Nation-states are extricating intellectual property from U.S. government entities and private corporations, reports David Cotriss.
Espionage is a craft that has been practiced for thousands of years. It plagued the United States throughout the Cold War and provided audiences with dapper heroes and nefarious bad guys in a multitude of James Bond films.
But the digitalization of information offers an entirely new dimension to the practice of espionage. In cyber space, foreign actors can sit at a computer and glean huge amounts of information quickly, remotely and often with no consequences. The attacker can make it look like someone else is perpetrating the attack simply by altering a digital signature and disguising the data path. And, they can do this without detection for months or even years.
Most agree that companies that believe they are immune from cyber attacks are deluding themselves. Any organization with something of value is a potential target. Those with especially valuable information can sustain dozens of attacks each week, most of them successful. U.S. Army Gen. Keith Alexander, director of the National Security Agency and commander of the Pentagon’s United States Cyber Command, has called cyber crime “the greatest transfer of wealth in history.”
According to Phil Ferraro, VP and CISO at The Las Vegas Sands, a resort operating company based in Paradise, Nev., about one-third of foreign cyber espionage attacks emanate from China. The Department of Defense has characterized China as “the world’s most active and persistent perpetrator of economic espionage.” It is motivated by a desire to close the gap with Western countries in science and technology. Of the seven cases of cyber espionage prosecuted in the U.S. in 2010 under the Economic Espionage Act, six were linked to China. Russia, looking to modernize and diversify its economy, is right behind in the number of attacks, according to the National Intelligence Estimate, classified documents produced by 16 U.S. intelligence agencies for the Director of National Intelligence (DNI), an adviser to the president, the National Security Council and the Homeland Security Council on security issues.
Kelly Bissell, a principal at Deloitte, and the leader of its information and technology risk management and global incident practice, says the objective of nation-states is to learn what U.S. plans are and turn that information into a competitive advantage. As for China, he says it wants to skip over costly and time-consuming R&D and bring products to market using U.S. trade secrets, technology and IP. Because so many Chinese companies are state-owned, the government focuses heavily on economic espionage. But it also wants U.S. technology for military purposes. For instance, when China released pictures of its new stealth aircraft, the J-20, the plane looked similar to the U.S. Air Force’s F-22.
“When companies are run by the government, they have many more resources to conduct cyber espionage,” says Jeremy Demar, senior threat analyst at Damballa, an Atlanta-based solution provider. In the commercial sector, intellectual property and M&A information is the most coveted data, he says.
But, while the prime targets of cyber espionage are defense, aerospace and energy, all industries are at risk. Dual use (military and commercial) technologies are also among the most valuable. China is interested in energy companies and marine systems because the nation needs a deep-water navy with access to advanced materials. Pharmaceuticals are of interest because it is a fast-growing industry. If a foreign adversary cannot penetrate the network of its ultimate target, it will go after the suppliers, consultants, law firms and accounting firms that serve them.
A simple spear phishing attack can provide a path to cyber espionage. The email can appear to come from one of the trusted partners, exhibiting insider knowledge of the recipient and the company. Once the recipient opens the email, malware is installed on the network, and the actor has access to sensitive company data. Traditional defenses, such as anti-virus software, typically can’t detect the intrusion.
What’s at risk? National security, privacy of personal data and resilience of U.S. critical infrastructure, particularly information and communications technology (ICT) systems.
Cyber espionage disrupts normal business operations. It challenges the ability of U.S. companies to maintain a competitive advantage in the global marketplace. In fact, public utilities have been shown to be vulnerable to cyber attacks.
In dollar terms, the U.S. government characterizes the damage from economic espionage as “large but uncertain,” with estimates of losses ranging from $2 billion to $400 billion a year. Symantec estimates that industrial espionage costs U.S. businesses more than $250 billion each year. Others have calculated that cyber espionage costs the U.S. economy from 0.1 percent to 0.5 percent of gross domestic product.
In February, on the same day he gave the State of the Union address, President Obama issued an executive order aiming to improve cyber security for critical infrastructure. His document requires the secretary of defense to identify critical infrastructure “where a cyber security incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.” The order also directs government agencies to increase the sharing of cyber threat information with the private sector. However, the order does not require private firms to report cyber threats to the federal government.
