Locking Private Sector Shields Against Cyber Attacks

From: Security Debrief, a joint project of Adfero Group and George Washington University’s Homeland Security Policy Institute

by Justin Hienz

Information travels through America’s cyber networks at the speed of light. The legislation that will be used to govern some aspects of network security is traveling at the speed of bureaucracy. The Senate has been debating two cybersecurity bills that will impact U.S. cybersecurity standards, and the issue might be brought to a floor debate in July. Meanwhile, hackers are enjoying a leisurely stroll through America’s digital world, perusing intellectual property, critical infrastructure and defense technology.

To be sure, it’s not just inaction in Washington that is allowing this to happen. Often, poor choices in online activity expose critical aspects of national security and technological innovation, and cyber criminals around the world are making off with competitive advantages America has worked hard to create.

Whatever Congress eventually decides, the onus is on U.S. citizens and businesses to step up their individual security efforts. That means being educated about cyber threats and taking proactive steps to stop them. Make no mistake – the United States is under constant cyber attack, not just to penetrate sensitive government networks, but to access business secrets, personal credentials and a litany of other data that can be sold to America’s competitors or manipulated to cause damage to the country. All Americans are responsible for the country’s cybersecurity.

I spoke with fellow Security Debrief contributor Steve Bucci to identify some of the important steps citizens and businesses can take to improve our country’s cyber readiness. His insights are included in my two-part article on the cyber threat to America, published on Defense Media Network.

A final note, to the skeptics: Some in the media and the public have said the cyber threat to America is being exaggerated. Since writing this two-part article (excerpt below), more than one person has commented, “you’re being paranoid,” or “hackers don’t care about me,” or even “you can’t prove all these hackers are in China.” That is exactly the kind of mentality that is allowing people from all over the world (many in China) to step right into our national databases and take whatever they want. The threat is severe; hackers are directly targeting our businesses and personal information; and the buck stops with you – with all of us. We have the capability to prevent this unparalleled theft of intellectual property, but we have to recognize our individual obligation to defend our collective security.

Chinese Cyber Attacks Are Looting U.S. Private Sector

‘Death by 1,000 Hacks’ – Part 1

For centuries, there was a form of execution in China where a condemned person was methodically and slowly cut with a knife until their eventual death. The Chinese word for that torture is Ling Chi, which translates to “Death by 1,000 cuts.” China invented it. Today, U.S. businesses are suffering similar abuse through cyber attacks originating in the People’s Republic.

Thousands of U.S. businesses are routinely penetrated by cyber criminals who make off with proprietary information and sensitive data. There are several culprits in the cyber onslaught against U.S. business, but hackers in China are the most prolific and present the most urgent need for action. At least one expert has said that all major U.S. companies have had their networks penetrated at some point by hackers in China.

If this criminal enterprise and espionage were conducted in person rather than via a computer, citizens and businesses might better understand what is happening to the United States in the cyber realm. The private sector is being robbed of intellectual property and spied on by America’s biggest competitors.

Imagine lines of industrial and corporate spies walking unfettered out of U.S. businesses, pilfered company secrets in hand. This is no different than what hackers are doing digitally at an increasing rate. With viruses, phishing e-mails and other tactics, hackers access detailed R&D and business data. The U.S. private sector is facing thousands of cuts that are slashing away the competitive advantages hard-earned through American innovation.

Daggers are Already Drawn

There is unfortunately a good deal of public uncertainty about the severity of the cyber threat. Hacktivist groups (like Anonymous), while capable and often discussed in the media, are somewhat less interested in capitalizing on corporate and industrial secrets. Chinese hackers, however, are focused on stealing profitable business data, and they operate within a country aggressively pursuing a strategic policy of catching up with the United States and other Western nations, particularly in terms of technological capabilities. Begun in 1986, Beijing’s Project 863 gives funding and guidance to “clandestinely acquire U.S. technology and sensitive economic information,” according to a report from the National Counterintelligence Executive’s Office. Chinese hackers fit perfectly within this state objective.

There seems to be an obvious link between China’s national strategic and economic goals and the relentless cyber attacks originating in the country. Tracing an attack to an exact country and machine is difficult; however, ongoing analysis and strong circumstantial evidence (coupled with several confirmed attacks) show a clear, deliberate, and focused effort on the part of Chinese hackers to penetrate U.S. businesses and government networks. And the specter of Chinese industry and government looms in the shadows behind many of these attacks. Some examples:

