The Russians are picking our pockets, the Chinese are stealing our most vital secrets, and there’s nothing we can do about it – and it’s all going to get worse.
That was the basic conclusion after Friday’s Air Force Association cyber-conference, where speaker after speaker drove home the utter futility and helplessness of today’s cyber climate, all the while warning that the problem will only grow.
Richard Bejtlich, chief security officer for the info-security firm Mandiant, said 100 percent of the high-profile intrusions his company tracks were done with “valid credentials” – meaning the cyber bad-guys had been able to steal a real user’s login and password, obviating the need for more complex attacks.
The typical time between an intrusion and its discovery is 416 days, he said – down from two or three years – and the way most companies find out about them is when they get a visit from the FBI.
The publicly available malware in the so-called “cyber underground” is now so good that you can do a lot of damage without a dedicated team of code-writers coming up with their own stuff, speakers said. In fact, the much-discussed cyber attack against Georgia was carried out mostly with publicly known tools – “there was nothing sacred here,” said National Defense University iCollege chancellor Robert Childs.
Cyber-intrusions and compromise are so endemic, Bejtlich said, that many attackers don’t even bother with the wholesale vacuuming of information that used to characterize cyber-snooping. Now hackers go after very specific pieces of information, often data that is useless on its own, he said.
He described how a company had approached Mandiant befuddled that someone would want to steal a certain proprietary device, because it only worked in combination with a specific chemical formula owned by another company. Naturally, it wasn’t long before the second company discovered it was compromised, and also befuddled because its chemical formula would only be useful to someone who had information about the device manufactured by the first.
Online miscreants are also becoming more sophisticated at a strategic level, Bejtlich said: He described how they might target small companies that were merging with larger ones, to avoid trying to attack the bigger firm’s online security. Instead, by compromising a small company’s computer networks, the bad guys can then get into the new common network after a merger.
This can have profound financial as well as security implications, Bejtlich said – if you’re an aerospace giant and you want to acquire a small firm because its widget is worth $10 million, but then you discover it’s been cyber-stolen and no longer proprietary, the technology might only be worth $10,000, and that could put your shareholders and Wall Street in a bad mood.
And you can’t do anything about any of this. Government officials won’t talk about offensive cyber-attacks, so we can’t go there. Private-sector clients in crisis often ask Mandiant how they can get back at these guys, or at least whether they can destroy the data that was stolen, Bejtlich said.
“I’ve never seen somebody execute this, because of legal concerns,” he said. “The CEO says, ‘I wanna get these guys,’ but if there’s a lawyer in the room, what does he say? ‘Absolutely not.’”
Going after data that has been stolen from your network is like following a thief who has stolen your television and then breaking into his house to steal it back, Bejtlich said – “not authorized by our legal code.”
And the law can’t catch up with cyber, as we’ve seen so many times. And by the time the feds knock on your door to tell you about your compromise, it’s too late. And even though officials have been warning about cyber-dangers for more than a decade, the cyber-world has basically just been treading water this whole time, another speaker argued.
“I’ve been at this conference for 15 years,” said Jason Healey, an analyst with the Atlantic Council. He showed government reports warning of “computers at risk” from 1991 and before, and said although the technology involved has gotten much more advanced since then, the cyber doctrine, for lack of a better term, has not.
Healey argued that the U.S. can’t afford to keep being coy with China. It must build a coalition of cyber-victims and formally call out Beijing on the world stage, citing specific examples of Chinese hacking. Healey said Washington has never laid out its cyber-grievances in this way, and suggested that threatening to embarrass China might be one first step.
He also said the cyber-world must dispense with its worries over “attribution” – tracing the origins of attacks. Healey repeated the factoid that 178 countries were “involved” in the 2007 cyber-attack on Estonia: “Who cares?” he said. “That is completely meaningless.” In those situations, if the U.S. is affected, “the president needs to pick up the phone and call the Kremlin.”
(For what it’s worth, Bejtlich said the lines between Russian government and organized-crime cyber-mischief were so blurred as to be nonexistent. As for China, he said that if you want to know if you’ll be a cyber-target, see where your company falls on Beijing’s regular 5-year “industrial priorities” plans – it tracks very closely with hacking victims.)
An audience member’s question Friday crystallized all the speakers’ points at the cyber-conference: The much-feared “Cyber Pearl Harbor” has already happened, he said. Global cyber crime is more profitable than the drug trade. America’s onetime technological advantage is gone; many of its intellectual-property secrets have been stolen.
“People just haven’t realized it yet,” the questioner said.
It’s a depressing thesis, but from all the public statements about cyber-losses, it sounds plausible – unless a true “Cyber Pearl Harbor” – in which bad guys knock out the power grid or the financial system or our telecommunications – happens tomorrow. Even if it doesn’t, Healey proposed a new set of parallels: a “Cyber-Vietnam,” i.e. a prolonged campaign rather than a single sneak attack; or a “Cyber Battle of Britain,” in which the government appeals to – or impresses – private citizens for help in responding to a major crisis.
Can anything be done? Healey called for “cyber-mindedness,” for users to be that much more careful when they use the network, and for military cyber-units to study their forebears as airmen study MiG Alley or Operation Linebacker.
Maj. Gen. Suzanne Vautrinot, commander of the 24th Air Force, said military networks must be “proactive in defense,” able to monitor intrusions and irregularities and turn them against attackers. She showed the infamous clip of New York Giants bruiser Lawrence Taylor tackling Washington Redskins great Joe Theismann – crushing his leg and ending his career. That’s what cyber-defense has to be, she said.
Bejtlich left attendees with perhaps the most hopeful metaphor: The best organizations turn cyber-security “into a manageable situation,” he said – “they go from being a volunteer fire department to a continuous business process.”
In other words, governments and businesses must treat cyber-security like a chronic disease, a condition that will always be there but can be managed and even suppressed. Bejtlich said that if he could, he’d mandate that everyone do an inspection every 30 days to see where their networks were compromised, then act appropriately once the details are discovered.
Turning to the inevitable cyber-football analogy, Bejtlich said defenders have to stop permitting attackers to complete touchdown passes every time. Instead they’ve got to pressure the quarterback and defend downfield, forcing attackers to try for field goals instead.
“The bad guys are going to complete passes, they’re going to compromise your systems, get to your data, try to aggregate it, encrypt it, exfiltrate it, and you want to prevent them from getting to the point of the extrusion,” he said. “If you have fast identification, fast containment, if you can get to them before they complete their mission, it may not matter as much that they’re in your system.”
That, it appears, is the best diagnosis we can hope for. Congress can’t act – which means it can’t pass its own laws or ratify a theoretical international cyber-treaty. If the military and government are getting better at cyber-defense, the private sector remains more or less on its own. Here’s how Twitter user @hal_999999999 put it in a response to @DoDBuzz on Friday:
“It’s the old west, the Roaring Twenties, and the Cold War all rolled into one, w/some wires and CPUs... We’re gonna have to earn it.”