National-security infrastructure faces relentless cyberespionage campaign

BY AUSTIN WRIGHT

National Defense, December 2009. Illustration by Dreamstime.

Each day, millions of suspicious activities are directed at Northrop Grumman's cyber-perimeter — a collection of firewalls, access lists and antivirus software. Most of these potential intrusions never penetrate the virtual border. But some do.

U.S. government and defense-industry networks face a relentless onslaught from cyber-spies who seek some of the nation's most heavily guarded secrets: the technical specifications of U.S. weapons systems. As of 2007, hackers had stolen at least 10 terabytes of sensitive data from Defense Department networks, according to an Air Force estimate. Experts believe these hackers work for foreign governments — a suspicion that's easily assumed but nearly impossible to prove.

A report released in October by the U.S.-China Economic and Security Review Commission describes an unseen cyber-war in which hackers — most of whom appear to reside in China — constantly bombard U.S. agencies and defense contractors with malicious software designed to steal data only a nation-state would want. They seek defense-engineering specifications, military operational information and U.S.-China policy documents, according to the report, which was prepared by Northrop Grumman.

"The depth of resources necessary to sustain the scope of computer network exploitation targeting the U.S. and many countries around the world ... is beyond the capabilities or profile of virtually all organized cyber-criminal enterprises and is difficult at best without some type of state-sponsorship," the report says.

Conversations with industry leaders, analysts and government officials reveal a cyber-security infrastructure that's plagued by vulnerabilities, personnel shortages and an enemy with little to lose. Moreover, individual government agencies and private companies are tasked with defending against these near-constant and ever-changing threats — a sharp contrast from other national-security operations, which rest firmly in the hands of the federal government.

And unlike the Cold War era, when foreign spies risked their lives to infiltrate U.S. agencies, the cyber-spies of today can wreak havoc without ever leaving their living rooms. Hackers can hide their whereabouts and may have loose connections to the governments that condone their attacks.

"Law-enforcement guys all over the globe — I'm sure — are trying to track down these cyber-criminals," said Greg Rattray, a security advisor at the Internet Corporation for Assigned Names and Numbers and a former cyber-security official under the Bush administration. "But we've created an ecosystem where attribution is very hard."

Greg Schaffer, the Department of Homeland Security's assistant secretary for cyber-security and communications, said that in recent years the threat has become stealthier, better organized and more harmful. "Cyber-security, like all security, is an exercise in risk management," Schaffer said. "It's about assessing the value of what's at stake and the cost of protecting it."

[Screenshot of an email containing a malicious attachment. Source: Northrop Grumman. The message reads: "Dear [illegible], Sorry to disturb you suddenly. I am a correspondent (Frank S[illegible]) from the Associated News. We are planning to do some special reports on you. Just mail to see if you are willing to accept our interview. The questions to be asked are prepared in the attachment. Could you please share some time reading it and let us know your reply. Thank you very much. Regards"]

For Schaffer, the government's most pressing challenge is hiring enough specialists to protect its online infrastructure. DHS, which defends many federal-government networks, announced in October it plans to hire an additional 1,000 cyber-security employees over the next three years. Its cyber-security division, which until this year had a staff of fewer than 50, will grow to 260 workers by next September.

But the federal government is unable to match private-sector salaries for a highly skilled job that grows more valuable to employers every year. Also, the federal government's security-clearance process can drag on for months, a high price to pay for a potential employee who could have spent that time in a private-sector job.

"We know that our internal processes to get people on board once they are selected can take a long time, and we are focused aggressively on shortening that amount of time while making sure we continue to maintain an appropriate process for vetting people," said Schaffer, who noted that DHS officials are seeking the authority to increase the salaries of government cyber-workers.
"There is no question that the people we have would, on any given Tuesday, be able to step outside and get a higher paying job in the private sector doing similar work," he added. "They are dedicated individuals who are supportive of a mission that they recognize is critical to the country."

Timothy S. McKnight, Northrop Grumman's chief information security officer, is skeptical of DHS' plan to hire 1,000 people. "Where are you going to get them?" McKnight said. "We're not producing that many cyber-workers as a nation."

China, on the other hand, has been recruiting its own cyber-militia, a group of academics and industry professionals who can carry out offensive and defensive measures, according to the U.S.-China report. "The [People's Liberation Army] is reaching out across a wide swath of [the] Chinese civilian sector to meet the intensive personnel requirements necessary to support its burgeoning [information warfare] capabilities," the report states. The PLA is "incorporating people with specialized skills from commercial industry, academia, and possibly select elements of China's hacker community."

McKnight recently oversaw the development of Northrop Grumman's Cyber Security Operations Center, a 6,300-square-foot Maryland facility that opened in July. Analysts there examine millions of cyber-events each day. The center provides network security for the company's 10,000 Internet servers, along with several of its clients' servers. It employs nearly 50 workers. Northrop Grumman also operates a cyber-facility for the government that is off-limits to the public.

"For the vast majority of cyberattacks that go on, the public is never made aware," said analyst Rafal Rohozinski, whose organization, Information Warfare Monitor, released a report in March that details a China-based cyberespionage scheme called GhostNet that had infected at least 1,295 computers in 103 countries.
Chinese officials have vehemently denied taking part in this or other cyberespionage activities.

"The extent to which these things are now penetrating corporate and government networks has not been determined," Rohozinski said. "I think that in many cases, even within an organization, the full risk and liability that come with cyberattacks are never made known because it's difficult for technical people to express properly these issues to senior management or policymakers."

Since 1991, the federal government and the private sector have had an official venue for sharing data on incidents that affect their networks: the Network Security Information Exchange. Companies send the government information on intrusions, and the government distributes that information to members, so they can better protect themselves from such attacks. But by the time the federal government releases the reports, it's often too late.

Two years ago, defense-industry firms formed a second alliance, the Defense Security Information Exchange. They send each other immediate data on cyberattacks. "What's happening to Lockheed Martin today may happen to us by the end of the week," said Bill Russell, a manager at Northrop Grumman's cyber-security center. "We've found that we get just as good quality information from our competitors as we are providing to them."

Northrop Grumman's analysts recreated a recent cyberattack in a demonstration for National Defense. Roughly 40 such attacks penetrate the company's networks each year. The attempted intrusion began with a tactic called spear phishing, which is when hackers target specific people in an organization. The email in question, which had made it past the company's first lines of defense, claimed to be from a reporter, and it was sent to employees who regularly deal with members of the news media.

The email caught the attention of the analysts — who spend their days scanning dizzying lines of code, looking for anomalies, such as large data transfers, suspicious email attachments and files that communicate with outside servers. The analysts opened the email's attachment in a closed network that they created as a way to examine potentially malicious files without putting company data at risk. "If you construct an environment where an adversary can operate and you do so safely, you can learn more about the adversary," Russell said.
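The three anomaly classes the analysts describe, large data transfers, suspicious email attachments and files that communicate with outside servers, are the kind of thing a security operations center encodes as triage rules over its own telemetry. The following is an added illustration, not Northrop Grumman's code or data: the log records, the internal address ranges, the 500 MiB threshold, the process and extension lists, and the `.example` domains are all constructed assumptions, and a real deployment would tune them to its own environment.

```python
"""Triage rules for three anomaly classes: large outbound transfers,
risky e-mail attachments from outside senders, and document viewers that
open connections to outside servers. Everything here (records, thresholds,
field names, address ranges) is constructed for illustration."""
import ipaddress
from dataclasses import dataclass

# Assumed internal address space for this example (not any real company's ranges).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
LARGE_TRANSFER_BYTES = 500 * 1024 * 1024  # assumed threshold: 500 MiB in a single flow
DOCUMENT_VIEWERS = {"winword.exe", "excel.exe", "acrord32.exe"}  # processes that should not beacon out
RISKY_ATTACHMENT_EXT = {".exe", ".scr", ".pif", ".docm", ".xlsm", ".js", ".vbs"}


@dataclass
class Flow:
    host: str        # internal workstation name
    process: str     # process that owned the socket
    dst_ip: str
    bytes_out: int


@dataclass
class Mail:
    sender_domain: str
    recipient: str
    attachment: str  # attachment filename, or "" when there is none


def is_external(ip: str) -> bool:
    """True when the address falls outside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def flag_flows(flows):
    """Return (rule, host, detail) tuples for large transfers and document-viewer callbacks."""
    alerts = []
    for f in flows:
        if not is_external(f.dst_ip):
            continue  # both rules only concern traffic leaving the perimeter
        if f.bytes_out >= LARGE_TRANSFER_BYTES:
            alerts.append(("large_transfer", f.host,
                           f"{f.process} sent {f.bytes_out} bytes to {f.dst_ip}"))
        if f.process.lower() in DOCUMENT_VIEWERS:
            alerts.append(("document_callback", f.host,
                           f"{f.process} connected to {f.dst_ip}"))
    return alerts


def flag_mail(messages, internal_domain):
    """Return (rule, recipient, detail) tuples for risky attachments sent from outside."""
    alerts = []
    for m in messages:
        ext = "." + m.attachment.rsplit(".", 1)[-1].lower() if "." in m.attachment else ""
        if m.sender_domain != internal_domain and ext in RISKY_ATTACHMENT_EXT:
            alerts.append(("risky_attachment", m.recipient,
                           f"{m.attachment} from {m.sender_domain}"))
    return alerts


# Constructed sample records; destination addresses are from the RFC 5737 documentation ranges.
SAMPLE_FLOWS = [
    Flow("ws-pr-01", "winword.exe", "203.0.113.7", 4_210),               # opened document phoning home
    Flow("ws-eng-14", "outlook.exe", "10.20.3.9", 9_000),                # internal mail server: ignored
    Flow("ws-eng-22", "scp.exe", "198.51.100.5", 700 * 1024 * 1024),     # large outbound transfer
    Flow("ws-pr-03", "chrome.exe", "198.51.100.9", 120_000),             # ordinary browsing
]
SAMPLE_MAIL = [
    Mail("associated-news.example", "press@corp.example", "interview_questions.docm"),
    Mail("corp.example", "press@corp.example", "agenda.docx"),
    Mail("partner.example", "eng@corp.example", ""),
]


def triage(flows=SAMPLE_FLOWS, messages=SAMPLE_MAIL, internal_domain="corp.example"):
    """Run every rule over the records and return the combined alert list."""
    return flag_flows(flows) + flag_mail(messages, internal_domain)


if __name__ == "__main__":
    for rule, subject, detail in triage():
        print(f"{rule:20} {subject:22} {detail}")
```

Run as a script it lists three alerts from the sample data: the macro-enabled attachment from the outside sender, the document viewer reaching an outside address, and the oversized outbound copy. The point of keeping the rules as small functions that return alert tuples is that they can be fed from a replay of captured traffic inside an isolated analysis network, which is how the article describes the attachment being examined, before they are trusted on production telemetry.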
The file — a gibberish-filled document — opened, closed and then opened again. Meanwhile, network-security software indicated to the analysts that it was communicating with an outside server. A hacker on the receiving end of that communication could have used infected computers for a number of damaging purposes, and most likely would have tried to steal company information. But the analysts quickly disabled outgoing web traffic to the hacker's server for all of the company's 105,000 computer accounts. Within 10 minutes, the attack was thwarted.

Similar attacks have had more success. The U.S.-China report details an event that occurred several years ago at an unidentified company. Attackers — who originated from or came through China — penetrated the company's network-security system and stole "significant volumes of data." The attack targeted specific files, required months of planning and involved a team of highly skilled hackers working in shifts.

"They did not open any files to review the content prior to exfiltration, suggesting they already knew the contents or at minimum the file names of the data they were tasked with stealing," the report says. "The type and specificity of data stolen in this case also suggests that the end users were already identified and that they likely had deep science and technology resources at their disposal to make use of the stolen information."

McKnight declined to say whether such an attack has ever succeeded against Northrop Grumman. He conceded, however, that protecting networks is a fluid process that evolves at a slower pace than the threat itself. "We're never going to have bulletproof software," he said. "It's really risk management, and obviously we're at the high end of that risk because of what we do."

McKnight, a former special agent with the Federal Bureau of Investigation, said that preventing malicious software from infecting machines is only half the battle. Government agencies and companies face another threat: the machines themselves. Many of the computers and software used in offices across the United States are manufactured abroad, often in China. There are few options for ensuring that the products haven't been compromised.

"What's in the code that we're buying off the shelf is a major issue for Defense Department customers," McKnight said. "If you want to subvert the supply chain, you don't need to target Northrop Grumman. You just need to target someone smaller down the supply chain."

Microsoft Corp., which produces some of the world's most widely used software, develops many of its products in China. Several cyber-security analysts contacted by National Defense expressed concern that the company's millions of lines of software code could have been embedded with viruses by rogue programmers. This would be difficult to detect, because of the sheer volume of coding in Microsoft's products, the analysts said. A Microsoft spokesman declined to comment on the company's security procedures and instead referred to company guidelines that say its code must undergo a thorough security-scanning process.

"I think more and more customers will start demanding that technology companies go back and review their code," McKnight said. "Whether cost will bear on that equation, we'll find out."

McKnight said Northrop Grumman contracts for products and services with about 16,000 companies, and that it's difficult to ensure that all of them uphold high standards of security during the manufacturing process.

A Rand Corp. report released in October discussed this threat. "Many in the defense community worry that China's growing presence in component manufacturing provides it plenty of opportunities for mischief," the report states. "Unless and until purchasers get access to all the code in the electronics they buy, a supply-chain attack is difficult to defend against." The report noted, however, that such an attack would be detrimental to the Chinese economy, because countries likely would boycott Chinese products until security issues were resolved.

The Defense Department's more than 5 million computers have — or soon will have — a software-security package developed by McAfee, a California-based company. The package acts as a last line of defense against external threats and as a first line of defense against hardware threats. The package scans for specific malicious files and also for behaviors that would indicate the presence of malware.

Schaffer said DHS is preparing for the third installment in a series of exercises, called Cyber Storm, that test the nation's ability to recover from a massive cyberattack. The first exercise, which took place in February 2006, simulated an effort by hackers to disable the Internet.
The second exercise, which took place in March 2008, simulated an attempt to shut down the country's physical infrastructure, such as electric grids and command-and-control centers. Cyber Storm III will take place late next year.

"It will be designed to really exercise the clear articulation of roles and responsibilities of the various players who are important to the process both in government, in the private sector, state and local authorities, and international partners as well," Schaffer said. "This is really going to be an exercise in which we're looking across the entire universe of what we do in the cyber-world, and it will take into consideration how a cyberattack might impact the various pieces of the economy and pieces of the infrastructure that are critical to our day-to-day lives."

The United States likely is developing its own offensive capabilities that could be used to steal another country's protected data or shut down its critical infrastructure, though none of the public officials contacted by National Defense would comment on such measures. The Rand report, which was prepared for the Air Force, recommends that the service's information-warfare tactics remain a niche role, secondary to physical warfare. A cyber-offensive campaign could help the military achieve certain objectives, but it could never achieve those objectives alone, the report says.

The Defense Department has established the U.S. Cyber Command, a centralized effort to protect military networks that is expected to be fully operational by next October.

"There is wide recognition of the interconnectedness between our cyber-world and our physical world," Schaffer said. "There are sophisticated hackers out there with incredible skills who are the highest order of concern for us as a government." ND

EMAIL COMMENTS TO AWRIGHT@NDIA.ORG
Copyright of National Defense is the property of National Defense Industrial Association and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use.