Urgent Need To Tackle Cyber-Espionage: Accelerating Arms Race in Cyberspace
London, UK - 1st February 2010, 00:55 GMT
Dear ATCA Open & Philanthropia Friends
[Please note that the views presented by individual contributors are not necessarily representative of the views of ATCA, which is neutral. ATCA conducts collective Socratic dialogue on global opportunities and threats.]
As a result of C3 -- The China Cold Conflict -- coming into the open in 2010, major governments, corporations and individuals are confronting a new era of relentless cyber-espionage, yet many don't realise the full extent of the emerging new threats they now face. We are entering the brave new world of an accelerating arms race in cyberspace. It is now clear that the human spy on the scene -- with or without a license to kill -- is being replaced by cyber-sleuths at a computer terminal. Governments and corporations need to acknowledge the digital asymmetric threats more fully and to step up their defences significantly in 2010 and beyond to protect their citizens, stakeholders, accumulated knowledge-base, digital capital and competitive advantage. Worldwide, USD 1 trillion in intellectual property was stolen online in 2008, according to one study.
A Chinese Ghostnet?
In 2009, the Information Warfare Monitor investigation (Citizen Lab at the University of Toronto together with the SecDev Group) revealed Ghostnet, a large-scale cyber-espionage operation. Its command-and-control infrastructure was based mainly in the People's Republic of China, and it had infiltrated high-value political, economic and media targets in 103 countries. Computer systems belonging to diplomatic missions, ministries of foreign affairs, government offices, international organisations and the Dalai Lama's Tibetan exile centres in India, London and New York City were found to be compromised, as were systems in the embassies of a number of prominent countries in Europe and Asia. The investigators themselves stopped short of conclusively attributing the operation to the Chinese state, hence the question mark.
Real-Time Ghost Rats
The Ghostnet system, controlled mainly out of China, works as follows. Emails containing contextually relevant information are sent to target organisations; the emails carry malicious attachments which, when opened, drop a Trojan horse on to the system. The Trojan connects back to a control server, usually located in China, to receive commands, and the infected computer then executes whatever command the control server specifies. Occasionally that command causes the infected computer to download and install a Trojan known as "Gh0st RAT" (a remote access tool), which gives the attackers complete, real-time control of the machine. Such a computer can be controlled or inspected at will, and the attackers can even switch on its camera and audio-recording functions, if present, to perform surveillance.
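The connect-back described above is what a network defender can actually see, and the Gh0st RAT traffic has a recognisable frame layout. The following parser is an added example written for this briefing; it is not code from the original page or from the Ghostnet investigators. It assumes the header layout of the public Gh0st RAT 3.6 source (5-byte magic "Gh0st", 4-byte little-endian total frame length including the 13-byte header, 4-byte little-endian uncompressed payload length, then a zlib stream whose first byte is the command code); variants in the wild change the magic bytes, so the magic is a parameter. All sample frames are constructed in the code, not captured traffic.

```python
"""Parse and validate Gh0st RAT command-and-control frames (added example)."""
import struct
import zlib

# Assumed layout from the public Gh0st RAT 3.6 source; in-the-wild variants
# alter the magic, so pass a different value to the functions below if needed.
MAGIC = b"Gh0st"
HEADER = struct.Struct("<5sII")   # magic, total_len, orig_len (little-endian)
HEADER_LEN = HEADER.size          # 13 bytes


def build_frame(payload: bytes, magic: bytes = MAGIC) -> bytes:
    """Build a frame the way the implant does; used here only to construct test traffic."""
    body = zlib.compress(payload)
    return HEADER.pack(magic, HEADER_LEN + len(body), len(payload)) + body


def parse_frame(data: bytes, magic: bytes = MAGIC, max_payload: int = 1 << 20) -> dict:
    """Validate one frame and return its command code and decompressed payload.

    Raises ValueError for anything that is not a well-formed frame. The declared
    uncompressed length is capped and enforced both before and after inflating,
    so a hostile frame cannot turn the zlib stream into a decompression bomb
    against the sensor doing the parsing.
    """
    if len(data) < HEADER_LEN:
        raise ValueError("frame shorter than header")
    flag, total_len, orig_len = HEADER.unpack_from(data)
    if flag != magic:
        raise ValueError("magic mismatch")
    if total_len != len(data):
        raise ValueError("total length field does not match frame size")
    if orig_len > max_payload:
        raise ValueError("declared payload length exceeds cap")
    inflater = zlib.decompressobj()
    # Ask for one byte more than declared: if we get it, the header lied.
    payload = inflater.decompress(data[HEADER_LEN:], orig_len + 1)
    if not inflater.eof:
        raise ValueError("zlib stream incomplete or larger than declared")
    if len(payload) != orig_len or inflater.unused_data:
        raise ValueError("payload length does not match header")
    return {
        "command": payload[0] if payload else None,  # first byte is the command code (assumed)
        "payload": payload,
        "compressed_len": total_len - HEADER_LEN,
    }


def is_gh0st_frame(data: bytes, magic: bytes = MAGIC) -> bool:
    """Detection predicate: True only for a frame that validates end to end."""
    try:
        parse_frame(data, magic)
        return True
    except ValueError:
        return False


def scan_stream(buf: bytes, magic: bytes = MAGIC):
    """Walk a reassembled TCP stream and return (frames, bytes_consumed).

    Stops at the first thing that is not a complete, valid frame so the caller
    can keep the remainder and wait for more data or flag it as something else.
    """
    frames, offset = [], 0
    while offset + HEADER_LEN <= len(buf):
        flag, total_len, _ = HEADER.unpack_from(buf, offset)
        if flag != magic or total_len < HEADER_LEN or offset + total_len > len(buf):
            break
        try:
            frames.append(parse_frame(buf[offset:offset + total_len], magic))
        except ValueError:
            break
        offset += total_len
    return frames, offset


if __name__ == "__main__":
    # Constructed sample traffic: two frames followed by unrelated bytes.
    stream = build_frame(b"\x01hello") + build_frame(b"\x02world") + b"not a frame"
    frames, used = scan_stream(stream)
    for f in frames:
        print("command=%r payload=%r" % (f["command"], f["payload"]))
    print("consumed %d of %d bytes" % (used, len(stream)))
```

The two length checks matter in practice: a sensor that trusts the header's uncompressed length, or inflates without a cap, can be knocked over by a crafted frame from the very host it is meant to watch. Matching only the five magic bytes, as a quick IDS rule does, is fine for triage but will also fire on anything that happens to start with the same string.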
Multi-Polar, Multi-Dimensional and Multi-Variable
It is critical to understand the dynamic complexity of the accelerating arms race in cyberspace:
1. Cyberspace has become the latest battle arena for intense military and corporate competition.
2. Nation States
. Many countries are now developing offensive cyber-warfare capabilities, including targeted espionage;
. Other countries are less open about such intentions, but no less ambitious;
. Some recent cyber-espionage events worldwide point to nation states as aggressive cyber-actors; and
. Many successful cyber-attacks and cyber-espionage operations remain completely covert and below the radar.
3. Non-Nation State Actors
. Many actors in this new intense arms race are not nation states;
. Such actors are profiting from cyber-attacks, cyber-crime, and cyber-fraud;
. Cyberspace allows anyone with the intent and skill-sets to exploit computer-net vulnerabilities; and
. There are many trans-national criminal syndicates operating in the multiple ecosystems of cyberspace.
4. Cyber-Privateering
. Cyber criminal syndicates offer "Cyber-Privateering" services for hire, giving the actual actors excellent cover and plausible deniability;
. Cyber-Privateering, or the use of cyber-mercenaries, has become one of the most widely used ways of avoiding attribution; and
. This is a major reason why establishing the precise source of complex cyber attacks can become very difficult.
5. Cloud Computing
. ATCA recently published a briefing on Cloud Computing risk titled, “Digital Capital and Cloud Computing's Asymmetric Risks”;
. There are fundamental changes to the character of cyberspace as a result of the proliferation of Cloud Computing; and
. Cloud computing platforms and social networking have become the primary vehicles through which most people experience and interact with the Internet in 2010, exposing their digital identities and vulnerabilities in countless ways.
6. Social Networking
. Social networking sites create three inherent risks:
a. Wide spectrum of new security vulnerabilities;
b. Multiplicity of ever-evolving vectors or carriers via which victims can be targeted plus sophisticated attacks mounted; and
c. Capacity to take advantage of trust relationships between peers causing them to lower their guard, for example, by receiving a link in a Facebook message or Tweet from someone they know.
7. The Multiplier
. Vulnerabilities multiply as networking increases, as the mi2g Intelligence Unit pointed out in 1999, and in 2010 this is happening automatically as:
a. Multiple countries and entities rush to embrace new information and communication technologies without attention to proper security protocols; and
b. Private, sensitive, and highly classified documents that were once kept safe now circulate through proprietary clouds and pass between memory sticks.
8. Sophistication and Scope
. Recent common attack techniques include:
a. Scattering pocket memory sticks bearing the company logo in a corporation's car park. Employees plug them into their computers to see what is on them and inadvertently load hidden Trojans (spy viruses), which then spread through the network swiftly and in stealth mode; and
b. Rapidly changing viruses and malware that anti-virus systems can no longer detect or remove; some variants change every hour, leaving most organisations defenceless against this cyber threat.
. What do these elite cybercriminals typically want? Mostly trade secrets and technical know-how. Industrial espionage has moved from the real world to the cyber-world. The identities of the attackers can be hard to trace, but many are likely to be governments or their sponsored surrogates. Any country that wants to support and to develop an indigenous new emerging technology industry may very well use cyber-espionage to help achieve that. Organised cybercriminals are beginning to operate much in the fashion of trans-national drug cartels, with elaborate international ties.
. Many senior executives from the oil and gas industry as well as alternative energy admit off the record that there have been real, targeted attacks on C-suite executives. This suggests that one of the motives for this sustained cyber-espionage is to do with understanding the dynamics of energy production, marketing and distribution both in the traditional and alternative energy sectors.
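Point b above, malware that changes hourly, is precisely the case in which detection by file hash stops working. The following is an added example written for this briefing, not code from the original page or from any vendor. The "malware" is a constructed byte string, the packer is a toy (a one-byte XOR key plus random junk, the simplest shape of a polymorphic encoder), and the stub marker bytes are a placeholder standing in for the decoder code a real variant would carry. It contrasts a hash blocklist with a rule keyed on what every variant must preserve in order to run.

```python
"""Hash blocklist versus family rule against a toy polymorphic packer (added example)."""
import hashlib
import os
import struct
from typing import Optional

# Constructed "malware" content: the request the variant must still make to work.
PAYLOAD = b"GET /beacon?id=%s HTTP/1.1\r\nHost: control.example\r\n\r\n"
INVARIANT = b"/beacon?id="

# Placeholder for the decoder stub every variant needs to unpack itself
# (a real stub is machine code; these bytes are constructed for the example).
STUB = b"\xeb\x0a\x5e\x31\xc9"


def pack(payload: bytes, key: Optional[int] = None, junk: Optional[bytes] = None) -> bytes:
    """Toy polymorphic packer: XOR the body with a fresh key and append random junk.

    Every call yields a file with a different hash. key and junk can be fixed
    to make a variant reproducible.
    """
    if key is None:
        key = os.urandom(1)[0] or 1            # key 0 would leave the body in clear
    if junk is None:
        junk = os.urandom(1 + os.urandom(1)[0] % 64)
    body = bytes(b ^ key for b in payload)
    return STUB + bytes([key]) + struct.pack("<H", len(body)) + body + junk


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def blocklist_hit(sample: bytes, blocklist: set) -> bool:
    """Detection by hash: matches only the exact variant already on the list."""
    return sha256(sample) in blocklist


def family_rule_hit(sample: bytes) -> bool:
    """Structural rule: recognise the stub, recover the key, decode, check the invariant.

    This is the shape of a generic unpacking signature: it does not care which
    key or how much junk the hourly build used, only that the decoded body still
    contains what the malware cannot do without.
    """
    head = len(STUB)
    if not sample.startswith(STUB) or len(sample) < head + 3:
        return False
    key = sample[head]
    body_len = struct.unpack_from("<H", sample, head + 1)[0]
    body = sample[head + 3:head + 3 + body_len]
    if len(body) != body_len:
        return False
    return INVARIANT in bytes(b ^ key for b in body)


if __name__ == "__main__":
    first = pack(PAYLOAD)
    blocklist = {sha256(first)}            # what an AV vendor ships after seeing one sample
    for hour in range(3):
        variant = pack(PAYLOAD)            # the next hourly build
        print("hour %d: hash hit=%s family hit=%s" % (
            hour, blocklist_hit(variant, blocklist), family_rule_hit(variant)))
```

The rule survives only because the stub is left unchanged; a packer that also rewrites its decoder every build defeats this static check too, which is why behaviour on the host and the connect-back on the wire end up being the more durable tells.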
The mi2g Intelligence Unit believes:
. Targeted cyber attacks against governments, corporations and individuals are growing in frequency as cyberspace becomes more heavily contested;
. The number one defence against cyber-attack and cyber-espionage is awareness: educating the public and employees about the techniques and methods used and the measures that can be taken to protect their machines. The number one vulnerability is ignorance, which can be addressed via education;
. Solutions require widespread and comprehensive public and corporate policy changes and greater awareness of network security practices;
. There has to be a collective understanding by governments, corporations and individuals worldwide that an arms race in cyberspace will eventually serve no bona fide entity's strategic interest;
. Attacked entities should be encouraged to be more transparent and willing to share information about attacks on their infrastructure and less concerned about the down side of doing so. Google’s actions are exemplary in this regard and may set a new standard of disclosure;
. The defence of last resort, and a relatively easy one to implement, would be to block traffic from the regions or countries in which the attackers appear to be based; however, this could affect billions of dollars of global commerce and the free flow of information. Nor would it solve the problem of compromised machines forming zombie botnets spread across many regions, which can be controlled from anywhere; and therefore
. "Countries or individuals that engage in cyberattacks should face consequences and international condemnation," as declared by the US Secretary of State recently.
We welcome your thoughts, observations and views. To reflect further on this subject and others, please respond within Twitter, Facebook and LinkedIn's ATCA Open and related discussion platform of HQR. Should you wish to connect directly with real time Twitter feeds, please click as appropriate:
. ATCA Open
. mi2g Intelligence Unit
. Open HQR
. DK Matai