Skating on Stilts

The Justice Department's National Security Division may be getting on the cyberspace attribution/retribution bandwagon -- and in the process, reshaping US strategy for deterring cyberespionage.

First, NSD is creating a new liaison position in US Attorney offices across the country -- the National Security Cybersecurity Specialist, or NSCS (rhymes with "discus meniscus" for you knee trauma buffs).  The idea is that companies across the country are suffering from cyberespionage, much of it state-sponsored, and there need to be cleared, cyber-smart prosecutors in each federal prosecutor's office who can work with local victims, not to mention the FBI, which already has specialists in each field office who deal with local victims of cyberespionage.

This is a good thing, and part of NSD's coming of age.  But what's most important is this simple fact:  the Justice Department doesn't designate prosecutors to give speeches, or to hold industry's hand and offer sympathy.  It designates prosecutors to prosecute. 

So, implicit in this new initiative is a new willingness to prosecute cyberespionage cases -- a development very much fueled by the growing body of attribution evidence accumulating in federal files.

In fact, John Carlin, a top NSD official, has more or less declared that the Department will start prosecuting cyberspies, perhaps soon.

Well big whoop, you might say.  Why should a foreign government cyberspy care that he's being investigated by some prosecutor from the Northern District of Minnesota?  Maybe it is mildly embarrassing to be indicted, but it won't make a real difference in his life. He can just give Justice the finger.

But Justice isn't limiting its focus to the guys stealing the data.  The real targets are the guys consuming the stolen data:

  Carlin said the best possible target for a prosecution might be a case where a company that uses stolen technology could be charged.

“Whether it is a state-owned enterprise or a state-supported enterprise in China — if you can figure out and prove that they’ve committed the crime, charging the company means they can’t do business in the U.S., or in Europe,” he said. “It affects their reputation and that then causes them to recalculate: ‘Hey, is this worth it?’”

I think Carlin is exactly right.  There's no point in stealing data from Exxon or Nortel if it's just going to sit in some military intelligence filing cabinet somewhere. It's only worth stealing if you can give it to Exxon's or Nortel's state-sponsored competitors, because those are the only people who can actually use it effectively. That simple observation drives a surprising conclusion: Most of the cyberspies now infesting US companies are very likely working in the end for state-owned enterprises that compete with Western commercial enterprises. 

And that's their vulnerability.  Those enterprises can't compete with Western companies unless they compete globally.  Which means doing business in Japan, Europe, and the United States. And companies that do business here can be prosecuted here.  They can't give prosecutors the finger, at least not if they want to stay in business here.

So if NSD is successful, it can force state-owned companies to choose between the value of cyberespionage and the value of their US business. There are a lot of uncertainties in this approach.  We'll have to take our newfound attribution capabilities another long step forward, identifying not just the thief but his customer.  But if we can pull that off, and I think we can, this is the first plausible strategy for deterring mass Chinese cyberespionage we've come up with in twenty years. 

Plus, think of the entertainment value.  What I really want is the popcorn concession at that first trial.

The Wall Street Journal thinks it's found another scandal in government.  It has, but the scandal isn't about privacy.  It's about how the government is slowly unlearning the lessons of 9/11.

DHS has passenger lists for flights in and out of the US.  It uses those lists to watch for terrorists.  The National Counter Terrorism Center also watches for terrorists.  So it asked for DHS's lists. The first rule of bureaucracy is never to share information with a rival. So it's no surprise that DHS didn't want to hand over its data to Matt Olsen's NCTC.

It's not even a surprise that DHS claimed it was fighting for Americans' privacy.  But, really, how silly is that?  Do you know anyone who resonates to this slogan:  "I''m glad Janet Napolitano has my travel records, but I will fight to the death to keep them out of Matt Olsen's hands"?

What's troubling is that DHS, born out of 9/11, is leading the effort to roll back the lessons we learned then. Its argument in the WSJ article sounds exactly like the arguments that prevented information sharing in the run-up to 9/11. Then, it was the intelligence community that didn't want to share its data or its turf with law enforcement.  The intelligence community persuaded the FISA court that keeping intelligence from law enforcement was a privacy issue, and the court bought in. 

In fact, the court enforced "the wall" between intelligence and law enforcement so harshly that the FBI was afraid to let its enormous and highly competent Cole bombing task force go looking for the 9/11 hijackers in the two weeks before the attack, even though the bureau knew al Qaeda leaders were in the country and up to no good.  As a result we lost our last, best chance to stop the attack before it happened. (I told this story in the third chapter of Skating on Stilts.)

