Analysis: As cyberthreat looms, here's what really matters

The past several weeks have seen an explosion of news about United States cybersecurity. First, stories about Chinese cyberattacks. Next, the president’s historic reference to cybersecurity in the State of the Union address. Finally, more stories about Chinese cyberespionage. If one is in the business of national security, these and other stories represent identifiable parts of a larger, cohesive story. But for the lay reader, discerning that larger story is more challenging. What is old news? What is new? And what lies ahead?

The old news: the scale, types, and sources of the attacks

According to a recent Washington Post article, a new U.S. government intelligence assessment describes the massive scale of cyberattacks by nation states (most notably, by China), criminal organizations, and individuals. Although it is fair to say that the scale, scope, and sophistication of such attacks have increased over the past several years, the basics have largely remained the same. The U.S. government and affected commercial sectors have been well aware of these threats. All too many industries — information technology, defense, energy, advanced manufacturing, healthcare, agriculture, law, non-governmental organizations, and the media, to name a few — have been attacked, and in the most sophisticated cases the perpetrators have been traced back to China. Even the most technologically able of companies, such as Google and defense contractors, have found Chinese cyberattackers resident in their networks. Intruders have been able to steal enormous amounts of sensitive and valuable information. The combined result of this U.S.-to-China illicit exfiltration is what one official has called “the greatest transfer of wealth in history.” 

Also in the “old news” category is that not all attacks are about stealing. In less common but more immediately disruptive cases, state-sponsored cyberattackers — most notably from Iran — have caused significant harm to computer networks. Specifically, last fall attackers disrupted U.S. financial institutions’ networks, making some websites temporarily inaccessible. Even more destructively, Iranian cyberattackers rendered inoperable 30,000 computers at the world’s largest oil company, Saudi Aramco. These attacks illustrate what cyber professionals have long known: cyberattacks — especially against critical infrastructure — can easily turn from silent burgling to serious disruptions or destruction. 

The new news: exactly who is attacking us, and presidential action

The past several weeks have also highlighted new developments in cyberwarfare, most significantly exactly who the attackers are and more forceful executive branch efforts to combat cyberattacks.     

On the first, a report this week by the network security company Mandiant concluded that a significant number of sophisticated attacks originated not just from China, but likely were perpetrated by the Chinese military. Although this may not be new to many “on the inside,” the public attribution to the People’s Liberation Army (PLA) with a highly detailed description of their modus operandi as well as individuals involved is something we have not seen publicly before. There are real risks to this disclosure, as it will undoubtedly drive the PLA to pursue new tactics to avoid detection, but Mandiant (and many others) clearly believe that those risks are outweighed by the value of highlighting China’s efforts.

On the second point, there has indeed been a flurry of presidential activity over the past two weeks. Most significantly, the president’s executive order sought to maximize what federal departments could do absent legislation. The executive order specifically seeks to improve classified and unclassified information-sharing between the government and private sector, prioritize the protection of critical infrastructure (e.g., our electrical grid), and develop voluntary private sector standards for cyberdefense. The administration has also announced a government-wide effort to combat the theft of trade secrets from U.S. companies. This is significant in that it is the first high-profile and consolidated public statement — quite clearly focused on China — that contemplates more forceful legal and trade action against China should it not alter its behavior.

What lies ahead: legislation, confrontation, destruction?

Where then does this leave us? I expect major developments on at least three fronts. 

First, legislation. Although the executive order is a first step, most recognize that legislation is necessary to enhance our cyberdefenses. Specifically, only legislation can provide companies immunity for providing cybersecurity-related information to the government. In addition, only legislation can clarify who in the government — the Departments of Defense, Justice, Homeland Security, and Intelligence Community, among others — should or must have access to the private sector information that is provided to officials. There are, of course, difficult questions embedded in these high-level issues: Will such information sharing affect the privacy of ordinary citizens? How will the federal bureaucracy (and federal workforce) keep pace with rapid technological change? More broadly, will the focus on information-sharing provide enough defense against a smart, determined adversary for whom economic espionage is a national imperative?

