goes Into Service. China's first home-built passenger jet entered commercial service on Tuesday... the Jet, the ARJ21 developed by the Chinese State-owned Commercial Aircraft Corporation of China, Ltd (COMAC) was originally due out in 2006 but was delayed by over ten years because of repeated production setbacks... " 

Normally I'd look at the piece and think to myself... I'd never invest in a company that was 10 years behind the market, but at the same time, I'm forced to wonder if those setbacks paralleled the increase in the security posture of COMAC's suppliers. And I'd have to wonder if another speed bump was dropped in the production plan with the 2014 creation of the Aviation ISAC...  At which point I'm betting ARJ21 project managers crapped themselves while their airplane sat in the red zone, staring, dreaming of that first taxi out to the runway, while they awaited final tech to come in from Bombardier, Rockwell, GE, Sukhoi, Antonov and others. 

Did I forget to mention? According to the WSJ, The COMAC ARJ21 competes directly with these companies --in a very crowded market --Canada's Bombardier, Brazil's Embraer SA and Russia's Sukhoi Civil Aircraft Company and was heavily influenced by foreign technologies including the McDonnell Douglas MD-90, avionics from Rockwell Collins, engines from General Electric, and wing designs by Ukraine's Antonov State Co.  I know for a fact that Bombardier, Embraer, Rockwell, GE and others have been harvested systematically for aircraft (and other) technologies. I'd bet a dollar that the state sponsored Chinese intelligence apparatus fed directly the creation of the state owned aircraft manufacturer in China --COMAC, and the development of the ARJ21... and I'm betting we'll see more airframes out soon.

Certainly the thought isn't completely out of the realm of possibility. There've been hundreds, if not
thousands of news pieces and blogs written over the last fifteen years calling out China (government and private) attackers as being the culprits behind a ton of illegal technology transfer.  The picture to the right shows a Chinese J-31 stealth aircraft that's essentially a knockoff of the Lockheed Martin built F-35. From Buick knockoffs to drones to satellite communication systems to toaster ovens and consumer electronics.  The shortest path to production isn't through the lengthy process of R&D, it's to use someone else's... Heck ever wonder why you find a Burger King within a mile of every McDonalds? McDonalds has a better research department! And stealing technology is no different. 

I guess, and as you're probably wondering (like I am), exactly how much of the designs were purchased from each of those vendors and how much was stolen?  With the company entering a crowded market ten years late... with design features coming from so many other airplane OEM's, and knowing damn well that each of the companies mentioned have suffered enormous losses directly related to Chinese cyber exploitation --heck, Boeing built the Aviation Information Sharing and Analysis Center (A-ISAC) to protect the aircraft OEM and industry writ large from prying eyes of Chinese state sponsored cyber espionage that had been occurring in their industry for over a decade.  

I read the Wall Street Journal every morning. I have since I was an Ensign in 1996. I've never been so surprised by lack of attention to detail as I was in this piece. Why would the author not do the work to identify the deeper story. Was this a success story? A competition story, or simply empty intellectual calories? Why would they not explore the idea that the industry's been getting their clocks cleaned while technologies looking very much like competitive technologies (and not just US technologies) are coming out of China on a daily basis --from warships and drones to knock-off cars to commercial aircraft. 

Who cares if it's ten years late when R&D cost almost nothing... right?

BT

I've been writing about intelligence and APT for roughly the last five years --almost every weekend over my first coffee on Saturday morning, and while I'll admit, you get it a little rough, it's almost therapeutic. They say one of the best ways to relieve stress is to write a letter to yourself explaining the stressors that you're feeling --or write to a person who may have wronged you. In this case however, I've watched our space (the information security space) mature into a hodgepodge of technologies and vendors selling everything from snake oil to some amazing technologies, yet, I have to wonder why it is that when I ask a company how they ingest intelligence into their systems, they tell me they don't!

And when I look across the spectrum of governmental organizations, commercial companies (large and small), healthcare organizations, energy producers, and others --in every corner of the world, the realization is simply this.... we're losing this battle. Network defenders are getting CRUSHED by the sheer volume of attacks --successful and not --but those that are successful are costly in a big way. And as a result, we see folks like the banking CISO that I mentioned in my previous paragraph who are forced to simply rely on their managed security service to ensure their safety.

Why? Because CISOs still have a hard time talking to their management. Some simply haven't cracked the code on communicating the danger versus security versus ROI.  To help, we've added a couple of new offerings to our lineup, starting with the Executive Read Board.

The Executive Read Board is a low cost subscription offering that offers technical analysis stories converted to easy readers by our on-staff journalist. Nancy had been an Air Force Journalist, turned news paper columnist and now works for us turning our stories into something that your executives can understand in a quick read --and everything is based on technical or intelligence analysis written in the lab.

I'd encourage you to have a look. We just completed the transition over from an old proof of concept site, and because of it's popularity, we took it mainstream. You'll find short pieces suitable for pushing directly to your management. If you need indicators, pull them from our indicator database --ThreatRecon.co. Need more? Call us. We have a number of options from STIX/TAXII to an API to PDF reports. 

In the mean time, I'll be heading to the MD/DC area this week, home plating for a ton of travel over the next two weeks, but I can be found occasionally at Shelly's, smoking a cigar, drinking a great bourbon. If you'd like to join me and shoot the sh*t, drop me a note. If you'd like more information on Red Sky Alliance or the intel group, Wapack Labs, drop me a note. 

Until then, have a look at the Executive Read Board. There's a 14 day free trial, so please, have a read.  We'll be pushing more and more up there this week, but there are a couple of hundred articles already populating the new site.

Enjoy, and Have a great weekend!
Jeff