
Cyber espionage

A Cold War has emerged with adversaries on a new battlefield.

The new Cold War

Instead of traditional military assaults, today's adversaries hire code-writers to create attacks that can run autonomously for years, reports Stephen Lawton.

History books tell us that the Cold War ended in roughly 1991 after the dissolution of the Soviet Union. But today's security practitioners say the Cold War has simply morphed from a threat of armed conflict among major world powers into a battle of computer-savvy troops fighting from the comfort of offices. Instead of countries spending billions of dollars to create new weapons, supply massive armies and spend millions of dollars (or rubles, francs or yuan) fighting conventional attacks against political, economic, religious or commercial foes, today's adversaries hire code-writers to create attacks that can run autonomously for years with little or no human intervention. By repurposing code to spawn new attacks, the cost of cyber warfare can be a fraction of the cost of a conventional war.

While China and Russia generally are considered by industry experts to be the leaders in state-sponsored cyber attacks against the United States, they are not the only countries to have sophisticated espionage infrastructures in place, says Richard Bejtlich, chief security officer at Alexandria, Va.-based Mandiant. Other nations with sophisticated capabilities include North Korea, Iran, France, Israel and, of course, the United States. North Korea, Bejtlich says, primarily uses technology against its neighbor, South Korea, and to make political statements against the West, generally resulting in attacks against the United States. Iran primarily uses its cyber weaponry to suppress internal dissidents.

In the past, he says, U.S. politicians spoke in general terms about cyber attacks, choosing not to name those believed to be responsible. That all changed late last year when the Office of the National Counterintelligence Executive released a report, "Foreign Spies Stealing U.S. Economic Secrets in Cyberspace," which specifically identified China and Russia as key participants in cyber espionage. However, the report also said U.S. allies are actively involved. "Certain allies and other countries that enjoy broad access to U.S. government agencies and the private sector conduct economic espionage to acquire sensitive U.S. information and technologies," the report states. "Some of these states have advanced cyber capabilities."

It cited four factors that will shape the cyber environment over the next three to five years. These are:

- A technological shift, including the use of smartphones, laptops and other internet-connected devices;
- An economic shift that will change the way corporations, government agencies and other organizations share storage, computing, networking and application resources;
- A cultural shift in the U.S. workforce where younger employees begin to mix personal and professional activities; and
- A geopolitical shift as globalization of the supply chain and worker access will increase the ability for malicious individuals to compromise the integrity and security of computing devices.

Jared Carstensen, manager of enterprise risk services at Deloitte in Dublin, Ireland, likes to differentiate between cyber crime and cyber espionage because the end goals differ significantly. For an attack to be considered a cyber crime, he says, the adversary must be carrying it out for financial gain. This includes attacks designed to obtain credit card or bank data, or intellectual property, all for financial gain. Cyber espionage, meanwhile, is designed to disable or attack critical infrastructure. It often is performed for political purposes.

15 years in prison for Dongfan Chung, an engineer with Rockwell and Boeing, convicted of transferring data to China

www.scmagazine.com | Copyright 2012 Haymarket Media Inc.

Spying has been around since the dawn of man, Carstensen says. Early tribes spied on other tribes to learn where they found food. Today's spies also are looking for the same competitive advantage over their enemies and even their allies. In some countries, such as North Korea, students believed to have a propensity for math or technology are trained at an early age as cyber warriors. These academies provide the students with respectability and good pay. In China, for example, the Communist Party codified cyber warfare in 2010, and President Hu Jintao deemed cyber war a priority. Author and retired U.S. Marine Corps Lt. Col. William Hagestad says in an upcoming book that China bases its policies on "The Art of War," Sun Tzu's doctrine written around 500 B.C., one of whose tenets is: "Keep your friends close, but keep your enemies closer." China regularly denies such allegations.

