ARCHIVED 1/18/10

January 18, 2010

CHINESE ATTACKS BRING CYBER SPYING INTO THE OPEN

William Matthews, Defense News, 01/18/2010

Chinese cyber attacks against Google and more than 30 other companies are part of a cyber espionage campaign against the United States that has been growing in intensity for at least several years, U.S. cyber experts say.

What’s different is that this time, at least a few companies are willing to disclose their vulnerability.

It’s time to recognize that “the private sector is on the front lines of the cyber war,” said Larry Clinton, president of the Internet Security Alliance. And “it’s a very hot war if you’re talking about stealing technology,” said Alan Paller, director of research at the SANS Institute cybersecurity training school. But it’s a war in which the civilians will probably be responsible for their own defense.

Google revealed Jan. 12 that in mid-December, it and other companies had been hit by cyber attacks that originated in China. Software maker Adobe and network equipment maker Juniper Networks said they, too, had been attacked. Google accused Chinese attackers of breaking into e-mails sent by human rights activists over Google’s Gmail service. The company also said that attackers stole intellectual property.

Adobe and Juniper reported “sophisticated” attacks against their computer systems. Paller said those attacks were part of a coordinated effort to steal source code and intellectual property. Similar attacks against companies, including top U.S. defense firms, “have been going on for at least three years. They’re very broad and very effective,” he said.

Companies often don’t realize they have been attacked until investigators, such as the FBI, stumble across caches of proprietary data in remote servers, he said. On a company blog, Google said it regularly comes under cyber attack, but “this incident was particularly notable for its high degree of sophistication.”

Attackers broke into Google computer systems by first infecting personal computers with malicious software, the company said. “Any computer connected to the Internet can fall victim to such attacks,” the blog said. In addition to the three companies that acknowledge they were hit, major corporations in finance, technology, media and chemicals were also victims, Google said.

Although the attacks were tracked back to China, it is impossible to tell whether they were carried out by the Chinese government, by individuals operating with government approval or by rogue hackers.

A U.S. State Department spokesman said Jan. 15 that the department “will be issuing a formal demarche in Beijing” demanding that Chinese officials explain the attacks. Government-sponsored cyber assaults against U.S. companies could raise “all sorts of diplomatic issues,” Clinton said, including human rights concerns, business partnerships, relations between governments, and possibly even the potential for cyber war. The State Department should protest the attacks if it can confirm that they indeed came from China, said Larry Wortzel, vice chairman of the U.S.-China Economic and Security Review Commission. But there is a limit to what the U.S. government should do. For example, the cyber attacks do not call for a U.S. military response, he said.

Is Espionage Cyberwarfare?

Paller called the break-ins “espionage at the highest level,” but said there is no clear point at which such activity escalates to cyberwarfare. Rather than focus on the fog of diplomacy, Clinton said, vulnerable companies should focus on defense.

“Virtually every corporation in America has worked into its business plan the upside of cyber — marketing on the Web, managing inventory more efficiently and so on. But what they have not done generally is an enterprisewide analysis of cyber risk,” Clinton said. “If Google, with all its tech expertise and power, is having difficulty assuring their cyber systems, then probably we all need to take a new look at that problem and maybe come at it from some different directions,” he said.

One new direction might be to “protect data rather than systems,” Paller said. Even if systems can be broken into, greater use of encryption could keep data from being read. Another would be to beef up U.S. cyber defenses.

China has 30,000 to 40,000 people “who can fight in cyberspace,” Paller said. These are cyber experts able to detect and defeat attacks even as they unfold. The United States has only about 1,000 such experts, he said. China has built up its cyber force by running an aggressive recruiting program that features hacking competitions. A U.S. counterpart, U.S. Cyber Challenge, is just getting underway, Paller said.

“It’s not just China,” Clinton said. Other nations, criminals, hackers and others are a threat to U.S. companies and organizations, he said. But the picture isn’t entirely grim. Clinton cited congressional testimony by top U.S. cyber officials that 80 percent of cyber attacks can be prevented with current technology and better training.

“We can do it,” he said. “We just don’t.”