Second, confrontation. Assuming — and I think it is a very solid assumption — that cyberdefense can never do enough to protect networks, to what degree will the U.S. (and other nations) confront China (and other large-scale cyberattackers) to convince them to limit their use of cybertheft? Although the new administration strategy suggests greater forcefulness, the proof will be in the pudding. Neither the United States nor other nations can afford to view China through a singular cyberlens given our deep economic ties and reliance on their support for global hotspots like North Korea. In addition, to what degree will private companies who look to China as a massive emerging market be willing to proclaim publicly that their secrets have been stolen by China or others? I expect to see continued confrontation with China over these matters, but I’m less sanguine that we will be able to seriously alter its current cybercalculus.

Third, destruction. While the present focus has been largely on economic loss, we must not lose sight of the very real risk of destructive cyberattacks. As already noted, Iranian-sponsored cyberattacks effectively destroyed computers in Saudi Arabia, as well as computers at RasGas in Qatar. Using cybertools, determined adversaries can disrupt industrial control systems that govern our critical infrastructure, to include electrical, water, telecommunications, and air traffic control systems. In an armed conflict with a country like Iran, we will have to be prepared for such attacks; if Iran is willing to disrupt U.S. banking institutions today, then we would be foolish to think they would not be willing to do more in the midst of a hot war. And although Iran may not possess sufficiently skilled cyberwarriors to cause serious harm, we must remember that other, non-state actors might well be willing to assist in the fight if the price is right. Warning of a “cyber Pearl Harbor” is in my view a bit too alarmist, but we must nevertheless recognize — and mitigate — what is a clear, nationwide vulnerability today. 

Michael Leiter was director of the United States National Counterterrorism Center under Presidents George W. Bush and Barack Obama, serving from 2007 through 2011. He is a counterterrorism, cybersecurity and national security analyst for NBC News.

Discuss this post


We owe China so much money that their answer to the allegations is, "So what?" That's what really, really matters.

  • 2 votes
Reply#1 - Fri Feb 22, 2013 1:24 PM EST

While that is certainly a problem, what really matters is that anyone who would desire to destroy us knows that military action against us would be very difficult and costly. But, we are so dependent on computers, for everything, that disabling our computer system would instantly cripple us. No power, no food, no money and no communications. We will be dead! Contrary to popular belief, we are not the smartest beings in the universe.

China isn't the only threat. There are plenty of others out there that hate us.

  • 1 vote
#1.1 - Fri Feb 22, 2013 4:58 PM EST

This moaning about owing "China so much money" that we can't do anything has got to stop. It is nothing more than an excuse for inaction. Japan holds about the same amount of US debt as China, yet no one has ever gone around saying that we can't defend our interests in trade disputes with Japan. And, so what if we owe them money? US debt isn't callable.

But, your concern about what to do if their answer is "so what" is valid. It would exist regardless of whether they held a single dime of our debt. They're a big country with massive economic influence (but, then, so is the US). But, it wouldn't really matter if the country happened to be Russia, India, Brazil or any other large nation. The fact of the matter is that our direct options would be, and are, limited. But, that's where American "soft" power comes into play. Although dismissed by some, it is our soft power, our moral authority that enables us to marshal other countries into a united front that could get China to change its ways.

    #1.2 - Fri Feb 22, 2013 5:54 PM EST

    Having worked (and still working) in the Electric Utility business for the better part of 40 years now, I understand full well, exactly, what is at stake. U.S. Industry IS NOT READY nor do they (accountants) want to spend the money needed to bolster our protection with computer protections suggested by our government or the redundant systems needed to help thwart a sustained cyber threat against the "Nuts and Bolts" Industries which make this country run and keep it running.