Now it looks as though we're headed down the same road, but with DHS taking the role of the intelligence community. Funny, you'd think three thousand deaths would resonate longer in our government's memory.

I’ve thought for a while that attribution of hacker attacks was improving rapidly. Now we have confirmation from a Ken Dilanian scoop in the LA Times. Dilanian reports that “the U.S. intelligence community is nearing completion of its first detailed review of cyber-spying against American targets from abroad, including an attempt to calculate U.S. financial losses from hacker attacks based in China.” And the intelligence estimate shows just how far the US has come in identifying the source of particular intrusions:

Intelligence analysts disagree over the extent to which the intrusions are organized by Chinese authorities, but the CIA and National Security Agency have traced cyber-attacks and thefts to Chinese military and intelligence agencies…. "We know much more about who is doing this than we did even two years ago," one official involved in the effort said. "We have traced attacks back to a desk in a [People's Liberation Army] office building."

Nice work, intell community.

For those who think I’m a little paranoid on the subject of cybersecurity, I suggest this story – a nightmare made in China for a small US businessman. Brian Milburn’s parental control software was pirated and used in a China’s infamous Green Dam software. 

When he sued, hackers tied to the Chinese government attacked his networks relentlessly, nearly destroying his business:

 

For three years, a group of hackers from China waged a relentless campaign of cyber harassment against Solid Oak Software Inc., Milburn’s family-owned, eight-person firm in Santa Barbara, California. The attack began less than two weeks after Milburn publicly accused China of appropriating his company’s parental filtering software, CYBERsitter, for a national Internet censoring project. And it ended shortly after he settled a $2.2 billion lawsuit against the Chinese government and a string of computer companies last April.

In between, the hackers assailed Solid Oak’s computer systems, shutting down web and e-mail servers, spying on an employee with her webcam, and gaining access to sensitive files in a battle that caused company revenues to tumble and brought it within a hair’s breadth of collapse.

There are two particularly interesting, and troubling, aspects of the story. First, the hackers immediately attacked Milburn’s law firm as well as his company.  This tactic is now part of the standard playbook for China’s hackers, but US law firms have not fully adapted to the threat. Second, I’ve long wondered when the Chinese hackers would go from stealing information to sabotaging networks.  According to Milburn, that’s exactly what they did here:

While bulk sales and orders over the phone were up, 60 percent of Solid Oak’s business depended on users buying the $39.95 program directly from the website. As the network problems continued, so did the fall in sales. Milburn wouldn’t provide month-to-month sales figures, saying it could aid competitors, but he says the normally profitable company dipped into the red after a big drop in web sales the month the lawsuit was filed. Net losses averaged $58,000 a month after that, even as Milburn slashed expenses, he says.

Tracing the drop, he could see that customers were coming to the website to buy the software like always. They’d type in credit card numbers and click submit, but most of the orders -- on some days 98 percent -- weren’t going through, Milburn says. He replaced servers and tried other fixes. Nothing worked.

He went without pay, and DiPasquale agreed to forego her salary for a few months too. She and her husband, a professional chef, drew down their savings, but by the summer of 2010, the money was running out.

…

Examining the script that controlled the payment processing function in November that year, he noticed that a single character was missing from the string -- an apostrophe. That was enough to cause the page to time out, rather than to complete the credit card transaction. Customers were leaving in frustration.

The apostrophe was sometimes there and sometimes not, so some payments went through. There may have been other ways that the hackers were sabotaging his sales, but Milburn was sure he had found at least one.

“A hacker could certainly edit the script and break it so it wouldn’t work,” says Stewart, the DellSecureWorks threat expert. “That would be a great way to do it without calling attention to the fact that they were in the system.”

If this is a harbinger of future Chinese conduct, the silent cybersecurity crisis is going to become very public, and very ugly.

Photo credit:  Wikipedia

Security professionals probably spend too much time and money securing their systems and too little checking to see whether their security measures have failed.  After putting a new security solution in place at great cost, it’s only natural to think that you’ve, well, solved your security problems. But the history of computer security, not to mention the history of humanity, tells a different tale.  While you’re basking in a sense of achievement, your adversary is working to overcome your new defenses. Sooner or later, he will. How will you know?  Today, most companies figure it out when the FBI or someone else shows up to tell them their systems are spewing data to known bad sites.

That’s a little late, and a little random. Ideally, we’d all have automatic security checks to tell us that we’ve been compromised, just as a good accounting system has backend checks to flag suspicious transactions.  In the network security world, one of the more developed tripwire technologies are honey traps – irresistible targets for hackers that, among other things, let you know when some or all of your defenses have been penetrated.  Gloria Gaynor pretty much summed up the strategy:  hackers come for the honey and end up getting stung.

