Blame game: Cyber espionage

Nation-states are extricating intellectual property from U.S. government entities and private corporations, reports David Cotriss.

Espionage is a craft that has been practiced for thousands of years. It plagued the United States throughout the Cold War and provided audiences with dapper heroes and nefarious bad guys in a multitude of James Bond films.

But the digitalization of information offers an entirely new dimension to the practice of espionage. In cyber space, foreign actors can sit at a computer and glean huge amounts of information quickly, remotely and often with no consequences. The attacker can make it look like someone else is perpetrating the attack simply by altering a digital signature and disguising the data path. And, they can do this without detection for months or even years.

Most agree that companies that believe they are immune from cyber attacks are deluding themselves. Any organization with something of value is a potential target. Those with especially valuable information can sustain dozens of attacks each week, most of them successful. U.S. Army Gen. Keith Alexander, director of the National Security Agency and commander of the Pentagon's United States Cyber Command, has called cyber crime “the greatest transfer of wealth in history.”

According to Phil Ferraro, VP and CISO at The Las Vegas Sands, a resort operating company based in Paradise, Nev., about one-third of foreign cyber espionage attacks emanate from China. The Department of Defense has characterized China as “the world's most active and persistent perpetrator of economic espionage.” It is motivated by a desire to close the gap with Western countries in science and technology. Of the seven cases of cyber espionage prosecuted in the U.S. in 2010 under the Economic Espionage Act, six were linked to China. Russia, looking to modernize and diversify its economy, is right behind in the number of attacks, according to the National Intelligence Estimate, classified documents produced by 16 U.S. intelligence agencies for the Director of National Intelligence (DNI), an adviser to the president, the National Security Council and the Homeland Security Council on security issues.

Kelly Bissell, a principal at Deloitte, and the leader of its information and technology risk management and global incident practice, says the objective of nation-states is to learn what U.S. plans are and turn that information into a competitive advantage. As for China, he says it wants to skip over costly and time-consuming R&D and bring products to market using U.S. trade secrets, technology and IP. Because so many Chinese companies are state-owned, the government focuses heavily on economic espionage. But it also wants U.S. technology for military purposes. For instance, when China released pictures of its new stealth aircraft, the J-20, the plane looked similar to the U.S. Air Force's F-22.

“When companies are run by the government, they have many more resources to conduct cyber espionage,” says Jeremy Demar, senior threat analyst at Damballa, an Atlanta-based solution provider. In the commercial sector, intellectual property and M&A information is the most coveted data, he says.

But, while the prime targets of cyber espionage are defense, aerospace and energy, all industries are at risk. Dual use (military and commercial) technologies are also among the most valuable. China is interested in energy companies and marine systems because the nation needs a deep-water navy with access to advanced materials. Pharmaceuticals are of interest because it is a fast-growing industry. If a foreign adversary cannot penetrate the network of its ultimate target, it will go after the suppliers, consultants, law firms and accounting firms that serve them.

A simple spear phishing attack can provide a path to cyber espionage. The email can appear to come from one of the trusted partners, exhibiting insider knowledge of the recipient and the company. Once the recipient opens the email, malware is installed on the network, and the actor has access to sensitive company data. Traditional defenses, such as anti-virus software, typically can't detect the intrusion.
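Because the lure described above relies on mail that appears to come from a trusted partner, a mail gateway can triage on sender identity rather than on malware signatures. The following is an added example, not part of the original article: the partner domains, the sample messages and the 0.9 similarity threshold are all constructed assumptions.

```python
import difflib
from email import message_from_string
from email.utils import parseaddr

# Constructed partner domains; a real list would come from vendor records.
TRUSTED_PARTNERS = {"acme-legal.example", "northwind-audit.example"}

def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def lookalike_of(domain):
    """Return the partner domain that `domain` closely resembles but is not."""
    for partner in TRUSTED_PARTNERS:
        ratio = difflib.SequenceMatcher(None, domain, partner).ratio()
        if domain != partner and ratio >= 0.9:  # assumed threshold
            return partner
    return None

def triage(raw_message):
    """Return the reasons a message needs review (empty list if none)."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    # Assumes this header was stamped by the organisation's own gateway.
    auth = (msg["Authentication-Results"] or "").lower()
    reasons = []
    imitated = lookalike_of(from_dom)
    if imitated:
        reasons.append(f"lookalike of partner {imitated}: {from_dom}")
    if from_dom in TRUSTED_PARTNERS and "dmarc=pass" not in auth:
        reasons.append(f"partner domain {from_dom} without DMARC pass")
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"Reply-To {reply_dom} differs from From {from_dom}")
    return reasons

# Constructed sample messages (not real traffic).
LEGIT = ("From: Dana Reyes <dana@acme-legal.example>\n"
         "Authentication-Results: mx.corp.example; spf=pass; dmarc=pass\n"
         "Subject: Q3 engagement letter\n\nDraft attached.\n")
SPOOFED = ("From: Dana Reyes <dana@acme-legal.example>\n"
           "Reply-To: dana@mailbox.example\n"
           "Authentication-Results: mx.corp.example; spf=fail; dmarc=fail\n"
           "Subject: Q3 engagement letter\n\nDraft attached.\n")
LOOKALIKE = ("From: Dana Reyes <dana@acrne-legal.example>\n"
             "Authentication-Results: mx.corp.example; spf=pass; dmarc=pass\n"
             "Subject: Q3 engagement letter\n\nDraft attached.\n")
```

The lookalike sample passes DMARC because the sender controls that domain, which is why the similarity check runs independently of the authentication result.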