Costly cyberespionage on 'relentless upward trend'

Defense Security Service report says attacks were up 75% in one year, with new focus on space and military technology

Cyberespionage is nothing new. So a report from the Defense Security Service (DSS) about efforts in foreign countries to steal U.S. technology, intellectual property, trade secrets and proprietary information might sound like just more of the same.

DSS Director Stanley L. Sims said it is more of the same -- problem is, much, much more. And in some cases, old cyberespionage technology is now more sophisticated. The agency's annual report, "Targeting U.S. Technologies: A Trend Analysis of Reporting from Defense Industry," said industry reports of attempts to steal sensitive or classified information and technology increased by 75% from fiscal years 2010-11.

While the percentage of attacks from different regions of the world remained relatively stable, "the only stability in the data is the relentless upward trend," the report said.

"During fiscal year 2011, the persistent, pervasive, and insidious nature of that threat became particularly noteworthy, and the pattern became even more firmly established," Sims wrote in the introduction to the report.

It noted that attackers from East Asia and the Pacific, a region that includes Australia, China, Japan, North and South Korea, New Zealand, the Philippines and Taiwan, were particularly interested in military and space technology, specifically "radiation-hardened" microelectronics: memory and other components built to keep working under the radiation encountered in high-altitude flight, space operations and near nuclear reactions.

How much this costs the U.S. is difficult to quantify. FierceGovernmentIT reported in July that the FBI had estimated that economic espionage had cost the nation $13 billion through the first three quarters of the fiscal year, which ended Sept. 30. That is obviously a significant amount of money, but in an economy with a gross domestic product of about $14.6 trillion it amounts to less than a tenth of one percent, barely a rounding error.

But Joel Harding, a retired military intelligence officer and information operations expert, said he believes the FBI estimate is much too conservative. "Many corporations invest millions of man-hours in proprietary products, only to have them copied and stolen by foreign agents, who can share with their corporations," he said.

"By the time the American corporation completes final testing and ramps up for production, a foreign product may already be on the market at a far cheaper price," he said. "The cost to American corporations is devastating. It has transcended criminal actions, it is de facto, economic warfare, and we are being beaten badly."

Jacob Olcott, a principal at Good Harbor Consulting and former counsel to U.S. Sen. Jay Rockefeller (D-W.Va.), added that the report is mainly about national security information held by contractors working with the Defense Department, and doesn't cover espionage trends against American businesses generally, "which is as significant and less understood."

Some critics contend that the U.S. is as much a villain as a victim. Some comments on an article posted last month by James Lewis in Foreign Affairs, "China's Economic Espionage," accused Lewis of "Western propaganda" and "bordering on racism." Several comments said the U.S. and Israel are among the worst of nations committing economic espionage.


Jason Healey of the Atlantic Council and a former White House and Goldman Sachs security official, said there is some truth to such claims, but no context. "The U.S. and Israel do steal prolifically but only to feed national security programs, with an emphasis on political and military targets," he said.

"Yes, the CIA or NSA might spy on a factory making aircraft engines, but this is to learn how to defeat aircraft with those engines in combat," Healey said. "The Chinese -- sorry, East Asians and Pacific-ers -- are spying on engine factories so they can reproduce those engines themselves, or feed the secrets into their own R&D process."

Some of the efforts to get American technology and military secrets are not online at all. The FBI says they range from recruiting insiders, often of the same national background as the foreign service, to bribery, seemingly innocuous business relationships and even dumpster diving.

But the report said the most common online method of attack is spear-phishing email carrying malicious attachments. And there are ways to combat it.

"The best way to counteract this is through the use of certificates, which prove the authenticity of the sender, primarily through a verification process," Harding said. "But we're human and lazy, it takes a few seconds to set this up -- too long for many."

Spear phishing is targeted. Kevin McAleavey, cofounder and chief architect of the KNOS Project, said executives tend to be hunted because "they have direct access to exactly what enemies want to find."

"Most networks are fairly well secured against direct penetration for the purposes of espionage, and critical data is usually not available from the public-facing side of their networks," he said. "However it is available to their own executives and by getting them to install Windows, Linux or OSX-based malware, they have allowed the Trojan Horse into their systems with full access to all of their sensitive financials and technicals."

McAleavey said the spear-phishing emails carry exploits for zero-day vulnerabilities, which existing defenses do not detect. "They sell very cheaply to these APT [advanced persistent threat] actors who use them and they're highly successful in delivering that payload," he said.
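The sender-verification and malicious-attachment points above translate into a small set of mail-gateway checks. The following is an added example, not code from the article, DSS, or any of the people quoted: it parses an inbound RFC 5322 message and flags a sender that fails SPF and DKIM, a sending domain that imitates a trusted one, a display name that spoofs an address at another domain, and attachments whose type (or double extension such as "quote.pdf.exe") suggests a dropper. The trusted-domain list, thresholds and both sample messages are constructed for illustration; the rules are deliberately simple and would sit beside, not replace, content scanning.

```python
"""Spear-phishing triage for inbound mail (added example, not the article's code).

The domains, thresholds and sample messages below are constructed for illustration.
"""
from __future__ import annotations

import email
from email import policy

# Hypothetical: the organisation's own domain and one known partner domain.
TRUSTED_DOMAINS = {"example-defense.com", "partner.example"}

# Extensions that commonly carry droppers or exploit payloads.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".jar", ".lnk",
                    ".iso", ".docm", ".xlsm", ".pptm"}
# Document extensions a name like "quote.pdf.exe" hides its real type behind.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}

# Digit-for-letter swaps that make a lookalike domain read like the real one.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted: set[str]) -> str | None:
    """Return the trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    if domain in trusted:
        return None
    norm = domain.translate(HOMOGLYPHS)
    for t in trusted:
        if norm == t or edit_distance(norm, t) <= 1:
            return t
    return None


def triage(raw: str) -> dict:
    """Return a verdict and (code, detail) reasons for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons: list[tuple[str, str]] = []

    sender = msg["From"]
    addr = sender.addresses[0] if sender and sender.addresses else None
    domain = addr.domain.lower() if addr else ""
    display = addr.display_name.lower() if addr else ""

    # 1. Did the receiving MTA authenticate the sender (SPF or DKIM)?
    auth = (msg.get("Authentication-Results") or "").lower()
    if "spf=pass" not in auth and "dkim=pass" not in auth:
        reasons.append(("unauthenticated", "no passing SPF or DKIM result"))

    # 2. Does the sending domain imitate one we trust?
    target = lookalike_of(domain, TRUSTED_DOMAINS)
    if target:
        reasons.append(("lookalike_domain", f"{domain} imitates {target}"))

    # 3. Display name shows an address at a different domain than the real sender.
    if "@" in display and not display.endswith("@" + domain):
        reasons.append(("display_mismatch", f"display {display!r} vs sender domain {domain}"))

    # 4. Attachments: executable types, and document-looking names with a hidden extension.
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if not name:
            continue
        pieces = name.split(".")
        ext = "." + pieces[-1] if len(pieces) > 1 else ""
        if ext in RISKY_EXTENSIONS:
            reasons.append(("risky_attachment", name))
        if len(pieces) >= 3 and "." + pieces[-2] in DOCUMENT_EXTENSIONS:
            reasons.append(("double_extension", name))

    verdict = "quarantine" if len(reasons) >= 2 else "review" if reasons else "deliver"
    return {"from": addr.addr_spec if addr else "", "verdict": verdict, "reasons": reasons}


# Constructed sample: lookalike sender, failed authentication, disguised executable.
PHISH = """\
From: "pm@example-defense.com" <pm@examp1e-defense.com>
To: cfo@example-defense.com
Subject: Revised quote for rad-hard memory parts
Authentication-Results: mx.example-defense.com; spf=softfail smtp.mailfrom=examp1e-defense.com; dkim=none
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached quote before the 15:00 call.
--b1
Content-Type: application/octet-stream; name="quote.pdf.exe"
Content-Disposition: attachment; filename="quote.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

# Constructed sample: authenticated partner mail with an ordinary PDF.
LEGIT = """\
From: "Alice Partner" <alice@partner.example>
To: cfo@example-defense.com
Subject: Quote as discussed
Authentication-Results: mx.example-defense.com; spf=pass smtp.mailfrom=partner.example; dkim=pass header.d=partner.example
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Quote attached.
--b2
Content-Type: application/pdf; name="quote.pdf"
Content-Disposition: attachment; filename="quote.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b2--
"""

if __name__ == "__main__":
    for sample in (PHISH, LEGIT):
        print(triage(sample))
```

The authentication check only trusts an Authentication-Results header written by your own gateway; an attacker can insert the header upstream, so production deployments strip any copy that arrives from outside before this logic runs. The lookalike test is also deliberately narrow (digit homoglyphs and single-character edits); registrable-domain comparison and a curated list of partner domains would tighten it.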

Healey said educating the workforce about spear phishing is not enough. "Regular businesses should stop blaming employees for clicking on links," he said. "Many of these phishing emails are exceptionally sophisticated."

Instead of "educate the user" campaigns, businesses should make sure they enforce basic security controls, such as keeping systems fully patched and antivirus software up to date. "Larger firms must go further, assuming the adversaries are in their systems already, and vigorously search for their presence to kick them out," Healey said.

The debate continues about whether businesses or the government should retaliate, what is called "active defense." Opponents of such proactive techniques point out that "attribution," determining exactly who launched an attack and from where, is still too difficult to do reliably.

"[Attackers] conceal their activities behind various covers, such as third countries, front companies, and cyber identities," Sims said.

Harding said there are other solutions. "Perhaps a better alternative would be to attach payloads to outgoing stolen data that self-destructs upon arrival on the offending server," he said. "It could also report on whatever is held on that server. It could even completely wipe all data off that server."

"The possibilities are endless and the only person to blame is the one stealing the data," Harding said.

Copyright © 2012 IDG Communications, Inc.