In a historic turn, the U.S. government is asking for help in fighting an increasingly sophisticated cyber enemy, reports Deb Radcliff.
In an ironic twist, the director of the National Security Agency (NSA) and commander of United States Cyber Command (USCYBERCOMM) recently stood before thousands of hackers asking for their help. This was the scene in July at the 20th annual DefCon hacking conference in Las Vegas.
Relaxed in jeans and a black T-shirt, U.S. Army Gen. Keith Alexander told a rapt audience about an escalating cyber war now fully underway on multiple sectors and fronts. During his speech, he laid out a five-step process asking for the private sector's help on many levels, particularly emphasizing the need for organizations to instantaneously share their threat information with the Department of Homeland Security in order to spot larger, orchestrated attacks on the infrastructure. But, the talk was also ironic, given that the NSA has been outed as the agency behind Stuxnet – which caused collateral damage on unintended targets in multiple countries, while the United States provided no intel to system operators that may have needed protection.
“Power, water, manufacturing, chemical and gas companies are all over this,” says Don Fergus, chair of the IT Security Technology Council at the American Society of Industrial Security and senior vice president of services at infrastructure security company Patriot Technologies. “There are questions: ‘Was Stuxnet just a practice run?' ‘What will come next?' The recipe's been made. Stuxnet is out in the wild.”
As with Stuxnet, cyber war starts out ‘cold,' with the theft of information that can lead to larger-scale attacks. In that instance, information about targets (Siemens control systems at Iranian enrichment facilities) was collected in preparation for stage two and three of cold war – to disrupt and cause damage. The final stage is when attacks against the national infrastructure and military operations make it impossible for the target nation to respond to a physical assault.
Stuxnet is one of only a few cases of actual cyber warfare with intent to damage physical systems, says Martin Libicki, senior management scientist at the RAND Corp., a government advisory think tank. He says cyber war is different in many ways, and a lot of it depends on the vulnerabilities of the target and the organization's ability to respond.
“Cycle times are short for cyber attacks if the attacks are noticed early,” he says. “Often, it takes a long time between when espionage starts and when it is discovered.”
On the other hand, a good example of mitigation and containment through fast response time is the March 2011 exfiltration of RSA SecurID code. The attack had only been in the network for days when EMC's security team discovered the compromise and took action.
The attack started with reconnaissance and information gathering that led to a targeted spear phishing attack on an RSA-EMC employee who thought that, when he clicked a link, he was responding to a legitimate business partner.
RSA never directly attributed the attack to anyone in particular, but publicly stated that the attack had all the signs of a nation-state incursion. Its disclosure led many organizations to implement compensating controls recommended by RSA and replace existing tokens with new SecurID tokens.
“RSA is fortunate to have a good EMC [its parent company] Critical Incident Response Center,” says Eddie Schwartz (left), who took the role of RSA's CISO shortly after the breach announcement. “So RSA was able to catch the event quickly and move with an aggressive program to replace tokens where needed.”
Threats that affect more than one company can also lead to systemic improvements in entire vertical industries, such as what happened with Stuxnet. When the worm broke out of its bounds and spread from Iranian facilities to Indonesia, India, the United States and beyond, control system operators the world over began taking a close look at their networks, says Doug Powell, manager of security privacy and safety at BC Hydro in Canada, and chair of the critical infrastructure working group at ASIS, an organization for security professionals.
“We were all concerned about the unintended damage Stuxnet would cause once it propagated outside of the Iranian nuclear environment with respect to its targeting Siemens controllers,” he says. “So control system operators started checking their systems to see if they could be impacted.”
As a result of Stuxnet, vulnerabilities are being patched, awareness is being raised, and holistic changes are being made at infrastructure operators around the globe. For example, while BP Hydro had no such systems in place, they still used the experience to raise awareness, plug vulnerabilities, improve authentication and implement better management of its control systems.
Mitigating new threats
Further, while a number of experts consider Stuxnet a form of cyber war due to its destructive capacity, the cold war part of the Stuxnet attack began with reconnaissance and information gathering. Harry Sverdlove (left), chief technology officer of Bit9, a Waltham, Mass.-based company that offers advanced threat protection, points to the Duqu malware and the Flame virus to emphasize how intelligence gathering is most often used for cyber espionage purposes. Sverdlove was able to track pieces of Flame dating back to last October and realized it included components that predate Stuxnet.
Military data, patents, new paint formulas, negotiations contracts for the international Olympic committee – Sverdlove's research team has tracked a lot of this type of data leakage back to China, where the theft of IP is a common part of doing business.
And, while breaches threaten companies and result in unwelcome expenses, sorting out how to mitigate the challenge is still a work in progress. “Espionage – or the act of spying to gather others' intellectual property – is not illegal under international law, although it violates a host of domestic laws,” Robert Clark, operational attorney for U.S. Army Cyber Command, told the crowd at the Black Hat conference in July.
