BreachExchange mailing list archives

Raising the Cost to Chinese Hackers


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 3 Mar 2015 18:57:33 -0700

http://blogs.cfr.org/cyber/2015/03/03/raising-the-cost-to-chinese-hackers/


The Director of National Intelligence released his annual threat assessment
last week, and cyberattacks top the list. There were at least three
headlines in Clapper’s written and oral statements. First, while a “cyber
armageddon”—a destructive attack that debilitates wide swathes of U.S.
infrastructure—might be possible, it is very unlikely. Instead, the risk is
from an “ongoing series of low-to-moderate level cyber attacks,” which will
“impose cumulative costs on U.S. economic competitiveness and national
security.” Second, China may get most of the press coverage, but Russia is
a serious challenge. In fact, Clapper admitted that the “Russian cyber
threat is more severe than we’ve previously assessed.” Third, Clapper
accused Iran of hacking the Sands Casino and warned that the next wave of
attacks could change or manipulate information, impairing decision making
by government officials, corporate executives, or investors.

As several other U.S. government officials have done over the last several
months, Clapper also claimed that attribution has become easier. Hackers
can no longer assume that their attacks will be undetected and they can no
longer expect that when attacks are unmasked, their identities will remain
anonymous. With enough time and resources, attacks can be attributed. This,
however, has not created deterrence. Breaking into networks remains easy,
the gains of the attacks high, and the relatively long delays between
attack and attribution create a permissive environment.

This seems to be especially true in the case of China. Clapper notes that
Chinese cyber espionage continues despite “detailed” private cybersecurity
reports attributing attacks on U.S. companies and government agencies,
“scathing” public denouncements, and “stern” U.S. government demarches.
Clapper does suggest one way of limiting attacks. Because Chinese hackers
use relatively simple tools and techniques, improving defenses would force
them to develop more sophisticated, expensive, and time-consuming methods.
The costs of economic espionage would go up.

Coincidentally, I was at a conference last week in Washington focused on
this exact question: how do you raise the cost to Chinese hackers? There
was a great deal of skepticism that the United States would be able to get
China to accept a norm against the cyber-enabled theft of intellectual
property, trade secrets, or business strategies. Other states do not
believe the United States actually adheres to the norm, and many friends of
the United States actively engage in cyber-enabled economic espionage. One
participant, for example, noted an uptick in attacks on U.S. companies
coming from South Korea.

There was also little sense that big technology companies would be
interested in pursuing trade or other sanctions against the Chinese firms
that are thought to be benefiting from the theft. Smaller firms might have
the stomach for a fight, but the larger firms, with sizable investments in
the market, are already overexposed to retaliation from the Chinese
government. Things are already bad, with foreign technology being removed
from government procurement lists and a draft counterterrorism law that
would require firms to hand over encryption keys and install backdoors, and
they fear that it will only get worse.

Instead of raising the costs by engaging in active defense, where small
groups of U.S. hackers with highly detailed intelligence disrupt attacks in
China before they hit U.S. networks, the one idea that generated any
enthusiasm was to use deception to lower the value of the information
Chinese hackers stole. Here the model is the Farewell Dossier. In 1981, French
intelligence obtained the services of Col. Vladimir I. Vetrov, “Farewell,”
who photographed and supplied 4,000 documents on KGB efforts to obtain
scientific and technical secrets. President Mitterrand offered the
information to President Reagan, and the CIA discovered that the Soviets
had already stolen radar, computer, machine tool, and semiconductor
technology. In an effort to conduct its own version of economic warfare on
Moscow and poison the collection efforts, the CIA fed fake information to
Soviet agents that would later fail. (Fans of The Americans will recognize
this plot line. Elizabeth and Phillip send stolen plans of propellers that
cause a submarine to sink.)

A strategy of poisoning the well would require cooperation from industry.
Companies would have to help design fake but attractive data and maintain
it on their networks (and make sure it was not used by mistake internally).
This might be too high a bar for many companies, but even a failed cyber
Farewell Dossier, or just the suggestion that companies are adopting such a
strategy, could raise costs for Chinese hackers. Once there was a doubt
about the veracity and usefulness of data, all information taken would be
subject to much higher levels of scrutiny, which may force a slowdown in
collection. Hackers might become more cautious, afraid of supplying faulty
goods to their customers and superiors.

Last year’s worldwide threat assessment contained no reference to making
hacking more difficult for China, but we shouldn’t read too much into one
section of this year’s assessment. The United States will continue being
detailed, scathing, and stern with China on cyber industrial espionage, and
one U.S. government official at the meeting insisted that he was “not
convinced that the boat had sailed on norms.” But Clapper’s brief mention
of defensive measures may signal a small tilt away from developing a norm
toward inflicting cost.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/