    The Russian generals, after the fall of the old Soviet Union, told us that the very first strike against the U.S. in any war, would be for the Russians to launch an atomic attack aimed at our technologies at the time. To take out these systems, the Russians would launch nuclear weapons and explode them OVER the U.S. which would create an EMP or electromagnetic pulse which would instantly fry every electrical system east of the Mississippi if exploded some 300 kilometers over Ohio. ONE nuclear detonation would do the job! Now, they won't have to. The same devastation can occur with the click of a computer mouse. In fact, it's happened already in several Central and South American countries where their electric grids have been taken out by "someone" testing their capabilities.

    It's coming folks. I can almost guarantee it. The only thing I can't tell you is when, but if our ass hole Congress doesn't get their thumbs out of their asses it will come a lot sooner. We are vulnerable.

    • 1 vote
    #1.3 - Fri Feb 22, 2013 6:21 PM EST

    Bit one-sided, aren't we?

    Do you really think that the US is sitting on the sidelines and does nothing? Never heard of ECHELON I suppose. A communication spy network that monitors all communications around the world already for a long, long time.

    What about the American and Israeli joint effort in developing Stuxnet that wrecked a whole bunch of centrifuges in Iran?

    Now we start hearing that Stuxnet migrated around the world and was one of the reasons why the controllers of the Fukushima nuclear plants did not work. It seems that the controllers at the Fukushima plant and the Iranian nuclear facility were made by Siemens.

    So don't blame China alone. I have no doubt that they are the biggest offenders but do not automatically absolve the rest of the world.

      #1.5 - Fri Feb 22, 2013 7:56 PM EST

      forceful legal and trade action against China

      We should have started that a long time ago just on the basis of fairness and because of their blatant and widespread theft of proprietary rights.

      Not to mention that it would produce a sizable amount of cash to help keep things in balance with them.

      • 2 votes
      Reply#2 - Fri Feb 22, 2013 2:36 PM EST

      Great article Mr. Leiter. These are interesting times indeed. The US needs to do just as they do for military hardware. Have companies develop unique hardware and software for cyber use for our military. No more buying and using products that are readily available to civilian use. That is how we would have a tremendous edge over other nations.

      • 2 votes
      Reply#3 - Fri Feb 22, 2013 2:37 PM EST

      cyberthreat=$$$ for security companies.

      People that put their stuff on the street via the internet are asking for it and are responsible for the damages.

      • 2 votes
      Reply#4 - Fri Feb 22, 2013 3:14 PM EST

      I am hacked daily by the FBI. They say, "Hey!" I say, "Hey!" back. They know they are acting unlawfully. But, I have no control over these people.

      What're you going to do?

      • 1 vote
      Reply#5 - Fri Feb 22, 2013 4:12 PM EST

      The real unanswered question is will the hacking result in forceful urging to make companies secure their own networks, or will this give the government the excuse they want to be able to snoop on the internet use of every person in the US, without needing a warrant, just to keep everyone 'safe'.

      And since the US does not have clean hands as regards cyberhacking, expect a more muted response to China.

      • 1 vote
      Reply#6 - Fri Feb 22, 2013 4:19 PM EST

      People should stop posting offensive, a$$hole news comments, because the Thought Police from other countries might be looking over everything later on!

        Reply#7 - Fri Feb 22, 2013 4:19 PM EST

        David Brin's 1990 novel, Earth, went into depth in predicting the current state of affairs in Cyber Warfare. He was right on many levels, and it has been interesting to observe the evolution of his postulations over the years.

        It will continue to be a struggle to stay one step ahead of the bad guys. Thankfully, we also have a virtual army of hackers that are working to defend our digital freedoms.

        • 1 vote
        Reply#8 - Fri Feb 22, 2013 4:24 PM EST

        Mr. Leiter: There is an obvious 4th track, and it's first recognizing that the US and other developed nations are the MOST vulnerable to cyberattack. There can be no winners, only losers. Therefore, the US should begin working on a Multinational Treaty Against Cyberwarfare and Cyber-espionage.

        Peaceful coexistence should have occurred to you, Mr. Leiter. That's how we got through the Cold War without being destroyed.

