History may one day reveal that as the United States fretted over the possibility of a “cyber Pearl Harbor” — a catastrophic attack that would take down electrical grids — its economic lifeblood was being slowly drained away by a massive hacking enterprise located in the People’s Republic of China.
Cyber Command Commander Army Gen. Keith Alexander last year called the cyber-espionage being conducted against U.S. companies the largest transfer of intellectual property from one nation to another in the history of the world.
Eric Rosenbach, deputy assistant secretary of defense for cyber policy, said the nation is not as focused on intellectual property theft as it should be. A catastrophic cyberwar is important to prepare for, but an unlikely scenario. Stealing data important to the nation’s economic security, meanwhile, is occurring here and now.
“It is the day-by-day cut that is bleeding us — the death by a thousand cuts to watch out for,” he said at the Air Force Association’s CyberFutures Conference recently.
Experts describe a large, technologically advanced and well organized enterprise coming out of China that is going after businesses large and small. Any firm that has a trade secret, or could be used as a stepping stone to a larger company, is a potential target. Intellectual property theft has the potential to erode a company’s profits or even bankrupt it. There is no magical software that can stop every intrusion attempt, but even companies with few resources can take steps to mitigate the risk, experts told National Defense.
To thwart the Chinese cyber-espionage enterprise, it is important to characterize it. In the world of network security, it was once called the “advanced persistent threat.” But government officials have done away with using that euphemism: it’s China, they now say. The October 2011 “Foreign Spies Stealing U.S. Economic Secrets in Cyberspace” report, produced by the FBI’s office of the national counterintelligence executive, acknowledged that the attacks came from China, but stopped short of blaming the Chinese government, which routinely denies involvement.
These espionage enterprises seem to have the full force and resources of the Chinese government behind them, analysts said.
Jason Lewis, chief technology officer of Looking Glass Cyber Solutions, said, “In general, when you have a situation where the state runs everything, you have to assume that the state is involved in any enterprise.”
How much intellectual property, trade secrets and business intelligence is being exfiltrated across the Pacific every day?
It is almost impossible to estimate the losses for several reasons. Companies have a hard time putting a monetary figure on their intellectual property’s value. They are often reluctant to publicly disclose that someone has stolen their crown jewels. And in many cases, they are completely unaware that they have been compromised and valuable data that could be used to put them out of business has been stolen.
In order to describe what is happening, it is important to break down the “advanced persistent threat” phrase.
As far as “advanced,” targeted companies are facing teams of cyberspies that are not unlike a well-oiled military operation. There are experts in reconnaissance and surveillance, who will gather all the intelligence they can before launching an attack. Others take that information to plan the attempt to penetrate the network. And then come the experts in maneuvering around to find what they are looking for, and yet another team skilled in taking data unnoticed.
The “scouts” doing the reconnaissance are increasingly using social media websites to gather personal information to use in phishing attacks, said Dave Papas, chief operating officer of Cyveillance, a subsidiary of QinetiQ North America that provides security for Fortune 500 companies.
Friends, hometowns, hobbies, anything that can be placed in the email to make the target believe it is a legitimate message, can be used.
“Every piece of information is a means to an end,” he said.
Lewis said: “In some instances, executives involved are alarmed at how accurate the information about them is.”
The second step, the attack, will be an attempt to infiltrate a network in the form of an phishing email, a well-crafted letter that seemingly comes from a friend or business associate. This tactic has not changed in years, but is growing more sophisticated and frequent. Why? Phishing attacks work and, “it is a lot easier to control humans than the technology,” said Rick Doten, vice president of cybersecurity for DMI, a firm that does work for the U.S. government.
Don’t count on it being written in anguished English like the common scam letters purportedly originating from Nigerian princesses. Experts interviewed agreed that native speakers of English are helping compose the phony emails.
Once an attachment or a link to a fake website is opened, specialists in moving around a network without being detected take over and probe for other vulnerabilities. This may mean taking over an email account in order to generate more trusted, fake emails.
Smaller companies, particularly in the defense industrial base, may be used to go after bigger companies — big prime contractors — higher in the food chain.
Once the cyberspies have located the information they want, another team takes over to exfiltrate it. It is ideally ferreted away in normal traffic without being detected.
How advanced, and how large, is this Chinese enterprise? The FBI report pointed out that the victims are not just U.S. firms. Almost every industrialized nation — Japan, Germany, South Korea, France, the U.K., are reporting similar attacks.
As far as “persistent,” companies that are being targeted can’t ever let their guard down. If one tactic doesn’t work, the teams will return and keep trying until they find a way in. They may hold off for a week or two, but they will be back. It only takes one employee to open one email for the spies to penetrate a company’s defense.