"Typically, security comes at the price of convenience."
Erin Nealy Cox, managing director and deputy general counsel, Stroz Friedberg, LLC
In the United States, the military is also shifting its war strategy to further prioritize cyber efforts. The soldiers who pilot military drones over Pakistan and Afghanistan actually sit in control rooms at Creech Air Force Base in Nevada. After putting in their shift at work, they are able to go home to their families. This, Carstensen says, is not unlike cyber attackers who might work out of a hotel to conduct assaults and then go home. However, the level of expertise of foreign cyber attackers varies widely, from so-called script kiddies, who download exploit software that is available on the internet, to experienced computer engineers who have either religious or political reasons for staging actions. Some of these attacks are advanced persistent threats (APTs) that are designed to enter a computer system and perhaps sit dormant for a period of time. These sophisticated attackers aim to maintain their anonymity, he says, so the intrusions are designed not to be noticed. This tactic varies significantly from those of hacktivists, who attack websites with the expressed purpose of drawing attention to the site being breached. Some groups, such as Anonymous and LulzSec, have claimed credit for damage to sites they have compromised.

Unlike hacktivists, cyber spies are so concerned about flying under the radar that once they successfully enter a target system, they install security patches to ensure that other attackers are unable to access the system using the same vulnerability, says Daniel Teal, founder and chief technology officer of Austin, Texas-based CoreTrace and a former officer at the Air Force Information Warfare Center (AFIWC). By installing security and software patches, he says, the attacker will have the compromised systems all to themselves and will not have to worry about a sloppy rival alerting the IT manager that the system has been breached. The IT manager might actually see their network performance improve while the attacker ensures that others are unable to compromise the environment, Teal says. Because the attacker does not want to draw attention, they simply can leave a back door open so that the malware payload is not accidentally identified by the target network.

Toney Jennings, CEO of CoreTrace, adds that companies might have the equivalent of a cyber atomic bomb in the server that is not doing anything bad today. That bomb could be set off by an intruder at a later date, well after the initial breach took place. Additionally, he says companies purchasing mission-critical hardware should spot check the guts of the new systems, including all device drivers, for malicious code before putting them into production. Most hardware and software today is developed outside U.S. controls, so ensuring it is safe is a good business practice. "It's a valid bit of paranoia," Jennings says.

Underscoring this concern, an FBI presentation last year detailed how China had counterfeited Cisco Systems network routers, switches, gigabit interface converters and WAN interface cards. In total, the FBI said some 400 devices, worth an estimated $76 million, were seized. Among the purchasers of the fake equipment were the U.S. Naval Academy; U.S. Naval Air Warfare Center; U.S. Naval Undersea Warfare Center; U.S. Air Base at Spangdahlem, Germany; the Bonneville Power Administration; the General Services Administration; and defense contractor Raytheon. The FBI did not say if cyber espionage code was found on the devices.

Teal says he once discovered, by accident, a malicious device driver for a keyboard he purchased for his daughter's computer. The driver was sending personal information off his home network. He contacted the system manufacturer, Hewlett-Packard, and discovered that the kernel driver was written by a third party. Further investigations by Teal and HP determined that the manufacturer was sending data off the network simply to ensure an internet connection, a task that easily could have been accomplished by sending random data bits without using personal information.

Mandiant's Bejtlich emphasizes that despite the best intentions of CISOs and IT staffs, it is nearly impossible to keep a network of 1,000 or more endpoints safe from outside attacks. Even companies that are required by law or regulation to meet a certain level of compliance generally will have some systems that could be compromised. It's become almost impossible to have every system in the enterprise fully patched and have all software upgraded to the latest build, so as to be protected against every adversary, he says. When Bejtlich was the director of incident response at General Electric, the company had an estimated half million computers, and no shortage of defensive technologies and staff. Even still, he says, with the full resources of a sophisticated IT team and a corporate leader who recognized the need for IT security, he still was unable to maintain 100 percent effectiveness against intruders or persistent threats.