        The advantage is obvious: the Govt. will never be able to equally defend all the entities here in the US, and will put its resources into protecting the largest, most visible targets. The large corporations will be defended. However, the small companies are where the groundbreaking R&D are being done -- they have to be equally protected. 100,000s of them. This cannot be done.

        Therefore, we should go for a Treaty, disallowing any state sponsored or sanctioned cyberattacks, and obliging all signatory nations to cooperate fully in quashing non-state actors.

          Reply#10 - Fri Feb 22, 2013 5:38 PM EST

          Treaties only work when everyone signs them AND obeys them. Let's say that Iran doesn't sign. What do we do then? It might be argued that non-signers get banned from external Internet connections. But, what if Israel doesn't sign? Domestic politics would probably prevent forceful action.

          Even then, R&D on both defense and offense would have to continue, just as we continue to maintain a lethal stockpile of nuclear weapons despite the non-proliferation treaty.

            #10.1 - Fri Feb 22, 2013 5:58 PM EST

            The U.S. government and affected commercial sectors have been well aware of these threats.

            31% of IT professionals don't even know the names or indications of current threats, according to a recent Symantec study.

            You don't have to be out of the fifth grade to know that highly classified data should never be available online, ever.

            This story is completely hogwash, aimed at garnering public support for a redundant fed.gov-only Internet ... at huge taxpayer expense. The fed.gov's thirst for squandering your money never ceases.

            Cut them off. Demand huge reductions in taxes from all governments. Based on history, they don't deserve a cent.

              Reply#11 - Fri Feb 22, 2013 6:00 PM EST

              I suspect, and it won't ever be mentioned in such a story, that this country engages in these explorations in China and elsewhere, and if I had to guess, we're probably the most proficient in it. Which might be one reason why not much is said.

                Reply#12 - Fri Feb 22, 2013 6:20 PM EST

                China is our landlord...entering into our living quarters, and taking whatever they wish...

                This is what the Statue of Liberty gets when she decides to sleep with everyone...

                Truth...we reap what we sow...

                • 1 vote
                Reply#13 - Fri Feb 22, 2013 6:57 PM EST

                The destruction section makes no mention of the Stuxnet worm apparently intended to cripple the Iranian nuclear enrichment industry. Although it is not publicly known who created Stuxnet, it is widely believed in the software security industry that only a nation state, and a cybernet superpower at that, would have been able to craft such a sophisticated attack. The only country with that capability is the United States.

                One could consider this kind of cyberattack as legitimizing the use of sophisticated cyber weapons. The U.S. dropped the first atomic bomb and, apparently, has launched the first major cyber weapons attack also. War is war.

                The underlying problem is the lack of sufficient resources built into computer security in the first place. Security is often an afterthought and it shows. If the software companies made security first, cyber attacks would be much more difficult to achieve. But, nobody wants to pay upfront for better security, so here we are, fighting a rear guard battle, or in computer speak, the backdoor is open.

                • 1 vote
                Reply#14 - Fri Feb 22, 2013 8:01 PM EST
                  #14.1 - Fri Feb 22, 2013 8:44 PM EST

                  Omg I'm soo scared. There is no escaping terrorism, it's everywhere. We should build a big bubble over the country that keeps everything inside safe. I know that sounds crazy but we have to do something.

                  • 1 vote
                  Reply#15 - Fri Feb 22, 2013 8:20 PM EST

                  Yeah! Let's build big cities underground. It will be hard to grow food so we'll have to get another food supply.

                  How about we lure the surface dwellers into our lair and eat them! We'll just have to develop better night vision.

                    #15.1 - Fri Feb 22, 2013 11:47 PM EST

                    I have an easy deterrent. Make a law that any country doing business with the U.S.A. that steals information from the USA agrees to cancel all debt owed by the USA.

                    Make me POTUS

                      Reply#16 - Tue Mar 5, 2013 11:54 PM EST

                      I don't understand why all this data is on open networks. If it's not connected..

                        Reply#17 - Wed May 8, 2013 11:59 AM EDT