They are “slow, methodical and organized,” Doten said. “They are taking their time.”
A typical Eastern bloc cybercriminal out to steal credit card numbers is like a smash-and-grab burglar, Doten said. He comes in, rifles through drawers, knocks over the lamps, takes what he wants and gets out. A Chinese hacker tries to move within a network undetected for as long as he needs to before he reaches his objective.
Papas said, “Their persistency is I think why they have been as successful as they have … They don’t give up easily until they get what they want.”
So what is the “threat?”
For a company, it can be its very existence. Experts often cite two examples: a German bus manufacturer, and a U.S. furniture maker, who are now both out of business because their proprietary designs were stolen and Chinese companies sold copycat products at cheaper prices.
Rosenbach said: “The [intellectual property] goes out the door and they never know it. So maybe five years later, a firm from a certain country has the same product, but it will be even better because they have been able to leap frog ahead.”
Smaller firms can have their intellectual property stolen. Or they can risk their business relationship with those they are supplying if they are used as a stepping stone, Papas said.
“A lot of those small companies have not educated themselves on the vulnerability of doing business with large companies and they become a vector of attack,” said Papas.
Rosenbach sees a bigger threat. The nation’s economy and competitiveness is at risk. Like the “death of a 1,000 cuts” torture, the victim is alive until the numerous small wounds do him in.
China is undergoing its own industrial revolution, and any piece of information or technology that can help it catch up is useful, Doten said.
Advanced military technology for China, and other adversaries, is of obvious value.
But spies may be interested in knowing how a particular industrial system works, how business is conducted, or any number of things, he said.
Even stealing a business contract has value. Attorney fees cost thousands of dollars. It is much easier to steal and copy the language in a contract.
The FBI report noted a number of different sectors that the Chinese are keenly interested in. Among them are information technology, marine systems, aerospace, clean-energy technologies, advanced materials and manufacturing, healthcare and pharmaceuticals, agriculture and business information.
The latter can be used by criminal organizations to manipulate futures markets. Find out how much natural gas energy U.S. companies are planning to buy, for example, then they can make some money playing the market with inside information, Doten noted.
Papas said: “There is no doubt that the people in the Chinese area are good at what they do. They have had years of practice, years of experience to hone their skills. There has to have been a lot of planning that goes into their enterprises to be able to do this, and do it as effectively as they do.”
So how can companies large and small halt unrelenting attempts to drain away the very lifeblood of their companies? There are many steps they can take, security experts said.
First and foremost is making senior executives understand that this is a serious problem. A study by the Carnegie Mellon CyLab showed that there is a disconnect in global corporations between the presidents, CEOs and their chief technology officers. Company leaders don’t believe network security is their concern.
The key finding of the survey was that “boards and senior management still are not exercising appropriate governance over the privacy and security of their digital assets.”
Less than one-third of those surveyed take responsibility for basic cybergovernance in their companies, the survey found. And only one-third received regular reports from their IT professionals about their firms’ security risks.
Papas said: “Once the top executives are educated, then it trickles down and everyone takes it seriously.”
Companies also have to play hardball with their employees, particularly when it comes to using social media and free email accounts on corporate computers and mobile devices. They have to impose strict social media policies, Papas added.
“Make sure it is enforced and people take it seriously,” he said.
Corporate policies need to be in place, training should be available, and the employees should be held liable if they do something that puts the business at risk.
If that sounds extreme, consider the potential costs to a company if intellectual property or proprietary information is leaked, he said.
As for training and technology, the experts differed. All of it is necessary, but none of it is a panacea. Filters at gateways scanning for malware can catch a lot, but not everything. At the end of the day, it only takes one employee to slip up.
Lewis said: “I’ve been doing this for a long time, and I don’t know if I have seen any program where 100 percent of the users decided that this might be something bad to click on. It really boils down to: do you have to have something that filters your email and makes sure you don’t accept attachments?”
Assuming that a persistent attacker will eventually make it inside a network, the most important data must be protected better, Doten said. Senior executives have a duty to ask: What are the biggest risks that could put them out of business?
If proprietary data or intellectual property falls into the hands of a competitor, will that bankrupt them or erode profits?
And then they must identify the most important data that needs to be protected. A company can’t put the most stringent controls and encryption on everything, but it must protect its vital intellectual property, he added.
“What do you have to protect? How valuable is it? Where is it located? Who has access to it?” All these fundamental questions must be answered, Doten said.
Lewis said: “A lot of companies are looking to outsource this, because it is a lot of money, and they just can’t handle it themselves.”