Chapter 2
The Emergence of the Cyber Nation-State and Technology Espionage
Red China Rising and Its Global Cyber Theft Strategy

There is a sleeping giant. Let him sleep! If he awakes, he will shake the world.

Napoleon on China

Make no mistake: China is wide awake. Its quest for the proprietary information developed by others, principally the United States, is aggressive, unrelenting, sophisticated, structured, supported by the government and its military, and, ultimately, successful. And China denies it.

Is China alone in its quest for information? Of course not. A lot of people, nations, and companies steal information that does not belong to them. The art of industrial, economic, and technology espionage has a long history. Sometimes employees steal information. Sometimes terrorist groups are in on the action. Social protest groups are known to have stolen proprietary information. Certainly criminal organizations steal information. Information has value, financial as well as strategic, military, economic, diplomatic, cultural, political, and social. Information is, as has been said, power. It is also the potential or the promise of power.

At a simplistic level, China's cyber strategy is unambiguous. It wants to acquire, in any way it can, as much useful information as it can. But what is important from China's point of view? In part, what is important to China now is what is important to China's future. Again, simplistically, China is stealing targeted information as part of a larger strategic plan to possess a wide range of the technologies that will enhance its competitive positioning globally. Acquiring this information from other countries, mostly from the United States, lowers its cost of research and development and shortens its time to market. Going to market with competitive pricing, enabled through illicit acquisition, has diplomatic as well as economic implications for China. It gives China the power of enhanced market presence and market share, which translates into diplomatic advantage and the power of political persuasion through economic leverage.

The People's Republic of China is at the forefront of nation-state espionage, despite its ongoing denials for decades. But the theft of U.S. technological secrets by China is not new. Its espionage program, Project 863, was developed in 1986 as the State High-Tech Research and Development Plan. That plan is China's evolving blueprint for technological independence and global economic empowerment.

In 1986, four Chinese scientists proposed accelerating the development of the communist country's high-technology sector. China had realized that the way to a sustainable global market lay not in supplying its own population with new technologies but in delivering quality products and services, based on competitively priced technologies, that would drive the economic future of consuming and emerging nations. And so Project 863 was born, named for its date of inception, March (the third month) 1986. It received the personal approval of Deng Xiaoping, who as Chinese head of state from 1978 to 1992 moved the country toward a market-based economy. He knew this would require a formidable change and that China did not possess the fundamental technologies it needed to compete in a technologically driven world.

China has even stated publicly in its State High-Tech Research and Development Plan the goal of Project or Program 863: “Objectives of this program during the 10th Five-year Plan are to boost innovation capacity in the high-tech sectors, particularly in strategic high-tech fields, in order to gain a foothold in the world arena; to strive to achieve breakthroughs in key technical fields that concern the national economic lifeline and national security; and to achieve ‘leap-frog’ development in key high-tech fields in which China enjoys relative advantages or should take strategic positions in order to provide high-tech support to fulfill strategic objectives in the implementation of the third step of our modernization process.”1

It is no secret that China has long been a beneficiary of the ongoing development of U.S. technology. The Rand Corporation places U.S. research and development expenditures at approximately 38 percent of the world total. This makes an attractive, consolidated target. For decades, China has been acquiring proprietary intellectual property, often through academic and industry conferences, fertile ground for identifying cutting-edge technologies. Another common method of acquisition is the use of foreign nationals working for targeted companies. Many such foreign nationals have been arrested and convicted of stealing corporate intellectual property.

Research and development is expensive. Stealing the secrets of emerging technologies is inherently less expensive. The Internet, the use of third-party vendors, deficient data protection, and a number of other factors increase the ease of illicitly acquiring targeted technologies.

China's goal of dominating technology markets has tough consequences for those investing heavily in research and development. The most valuable targets include an interesting array of intellectual property and trade secrets that will create and fuel the engines of commerce for decades to come.

The Chinese government claims that the first three five-year plans have resulted in a boost of its “overall high-tech development, R&D capacity, socio-economic development, and national security.” The government, pleased with the 863 Program's success, noted that “in April 2001, the Chinese State Council approved continued implementation of the” 863 Program. The “863 Program continues to play its important role,”2 the government proclaims, and it is going to be around for a long time. Its mission reflects China's quest for technological superiority gained through the efforts of others, which then translates into economic supremacy. Inadequate security among many companies makes the job easier for China.

The “important role” is, to varying degrees, tantamount to stealing proprietary secrets. China says its tenth five-year plan is intended to help the country “gain a foothold in the world arena,” which it clearly has done. The government also states that it intends to “strive to achieve breakthroughs in key technical fields that concern the national economic lifeline and national security.”

But China is not solely responsible for the transfer of technology. U.S. companies have helped. U.S. companies were selling advanced encryption technology to that country's military as far back as the late 1990s. Despite the U.S. government's protestations and attempts to discourage the sale of encryption, based on U.S. national security concerns, the sale of advanced encryption continued. It wasn't illegal to sell it, but there's little doubt it was unwise. To illustrate the seriousness of the issue, until 1992 cryptographic products were on the U.S. Munitions List and subject to the Arms Export Control Act.

This is considered by many to be an issue subject to constitutional consideration under the First Amendment, at least insofar as it concerns controlling access to the technology within the United States. While the U.S. government tried to establish restrictions that would prevent the sale of such powerful technology overseas, the rapid proliferation of encryption proved overwhelming, and the United States could not control it. In the late 1990s, the National Security Agency feared that terrorist groups could use encryption. As it turns out, terrorists do use encryption, and so do transnational criminal groups, as well as nation-states. But the globalization of advanced encryption simply became unenforceable. The chief executive of one emerging security company in the late 1990s was often stopped by federal law enforcement officials at the airport when he was on his way to work with the Chinese government and the military. The officers would try to intimidate him, but the tactic did not work.

The U.S. government knew that there were individuals who were willing to face prosecution, that the technology industry was growing dramatically, and that a lot of money was driving the industry. After all, this was at the height of the so-called dot-com era. From 1997 to the first quarter of 2000, there was a technology bubble, with companies valued far beyond what their bottom-line results showed. Basically, the government could not impede the spread of this critical information, and China was a principal beneficiary. In this case, China did not have to steal the technology it needed to protect its own information, obfuscate its communications, and shield them from the rest of the world. It didn't have to. Companies in the United States simply sold it the technology.

China's tactical objective was to “leapfrog” over its competition in the constantly evolving global market. Inside China, Project 863 is seen as enhancing its competitive posture. And that perspective is all that matters to China as it pursues global leadership status, selling not only to its own burgeoning population but to countries throughout the world as well.

This series of five-year plans requires what the Chinese refer to as “Relevant Measures,” a framework for the implementation of such a massive initiative. The measures include a number of basic considerations that illustrate a comprehensive approach to China's “macro-development.” Specifically, the measures include:

  • Encourage innovation. This is defined as intellectual property development. Of course, innovation is also the illicit acquisition of proprietary information, which reduces the actual requirement of internal innovation in China. This saves China a great deal of R&D investment at a time when its economy is starting to show signs of weakness.
  • Enhance the innovation capacity of enterprises.
  • Strengthen intellectual property rights. This is in reference to protecting China's internally developed intellectual property. China has become a signatory to the World Trade Organization and is now engaged in global commerce, so its own intellectual property is now at greater risk of compromise by other countries engaged in espionage against it.
  • Strengthen the integration of Program 863 with local high-tech development. (See the discussion of North Korean cyber espionage later in this chapter regarding the economically struggling northeastern industrial region of China.) Local high-tech development is often fueled by cyber espionage against specific targets, based on needs analysis. The Chinese government states that “we initiated guidance projects to guide local high-tech development and associated industries to nurture economic growth sources.”3
  • Encourage international economic cooperation. This is a reference to what China refers to as its “Program on Major International Cooperation Projects.” It is reasonable for any major economy to cooperate with other nations as a vehicle to create and satisfy market opportunity and demand. However, in the case of China, at least in part, international cooperation is code for gaining access to the technologies of others and then acquiring elements of those technologies in order to better serve the economic interests of China. In other words, it is economic espionage.

While medical and pharmaceutical technologies have long been in the crosshairs of Project 863, other valuable intellectual property and trade secrets are the focus of its unrelenting and highly effective data collection apparatus. Six key technologies have been identified by China as essential to its global competitiveness:

  1. Information technology
  2. Advanced materials
  3. Biotechnology and advanced agricultural technology
  4. Advanced manufacturing and automation
  5. Energy technology
  6. Resource and environment technology

In more detail, these include:

  1. Information technology (IT):
    • Computer software and hardware technology
    • Communication technology
    • Information acquisition and processing technology
    • Information security technology

    IT is the building block of the future. There is little doubt that China has used IT to construct the framework for its massive cyber capability, which seems second to none. Of course, using IT aggressively and offensively is easier when one is not constrained from moving boldly and decisively against other nations. Hardware, software, communications technology, and information acquisition and processing technologies are key targets. Look at the impact of IT in the last decade and a half. The workplace—not to mention the home—has been transformed. Desktop computers have often been replaced by laptop computers. Laptop computer sales have slowed because of the emergence of tablets and smartphones. Social media use has grown dramatically. IT not only changes the way people live and work, it creates jobs, powers economies, and enables virtually all elements of the economy.

  2. Advanced materials:
    • Photoelectronic materials and devices technology
    • Special functional materials technology
    • High-performance structural materials technology

    Advanced materials are key to energy efficiency. Aerospace and defense industries are critical beneficiaries and especially susceptible to loss. Photoelectronic materials and devices and high-performance structural materials are highly sought after in Project 863.

  3. Biotechnology and advanced agricultural technology:
    • Bioengineering technology
    • Gene manipulation technology
    • Bioinformation technology

    Targets include technologies in bioengineering, gene manipulation, and bioinformation that will be used to feed growing populations within and outside of China. This is a contemporary version of capturing hearts and minds: Feed the bodies, and the hearts and minds will follow. It can be expected that China's expansion into Africa will include agricultural technologies.

  4. Advanced manufacturing and automation technology:
    • Contemporary integrated manufacturing systems (CIMS)
    • Robotics technologies

    Even in a country of massive labor supply, CIMS, or contemporary integrated manufacturing systems, and robotics are important. China as manufacturer to the world is the theme. This is the path to global competitiveness across many industries, and it can be expected to improve not only cost considerations but also quality.

  5. Energy technology:
    • Sustainable energy technology
    • Clean coal technology

    Sustainable energy technology and clean coal technology are critical. Energy makes the world go round; it is a vital currency to every economy. Dominate energy, manipulate the world. The implications are enormous. China has also expressed a strong interest in green energy, in both domestic as well as international applications, and is acquiring knowledge of solar and wind energies as well as petroleum.

  6. Resource and environment technology:
    • Marine resources exploitation technology
    • Marine biotechnology
    • Ocean monitoring technology
    • Technologies for the prevention of environmental pollution

    Marine resources exploitation, ocean monitoring technologies, and the technology associated with environmental pollution prevention are growth sectors. Emerging nations contribute pollutants as never before. China envisions leadership in cleaning up the planet, even as the air in Beijing clouds the city and its moral authority. China's heavy-industry region in the northeastern part of the country is particularly polluted.

But moral authority isn't the issue upon which the future hinges. Now that China has awakened to the opportunity, shouldn't industry awaken to the threat and take immediate action to protect its assets and value?

China has launched what are called APTs, or advanced persistent threats, against U.S. targets, in addition to acquiring information through academic and industry conferences and utilizing foreign nationals who go to work for U.S. companies.

An APT is exactly what it sounds like. It is technically sophisticated, and it is also continuous. And it is most certainly a threat. The security company Symantec Corporation, a Fortune 500 company, has been analyzing APTs, and one in particular is of concern. Symantec refers to it as Hidden Lynx, a reference to words embedded in the malicious computer code used in the attacks.

According to Symantec, the Chinese cyber attack group is very sophisticated, as well as patient. It is equally voracious in its appetite for information. Symantec believes that “this group is most likely a professional hacker-for-hire operation” that is “contracted by clients to provide information. They steal on demand…hence the wide variety and range of targets.”4

Symantec believes the group consists of between 50 and 100 skilled hackers and is “organized into at least two distinctive teams…both tasked with carrying out different activities using different tools and techniques.” One of the attack teams, Symantec suggests, is an elite group that is deployed to crack the most valuable and hardened targets, and it has been carrying out attacks for about three years. Hundreds of organizations have been hit by Hidden Lynx.

Slightly more than half of the assaults have been on U.S. organizations. But there have also been Hidden Lynx attacks against targets in Taiwan, Hong Kong, and even mainland China itself. Other targets were located in Japan, Canada, Germany, Russia, Australia, and South Korea. Key industrial sectors hit by Hidden Lynx include information and communications technologies, aerospace and defense, financial services, energy, even marketing and government. Clearly, as noted by Symantec, this is a diversified list. However, such a distributed range of countries and industries does not necessarily mean that the hackers are working for a variety of clients. This could be the case, but the range of targets may also reflect China's internal interests in capturing data in support of its own developmental and expansionary efforts, which are consistent with Project 863 targets. The fact is, China contracts with hacker groups, transnational cyber crime affiliates, to conduct a variety of attacks against a variety of targets. In either scenario, the threat is real, it is advanced, and it is persistent.

China is believed by many in government and industry to be behind a number of cyber attacks against commercial interests of the nature and range cited by Symantec. Independent research indicates that IP addresses captured in victim companies' logs, the electronic records of system activity, have been verified as originating in Hong Kong, Guangzhou, and Shenzhen. Tens if not hundreds of millions of electronic records have been compromised as a result of cyber attacks associated with IP addresses registered in those three cities, among others, in China, and elsewhere, including countries associated with a high level of transnational cyber crime.

A Case of Cyber Espionage Conspiracy?

The 2013 case of North Korean espionage against South Korea is likely a working example of Project 863 and of what may be referred to as the “axis of cyber evil,” a realignment of nations that embrace one another on the basis of need.

The end of the Cold War marked the disintegration of the nations of the Soviet bloc, the nations that were subject to the control and direction of the Soviet Union. In the post–Cold War era, those nations sought independence, and some of them have become technologically competent. Unfortunately, some have also become centers of cyber crime and supportive of nation-state espionage. In fact, many cyber breach investigations reveal close linkages between China and Russia as well as other Eastern European countries.

There's an interesting realignment that has taken place. It isn't a Soviet bloc model; a Cold War model would be unlikely to work today. Instead there is a more loosely configured strategy, one that does not require a Soviet-like occupation of aligned states. Whereas the model during the Cold War was driven by politics, this new era of the axis of cyber evil is based on the Internet and is a far more enduring framework, one driven not by dogma but by economics and the lure of growth and power through market dominance. The Internet is an empowering and irresistible aphrodisiac. At its most basic level, it is simple, easy to use, inexpensive, and absorbing. Becoming digital is becoming part of the future. And becoming part of the future requires a lot of information from a lot of sources.

China, Russia, Syria, Iran, and North Korea, long-established cyber threats, are evolving into this post–Cold War axis of cyber evil, which is escalating in intensity and should be taken seriously by any entity, government or private sector, that possesses valuable proprietary information. The stakes are getting higher.

This realignment or axis of cyber evil provides China the ability to operate with the protective public policy veil of plausible deniability. Assume China wants to acquire a specific technology. Rather than steal it directly over the Internet in a cyber attack, one of its axis of cyber evil partners could do it. This is an important element of China's doctrine, since it is a global economic competitor against the United States, but is also an investor in the U.S. commercial and financial markets. While this dual status of competitor and investor does not in any way diminish China's appetite for valuable U.S. technology, it does make direct and obvious cyber theft against U.S. targets somewhat more sensitive. With the U.S. government continuously challenging China diplomatically for targeting U.S. proprietary interests in this economic cyber war, China is increasingly likely to work through its partners in the axis of cyber evil.

For an industry requiring clean rooms for manufacturing, cyber theft is a dirty business. Often it is difficult to determine exactly who did what, who attacked whom. But in the arena of public perception—and reality—China clearly stands out. Unless some cyber warfare counterintelligence group at the National Security Agency knows otherwise and is keeping it secret, the United States doesn't fully understand the absolute cyber capability of China. It works both ways, too; China probably does not fully understand U.S. cyber capabilities. After the defection of former NSA systems administrator Edward Snowden, China and Russia know a lot more, but there is also a lot neither nation knows.

Is it possible that Snowden's disclosures will embolden China? Perhaps. From China's point of view, such classified data should be protected at all costs. Yet Snowden was able to access tremendous volumes of data. Coworkers saw him do so but never said anything, because he was a systems administrator: certainly not a senior-level position, but one with great access, and one that should have been more tightly monitored. Those issues are cited openly in the press, and China has no doubt been watching with great interest.

Given China's success in stealing U.S. information, and given the bumbling errors committed in the classified defense community, China will almost certainly escalate its quest for more information, believing such pursuits to be relatively low-risk and carrying relatively inconsequential penalties. From China's perspective, given the risk-reward calculus, there seems to be little incentive not to pursue information acquisition.

There is another downside. When other countries witness the level of cyber theft from U.S. targets, it signals vulnerabilities and makes a statement about the will of the United States to defend itself against cyber attack. While China can demand that its industries practice strong security, such demands in the United States and many other countries are not possible other than through regulatory requirements. And regulatory compliance by companies is overall quite low. In capitalist systems, companies need to see the financial value in protecting information. That level of clarity is sorely lacking, especially, though not exclusively, in unregulated markets.

It comes down to this: If China wants to continue its diplomatic and commercial business with the United States, it makes more sense for it to in effect outsource some of its cyber espionage to its participating axis of cyber evil nations, which need the infusion of Chinese capital. This does not necessarily mean that China will reduce its direct cyber assaults. But it does suggest that plausible deniability will enable China's expansionary quest in support of more proprietary information collection.

Think about it this way: The origination point or epicenter of an attack is not always immediately obvious, at least not initially. It is technically feasible to redirect an attack. Suppose that China wants to launch an attack to acquire restricted information from the United States. In one actual case, in an attempt to sneak into U.S. cyber space, it launched an attack but routed it through a U.S. university. The goal was to trick people working in the defense industry and the military into clicking on a link, which would then download onto the user's computer a malicious software program that would enable China to capture any keystrokes made by the user, such as passwords that would then give greater access into computer systems.

By rerouting or redirecting a cyber attack, China can make the claim of plausible deniability, allowing it more time in which to deny the attack and divert investigative efforts directed against the attacker. This is why plausible deniability is important, and it is also why the alignment of nations forming an axis of cyber evil is important to the strategic interests of China. Also, given the U.S. and international sanctions levied against Iran and North Korea, for example, additional economic sanctions for engaging in cyber attacks against the United States are minimally threatening. However, this raises the specter of how the United States may respond to a cyber attack by one of the countries mentioned. Already, Iran and the United States have tangled in the cyber arena, and this can be expected to continue, if not escalate, as tensions heighten in the Middle East.

Look for China and Russia to more actively engage the axis of cyber evil for technology and economic espionage, cyber disinformation, cyber disruption, and cyber confusion in the marketplace. Each of these kinds of cyber attacks creates uncertainty and has the capability to instill a loss of confidence, perhaps in a company's stock price. Such attacks can also serve as distractions to shield cyber espionage. The fact is, these nations are expert at using the Internet, and they have strong experience in attack strategy and in yielding results.

One reason the axis of cyber evil may be an appealing strategy in support of Project 863 is that China already denies that it launches cyber attacks against the United States, and it wants to be able to continue to do so. Attacks coming from Iran, Syria, North Korea, or elsewhere against U.S. interests make the perfect cover for China because of the poor state of relations between these nations and the United States. That these foreign powers would launch aggressive attacks against U.S. interests is easily understandable, even predictable.

Every company in every country engaged in some form of electronic commerce—which is virtually every enterprise in every developing or developed nation—should be alert to any cyber attack. Every CEO, every member of the audit and risk committee of the board of directors, every executive with fiduciary responsibility needs to know about this risk to the enterprise. Unfortunately, far too few are aware of it.

Consider the Syrian Electronic Army, or SEA, thought by many to be funded by the Bashar Hafez al-Assad regime. Until recently, the media and diplomatic focus on Syria had been on the deployment of deadly chemical weapons against its own people. But now we are witness to cyber attacks on the institutions that have been critical of Assad and Syria: the New York Times, the BBC, the Qatari government, National Public Radio, even Al Jazeera. The attacks have caused various levels of cyber disruption, and they are believed to have begun with very sophisticated phishing attacks.

Iran has been engaged in attacking U.S. bank web sites for more than a year, creating operational disruption in the form of denial-of-service attacks while demonstrating that U.S. targets are not by any measure immune.

China's cyber attacks are well known, despite its diplomatic protestations. Transnational organized crime is equally well established. But North Korea's recent attacks against South Korean targets are particularly interesting, because North Korea is an element of the axis of cyber evil.

The attacks, recently made public by antimalware company Kaspersky Lab, are of concern for two reasons: first, because of the selection of attack targets, and second, because of North Korea's relationship with China. The targets included the Sejong Institute, a South Korean think tank specializing in national security strategy and Korean reunification. This seems to be a clear case of political espionage. The Korea Institute for Defense Analyses is a national security and defense quasi-governmental organization, so it too is an understandable target for North Korea, as is the South Korean Ministry of Unification. One of the more intriguing espionage targets was South Korea's Hyundai Merchant Marine Co. Ltd., part of the Hyundai Group, a diversified corporation.

While the other targets are logical, given North Korean unification and national security concerns, the Hyundai information theft may not be as immediately understandable. It is true that North Korea maintains a merchant marine operation, yet it seems unlikely that this rogue nation-state would benefit substantially and directly from cyber espionage against Hyundai Merchant Marine. South Korea ranks number eight in the global merchant marine market sector, with 1,144 vessels. North Korea, which ranks 34th in the world, maintains a fleet of only 150 vessels, many of which are said not to be seaworthy and reportedly do not stray far from their home ports. (To put this in perspective, Greece is ranked number one, with 3,768 vessels.) It seems improbable that North Korea would steal information for its own competitive positioning, given its anemic economy, deficient fleet operational status, and the maritime scrutiny it receives from many law-abiding nations. The South Korean shipping and global logistics industry possesses critical information regarding environmentally clean transport, which is crucial to competitive positioning. In addition, it possesses important trade secrets regarding advanced materials and design.

What is more likely is that either (1) North Korea was hired by China to breach South Korean interests, with the political components of the breach perhaps providing strategic cover; (2) North Korea, acting independently, believed that it could sell the information to China; or (3) China launched the attack against South Korea but made it look as though the attack originated with North Korea.

Geography played a part in the cyber attack against South Korea. Ten of the IP address ranges, according to Kaspersky, originated in the Jilin Province network and the Liaoning Province network. Situated in the northeastern region of China, Jilin and Liaoning are near the North Korean and Russian borders. The Internet service providers that serve the region are believed to maintain communication lines into parts of North Korea.

Once a center of heavy industry, with strong Russian, Chinese, and North Korean influence, this region of China has in recent years not fared well economically, and its population exceeds 100 million. Industry sectors include steel, automotive, shipbuilding, aircraft, petroleum, and manufacturing. There are about a dozen key universities in the region, many of them with strong science and technology programs.

And here is the point: China has an aggressive revitalization plan that was developed by its National Development and Reform Commission (NDRC). The NDRC economic development report, translated from Chinese, states that “China's participation in international competition, the use of domestic and foreign resources and markets to accelerate the pace of expansion of trade…to create more opportunities” is part of its strategy. The report also states that “economic development is not sufficient.”

However, there is a more direct link that suggests China is the beneficiary of the Hyundai information. Citing that its “high tech industries [are] inadequate,” the report documents the need for China to significantly improve its “international level of shipbuilding” and “accelerate the development of [its] high-tech industry.” Perhaps most indicative of China's involvement is its stated objective to pursue, as part of its regional economic strategy, an upgrade of its “logistics management, logistics and distribution facilities,” and its “integrated logistics system in Northeast China.” Of course, global integrated logistics is the business of Hyundai Merchant Marine.

Regardless of specifics—and we may never know exactly what occurred—it is obvious that North Korea has global reach. It is also obvious that it has an important relationship with China. Given China's voracious appetite for an extraordinary range of information that it will use to fuel its global economic leadership, companies possessing intellectual property and trade secrets are at extreme risk. And because most proprietary information is unregulated and is therefore not subject to basic protections, the risk of compromise is heightened.

This is not a call to regulate proprietary information. But every audit and risk committee member of the board of directors, every CEO and general counsel should ask questions about the entity's ability to protect the information that is anticipated to contribute to current and future corporate revenue streams and enhance value. This is not just a security problem. It is an issue of critical corporate governance, clarity of mission, and long-term reputation and market competitiveness. It is, equally, a national economic security imperative.

The Internet has both complicated and simplified technology espionage. It has simplified spying by making it easier to steal secrets through cyber attacks. A tremendous amount of sensitive information is undersecured or, in many instances, is not secured at all. Some cases clearly illustrate the lack of security, which led to breaches.

In one case, a company managing another company's sensitive regulated data had no antivirus software in place. Two variants of a cyber attack easily breached the firm's information system. Upon forensic examination, two specific types of Internet protocol (IP) addresses were identified in the system, both originating in China, along with others from Eastern Europe. There were authorized IP addresses, and then there were unauthorized IP addresses, which were the attack vehicles. These unauthorized, or toxic, IP addresses were the true threat, but they can be hard to distinguish from authorized IP addresses. The majority were from China. An IP address is a label assigned to each computing device attached to the Internet; knowing that address enables tracking (there are exceptions). In the case referenced, the breached company had an IP address in its computer environment that was unauthorized; it was not supposed to be there. That unauthorized IP address basically served as a communications beacon, broadcasting from inside the company's network. Because there was no antivirus software in place, the unauthorized IP address was able to identify sensitive information and communicate it back to China.

But there was another type of IP address in the company's computer environment, and here's what makes the predicament more complicated. This type of IP address was actually authorized to be in the client environment. However, because there was no software that could identify the IP address as risky, these IP addresses too were broadcasting protected, regulated data back to China. This second type of IP address was authorized because it was actually transmitted to the company by its corporate customer.

When this condition occurs—an IP address belonging to a customer is toxic—there is often great reticence by the breached company to bring this to the attention of its corporate customer for fear of alienating that customer. But the fact is that a customer's toxic IP address is no less malicious than any other type of malicious IP address. Hesitation, or even refusal, to alert the customer to the presence of that toxic IP address likely elevates that customer's risk as well. In effect, no one wants to tell the emperor that he is dressed in a toxic IP address. This allows the breach to occur.

Eventually, though, the customer is likely to discover the toxic IP address in any case. That can happen in several ways. The customer may itself be subject to data theft. Or if customer data is breached while at the company managing its data, the service provider may have to notify the company that its data was breached, perhaps by IP addresses in its own network.
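The case above, an unauthorized address beaconing from inside the network and a customer's approved address also carrying data out, is the kind of thing a routine review of outbound traffic catches. What follows is an added example, not code from the book or from the company described. It runs two checks over constructed flow records: first, any internal host sending to a destination that is not on the approved list; second, any approved destination that nevertheless shows a beacon-like pattern (a sustained series of connections at near-regular intervals). The approved list, the thresholds, the internal addresses and the destination addresses (drawn from documentation ranges) are all assumptions made for the example.

```python
"""Outbound-traffic review over constructed flow records (added example).

Check 1 flags destinations nobody authorized (the 'toxic' address).
Check 2 flags any (source, destination) pair, approved or not, whose
connections arrive at near-regular intervals, the signature of a beacon.
Every address, timestamp and byte count below is constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumption: the one destination the company was told to expect is the
# customer's own address (documentation range 203.0.113.0/24).
APPROVED_DESTINATIONS = {"203.0.113.25"}

# Constructed flow records: (timestamp, internal source, destination, bytes out)
SAMPLE_FLOWS = [
    # Unapproved destination, 10-minute cadence with slight jitter: the beacon.
    ("2023-01-10T02:00:00", "10.0.5.17", "198.51.100.40", 51200),
    ("2023-01-10T02:10:00", "10.0.5.17", "198.51.100.40", 50800),
    ("2023-01-10T02:21:00", "10.0.5.17", "198.51.100.40", 51900),
    ("2023-01-10T02:30:00", "10.0.5.17", "198.51.100.40", 50100),
    # Approved customer address, but a 15-minute cadence and large volume.
    ("2023-01-10T09:00:00", "10.0.5.22", "203.0.113.25", 240000),
    ("2023-01-10T09:15:00", "10.0.5.22", "203.0.113.25", 241000),
    ("2023-01-10T09:30:00", "10.0.5.22", "203.0.113.25", 239500),
    ("2023-01-10T09:45:00", "10.0.5.22", "203.0.113.25", 240200),
    # Approved address used irregularly and lightly: ordinary business traffic.
    ("2023-01-10T10:03:00", "10.0.5.31", "203.0.113.25", 1200),
    ("2023-01-10T13:41:00", "10.0.5.31", "203.0.113.25", 3400),
]


def group_sessions(flows):
    """Group records by (source, destination), each list sorted by time."""
    sessions = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        sessions[(src, dst)].append((datetime.fromisoformat(ts), nbytes))
    for key in sessions:
        sessions[key].sort()
    return sessions


def find_unapproved(flows, approved=APPROVED_DESTINATIONS):
    """Check 1: (source, destination) pairs whose destination is not approved."""
    return sorted({(src, dst) for _, src, dst, _ in flows if dst not in approved})


def beacon_score(times):
    """Coefficient of variation of the gaps between connections.

    0.0 means perfectly periodic; None when there are too few gaps to judge.
    """
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2 or mean(gaps) == 0:
        return None
    return pstdev(gaps) / mean(gaps)


def find_beacons(flows, min_flows=4, max_jitter=0.15):
    """Check 2: pairs with at least min_flows connections at near-regular intervals."""
    hits = {}
    for (src, dst), records in group_sessions(flows).items():
        if len(records) < min_flows:
            continue
        score = beacon_score([t for t, _ in records])
        if score is not None and score <= max_jitter:
            hits[(src, dst)] = {
                "flows": len(records),
                "jitter": round(score, 3),
                "bytes_out": sum(b for _, b in records),
            }
    return hits


def review(flows, approved=APPROVED_DESTINATIONS):
    """Combine both checks; approved-but-beaconing pairs get their own bucket."""
    beacons = find_beacons(flows)
    return {
        "unapproved": find_unapproved(flows, approved),
        "beaconing_approved": sorted(k for k in beacons if k[1] in approved),
        "beaconing_unapproved": sorted(k for k in beacons if k[1] not in approved),
    }


if __name__ == "__main__":
    for bucket, pairs in review(SAMPLE_FLOWS).items():
        print(bucket, pairs)
```

The second check is what matters for the customer's address: an allowlist alone would have passed it, because it was authorized, while its cadence and volume are the tell. In practice the thresholds are tuned against a baseline of the organization's normal traffic, and a hit on an approved address is exactly the finding that has to be raised with the customer rather than quietly suppressed.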

Though the Internet has in many ways simplified information management, it has also introduced complexity, and that complexity lies in protecting restricted information. The Internet makes it easier to illicitly acquire information. In principle this sounds straightforward, even obvious. Yet many companies—somewhat unbelievably—do not seem to accept that the threat is real and that the risk is critical to their value proposition. Some executives do not accept that their company is likely to be targeted by transnational criminal networks or by nation-states engaged in espionage. Many small and medium-size companies assume that they are simply not on anyone's cyber attack radar. “No one knows who we are, we're too small,” they say. They seem to think they are invisible, and therefore invulnerable to cyber attack and cyber espionage. This is not the case now. Maybe at one time it was, but not anymore. It's a new world.

They are not invisible. Social media, third-party vendors, mobile devices, e-mail, and the Web all have made sure that invisibility is a condition of the past. The Web and the Internet have proven to be the great democratizers of competitive presence. A one-person enterprise has the capability today to incite, incent, invite, and inspire global markets, largely without the traditional boundaries and restraints of a generation ago, or even a decade ago, before the wildfire of social media.

While many nations conduct cyber espionage against the United States and its economic allies, there is no doubt that China reigns supreme among them. Twenty-first-century China has tremendous cyber capabilities. History, timing, culture, the economy, changes in industry, global competition, sheer will, plausible deniability, deception, denials, and technology have coalesced to place China at the forefront of proprietary information theft. Its capabilities seem unmatched. China seems to see the theft of intellectual property in pursuit of its own economic security as a form of its own manifest destiny. Perhaps what Americans in the nineteenth century saw as westward expansion and the building of a new nation, China envisions as its own emergence into a highly competitive landscape, one dominated by a number of technologies critical to sustainable competitive positioning.

Some years ago a company wanted to test the quality of its third-party data management vendors. The company possessed a significant number of trade secrets, which made up a significant amount of its current and future financial value. Cyber attacks against its vendors in three countries were authorized. After several weeks of effort, the company was presented with the cyber attack study results. A data management vendor in Europe had been easily penetrated, as had one in the United States. The one data center that was virtually impenetrable, locked down securely, was in China, managed by China Telecom Corporation Limited, which is owned by the state and maintains subsidiary operations in 31 Chinese provinces.

There is another disturbing development in cyber espionage. A form of hacking, it is more insidious than a team of hackers in a foreign nation stealing proprietary corporate or government information. The reason it is more insidious is that the victim is actually purchasing hardware and software that broadcasts data out of the purchasing organization's information and communications system. The threat is in the global telecommunications supply chain. This has become a serious controversy between the United States and China. While China denies that its companies are spying on the United States, either through traditional cyber attack methods or through the sale of hardware and software configured to capture information and send it back to China, the United States believes otherwise.

In late 2012, the House Permanent Select Committee on Intelligence issued its findings on China's telecommunications spying in a report called “Investigative Report on the U.S. National Security Issues Posed by Chinese Telecommunications Companies Huawei and ZTE.”5 The report is damning. The investigation, which focused on China's top two telecommunications manufacturers, was a supply chain risk assessment consisting of two principal parts. The first part was basically a discovery and analysis program. The goal was to evaluate the companies on the basis of open-source materials in order to assess their corporate histories, operations, financial information, and ties to the Chinese government and the Chinese Communist Party. The second part of the study looked at the capability of the U.S. intelligence community in “appropriately prioritizing and resourcing for supply chain risk evaluation.”

Despite the level of effort expended by the Select Committee, it concluded that neither company was cooperative. The committee claimed that the companies failed to provide sufficient evidence to satisfy its concerns about electronic spying. Disappointed in the level of cooperation from both Chinese telecommunications firms, the Select Committee determined that “neither company provided specific details about the precise role of each company's Chinese Communist Party Committee. Furthermore, neither company provided detailed information about its operations in the United States.”

But Huawei in particular “failed to provide thorough information about its corporate structure, history, ownership, operations, financial arrangements, or management. Most importantly, neither company provided sufficient internal documentation or other evidence to support the limited answers they did provide to Committee investigators.” The Select Committee did receive information from both current and previous Huawei employees and industry experts suggesting that the company was violating U.S. laws and international standards of business behavior.

There is apparent disagreement about how Huawei USA actually operates within the United States. With its U.S. headquarters in Plano, Texas, established in 2005, the company maintains that the “parent company does not require approval for individual contracts in the United States,” according to the report, signaling that Huawei operates independently in the United States. It did admit that the board of directors in China sets the general business operational guidelines. But there is no consensus on this subject relative to who actually sets the specific operational guidelines and who signs contracts. The Select Committee interviewed several former Huawei employees who told a significantly different version of the story. A number of sources told the Select Committee that business decisions require approval directly from China. Senior-level executives in the United States, according to an individual with firsthand knowledge, are not allowed to sign cyber security contracts in the United States without approval from China. In one case, according to testimony, such a contract signed by a Huawei USA executive was “repudiated,” or overturned, in China.

According to the report, “The investigation concludes that the risks associated with Huawei's and ZTE's provision of equipment to U.S. critical infrastructure could undermine core U.S. national-security interests.”

Under questioning by Congress, ZTE officials were very circumspect and were not forthcoming with regard to whether or not members of the Chinese government, military, or Communist Party were involved with ZTE and served on the board. For a time, ZTE refused to answer questions. It did, however, at a later date provide some information that is of concern.

A number of members of the Communist Party serve within ZTE, and two of these representatives appear to serve on the board of directors, where they would wield considerable influence. The concern is that the two board members may have a conflict of interest in their duties to the Communist Party and to ZTE shareholders. Independent ZTE director Timothy Steinert told the Select Committee that “in my experience and to my knowledge, no member of ZTE's Board of Directors has raised for consideration an interest on behalf of the Chinese Government, the People's Liberation Army or the Chinese Communist Party.”

This assertion, though, failed to allay concerns of Congress. “Since at least two members of the Board are also members of the Chinese State Party,” stated the Select Committee, “it is impossible to know whether the votes of the Board are conducted without influence by the Chinese Communist Party.”

The Select Committee was concerned enough about the inadequacy of the cooperation of the two companies that it issued an advisory to government agencies and to private industry as well. Use extreme caution, the committee advised. In general, the committee has stated that the United States should be suspicious of Chinese companies further penetrating the domestic telecommunications market.

It recommends that the intelligence community keep its private-sector classified contractors informed on the threat of the Chinese telecommunications companies. Given the threat to U.S. national security interests, the Select Committee wants the Committee on Foreign Investment in the United States (CFIUS) to make sure that neither Huawei nor ZTE be allowed to take over, acquire, or merge with any U.S. telecommunications company. In fact, the Select Committee has recommended legislative proposals that would expand the authority of CFIUS to include purchasing agreements.

No Huawei or ZTE equipment, or even component parts, should be used in any U.S. government systems, and especially not in any sensitive systems. Private-sector contractors working with the U.S. government are also discouraged from using equipment from these Chinese companies. But the Select Committee didn't stop there. It “strongly encourages” private-sector companies to consider the long-term security risks of doing business with either Huawei or ZTE.

The Select Committee concluded that “based on available classified and unclassified information, Huawei and ZTE cannot be trusted to be free of foreign state influence and thus pose a security threat to the United States and to our systems.” Additionally, the committee wants to see Congress and enforcement offices in the executive branch investigate unfair trade practices by the Chinese telecommunications sector, with specific attention to the continuing financial support for companies like Huawei and ZTE.

In fact, Congress concluded in its study that ZTE failed to provide any answers about its compliance with U.S. intellectual property laws and export control restrictions. Nor did the company provide any information about its infrastructure projects in the United States. It also failed to answer questions “that would explain whether ZTE purposely bids on projects below cost and how the company is able to sustain these losses.” The implication, of course, is that ZTE is buying U.S. business at a loss in order to be able to install its equipment in U.S. infrastructure for the purpose of acquiring proprietary information and reporting it to Chinese government authorities as part of a technology and economic espionage program.

Under questioning by Congress, ZTE did make some interesting comments, which provide insight into the company's, and China's, intent. ZTE, which employs approximately 300 people in five U.S. research and development centers, stated that basically it was here to help the United States by assisting in what it referred to as rural infrastructure and broadband communications needs. ZTE was engaged in public service. However, company officials finally admitted that there was nothing charitable in the ZTE presence. They even admitted that the intent of ZTE was to get a “foothold” in the United States and increase their knowledge of U.S. technology. ZTE stated that it was willing to provide equipment below cost in order to better understand the market. Naturally, that information is funneled back to the Chinese government.

According to the Select Committee…

Interestingly, it is being recommended by the Select Committee that one way for Chinese companies to become more open is to have them listed “on a western stock exchange with advanced transparency requirements, offering more consistent review by independent third-party evaluators of their financial information and cyber-security processes.” This would also result in “complying with U.S. legal standards of information and evidentiary production, and obeying all intellectual-property laws and standards.” Huawei in particular, the Select Committee says, “must become more transparent and responsive to U.S. legal obligations.”

China continues to deny all allegations of impropriety, a position it has been adopting for decades.

U.S. government systems, particularly systems containing sensitive and restricted information, should not include Huawei or ZTE equipment, including component parts. Similarly, government contractors, particularly those working on contracts for sensitive U.S. programs, should exclude ZTE or Huawei equipment from their systems. This is a simple precaution, but it is leading to delicate conversations between the two governments, with considerable economic and diplomatic impact.

The Select Committee extended its warning to the private sector in the United States, noting that the long-term security risks of doing business with Chinese companies are considerable. “U.S. network providers and systems developers are strongly encouraged to seek other vendors for their projects,” according to the report. In its closing recommendation, the Select Committee made it clear that Congress needs to consider legislation that more adequately addresses “the risk posed by telecommunications companies with nation-state ties or otherwise not clearly trusted to build critical infrastructure. Such legislation could include increasing information sharing among private sector entities, and an expanded role for the CFIUS process to include purchasing agreements.”

China and the United States are at odds. China steals U.S. information and the United States has sold encryption to the Chinese military. China is the third largest export market for U.S. goods. The United States is China's single largest export market. The United States and China have announced measures to strengthen macroeconomic cooperation, promote open trade, enhance global cooperation and international rules, and foster financial stability and reform.

The word from the U.S. Department of State is that “China and the U.S. work closely with the international community to address threats to global security, including North Korea and Iran's nuclear programs.” But the problem is far more complex. While it may reasonably be argued that China, given its surface level of cooperation with the United States, as well as its significant financial investment in the United States and in other Western economies, would be an unlikely participant in a massive military cyber strike against the United States, China should never be underestimated. It is clear that China ultimately wants to dominate the global economy. The country will continue to steal commercial and government information until such time as defenses are adequate to the task of defeating China's cyber attacks. And China will not launch a major disruptive cyber strike against U.S. interests until such time as it may serve a strategic purpose to do so. When that happens, the task will likely be outsourced to an axis of cyber evil country, providing China with its great wall of plausible deniability.

Much will be written in the coming months and years about China's economic espionage and the charges that have been filed by the U.S. Department of Justice. A grand jury in the Western District of Pennsylvania indicted five members of the Chinese military on charges that included economic espionage and computer hacking. It is too soon to determine how serious the U.S. government is about pressing China on the issue, but this much is clear: China will never allow its military to stand trial in the United States. A number of strategies are available to the United States to make economic espionage against it costly to China. Whatever strategy adopted by the United States, there must be an appetite to play hardball. And that willingness remains unclear at this point.

Said Benjamin Dubuc, who formerly taught English in China after graduating from college, “While accessing my GMail account…[some] e-mails would never be sent/received, others would periodically disappear from my inbox. Cyber theft entails every station of an assembly line, every ingredient of prescription medicine, every line of a novel, every minute of your favorite movie.” China will not ease up voluntarily. It has too much at stake, and U.S. vulnerability is high. So whose undoing will this be?

Notes
