An invisible enemy
One government employee opening an e-mail from an unknown sender can unleash a virus that unlocks the computer network to rogue forces set on stealing intellectual property and military secrets.
"It is cyber war and is another frontline battle for our country," said Joe Tedesco, managing partner at Maryland Cyber Investment Partners about the attacks.
Cyber threats to federal systems range from hackers looking to do mischief to state-sponsored foreign intelligence services (FIS) looking to steal sensitive data or launch a cyber attack that could cripple critical infrastructure. Such threats have become so pervasive that the U.S. government published a report last November on the current state of the cyber war. Released by the National Intelligence Council, "Foreign Spies Stealing U.S. Economic Secrets in Cyberspace" specifically identified China and Russia as frequent attackers against U.S. networks.
"We have nation states that threaten the security of our economy and safety of our people," Tedesco said about the report's findings.
In the report, intelligence officials discussed how China and Russia are stealing high-tech data, including IT, military and civilian technologies, to bolster their economic development. It also pointed to Russia's intelligence services as conducting a range of activities to collect economic information and technologies from U.S. targets.
"We judge that the governments of China and Russia will remain aggressive and capable collectors of sensitive U.S. economic information and technologies, particularly in cyberspace," the report said.
Specifically, the report accused China of a particular interest in stealing marine technologies as the country desires to jumpstart development of a navy needed to control the Taiwan Strait and defend maritime trade routes. Aerospace is another area of interest, with cyber spies stealing blueprints for unmanned aerial vehicles (UAVs) because of their recent successes in intelligence-gathering operations in Afghanistan and Iraq.
The report also noted that while many nations are using internal resources to attack networks, they also are employing hackers-for-hire who augment their capabilities. One example in the Middle East is the Iranian Cyber Army, a hacker group linked to the Iranian government. The group was rumored to be involved in the capture of an intact RQ-170 Sentinel spy drone last December that reportedly monitored Iran's nuclear program — a significant loss for the U.S.
The report acknowledged that while it is tough to determine who exactly is behind a cyber attack, U.S. companies have reported intrusions into their computer networks that originated in China. However, Tedesco is confident that nations such as Russia and China — and their military partners, including Iran — are attacking the country daily.
"Russia and China's cyber spying is beyond serious," Tedesco said. "It is happening every day."
The U.S. is not sitting idly by in the cyber war. In fact, America's cyber-war agents have been using hacks as a way to infiltrate and control enemies. Details are difficult to ascertain for obvious reasons, but one rumor that has circulated in cyber circles is that the U.S. partnered with Israel to launch Stuxnet, which shut down an Iranian nuclear plant in June 2010. Stuxnet, a highly sophisticated computer worm, initially spreads indiscriminately but carries a highly specialized malware payload that targets only supervisory control and data acquisition (SCADA) systems configured to control and monitor industrial processes.
The Russian computer security firm Kaspersky Lab concluded that the sophisticated attack only could have been conducted "with nation-state support."
The current activity isn't the first time that China has been accused of hacking U.S. systems. In August, McAfee released a report that said targets included corporate networks, the International Olympic Committee, the U.N. secretariat, a U.S. Energy Department lab and a dozen U.S. defense firms, among others. The report, "Revealed: Operation Shady RAT," is an investigation of targeted intrusions during the last five years.
It's not only major targets that are vulnerable. Small and medium-sized first-responder agencies are as well. In southeast Missouri, the Cape Girardeau County Sheriff's Department found itself among the more than 70 law-enforcement agencies that were cyber-attacked by an infamous global group of hackers known as Anonymous. The group reportedly stole massive amounts of confidential information.
Network intruders can collect data quickly and with little risk because they are difficult to detect. That becomes even truer with the explosion of mobile devices. Devices that can connect to the Internet and other networks are expected to double in just five years, going from about 12.5 billion in 2010 to 25 billion in 2015, a Cisco study found. That means more avenues through which FIS or corrupt insiders can obtain sensitive information, Tedesco said.
Once they get into the network, hackers become an advanced persistent threat (APT), meaning that they can monitor data for months — even years — undetected.
"They want to get into the network and sit there unnoticed," Tedesco said. "Those are the ones to worry about."
To take control of a network and steal information, hackers often use botnets. A botnet is a collection of malware-infected computers connected to the Internet. Control is gained when a person clicks on an attachment or a webpage that then installs the malware. The malware then reports back to a remote endpoint, handing control of the machine over to its operator, or botmaster, said Ari Schwartz, the National Institute of Standards and Technology's senior Internet policy advisor.
A botnet lets hackers control computers undetected, Schwartz said. He referred to it as an army of computers that people use for criminal behavior.
"Computers are secretly infected with malware and then remotely controlled by spammers, hackers or criminals," he said. "Even nation states use them. Over the past several years, botnets have increasingly put computer owners at risk."
Networks of these compromised computers are often used to disseminate spam, to store and transfer illegal content, and to attack the servers of government and private entities with massive, distributed denial-of-service attacks.
Last September, the departments of Commerce and Homeland Security issued a request for information through the Federal Register asking for strategies to combat botnets. NIST's part is to find ways of improving threat detection, to enable swifter notification when a network's been compromised, in order to prevent hackers from controlling computers undetected, Schwartz said.
"We are working to encourage more companies to voluntarily create a code of conduct that will promote best practices in notifying customers [of the botnet] so they can take the proper steps to remediate the problem," he said.
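As an added illustration (not part of the article, and not code from NIST or from anyone quoted in it), the Python below shows the kind of check a network operator can run over outbound connection logs to spot the call-home pattern described above: a compromised machine reporting to its controller at a nearly fixed interval, which stands out statistically against ordinary, bursty user traffic. The flow records, IP addresses and thresholds are all constructed for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records: (epoch seconds, source host, destination).
# 10.0.0.7 checks in with 203.0.113.5:443 every ~300 s (documentation-range
# address, made up for this example); 10.0.0.9 browses at irregular times.
SAMPLE_FLOWS = [
    (1000, "10.0.0.7", "203.0.113.5:443"),
    (1301, "10.0.0.7", "203.0.113.5:443"),
    (1599, "10.0.0.7", "203.0.113.5:443"),
    (1902, "10.0.0.7", "203.0.113.5:443"),
    (2200, "10.0.0.7", "203.0.113.5:443"),
    (2498, "10.0.0.7", "203.0.113.5:443"),
    (1010, "10.0.0.9", "198.51.100.20:443"),
    (1030, "10.0.0.9", "198.51.100.20:443"),
    (1700, "10.0.0.9", "198.51.100.20:443"),
    (1750, "10.0.0.9", "198.51.100.21:80"),
    (2900, "10.0.0.9", "198.51.100.20:443"),
    (3100, "10.0.0.9", "198.51.100.20:443"),
]


def find_beacons(flows, min_connections=5, max_jitter=0.1):
    """Return [(src, dst, mean_gap_seconds)] for source/destination pairs whose
    inter-connection gaps are almost constant.

    max_jitter is the largest allowed coefficient of variation (stdev / mean)
    of the gaps; the 0.1 default is an assumed tuning value, not a standard.
    Ordinary user traffic is bursty and usually fails this test."""
    by_pair = defaultdict(list)
    for ts, src, dst in flows:
        by_pair[(src, dst)].append(ts)
    beacons = []
    for (src, dst), times in by_pair.items():
        if len(times) < max(2, min_connections):
            continue  # too few check-ins to judge periodicity
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons.append((src, dst, round(avg, 1)))
    return beacons


if __name__ == "__main__":
    for src, dst, gap in find_beacons(SAMPLE_FLOWS):
        print(f"possible beacon: {src} -> {dst} every ~{gap}s")
```

A flagged pair is a lead for investigation, not proof of compromise; legitimate software also polls on fixed timers, so the destination should be checked against known update and telemetry services before the host is treated as infected.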
The aforementioned reports confirm what many cybersecurity experts already know: Network operators should expect to be hacked, especially with the advent of cloud computing. The movement of data among multiple locations will increase the opportunities for theft or manipulation, Tedesco said.
While some companies focus on firewalls, federal agencies are letting hackers in and tracking them. Advanced software programmers now set up honeypots: traps designed to detect, deflect or counteract intrusion attempts. Generally, a honeypot consists of a computer, data or a network site that appears to be part of a network but actually is isolated and monitored.
Fake networks are built to confuse hackers into thinking they are accessing real data, Tedesco said. He added that governments use the technique to trap people into a fabricated network in order to monitor who is attacking, while not actually losing sensitive information.
"Honeypotting lets IT professionals determine what kind of data is leaving the network and where it is going," Tedesco said.
In addition, the U.S. government wants to legislate against cyber espionage. For instance, Senate Commerce Committee Chairman Jay Rockefeller (D-W.Va.) currently is pressing colleagues to approve the Cybersecurity Act of 2012 — co-sponsored by Joseph Lieberman (I-Conn.) and Susan Collins (R-Maine) — that would give the DHS regulatory authority over companies with computer systems crucial to the nation's economic and physical security.
"The threat posed by cyber attacks is greater than ever, and it's a threat not just to companies like Sony or Google, but also to the nation's infrastructure and the government itself," Rockefeller said at a Senate Intelligence Committee hearing. "Today's cyber criminals have the ability to interrupt life-sustaining services, cause catastrophic economic damage, or severely degrade the networks our defense and intelligence agencies rely on."
However, IT firms are concerned about the DHS's possible control over federal contractors whose security precautions are found lacking, as well as the implied power the DHS would have to seize control of systems owned by private firms and cloud providers. Others fear that the bill would impose a regulatory burden on contractors, hurt job growth and handicap innovation, according to Capitol Hill sources.
But supporters of Rockefeller's bill insist that the provision applies only to sensitive government data on contractor computers. Also, rumors that the bill includes a presidential "kill switch" to take over the Internet are not true, Lieberman said at a Senate hearing in February.
At a hearing about the bill, Sen. John McCain (R-Ariz.) aired a laundry list of concerns. He and five other Republican senators have since introduced a rival bill. The Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology (SECURE IT) Act would rely on incentives, such as immunity from privacy lawsuits, rather than regulation, to spur companies to adopt cybersecurity measures.
What the bill doesn't address is the recruitment and retention of talent needed to stave off cyber attacks. In fact, part of the reason the U.S. isn't winning the cyber war is the shortage of IT soldiers, Tedesco said.
Indeed, the U.S. is struggling to recruit talent, according to a Government Accountability Office (GAO) report on human capital. For instance, in June 2010, the DHS inspector general reported difficulties filling vacant positions at the department's National Cyber Security Division. In March 2011, the U.S. Cyber Command found that the military did not have enough highly skilled personnel to address the current and future cyber threats to the nation's infrastructure.
In the same report, more than one-third of field agents interviewed for an audit said that they lacked sufficient expertise to investigate the national security-related, cyber-intrusion cases they had been assigned.
Part of the reason for this, according to Tedesco, is that U.S. school children have fallen behind other nations when it comes to interest in and then the education to make a career based in math and science.
"Our country has a science and technology issue, specifically getting our kids motivated to do that," he said. "And that is something to work on. It's a huge problem to get an educated work force to do [cybersecurity]."
While cybersecurity bills are debated, more U.S. systems may fall victim to nation-state attacks. IT professionals are the frontline defense and will find themselves battling hackers until the industry addresses mitigation and counterattack strategies to reduce the loss of sensitive, national security data.
"The truth is, time is not on our side," Lieberman said. "We are not adequately protected at this moment and the capabilities of those attacking us … just grows larger and larger."