Now comes a good new report on honey trap technologies from the European Network and Information Security Agency, or ENISA, which is rapidly becoming my favorite European institution. (Granted, there’s not much competition.) ENISA’s report is a good practical evaluation of a host of honey technologies.  Among the things I liked was its discussion of “honeytokens” – fake files left on your system and watched carefully for any signs of access. I’ve experimented with crude versions of that approach myself, and I’m quite surprised that it is not a standard part of all security deployments.  Unfortunately, the report’s practical evaluation charts don’t actually evaluate commercial technologies using honeytokens, but it does cite a few additional publications in the footnotes (here’s one; here’s another; and another) for those who share my enthusiasm for the concept.

Photo credit: Stefan-Xp through Wikimedia commons

A few posts back, I told the story of how Trend Micro identified “Luckycat,” a Chinese hacker who had attacked the Dalai Lama, aerospace firms, and other targets. Based on what we know so far, it looks likely that the hacker is Gu Kaiyuan, formerly a student at Si Chuan University’s Information Security Institute and currently employed by Tencent, the huge Chinese instant message firm. Gu insists that two people used some of the credentials in question, and that he’s innocent.  According to the New York Times, the University issued what seem like a carefully limited statement that it never “hired any unit or individual to participate in Internet attacks or hacking activities.” Tencent’s statement is similarly cautious: “We have checked with our colleague Mr. Gu Kaiyuan, who denied he was involved in any hacking activities…..Nor was he named by the author of the report as a hacker.”

It’s clear that Trend Micro has taken attribution pretty far, but more needs to be done if we’re going to get to the bottom of the case.  The usual assumption in these cases is that nothing more can be done.  The Chinese government isn’t likely to help, and Gu isn’t likely to come to the US any time soon.

But it’s a globalizing world. And the US has more leverage than it’s using. Let’s start with Tencent.  It’s a big Chinese company, but it seems to do plenty of business in the United States as well. It has a joint venture in China with Groupon that might require CFIUS approval. It has a gaming company in Boston with 10 to 50 employees, so its executives are likely to want visas to come to the United States. Whether it’s seeking CFIUS approval or more visas, Tencent cannot afford to acquire a reputation for hiring hackers.  If the United States asks for more information about Gu, or a chance to interview him, Tencent cannot say no.

Or take Si Chuan University. We’ve got some leverage there, too.  The University sends plenty of students to the United States, and it accepts US exchange students as well. In fact, just three weeks after the Trend Micro report had fingered Si Chuan University for possible complicity in hacking American companies, the State Department sent a couple of consular representatives to the school to encourage its students to apply early for visas to study in the United States.

That of course was the wrong message for our diplomats to send, and it suggests that the State Department is still not taking hacker attribution and retribution seriously. Instead, the Department of Homeland Security, which has cybersecurity responsibilities as well as student visa authority, should open an investigation into Si Chuan University and its Information “Security” Institute.  Those institutions may or may not be complicit in the Luckycat attacks, but the public data about Si Chuan and its Information Security Institute isn't particularly comforting on that score.

The Information Security Institute was China’s first, established in December 1997. It doesn't just do research; it actually produces products, and it benefited from “Program 863,” a government research program to develop and acquire sophisticated technologies in a handful of high priority fields. (A Chinese spy was convicted last year of stealing US technology and giving it to Program 863-- and to a Chinese university.) Among the Institute’s products that have been highly praised in China are systems “to improve network attack and defense and network behavior regulation, strengthen information security management, real-time monitoring, tracking competitors , industry, government and other sectors dynamic, capture, analysis, favorable or unfavorable information.” (Emphasis added.) It would be wrong to condemn the institution based only on the Google Translate version of an Internet report, but it’s surely fair to ask Si Chuan University if its products really do improve “network attack” or facilitate “real-time monitoring” of people in public networks. (Readers who know Chinese are invited to offer their views in the comments.)

The answers to these questions are surely relevant to how welcome Si Chuan researchers should be in the United States. After all, if the University is a front for organized attacks on US institutions, or a handmaiden of Chinese repression, or if it just refuses to cooperate in an inquiry, why should the United States grant visas to its students or professors?

Indeed, you kind of wonder why American schools, where academic boycotts to show moral disapproval of apartheid South Africa and even of Israel have been widely mooted, aren’t reconsidering their ties to Si Chuan over its possible complicity in attacks on the Dalai Lama.  (If you'd like to ask them yourself, here’s a list of Si Chuan’s Western exchange program partners.)