a global affairs media network

www.diplomaticourier.com

2016: The Year of The State-Sponsored Breach

October 14, 2016

Cybersecurity is now a topic worthy of presidential debates and boardroom agendas. Counting back from last month's revelation of the largest breach to date, affecting over 500 million Yahoo accounts, consider this short list of big names that have come forward over the past 12 months to reveal they have been targets of cyberattacks: the Internal Revenue Service, Dropbox, LinkedIn, Snapchat, Oracle, and Verizon. By now it should be no surprise that nation-states have developed an enormous appetite for information, and the sheer concentration of information in a handful of large online services has led to a massive uptick in nation-state hacking. Information is, after all, political.

But why would a nation-state want to hack Yahoo, for instance? Scale is key. The company was sitting on one of the juiciest targets: hundreds of millions of email accounts and related user data. Such data can be all-encompassing, as people freely share their entire lives through the Internet, very often reusing passwords and other crucial details across services, so that one provider's breach can unlock accounts elsewhere. Furthermore, in a story that has received little attention, one researcher noted that Yahoo provides email services to over 560,000 domains, which include legal firms, pharmaceutical and medical companies, churches and other potentially valuable sources of sensitive information.

As in the Yahoo case, some might wonder why it could take a company years to discover and reveal such breaches. The simple answer is that in many instances companies may not have taken cybersecurity seriously enough in the first place. Running fast and loose with security may be considered normal operating procedure in commercial entities that seek growth at all costs or feel that they must always show growing numbers of users to appeal to shareholders. Additionally, intruders and their malware may reside on networks for years, the pattern cybersecurity experts call an "advanced persistent threat" (APT). Such stealthy methods are often created and deployed by nation-states and are likely to continue to surpass the defensive abilities of many targeted entities.

To complicate matters, as with banks and their unflagging worry that knowledge of thefts might reduce trust in their offerings, large service providers like Yahoo fear that mass defection of users will result should details of breaches be made public. And perhaps that is not an unwarranted anxiety. Yahoo, especially, appears to have been a poor guardian of its users' data. Consider, for instance, that not only were passwords stolen years ago and are just now coming to light, but answers to security questions such as your mother's maiden name or favorite pet—which, unlike a password, are typically nigh impossible to change—were also taken. By contrast, after the Chinese PLA attack dubbed Operation Aurora was discovered in 2010, Google went on the offensive by "hacking back" and is also widely credited with having committed considerable resources to securing users' data and its infrastructure.

For both commercial and government entities, heterogeneous IT environments, messy internal cybersecurity policies—if any exist—and outdated legacy systems are just some of the challenges that today's information officers and executives are dealing with. A recent GAO report noted that operating and maintaining existing, often legacy, systems accounts for over 75% of the U.S. federal government's IT budget, with some systems using components that are over 50 years old. By one account, cumulative spending on cybersecurity will exceed $1 trillion USD by 2021. However, the money spent may still produce diminishing returns against nation-states and their proxies. State-sponsored hackers are a truly motivated bunch, often buying zero-day exploits or deploying purpose-built tools. So, against these foes, don't count on any quick improvement in the situation.

While many companies might think to shield themselves from liability by claiming that their breaches were actually the work of nation-states, it is worth bearing in mind some characteristics of state-sponsored versus purely criminal hacks when digging into the headlines. In general, if a breach is followed by a rapid attempt to offer the data for sale on the Dark Web, or if a blackmail scheme appears to be at work, the breach is most likely the work of a criminal gang. Of course, there are always exceptions to the rule. For example, a state sponsor might commit the breach for specific information or to target a group for political purposes and then cover its trail by selling off the data through a cutout gang, so the appearance of data for sale is a useful but not conclusive indicator.

Russia and China—Together, Apart

Attribution remains a challenge, but many companies and governments have improved their ability to find the perpetrators of hacks. Perennially, China and Russia lead the pack when it comes to nation-state-sponsored hacking. China's efforts usually hew closely to economic espionage, exploiting gaps in networks and security to produce economic accelerants through the theft of intellectual property. China's military hacking apparatus is so vast and successful in targeting U.S. companies that the U.S. Department of Justice has called it a national security emergency, amounting to hundreds of billions of dollars lost and over two million American jobs. It is worth remembering that the same week President Obama was set to press China on its persistent hacking for economic gain, the former Booz Allen Hamilton contractor Edward Snowden had fled to Hong Kong to make the first of his revelations about NSA spying efforts. Given the response at the time, which undermined the U.S. moral position and was clearly exploited by the Chinese government, President Obama largely left China's hacking out of the discussions. To date, China's cyberattacks on U.S. companies continue essentially unabated, often barely masking the near one-to-one correspondence to economic interests.

