The Dogs of Cyberwar
The day began like any other day. Lauren arrived at work ahead of her boss, put her lunch in the refrigerator down the hall, poured a cup of coffee, and settled into her cubicle.
She turned on her computer, opened her email and began her daily ritual of triaging her messages so that she could take care of any quick turnarounds or potential brushfires before her boss arrived.
In her message queue was a note from her boss advising her that a new patch to her operating system needed to be installed immediately and that she should click on the blue text link in the message to install it. Like any dutiful employee, Lauren clicked the link, received a confirmation and continued on with her daily activities, unaware of the horror she’d unleashed.
Halfway across the globe, someone might as well have quoted Marc Antony’s “Cry ‘Havoc,’ and let slip the dogs of war!” Lauren’s ill-fated click most assuredly let slip the dogs of cyber war. The message she believed to be from her boss was expertly crafted to appear legitimate, a hallmark of a “spear-phishing” attack. Within seconds, highly sophisticated malicious software, or “malware,” seized control of her computer and propagated across the corporate network, probing defenses, collecting intelligence, mapping resources and, most importantly, erasing its tracks.
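The lure in the scenario carries several signals that a mail gateway or an analyst's triage script can check mechanically: a sender whose display name looks like the boss but whose address sits on a lookalike domain, a Reply-To that points somewhere else again, urgency wording, and a link whose visible text names an internal host while its href points elsewhere. The Python below is an example added to this article, not code from the original or from any vendor quoted in it; the employer's domain (example.com), the indicator names, the keyword lists and the two sample messages are all constructed for the illustration.

```python
"""Spear-phishing lure triage (added example; sample messages constructed for it)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

INTERNAL_DOMAIN = "example.com"  # assumed mail domain of the victim's employer (hypothetical)
URGENCY_WORDS = ("immediately", "urgent", "right away")  # assumed wording list
URL_RE = re.compile(r"https?://\S+")

class _LinkCollector(HTMLParser):
    """Gather (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _mail_domain(header):
    return parseaddr(header)[1].rpartition("@")[2].lower()

def _url_host(text):
    m = URL_RE.search(text)
    return (urlparse(m.group(0)).hostname or "").lower() if m else ""

def _is_internal(host):
    return host == INTERNAL_DOMAIN or host.endswith("." + INTERNAL_DOMAIN)

def _text_parts(msg):
    """Yield (subtype, decoded body) for every text/* part of the message."""
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            yield part.get_content_subtype(), raw.decode(part.get_content_charset() or "utf-8", "replace")

def _links(parts):
    """(href, visible text) pairs; a bare URL in plain text is its own visible text."""
    out = []
    for subtype, body in parts:
        if subtype == "html":
            collector = _LinkCollector()
            collector.feed(body)
            out.extend(collector.links)
        else:
            out.extend((url, url) for url in URL_RE.findall(body))
    return out

def analyze(raw_message):
    """Return the sorted list of lure indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    found = set()
    display_name, _ = parseaddr(msg.get("From", ""))
    sender, reply_to = _mail_domain(msg.get("From", "")), _mail_domain(msg.get("Reply-To", ""))
    if sender and not _is_internal(sender):
        if display_name:  # a familiar name on an outside domain
            found.add("named-sender-external-domain")
        if INTERNAL_DOMAIN.split(".")[0] in sender:  # e.g. example-it.com standing in for example.com
            found.add("lookalike-sender-domain")
    if reply_to and reply_to != sender:
        found.add("reply-to-mismatch")
    parts = list(_text_parts(msg))
    haystack = (msg.get("Subject", "") + " " + " ".join(body for _, body in parts)).lower()
    if any(word in haystack for word in URGENCY_WORDS):
        found.add("urgency-language")
    for href, text in _links(parts):
        href_host, text_host = _url_host(href), _url_host(text)
        if href_host and text_host and href_host != text_host:  # shown one place, goes another
            found.add("link-text-href-mismatch")
        if href_host and not _is_internal(href_host) and re.search(r"patch|update|install", (text + " " + href).lower()):
            found.add("external-install-link")
    return sorted(found)

def is_suspicious(raw_message, threshold=2):
    """Crude score: two or more independent indicators earn a quarantine."""
    return len(analyze(raw_message)) >= threshold

# Constructed lure modelled on the scenario, and a constructed benign message for contrast.
LURE = """\
From: "Dana Boss" <dana.boss@example-it.com>
Reply-To: helpdesk@mail-update.net
To: lauren@example.com
Subject: Install this OS patch immediately
Content-Type: text/html; charset="utf-8"

<html><body><p>Lauren, please install this before I get in:</p>
<a href="http://patch-update.net/os/update.exe">https://patch.example.com/update</a></body></html>
"""

BENIGN = """\
From: "Dana Boss" <dana.boss@example.com>
To: lauren@example.com
Subject: Lunch today?
Content-Type: text/plain; charset="utf-8"

Want to grab lunch at noon? Menu: https://cafeteria.example.com/menu
"""

if __name__ == "__main__":
    print(analyze(LURE), is_suspicious(LURE))
    print(analyze(BENIGN), is_suspicious(BENIGN))
```

These checks are a triage aid, not proof: a lure sent from a colleague's already-compromised mailbox trips none of the sender checks, which is why the link checks are evaluated on their own rather than folded into the sender score.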
In such an attack, terabytes of information—password files, trade secrets, intellectual property, research-and-development initiatives—are then collected, encrypted and shipped to the command-and-control system that operates this particular attack mission. The malware also installs multiple back doors and well-hidden “time bombs” to ensure continued access over the long term.
If Lauren’s company happens to be in the supply chain of a larger corporation, which in turn provides critical materiel and support to the United States defense and intelligence communities, the cyber attack could have national security consequences. An expert analysis of the stolen information could provide the necessary intelligence to launch subsequent attacks on Lauren’s company and others in the supply chain, eventually leading to the successful infiltration of a large corporation that supports our national security apparatus.
The foregoing scenario, rendered generic to protect the embarrassed, has occurred many times throughout the past decade, and it continues today. It’s called Advanced Persistent Threat (APT). In short, an APT is a sophisticated, sustained attack on a selected target, conducted to gather information of great strategic importance. Advanced Persistent Threats are conducted by nation-states, or by groups with close ties to them, that have the resources and the motivation to gather sensitive information regardless of the defensive measures in place to protect it.
At any given time, hundreds of such attacks are being orchestrated against targets in the United States and other Western countries. The information is gathered and analyzed and then used in planning subsequent attacks against increasingly valuable targets. The difference between traditional hacking and APT is stark: APT is highly advanced and employs the full spectrum of computer intrusion. APT is extremely persistent—the attackers never stop gathering intelligence until the mission is accomplished. APT is a true threat—the difference between typical hackers and APT attackers is like the difference between a street gang and SEAL Team Six.
The chief information security officer in any particular enterprise is conditioned to greet each day with an anticipatory wince, because he or she is charged with protecting the enterprise’s most important information resources. It’s a thankless existence, with successes rarely acknowledged, while breaches add to the crescendo of alarmist headlines. Success in this business is defined as not being excoriated above the fold on the front page of today’s newspaper, at least not today. Because of APT and other malicious cyber attacks, information security officers do not enjoy a peaceful existence.
“No industry is safe, and they are not only attacking large corporations, they are attacking small to medium-sized companies as well,” says Phil Ferraro, the chief information security officer of Las Vegas Sands Corporation. “Typically the smaller company’s security posture is lower than the larger corporation’s, making it easier to penetrate and exploit their networks.”
A common method of operation is to attack a small supply chain vendor, Ferraro says, “then use that company as a pivot point to gain entry into a larger target. This was the method used in the breach of security company RSA a couple of years ago.”
Eddie Schwartz, chief information security officer at RSA, says, “If there’s one thing we’ve all learned from events such as the attack on RSA, it’s that we have to take the fight to the adversary through better analytics. That means we have to change from a model where we are sitting back and waiting for bad things to happen to us to one in which we go out and look for attacks on our most critical information assets.” Bottom line: Schwartz is telling us to get proactive.
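Schwartz’s “go out and look for attacks,” together with the scenario’s encrypted shipments to a command-and-control system, points at two of the simplest hunts an analyst can run over outbound proxy logs: hosts that call the same destination on a fixed schedule (malware check-ins), and host-to-destination pairs that move far more data out than a workstation normally would. The Python below is an example added to this article, not code from the original or from any vendor quoted in it; the log format, the addresses, the time window and the thresholds are constructed assumptions.

```python
"""Beacon and bulk-egress hunting over proxy logs (added example; log lines constructed)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log in a hypothetical "timestamp src dst bytes_out" format.
# 10.1.4.22 checks in with 198.51.100.7 every ~5 minutes (a beacon), browses
# 93.184.216.34 at irregular intervals, and pushes ~1.1 GB to 203.0.113.9 overnight.
SAMPLE_LOG = """\
2013-05-06T02:13:40 10.1.4.22 203.0.113.9 734003200
2013-05-06T02:31:05 10.1.4.22 203.0.113.9 419430400
2013-05-06T09:00:00 10.1.4.22 198.51.100.7 612
2013-05-06T09:01:10 10.1.4.22 93.184.216.34 4820
2013-05-06T09:01:55 10.1.4.22 93.184.216.34 1933
2013-05-06T09:05:01 10.1.4.22 198.51.100.7 598
2013-05-06T09:10:00 10.1.4.22 198.51.100.7 604
2013-05-06T09:11:55 10.1.4.22 93.184.216.34 7710
2013-05-06T09:12:07 10.1.4.22 93.184.216.34 2216
2013-05-06T09:15:01 10.1.4.22 198.51.100.7 611
2013-05-06T09:20:00 10.1.4.22 198.51.100.7 599
2013-05-06T09:25:01 10.1.4.22 198.51.100.7 607
2013-05-06T09:42:07 10.1.4.22 93.184.216.34 3380
"""

def parse(log):
    """Parse log text into (timestamp, src, dst, bytes_out) tuples."""
    events = []
    for line in log.splitlines():
        if line.strip():
            ts, src, dst, nbytes = line.split()
            events.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return events

def _by_pair(events):
    """Group events by (src, dst), each group sorted by time."""
    pairs = defaultdict(list)
    for ts, src, dst, nbytes in events:
        pairs[(src, dst)].append((ts, nbytes))
    for hits in pairs.values():
        hits.sort()
    return pairs

def find_beacons(events, min_hits=5, max_cv=0.1):
    """Pairs whose inter-request gaps are nearly constant: coefficient of variation <= max_cv.

    Returns [((src, dst), period_seconds), ...]. Thresholds are assumed starting points.
    """
    beacons = []
    for pair, hits in _by_pair(events).items():
        if len(hits) < min_hits:
            continue
        gaps = [(later[0] - earlier[0]).total_seconds() for earlier, later in zip(hits, hits[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons.append((pair, round(avg)))
    return sorted(beacons)

def find_bulk_egress(events, threshold_bytes=500 * 1024 * 1024):
    """Pairs whose summed outbound bytes exceed threshold_bytes (assumed 500 MiB)."""
    totals = defaultdict(int)
    for _, src, dst, nbytes in events:
        totals[(src, dst)] += nbytes
    return sorted((pair, total) for pair, total in totals.items() if total > threshold_bytes)

def hunt(log):
    """Run both hunts over one log and return the leads."""
    events = parse(log)
    return {"beacons": find_beacons(events), "bulk_egress": find_bulk_egress(events)}

if __name__ == "__main__":
    print(hunt(SAMPLE_LOG))
```

Both hunts produce leads, not verdicts: legitimate software updaters also beacon on a schedule, and a backup job also moves bulk data, so each hit needs the destination, the process and the time of day checked before anyone calls it an intrusion.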
Who’s Conducting Attacks?
In February 2013, the security firm Mandiant made headlines with its extensive exposé on China’s APT capability, which has been employed in a broad range of attacks against the United States and other Western nations since at least 2006. The report contends that the Chinese military unit designated People’s Liberation Army Unit 61398, which Mandiant tracks as APT1, conducted APT attacks against 141 organizations spanning 20 industries, stealing hundreds of terabytes of information. Although Mandiant focused its assessment on Unit 61398, it also noted that more than 20 other APT groups are active within China. The APT attack infrastructure uncovered by Mandiant extends to hundreds of people and thousands of servers behind tens of thousands of compromised systems around the world.
So what should a Fortune 1000 company be concerned about when it comes to APT? Chris Lew, Mandiant’s principal threat intelligence analyst, says it depends on how China perceives the company’s value. “Consider whether your company has a role in any supply chains that develop a technology, product, or service related to Beijing’s economic, social, or political priorities,” Lew says. “If your company provides any component of one of these supply chains, then you should be concerned about APT network intrusions aimed at monitoring your activities or stealing your proprietary data.”
“The most important aspect of risk to consider with APT groups,” Lew adds, “is that, since they typically possess close ties to a nation-state, their resources, reach and persistence may be much greater than those of a hacking group interested mainly in short-term profit. For this reason, losses resulting from a network compromise by an APT group may not be immediately quantifiable, but the long-term effects of an APT operation could be devastating.” An APT attack that gains access to a company’s computing infrastructure may steal massive amounts of data for months before being detected. “At that point,” Lew says, “it can be difficult to determine what information was stolen. Therefore, active security procedures that detect threat activity as early as possible become especially important.”
In addition to the Mandiant report, notes Ferraro, “a separate 2011 report by McAfee revealed that in a single attack the APT command-and-control server carried out more than 70 successful breaches in dozens of industries from government to insurance to hospitality to real estate and many others that you would not think would be a target.” Operation “Shady RAT” (RAT for remote access tool), as McAfee named it, was surprising because of the enormous diversity of the victim organizations and the audacity of the perpetrators.
The Pentagon went straight to the core of the issue in its annual report to Congress, in which it describes China as having highly sophisticated cyber warfare capabilities and directly accuses China of targeting U.S. computer systems for intrusions.

As if that news weren’t bad enough, in its annual must-read “Data Breach Investigations Report” for 2013, Verizon provides extensive analysis of more than 47,000 reported security incidents and 621 confirmed data breaches from the past year. Over the entire nine-year range of this study, that tally now exceeds 2,500 data breaches and 1.1 billion compromised records. These numbers are staggering, further highlighting the magnitude of risk posed to organizations. The impact is still unknown.

“Nation states are all very patient, well funded and willing to delay gratification of their thefts,” says Patti Titus, former chief information security officer at the U.S. Transportation Security Administration. “We have no idea if they’re even still present in the networks that were compromised.” Titus also notes that U.S. government systems are not the only targets of these attackers. “Operation Aurora was an APT that targeted several California Bay Area companies, exposed by Google,” she says. “According to McAfee, the primary goal of the attack was to gain access to and potentially modify source code repositories at these high-tech, security and defense contractor companies.” As a result of these and similar attacks, she says, APT has evoked reactions from America’s business leaders “that were akin to the crash of the stock market.”
Left of Boom
Which leads back to Schwartz’s point about the need to be proactive. In military circles, it’s called “left of boom.” The phrase comes from Department of Defense work against roadside bombs, where “boom” is the bad event and the timeline is read left to right: everything “left” of the boom happens before it. Left-of-boom activities contribute to preventing the event from occurring. Right-of-boom activities come after the event: the unfortunate cleanup, reconstitution and forensics activities that consume resources and highlight left-of-boom failures.
In his August 10, 1798, letter to James McHenry, George Washington wrote: “It is much easier at all times to prevent an evil than to rectify mistakes.” The father of our country might not have known much about cyber security, but he certainly understood left of boom. Applying the left-of-boom concept to managing risk can be both enlightening and rewarding. Left-of-boom processes are proactive and thus help prevent bad events, and there is a calculable return on investment for the resources expended on them. Cyber security centers on managing risk, and that risk is defined by the business lines and essential processes an organization must assure. If those processes can be strengthened so that they operate with confidentiality, integrity and availability, then cyber security becomes a palpable and measurable contributor to the business. Right-of-boom activities, on the other hand, consume enormous resources.
Most companies would like to cover right-of-boom activities, which are for the most part unexpected, unwanted and unsatisfactory, with some type of cyber insurance. AIG first began selling cyber insurance in 1999, and today cyber insurance is a billion-dollar industry. In recent years, the threat of APT has caused the risk to spike dramatically. Because much of the information pertaining to APT has been closely held and highly classified by the national security community, it is not yet known how well this dramatic increase in risk is understood in corporate risk assessments and in the cyber insurance written against them. Moreover, Richard Betterley of the Betterley Report has often pointed out that state-sponsored attacks such as APT are not covered by commercial cyber insurance.
Howard Schmidt, former cyber security coordinator for the Obama administration, acknowledges the severity of the threat. “Business schools do a good job in teaching financial and business risks,” Schmidt says, “but do not treat the cyber risks to businesses very well.”
He notes that new guidance from the Securities and Exchange Commission, issued in October 2011, asks registrants to address cyber risk in their annual filings. The guidance issued by the SEC’s Division of Corporation Finance identifies six areas of the filing where obligations may exist to disclose cyber risks and/or cyber incidents, and Schmidt views that as a very positive development.

More companies are entering the cyber insurance market. Hartford Steam Boiler (HSB), historically a company that provided equipment-related insurance, was providing insurance for data loss from physical accidents a few years ago and then sensed a need for a new offering. Tim Zeilman, vice president of HSB’s Strategic Products Group, says, “HSB noticed an underserviced market for specialty data breach coverage for small and mid-sized companies.” The product, called CyberOne, deals with exposures from loss of data at small companies. “HSB partners with carriers who insure the small and mid-sized companies, and those carriers assess the cyber risk in the entire risk portfolio for those companies,” Zeilman says.
“As an endorsement,” he notes, “the HSB CyberOne coverage attaches to policies that include a typical war exclusion, but the CyberOne coverage itself doesn’t contain an exclusion for computer attacks that are in some way state-sponsored. Given the lack of historical precedent, it remains an open question as to whether a major state-sponsored cyber attack would trigger a war exclusion.” This much is clear: Cyber security-related products are becoming more mature, but the threat posed to companies is skyrocketing to levels never seen in the brief history of information technology. Understanding the enormity of this cyber risk and blending sound left-of-boom cyber security efforts with progressive new insurance products are important steps in the right direction. Whatever the outcome on war and terrorism exclusions, insurance products that cover the theft of intellectual property and trade secrets are becoming more essential.