  • In February this year, representatives from Huawei Technologies Co. Ltd. spoke at a security and intelligence conference in Dubai, discussing how the company used a technology called Deep Packet Insertion (DPI) to hack into U.S. and other telecommunications networks, intercepting “malicious” data. Huawei – suspected to have ties to the Chinese army and government – operates in 140 countries and is the second-largest supplier of mobile telecommunications infrastructure equipment in the world. Huawei equipment can mirror (aka, intercept) any and all data they transfer.
  • In 2011, an employee of RSA Security clicked on a phishing e-mail and downloaded an attached spreadsheet. This allowed hackers – later traced to China – to breach RSA’s networks. RSA security products are used by the White House, the CIA, the NSA, the Pentagon, DHS, defense contractors (like Lockheed Martin and Northrop Grumman), and Fortune 500 corporations.
  • NASA testified to Congress that in 2011, hackers using Chinese IP addresses gained full system access to the agency’s Jet Propulsion Laboratory with the ability to modify, copy, and delete files, upload hacking tools, and steal 150 employees’ personal credentials.
  • In 2009, Chinese hackers exploited Internet Explorer vulnerabilities to penetrate Google’s source code. McAfee Labs determined the goal was to access and modify source code repositories at technology, security and defense companies. The hackers also stole some of Google’s intellectual property. The attacks were highly sophisticated, and a diplomatic cable from the American Embassy in Beijing (later revealed via WikiLeaks) noted a Chinese source, who said China’s Politburo directed the attack.
  • Beginning in November 2009, a wave of attacks originating in China targeted international oil, energy and petrochemical companies, using phishing e-mails, vulnerabilities in Microsoft Windows, remote administration tools (RATs) and other methods. The attacks targeted “sensitive competitive proprietary operations and project-financing information with regard to oil and gas field bids and operations,” according to a McAfee report.
  • Beginning in 2006, specific targets began receiving phishing e-mails that included a link to a Web page that loaded a RAT onto the user’s computer. This gave automatic, live computer access to a hacker, who could then penetrate the user’s network and steal data. The RAT e-mail reached more than 100 high-profile targets, including a U.S. Department of Energy laboratory, a U.S. real-estate company, four U.S. defense firms, and U.S. state and county government organizations, as well as companies and government agencies throughout the world. The RAT did not target any organization in China, and most (if not all) of the targets held data in which the People’s Republic has interest. McAfee said the operation was “an unprecedented transfer of wealth in the form of trade secrets and I.P., primarily from Western organizations and companies.”

These breaches threaten national security and business competitive advantages, and they are but a handful of examples among many other cases that have been found and reported. There are more hacker penetrations, however, that even now are unknown, leaking sensitive and proprietary data like a sieve.

“There are only two types of companies,” Dmitri Alperovitch of McAfee told Vanity Fair. “Those that know they’ve been compromised and those that don’t know. If you have anything that may be valuable to a competitor, you will be targeted, and almost certainly compromised.”

Hackers in China work independently or in loose groups. U.S. intelligence agencies report there are at least 17 China-based cyber espionage operations. Hacking in China is a profitable (albeit technically illegal) endeavor, with corporate and probably government customers paying handsomely for stolen data on U.S. technologies. Though Beijing did toughen hacking laws and punishments last year, enforcement is weak. There are other hackers working within the People’s Liberation Army who focus on securing business and defense intelligence, and still other groups operating more fully under government direction. All of these hacking elements in China can and in many cases have struck U.S. targets. If that smacks of a conspiracy for the country and its businesses to illegally secure U.S. trade and state secrets, it’s because it basically is.

Taken in full, the focused effort to steal U.S. private sector intellectual capital is blatant. The advantage for the hackers is direct profit; for Chinese and other corporations (in which the government often holds a stake), buying stolen data is far cheaper and faster than going through the laborious process of creating and advancing technological innovation. It feeds the country’s strategic goals of rapidly acquiring its competitors’ technologies, but the stolen information necessarily decays the technological and product advantages U.S. businesses worked hard to create.

The Senate is debating legislation that will set some standards for private sector cybersecurity, but businesses should not wait for a gridlocked Congress to mandate how to mitigate cyber threats. It is in the private sector’s best interest to be proactive. There are a number of steps business leaders and their employees can take independently that will go a long way toward stemming the flow of stolen information. The larger challenge is committing to a consistent, widespread effort and recognizing that cyber complacency is slowly killing the U.S. private sector’s competitive advantages.

Locking Private Sector Shields Against Cyber Attacks

‘Death by 1,000 Hacks’ – Part 2

There is a severe and growing cyber threat to the U.S. private sector, stemming largely from hackers in China. Part 1 of this article revealed how the ongoing hacking of U.S. business networks is robbing America of its hard-earned intellectual property and innovation. The attacks are lining hackers’ pockets and allowing Chinese corporations and the government to quickly and illegally catch up to U.S. technological capabilities. This needs to end, and to achieve it, all U.S. businesses need to get serious about cybersecurity.

While cyber threats can be technologically sophisticated, there are some basic approaches all companies can take to elevate their security posture. Dr. Steven Bucci is a senior research fellow for defense and homeland security at the Heritage Foundation, previously working as a cybersecurity consultant to IBM. (He also has had a distinguished military career, including service in special operations forces, and was a civilian appointee to a deputy assistant secretary of defense.)

Given the onslaught of cyber attacks on American businesses, Bucci noted important steps for elevating private sector cybersecurity. One, he said, is awareness and education, and this goes beyond a “one-pager on threats or once-a-year cyber training.”

