Each day, millions of suspicious activities are directed at Northrop Grumman’s cyber-perimeter — a collection of firewalls, access lists and antivirus software. Most of these potential intrusions never penetrate the virtual border.
But some do.
U.S. government and defense-industry networks face a relentless onslaught from cyber-spies who seek some of the nation’s most heavily guarded secrets: the technical specifications of U.S. weapons systems. As of 2007, hackers had stolen at least 10 terabytes of sensitive data from Defense Department networks, according to an Air Force estimate.
Experts believe these hackers work for foreign governments — a suspicion that’s easily assumed but nearly impossible to prove.
A report released in October by the U.S.-China Economic and Security Review Commission describes an unseen cyber-war in which hackers — most of whom appear to reside in China — constantly bombard U.S. agencies and defense contractors with malicious software designed to steal data only a nation-state would want. They seek defense-engineering specifications, military operational information and U.S.-China policy documents, according to the report, which was prepared by Northrop Grumman.
“The depth of resources necessary to sustain the scope of computer network exploitation targeting the U.S. and many countries around the world … is beyond the capabilities or profile of virtually all organized cyber-criminal enterprises and is difficult at best without some type of state-sponsorship,” the report says.
Conversations with industry leaders, analysts and government officials reveal a cyber-security infrastructure that’s plagued by vulnerabilities, personnel shortages and an enemy with little to lose.
Moreover, individual government agencies and private companies are tasked with defending against these near-constant and ever-changing threats — a sharp contrast from other national-security operations, which rest firmly in the hands of the federal government.
And unlike the Cold War era, when foreign spies risked their lives to infiltrate U.S. agencies, the cyber-spies of today can wreak havoc without ever leaving their living rooms. Hackers can hide their whereabouts and may have loose connections to the governments that condone their attacks.
“Law-enforcement guys all over the globe — I’m sure — are trying to track down these cyber-criminals,” said Greg Rattray, a security advisor at the Internet Corporation for Assigned Names and Numbers and a former cyber-security official under the Bush administration. “But we’ve created an ecosystem where attribution is very hard.”
Greg Schaffer, the Department of Homeland Security’s assistant secretary for cyber-security and communications, said that in recent years the threat has become stealthier, better organized and more harmful. “Cyber-security, like all security, is an exercise in risk management,” Schaffer said. “It’s about assessing the value of what’s at stake and the cost of protecting it.”
For Schaffer, the government’s most pressing challenge is hiring enough specialists to protect its online infrastructure. DHS, which defends many federal-government networks, announced in October it plans to hire an additional 1,000 cyber-security employees over the next three years. Its cyber-security division, which until this year had a staff of fewer than 50, will grow to 260 workers by next September.
But the federal government is unable to match private-sector salaries for a highly skilled job that grows more valuable to employers every year. Also, the federal government’s security-clearance process can drag on for months, a high price to pay for a potential employee who could have spent that time in a private-sector job.
“We know that our internal processes to get people on board once they are selected can take a long time, and we are focused aggressively on shortening that amount of time while making sure we continue to maintain an appropriate process for vetting people,” said Schaffer, who noted that DHS officials are seeking the authority to increase the salaries of government cyber-workers.
“There is no question that the people we have would, on any given Tuesday, be able to step outside and get a higher paying job in the private sector doing similar work,” he added. “They are dedicated individuals who are supportive of a mission that they recognize is critical to the country.”
Timothy S. McKnight, Northrop Grumman’s chief information security officer, is skeptical of DHS’ plan to hire 1,000 people. “Where are you going to get them?” McKnight said. “We’re not producing that many cyber-workers as a nation.”
China, on the other hand, has been recruiting its own cyber-militia, a group of academics and industry professionals who can carry out offensive and defensive measures, according to the U.S.-China report.
“The [People’s Liberation Army] is reaching out across a wide swath of [the] Chinese civilian sector to meet the intensive personnel requirements necessary to support its burgeoning [information warfare] capabilities,” the report states. The PLA is “incorporating people with specialized skills from commercial industry, academia, and possibly select elements of China’s hacker community.”
McKnight recently oversaw the development of Northrop Grumman’s Cyber Security Operations Center, a 6,300-square-foot Maryland facility that opened in July. Analysts there examine millions of cyberevents each day. The center provides network security for the company’s 10,000 Internet servers, along with several of its clients’ servers. It employs nearly 50 workers.
Northrop Grumman also operates a cyber-facility for the government that is off-limits to the public.
“For the vast majority of cyberattacks that go on, the public is never made aware,” said analyst Rafal Rohozinski, whose organization, Information Warfare Monitor, released a report in March that details a China-based cyberespionage scheme called GhostNet that had infected at least 1,295 computers in 103 countries. Chinese officials have vehemently denied taking part in this or other cyberespionage activities.
“The extent to which these things are now penetrating corporate and government networks has not been determined,” Rohozinski said. “I think that in many cases, even within an organization, the full risk and liability that come with cyberattacks are never made known because it’s difficult for technical people to express properly these issues to senior management or policymakers.”
Since 1991, the federal government and the private sector have had an official venue for sharing data on incidents that affect their networks: the Network Security Information Exchange. Companies send the government information on intrusions, and the government distributes that information to members, so they can better protect themselves from such attacks.
But by the time the federal government releases the reports, it’s often too late. Two years ago, defense-industry firms formed a second alliance, the Defense Security Information Exchange. They send each other immediate data on cyberattacks.
“What’s happening to Lockheed Martin today may happen to us by the end of the week,” said Bill Russell, a manager at Northrop Grumman’s cyber-security center. “We’ve found that we get just as good quality information from our competitors as we are providing to them.”