Russia, on the other hand, is widely known to use cyberspace to gain political leverage through the hacking of personal and government accounts, and to unleash organized criminal gangs to do the state's bidding. The emphasis is less on economic gain and more on attempts to alter policy or to destabilize or punish countries, as was seen in the attacks against Estonia and Georgia, a particularly noteworthy attack against the Ukrainian power grid, and efforts to undermine politics in Germany and the United States. Dependency on the Internet for all manner of services, including the delivery of energy, has made the work of state-sponsored cyber gangs easier and revealed vastly richer targets. While Russia has also suffered some at the hands of cyber gangs, recently with the mail.ru hacks, and has even brought some criminals to justice, it more often argues that the U.S. is responsible for hacks and various attacks and only seeks to blame Russia for problems of its own making. Most recently, much news has been written about the successful efforts of two Russian intelligence-affiliated groups, identified by the company CrowdStrike as COZY BEAR and FANCY BEAR, and their intrusion into the Democratic National Committee's network. To date, there have been only muted responses from the U.S. to these cases, largely because any reaction comes with its own complications.

Hack Back vs. Name and Shame

Shadow wars between intelligence agencies and the proxies of nation-states are almost certainly being waged, with authorities hacking back against state-sponsored gangs. Additionally, citizen warriors and other groups have taken on terrorists and others, using many of the same hacking-back techniques. In the nation-to-nation cases of hacking back there remains persistent concern, however, over the potential for escalation from the cyber realm to kinetic warfare. That concern increases each year, as developments such as the Internet of Things blur the lines between what constitutes cyberspace and the physical world.

But there is another—public—approach that many in policy are advocating and that could be successful: shaming. "Name and shame" is a tactic that seeks to censure nation-states that engage in the criminal enterprises of intellectual property theft and political manipulation. Its proponents argue that by naming these entities publicly—much as CrowdStrike did in the instance of the Russian-sponsored hack of the DNC—nation-states would have a harder time hiding behind the challenges of attribution and would lose face in the court of public opinion. Considering the political sensitivities at work, private enterprise is doing some of the best work here, with many companies in Europe and the United States engaged in deciphering the locations and potential motives of state-sponsored groups. Of course, commercial entities have their own interests at heart, and exposure of one gang or another is usually peacocking intended to drive new business opportunities. In the non-commercial space, many transparency groups have their own political agendas, leaving it to academics to present the best, most neutral cases. Particularly where governments are using malware or breaches to violate civil rights, Citizen Lab at the University of Toronto regularly produces some of the very best work.

But name and shame comes with its own attendant risks. First and foremost, it isn't entirely clear when a country might consider a breach to be a matter of national interest. For example, was the Sony attack really a matter of U.S. national security, sufficient to get President Obama involved in naming the perpetrator? Were economic sanctions to be employed after a state sponsor is named, might that not increase the risks of violence or other reprisal?

While the devil is in the details, in addition to clarity on what attacks matter most, what should be considered off limits and what should be done in response, a consortium approach would help. Several countries that have suffered notable breaches and economic losses should be encouraged to come together to publicly air their grievances and put forward a meaningful strategy to name and shame perpetrators. Such an effort—ideally working with a global alliance—would help improve understanding and serve as a model for international cooperation. Clearly name and shame is not a panacea, but if done well it is likely to help. Until such an agreement for cooperation can be made, countries and many of their most important resources will continue to be plundered at will in cyberspace by nation-states and their proxies.

About the author: Sean S. Costigan is an independent consultant and serves as a Professor at the George C. Marshall European Center for Security Studies. His most recent work is a novel cybersecurity curriculum, to be published and made freely available by NATO later this month.

The views presented in this article are the author’s own and do not necessarily represent the views of any other organization.