15 months in prison for Valspar chemist David Yen Lee for stealing company data he planned to use in a new job in China

10 reasons how China may be conducting cyber espionage

1. Planting information mines
2. Conducting information reconnaissance
3. Changing network data
4. Releasing information bombs
5. Dumping information garbage
6. Disseminating propaganda
7. Applying information deception
8. Releasing clone information
9. Organizing information defense
10. Establishing network spy stations

Source: Cyber War: The Next Threat to National Security and What to Do About It, Richard A. Clarke, HarperCollins, 2010

And now, mobile devices and cloud

Today, Bejtlich says, it is even more challenging, as IT staffs need to address not only the needs of a company's primary computer systems, but also non-standard systems, such as smartphones and other mobile devices. While cyber espionage is normally thought of as an attack against a large computer system, many corporate executives and engineers have confidential data on their devices that might be useful to attackers. The use of these machines, which carry their own various risk profiles, complicates the security staff's ability to protect critical data. Standardizing on cloud storage or applications does not necessarily improve a company's defensive position, Bejtlich adds. Citing China's attacks on Google's servers two years ago, he says persistent state- or private-sponsored attackers will go after data, regardless of what platform and security enhancements are in place. Companies that believe that they are too small or insignificant to be targeted are wrong, and do not necessarily understand how and why attacks work, says Erin Nealy Cox, managing director and deputy general counsel at Stroz Friedberg, LLC and a former federal prosecutor and assistant U.S. attorney. While technology firms are obvious targets for attackers after intellectual property, small companies could be viewed as stepping stones.

25 billion smartphones and laptops in operation worldwide by 2015 (Cisco Systems)

"If you have a malicious insider, you can have the best controls in the world and you won't stop the espionage."
Jared Carstensen, manager of enterprise risk services at Deloitte
Cox says security education is essential in companies of all sizes. Large organizations with established policies and procedures need to educate their employees on a regular basis not only about good computing practices, but also about data and office security policies. For example, she says employees need to be reminded not to insert thumb drives they find in the parking lot, or those handed to them at a trade show, into a company computer. Such devices could be plants with malware on them. Often, she says, spear phishing attacks are successful because users click on a link or attachment that appears to be valid. Typically, she says, security comes at the price of convenience.

Even data security companies can fall prey to sophisticated attacks, she says. Within the past year there have been several online raids on companies that specialize in data security. The reasons for the success vary, she says, but it generally falls into the category of an exploit where someone was not paying attention to details. It might have been faulty website code or a misconfigured network, but generally these are vulnerabilities that could have been caught.

Scott Crawford, research director for security and risk management at Enterprise Management Associates, agrees that companies of all sizes could be targets. While smaller entities might not provide the breadth of information that a multinational corporation might offer, they still could have secrets worth stealing, he says. If it costs $50 million to develop a product, but only $2 million to steal it, some will opt for the less costly approach. This is particularly true for emerging nations that might have technical resources, but are not necessarily competitive enough to develop their own intellectual property. Crawford views this kind of cyber theft, be it from a state-sponsored or industrial source, to be similar to espionage conducted during the Cold War. There could be value in stealing information, he says, but you don't want to kill the market. One purpose for this type of espionage is to build a country's or company's own ability to compete against existing players in the field.

It's all about managing a company's or a country's risk, Crawford says. Some organizations look for fast fixes to potential weaknesses without fully understanding their risk profile or the impact of their actions. A layered approach to security, one that includes both perimeter and internal defenses, is necessary. Often, Crawford says, problems occur when guidance or regulations do not match the threat. The Payment Card Industry Data Security Standard (PCI DSS) is prescriptive and specifies to security officers how to maintain compliance, but compliance is only a point in time, he says. A company's compliance can be passé or irrelevant immediately after passing the audit. In other cases, some states have laws that leave privacy adherence to the individual organization. If privacy is breached, then the state looks to see if the company lived up to its own standards. The challenge, Crawford says, is that in some cases, one might have privacy laws that are enforceable, but are not realistic for the companies or the data they protect. In other cases, one might have laws that are realistic, but not enforceable.