“I could go to almost any company in America and the majority of the employees would not be able to articulate the threat their company is under,” he said, adding that despite company security policies, threatening programs are still found throughout business networks.

“This means something is wanting in their programs – if not in substance, then in execution,” he said. “Businesses need dynamic education that changes with the changing threat.”

Employees must know what to look for when deciding if an e-mail, link or website poses a threat. Updating software, attending to computer security notices, being selective in surfing the Internet, and approaching unfamiliar communications with caution are things every employee can and should do. Many of the attacks noted above originated with one poor choice that compromised the entire network. With up-to-date knowledge and training, these errors can be avoided.

The execution of cyber policies and programs must be matched with company leadership that makes the needed investments in technology and training, said Bucci. There are security programs that protect networks and human resources that can actively guard the company data. These are important investments. Business leaders need to understand the threats, follow their own security best practices and ensure they are enforced throughout the organization.

“The next thing the private sector should do is be a good partner to the public sector, particularly law enforcement,” said Bucci. “When a business does get hit with something, they need to report it and let forensics come in and figure out how they did it, fix it and get the word out to other companies so they don’t get hit as well.”

Companies are worried about customer and investor confidence, as well as public image, and so sometimes sweep cyber attacks under the corporate rug. But this only perpetuates the illusion that businesses are not under frequent assault, ultimately causing more damage to the company because the existing vulnerability is not resolved.

“Way too many companies have their IT people – those who run the networks – separate from their security people,” said Bucci. “If they have a security breach that causes an attack on the network, the IT guys are running 100 mph to get it fixed and get the network back up. Meanwhile, forensics show up, and there’s no crime scene anymore.”

Bucci said there have been many examples like this where even after an attack, the company is as vulnerable as the day before. The absence of evidence prohibits forensics from analyzing how the penetration occurred.

Despite some U.S. private sector cybersecurity efforts, many businesses have been lax in recognizing and addressing the threats. To be sure, Congress is going to regulate cybersecurity standards. The questions being debated in Washington regard what shape those mandates will take.

“For a long time, everyone said, ‘just let the marketplace deal with it,’ and there are a lot of folks who have concluded the marketplace has failed in that regard, so we must do something,” said Bucci. “Anyone in business who thinks there’s not going to be some government regulation is crazy. It will happen, but we hope it happens in a way that doesn’t kill the goose that laid the golden egg.”

There are two pending cybersecurity bills that could come to a Senate floor debate in July. The Cybersecurity Act of 2012 (S. 2105) would give DHS authority for certain network security standards; the SECURE IT Act (S. 2151) focuses on information sharing and would give the intelligence community the lead.

“I am concerned that a regulatory solution might end badly,” said Bucci. “DHS is not a regulatory agency, but it seems to be the prime candidate to write and enforce the regulations. Given their lack of experience in an area like this, that could be problematic. Also, regulations do tend to be slow and static, which is the exact opposite of the pace in cyber, which is fast and highly dynamic.”

To explain the potential regulatory approaches, Bucci used an analogy to military maps, with arrows noting how a field attack presses forward. One is a line of advance (a stick arrow) that defines exactly how the subordinate proceeds. The other is a direction of advance (“a big fat arrow”), and the subordinate can advance anywhere within the broader area.

Regarding private sector cyber regulation, Bucci said: “We have to give them the general direction and the end point. But Congress also needs to give some degree of flexibility in how businesses get there, some room to make it fit into their system. With cyber, there are a lot of ways to address these problems. That’s the kind of guidance the government should give.”

A Collective National Imperative

No matter what regulation is ultimately handed down, the onus of meeting the rules will remain with the employees and business leaders working within their company network. Their day-to-day decisions play a significant role in maintaining the integrity of their company data security. The Internet has brought myriad advantages and opportunities for the private sector, but it has also put proprietary information in the crosshairs of unceasing and clever adversaries.

Effective homeland security demands widespread public participation. It is not sufficient to assume government agencies can prevent the escalating cyber threat to U.S. businesses on their own. The 21st century American workforce is on the front line of a tough cyber battle. Governments can write regulations and work to define international cyber laws; intelligence, law enforcement, and other security agencies can trace attacks and return the insult; but every citizen, employee, and business leader must understand their central role in protecting information, national security, and America’s economic potential.

Individuals and organizations in China (and elsewhere) are using digital capabilities to steal unearned advantages. The massive damage being done to American businesses is perhaps less glaring because it comes in smaller (sometimes unnoticed) cuts rather than in one fell swoop. But the competition for economic and global leadership began decades ago, and the contenders evidently have no qualms about cheating and stealing to catch up.

American business: Hackers in China are targeting you; they and their supporters (both governmental and corporate) want to steal what you have worked hard to build. The evidence for this and the ramifications of inaction are easy to find and study. All of us – from the smartphone user to the CEO – need to wake up, fast. The thieves are already inside the gates, and if we don’t start holding the line, they are going to cut our private sector and national security to pieces.