Northrop Grumman’s analysts recreated a recent cyberattack in a demonstration for National Defense. Roughly 40 such attacks penetrate the company’s networks each year.
The attempted intrusion began with a tactic called spear phishing, which is when hackers target specific people in an organization. The email in question, which had made it past the company’s first lines of defense, claimed to be from a reporter, and it was sent to employees who regularly deal with members of the news media.
The email caught the attention of the analysts — who spend their days scanning dizzying lines of code, looking for anomalies, such as large data transfers, suspicious email attachments and files that communicate with outside servers. The analysts opened the email’s attachment in a closed network that they created as a way to examine potentially malicious files without putting company data at risk.
“If you construct an environment where an adversary can operate and you do so safely, you can learn more about the adversary,” Russell said.
The file — a gibberish-filled document — opened, closed and then opened again. Meanwhile, network-security software indicated to the analysts that it was communicating with an outside server. A hacker on the receiving end of that communication could have used infected computers for a number of damaging purposes, and most likely would have tried to steal company information. But the analysts quickly disabled outgoing web traffic to the hacker’s server for all of the company’s 105,000 computer accounts. Within 10 minutes, the attack was thwarted.
Similar attacks have had more success.
The U.S.-China report details an event that occurred several years ago at an unidentified company. Attackers — who originated from or came through China — penetrated the company’s network-security system and stole “significant volumes of data.” The attack targeted specific files, required months of planning and involved a team of highly skilled hackers working in shifts.
“They did not open any files to review the content prior to exfiltration, suggesting they already knew the contents or at minimum the file names of the data they were tasked with stealing,” the report says. “The type and specificity of data stolen in this case also suggests that the end users were already identified and that they likely had deep science and technology resources at their disposal to make use of the stolen information.”
McKnight declined to say whether such an attack has ever succeeded against Northrop Grumman. He conceded, however, that protecting networks is a fluid process that evolves at a slower pace than the threat itself. “We’re never going to have bulletproof software,” he said. “It’s really risk management, and obviously we’re at the high end of that risk because of what we do.”
McKnight, a former special agent with the Federal Bureau of Investigation, said that preventing malicious software from infecting machines is only half the battle. Government agencies and companies face another threat: the machines themselves. Many of the computers and software used in offices across the United States are manufactured abroad, often in China. There are few options for ensuring that the products haven’t been compromised.
“What’s in the code that we’re buying off the shelf is a major issue for Defense Department customers,” McKnight said. “If you want to subvert the supply chain, you don’t need to target Northrop Grumman. You just need to target someone smaller down the supply chain.”
Microsoft Corp., which produces some of the world’s most widely used software, develops many of its products in China. Several cyber-security analysts contacted by National Defense expressed concern that the company’s million of lines of software code could have been embedded with viruses by rogue programmers. This would be difficult to detect, because of the sheer volume of coding in Microsoft’s products, the analysts said.
A Microsoft spokesman declined to comment on the company’s security procedures and instead referred to company guidelines that say its code must undergo a thorough security-scanning process.
“I think more and more customers will start demanding that technology companies go back and review their code,” McKnight said. “Whether cost will bear on that equation, we’ll find out.”
McKnight said Northrop Grumman contracts for products and services with about 16,000 companies, and that it’s difficult to ensure that all of them uphold high standards of security during the manufacturing process.
A Rand Corp. report released in October discussed this threat. “Many in the defense community worry that China’s growing presence in component manufacturing provides it plenty of opportunities for mischief,” the report states. “Unless and until purchasers get access to all the code in the electronics they buy, a supply-chain attack is difficult to defend against.”
The report noted, however, that such an attack would be detrimental to the Chinese economy, because countries likely would boycott Chinese products until security issues were resolved.
The Defense Department’s more than 5 million computers have — or soon will have — a software-security package developed by McAfee, a California-based company. The package acts as a last line of defense against external threats and as a first line of defense against hardware threats. The package scans for specific malicious files and also for behaviors that would indicate the presence of malware.
Schaffer said DHS is preparing for the third installment in a series of exercises, called Cyber Storm, that test the nation’s ability to recover from a massive cyberattack. The first exercise, which took place in February 2006, simulated an effort by hackers to disable the Internet. The second exercise, which took place in March 2008, simulated an attempt to shut down the country’s physical infrastructure, such as electric grids and command-and-control centers. Cyber Storm III will take place late next year.
“It will be designed to really exercise the clear articulation of roles and responsibilities of the various players who are important to the process both in government, in the private sector, state and local authorities, and international partners as well,” Schaffer said. “This is really going to be an exercise in which we’re looking across the entire universe of what we do in the cyber-world, and it will take into consideration how a cyberattack might impact the various pieces of the economy and pieces of the infrastructure that are critical to our day-to-day lives.”
The United States likely is developing its own offensive capabilities that could be used to steal another country’s protected data or shut down its critical infrastructure, though none of the public officials contacted by National Defense would comment on such measures. The Rand report, which was prepared for the Air Force, recommends that the service’s information-warfare tactics remain a niche role, secondary to physical warfare. A cyberoffensive campaign could help the military achieve certain objectives, but it could never achieve those objectives alone, the report says. The Defense Department has established the U.S. Cyber Command, a centralized effort to protect military networks that is expected to be fully operational by next October.
“There is wide recognition of the interconnectedness between our cyber-world and our physical world,” Schaffer said. “There are sophisticated hackers out there with incredible skills who are the highest order of concern for us as a government.”