The nation-state aspect of cybersecurity reads like something out of James Bond: it’s the stuff of a spy novel, where the weapons of espionage are worms and viruses, not shady operatives driving Aston Martins. Hacking has become a priority in almost every territory at the highest levels of government.
“Almost every country out there ignores that its citizens are hacking, or they’re aiding that activity, or they’re engaging in it directly,” said Kevin Mandia, founder of Mandiant and president of FireEye, speaking at a company summit last week. “And there are, for now, no risks or repercussions to the attackers.”
He added that military-grade cyber-attacks have become the norm, necessitating a transition to better global cooperation by governments, especially on the attribution front, and better defense strategies.
There are, of course, some broad outlines to point to. According to FireEye’s threat intelligence information, 90 percent of the breaches come from China or Russia; Iran is a growing presence, and North Korea appears occasionally. In all, there are 800 or 900 advanced threat groups out there (up from just 30-40 in 2011), with about 20 of them doing the majority of the hacking. But beyond these basic outlines, it’s difficult to pinpoint exactly who’s behind an attack.
When it comes to the risk to the United States, the targets are well-known: corporate intellectual property, personal information on citizens, and government military plans are at stake. However, an agreement was hammered out between the Obama and Xi administrations last month in which the two superpowers agreed not to “conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.”
In other words, spy stuff is okay; ripping off corporate trade secrets, not so much.
Nonetheless, such attacks continue: Chinese government-affiliated hackers have over the past three weeks attacked several U.S. firms, according to threat intelligence firm CrowdStrike.
“Seven of the companies are firms in the technology or pharmaceuticals sectors, where the primary benefit of the intrusions seems clearly aligned to facilitate theft of intellectual property and trade secrets, rather than to conduct traditional national-security related intelligence collection which the cyber-agreement does not prohibit,” said Dmitri Alperovitch, CTO of CrowdStrike.
“The intrusion attempts are continuing to this day, with many of the China-affiliated actors persistently attempting to regain access to victim networks even in the face of repeated failures,” he added.
A Rising Tide
The first major offensive nation-state attack to go public was Stuxnet, discovered in 2010, with its origins reported in 2012. That was a worm, reportedly developed jointly by the United States and Israel, built to sabotage Iran’s fledgling nuclear enrichment program. It worked, but the worm also escaped its target and later turned up on the networks of U.S. oil and gas companies. Perhaps most importantly, it was the tip of the spear for nation-state hacking.
“The Stuxnet operation at the time was the most sophisticated state-on-state attack,” said David Sanger, national security correspondent at the New York Times, speaking on a media panel last week at FireEye’s annual Cyber Defense Summit. “It was very hard to find other major state-on-state actions. Now, you have China and OPM, North Korea and Sony, Iran against Saudi Aramco and RasGas. That tells you that this has moved from a story about criminal activity and fraud to a new weapon of war, one which countries could use for things that previously they would only do by covert action, such as bombing nuclear or scientific facilities.”
The pace of the activity cannot be overstated. “Five years ago an attack with 10,000 credit cards stolen would be a big story,” said Damian Paletta, reporter at the Wall Street Journal. “But now it’s every week that we hear about 10 million things stolen. The sheer number of these attacks is astounding. So governments now feel that they don’t have a choice: To survive, they feel that they need to build offensive cyber into their military organizations.”
Rules of Engagement
Establishing international rules of engagement is another developing arena for government policy. But even with cyber-agreements in place, such as the aforementioned U.S.-China pact, ambiguity persists.
“The China agreement says that intrusions will be limited to espionage activities,” Mandia said. “So universities are fair game. Whoever hacked OPM has been doing it a long time, they’re in China and they get paid for it. China may or may not be actively supporting it, but those records are useful for espionage and are fair game. Healthcare—they have information on all of us. That’s useful for espionage. So the targets remain the same. Then there will still be plenty of companies in the middle, which are victims of drive-by [cyber] shootings that build the infrastructure for carrying out the attack.”
President Obama has made it clear that a destructive attack against the U.S. infrastructure or that of its allies can be considered an act of war. But what constitutes a “destructive attack” is still up for debate.
“One of the few times the US named an adversary was [the] Sony hack—but that wasn’t against critical infrastructure,” said Michael Riley, a reporter with Bloomberg and Businessweek. “We vowed to respond but…what happened? Obviously they didn’t let the missiles loose.”
Part of the issue is that attackers rapidly rotate their infrastructure, and more and more groups are deploying nation-state-quality counter-forensics. Often they log in with legitimate, stolen user names and passwords rather than exploits, or route their attacks through anonymous or compromised third-party infrastructure, so there is little in the evidence that points back to them.
“Without attribution, there are no deterrents,” Mandia said, noting that the US has created by executive order a unit of 40 people to process threat intelligence and assess the threat actors. “And if we know who did it, we can figure out a proportional response.”
The bottom line, Mandia said, is that government cannot do it alone. “You can’t secure the whole private sector—and there’s an ambiguous line of where critical infrastructure starts and stops,” he said. “So information-sharing between the public and the private sectors and the establishment of ISACs allows the alignment of threat intelligence, primarily by industry. The next phase from there will be determining the deterrent strategy, and how much will we rely on deterrents in cyber-space versus defensive measures.”