The Department of Defense’s relationship with cleared defense contractors (CDCs) exemplifies difficulties in establishing an effective framework to improve the understanding of foreign cyber threats and promote threat awareness. Defense companies conduct $400 billion in business with the Pentagon each year and hold an enormous amount of government information and IP on their unclassified networks. Although CDCs are required to file reports of suspicious contacts indicating foreign threats to their personnel, information and technologies, only 10 percent of CDCs actually provide any sort of reporting.
The executive order also expands the Enhanced Cyber Security Services program that disseminates classified and other threat information to defense contractors and others with security clearances. The program replaces the Defense Industrial Base pilot program. However, the executive order is not a law and cannot mandate any agency action.
Also in the way of meaningful progress in this area: Cumbersome bureaucracy is at odds with the need for swift and decisive action. Bruce Brody, former CISO for both the federal Department of Energy and the Department of Veterans Affairs, takes a dim view of past efforts to combat cyber espionage. “We have not made it all that difficult for the foreign entity that wants to collect intelligence about us,” says Brody. “Our government systems are porous. We don’t have the right kind of legislative framework in place to make those systems as safe as they should be. We are our own worst enemy. Our systems have wide open doors.”
The legislation that was put in place in 2001 and 2002 was extremely weak, he adds, pointing out that the federal government spent a great deal of money doing the “wrong” things. “The Federal Information Security Management Act (FISMA) put in place a framework that measured the wrong things and in the wrong way,” Brody says. “No agency in the federal government was required to change its culture or made accountable, except on an emergency basis. Now we are doing more progressive, proactive processes. But we are way behind the offensive capabilities of our adversaries in our defenses.”
Brody goes further, suggesting that all executive bonuses be withheld until every system and network under the White House’s purview is declared secure. He believes that agency cultures have not been sufficiently disrupted to make this happen.
The people problem
Further compounding the problem is the fact that insider threats are a key element of cyber espionage. While some employees will provide information for money or because they seek revenge, citizens or individuals with an ethnic heritage can be recruited by foreign government to work as spies.
“In our universities that teach IT and IT security, you will find young foreign students from over 100 countries,” says Brody. “We are training them, and when they graduate and go back to their countries, they can be used in a cyber espionage role.”
Russia, China and Iran have people who have trained on American soil, he adds. They learn about tactics, techniques and procedures, and countries with state resources can take advantage of these skills. “And if U.S companies hire foreign nationals, their governments may approach these individuals to perform espionage,” Brody says. “Background checks are important.”
For example, a few years ago, a Chinese national product engineer at Ford Motor Co. was sent to prison for copying more than 4,000 corporate documents to an external hard drive and then giving the data to Chinese car company Beijing Automotive.
Even when a company knows an insider has stolen its sensitive information or that its computer networks have been penetrated, it may choose not to report the event to the FBI or other law enforcement agencies because of fear of lawsuits or reputation damage. This withholding of information prevents the United States from knowing how much economic espionage is accumulating. “In the past, it was thought that DoD and defense contractors were the only targets,” Ferraro says. “Now, publicly traded organizations have to report breaches [under Securies and Exchange Commission rules], and that has shown us that industries across the board are being targeted.”
While government agencies seek to learn the source of cyber espionage attacks, in addition to halting them, private companies too often show less concern for where an attack originated. Rather, they just want to sanitize their networks and get on with business. “Attribution is one of the most difficult things in cyber forensics,” says Ferraro. “It’s hard to find the original IP address.”
But, it would benefit companies to know the source of espionage because it would allow them to anticipate future attacks. For instance, The New York Times reported that it believed that an attack on its network that emanated from China was in retaliation for articles it published on the personal lives of Chinese leaders, leading the paper to expect more attacks if it continues to print such articles.
Supply chain issues
“The supply chain is the weakest link and the easiest to get to,” says Deloitte’s Bissell. “If a company is vigilant about protecting itself from cyber attacks, actors will go after their suppliers, as there is likely to be a weakness. Suppliers aren’t always as secure and don’t provide the appropriate level of control, especially the smaller ones.”
For instance, American automobile and aircraft manufacturers use thousands of foreign parts. The supply chain can easily be compromised. “If products are manufactured in other countries, there is little control over what is going into the product,” says Damballa’s Demar. A 2012 Senate Armed Services Committee investigation cited instances of suspect parts identified in U.S. military systems and accused China of being “the dominant source country for counterfeit electronic parts that are infiltrating the defense supply chain.” As well, counterfeit computer chips have been found in American fighter aircraft. Too, the Chinese stole a new radar system that the U.S. Navy spent billions of dollars to develop. China has also accused – and even arrested – individuals on charges they spied for the United States.