It all comes down to the human element, says Deloitte's Carstensen. If you have a malicious insider, you can have the best controls in the world and you won't stop the espionage. Companies defending against cyber attacks need to put a major emphasis on staffing. Not only is it important to ensure that new hires in all departments understand corporate security, but companies need to make sure they can recognize the signs of a disgruntled employee so they can act before an insider becomes a security threat.

$71 billion per year lost from German companies due to foreign economic espionage (German government report)

Sanctioning cyber espionage

Cyber espionage is not a one-way street with all attacks incoming to the United States. In March 2000, James Woolsey, five years removed from his service as director of the CIA, spoke at the State Department's Foreign Press Center and defended the use of cyber espionage by the United States government. In that talk, he said the federal government uses spying to ensure foreign governments are not violating economic sanctions. He also said it was necessary for the government to monitor dual-use technologies to ensure that they are being used appropriately and not to build weapons of mass destruction.

Cyber espionage can also fight corporate bribery abroad and ensure that American companies are not violating the Foreign Corrupt Practices Act, a law that forbids U.S. companies from bribing foreign companies or officials to gain benefit and contracts. "I hope that the United States government continues to spy on bribery," Woolsey says.

During the second Gulf War in Iraq, cell phones used by senior officers of the Iraqi military went silent just prior to the U.S. invasion, says CoreTrace's Teal. As the U.S. troops began to move into Iraq, operatives called the wives of Iraqi generals at their homes, telling them to tell their husbands to surrender to the U.S. forces. While this kind of action is hardly on par with a cyber attack that is designed to damage a country's infrastructure, it did demonstrate the psychological effect it can have, Teal says. As in traditional warfare, cyber attacks can be used as a ruse to distract an enemy. Cyber espionage experts like to work in the darkness, but it is not unlikely that they use hacktivist tactics as subterfuge, he says. Using a blatant, highly visible attack on a high-profile target might simply be a misdirection in order to pinpoint someone else. As it was in the Cold War, the United States is probably as active as any other nation in terms of cyber espionage, Teal says. "If we weren't, it would be irresponsible."

For more information about ebooks from SC Magazine, please contact Illena Armstrong, editor-in-chief, at illena.armstrong@haymarketmedia.com.

86% of large Canadian enterprises hit by cyber espionage in 2010 (Canadian government report)


Sponsors

Thawte is a leading global Certification Authority. Our SSL and code signing digital certificates are used globally to secure servers, provide data encryption, authenticate users, protect privacy and assure online identities through stringent authentication and verification processes. Our SSL certificates include Wildcard SSL Certificates, SAN/UC Certificates, SGC SuperCerts and Extended Validation SSL Certificates. For more information, www.thawte.com.

VeriSign is the trusted provider of internet infrastructure services for the networked world. Billions of times each day, VeriSign helps companies and consumers all over the world connect between the dots. Additional news and information about the company is available at www.verisigninc.com.

Masthead

EDITORIAL
VP, editorial director: Illena Armstrong, illena.armstrong@haymarketmedia.com
Executive editor: Dan Kaplan, dan.kaplan@haymarketmedia.com
Managing editor: Greg Masters, greg.masters@haymarketmedia.com

DESIGN AND PRODUCTION
Art director: Brian Jackson, brian.jackson@haymarketmedia.com
Senior production: Krassi Varbanov, krassi.varbanov@haymarketmedia.com

U.S. SALES
VP, sales director: David Steifman, (646) 638-6008, david.steifman@haymarketmedia.com
Eastern region sales manager: Mike Shemesh, (646) 638-6016, mike.shemesh@haymarketmedia.com
Western region sales manager: Matthew Allington, (415) 346-6460, matthew.allington@haymarketmedia.com
Account executive: Dennis Koster, (646) 638-6019, dennis.koster@haymarketmedia.com
Sales/editorial assistant: Roo Howar, (646) 638-6104, roo.howar@haymarketmedia.com