It may not be illegal by international standards, but espionage is expensive. According to a legal review of trade secret theft in the United States published in the Gonzaga Law Review in 2010, theft of trade secrets costs U.S. companies as much as $300 billion per year.
Unfortunately, domestic law is not so easy on those taking action against cyber cold war actors. “Say you're a systems administrator and at 2 a.m. your IPS goes off,” Clark says. “An examination reveals large volumes of intellectual property data transferring out to an FTP server. So to save your job, you VPN from your home computer to the FTP server, elevate privileges and remove the files. You've just violated several counts of the Computer Fraud and Abuse Act.”
Even tracking back an IP address can violate domestic espionage laws, as well as laws of armed conflict, he adds, citing the National Defense Authorization Act of 2011, which advocates using all means necessary to follow the law of armed conflict to prevent escalation to cyber war.
Yet, numerous tools today offer retaliatory measures that can obfuscate and befuddle attackers, track them back to their origination and even break into their servers depending on how these tools are configured by their users.
Some experts call this process “intrusion deception,” while others refer to it as creating a hostile environment for the enemy. “The point is to confuse the enemy and provide them with false information and create operations that waste their resources,” says Shawn Henry (left), former executive assistant director of the FBI and now president of CrowdStrike, a computer security start-up that provides this type of service for its clients.
But, before using any of these tools or tactics, the U.S. Army's Clark suggests consulting a lawyer knowledgeable in computer crime, trespass and espionage laws. He also points to the need to improve laws that inhibit the private sector from following forensic and track-back processes.
However, even if there were better laws on the side of the private sector, a key concern of taking action against attackers is escalation into all-out cyber war, says Righard Zwienenberg, senior research fellow at security company ESET. He was the lead analyst on ESET's discovery in May of the Medre.A worm targeting industrial systems in South America.
“We saw this huge spike in intellectual property leaking from Peru to a recipient account in China,” he says. “Tens of thousands of blueprints and AutoCAD [architectural] drawings were leaking to this recipient with a China-based email address. This was clearly an industrial espionage attack, but had the possibility to be state sponsored if there was a target in there, which would make the remaining infections collateral damage.”
At last report, ESET received “some confirmation” from the Chinese National Computer Virus Emergency Response Center that the email addresses used for relay would be shut down. There were 63 email accounts the data could have used to relay and there was only one final recipient address.
Center of operations: DHS
Along with diplomatic efforts, federal agencies have been working on a multi-sector approach to holistic response programs to protect against escalation and damage-causing cyber attacks.
“We can't pay as much as the private sector, but the DHS is a cool place to work,” says Mark Weatherford (left), deputy undersecretary for cyber security for the National Protection and Programs Directorate (NPPD), part of the DHS. “Give us three years out of college,” he says, “it'll look good on your résumé.”
The DHS, with a mission to protect defense networks, is being positioned as the central clearinghouse of information between federal agencies and the public sector. This arrangement would be different than the vertically oriented Information Sharing and Analysis Centers (ISACs) that primarily share data to their memberships of sector-related organizations.
With no technology that could to this today, and with privacy issues about the information being requested, it is no surprise that the White House-backed Cyber Security Act of 2012 failed so quickly in Congress last month. However, the writing is on the wall. Cyber war is upon us, and organizations need better means of protecting themselves and sharing threat information to protect the larger infrastructure.
Advice: From the front lines
As cold war escalates to more confrontational activities, experts offer advice:
Train, educate and raise awareness. With numerous efforts at primary, secondary and college level, federal agencies are asking for help raising awareness around these issues to all communities. “What's of utmost importance to us is training our military and civilian forces of cyber warriors,” says Gen. Keith Alexander, commander of USCYBERCOM and director of the NSA.
Close vulnerabilities. The biggest single tactic for preventing intrusions is to patch and manage vulnerabilities, says Martin Libicki, senior management scientist for the government think tank RAND Corp.
Build better prevention. At DefCon, Alexander also called for better tools to prevent attacks from occurring in the first place. Although there are legal issues to consider, some tools and techniques coming to market practice deception as a means to shuttle attackers to a secure zone, observe their behaviors and even track them to their origins.
Improve visibility. SIEMs and other tools are also being used to sort through increasing volumes of log, security, vulnerability and operational information to detect threats faster and take action with more accuracy. “If someone gains access to aerospace machinery information, time to shut them down is critical in beating the criminals to market with the new design,” says Eddie Schwartz, CISO of RSA.
Share attack and threat information in real-time. Federal agencies are clearly in need of more information to predict larger-scale attacks against the infrastructure and DoD networks. Currently, Carnegie Mellon's Computer Emergency Response Team (CERT) operates at this level, but not in real-time, and it's not free either. “Making this data actionable to different environments speaking different languages is where the challenge comes in,” says David Koretz, general manager of Mykenos Software. – DR