Bissell says that over the past five years, companies have been requiring more of suppliers in contracts – liability, auditability and accountability clauses. Deloitte has a dedicated team that reviews such contracts for large companies and this is taking up more and more of its time. However, it is expensive to dedicate the resources to actually monitor this.
In the private sector, the defense industry is the most advanced in terms of best practices, according to Brody. The costs of a breach within this sector could be the loss of government contracts. The Defense Security Information Exchange online portal accommodates sharing of attack information among security personnel without the government getting involved. Brody says the financial services industry also does a credible job of protecting networks, but the energy industry is weaker, with SCADA systems being at particular risk.
Andy Purdy, CSO of Huawei USA – whose parent company, Shenzhen, China-based Huawei Technologies, has itself been accused of tampering with the supply chain – says that companies have to watch for intentional insertion of malicious code in products. He recommends they identify best practices or standards within their industries to prevent and mitigate cyber espionage in a way that is financially reasonable. He also recommends that organizations conduct both internal and external audits. Third parties should be hired to perform penetration testing. Too, companies should periodically review employee’s compliance with security policies and practices. Further, he says companies would benefit from participating in public-private partnerships. ISACs (Information Sharing and Analysis Centers) are voluntary industry groups that do not share information with government agencies. They exist in IT, public transportation, financial services, higher education, state and local governments, and help members learn from cyber attacks.
If companies find that they have been breached, they need to immediately shut down the network and conduct a forensic exam, says Brody. The incident team has to find out what happened, while getting the operation of the company back up as soon as possible.
In addition, security experts recommend that companies learn which data is critical and which is not. They should then focus on protecting “the crown jewels,” rather than trying to shield everything.
However, state-sponsored malicious actors are too often competent at covering their tracks. According to Ferraro, the adversaries move laterally across the enterprise, collecting email addresses and passwords of everyone in the organization. Mitigation is expensive because it is time-consuming to shut down the entire network, sanitize it and bring it back in a clean state. Having a good incident response team is critical.
Ferraro recommends placing specific controls on data at rest and applying tools to prevent data leakage. Companies must be vigilant too about the insider threat, he adds, because this is a key element in cyber espionage. Foreign nationals or disgruntled employees can easily steal IP or trade secrets. Nation-states target these employees to exfiltrate information.
Meanwhile, Demar says too much attention is paid to host-based precautions, such as anti-virus and firewall protection. He recommends using “defense-in-depth,” multiple layers of security controls. He also suggests looking outside of traditional security measures and employing advanced threat detection.
Is the stigma gone?
At one time, no company that had been hacked would publicize the breach. These entities feared lawsuits, brand damage and an overall erosion of trust. The SEC now requires public companies that have suffered breaches to make that information publicly available. For example, when Chinese hackers attacked Google in 2009, the company was forthcoming about the event. In 2011, the International Monetary Fund, which holds sensitive economic information from countries around the world, announced that its network had been infiltrated. Even the federal government has disclosed agency attacks.
However, reputation damage is still a reason for companies to maintain a low profile when they have been breached. Stock values can be affected, and current and future contracts can be jeopardized, particularly government contracts.
Sometimes, companies are just embarrassed to admit they have been the victims of cyber attacks. But, with an increasing number of high-profile companies admitting it, the stigma may be fading.
Beyond Stuxnet: High stakes
Defending itself, China says it too is a victim of cyber espionage. And the United States has been cited as the creator of Stuxnet – targeting Iranian nuclear facilities – and Flame malware that attacks the Windows operating system. Flame spreads from one Windows machine to another by pretending to be a Microsoft Windows software update, using a forged Microsoft digital certificate. Some of the same code that was in the earliest version of Stuxnet has been found in Flame, according to Kaspersky Labs.
This malware has been deployed mainly in the Middle East, with governmental organizations in Egypt, Iran, Israel, Lebanon, Saudi Arabia and Syria the main targets. Flame can record audio, keyboard activity and capture network traffic.
Flame is very large – more than 20 megabytes in size – and intricate. There are more than 20 different modules that can be inserted to give the core program additional capabilities, such as using an infected computer’s camera and microphones to spy on occupants of a room, taking screenshots, turning on Bluetooth to spy on nearby cellphones, reading email and monitoring web traffic on infected machines. Flame can send the data gathered to command-and-control servers around the world. It has been operating at least since 2010, and possibly since 2007.