Secure Information Sharing Has Never Been More Important

Stephen DeAngelis

February 20, 2013

If you are concerned about cybersecurity, you probably read the New York Times‘ article about the Chinese military carrying out hacking operations. [“Chinese Army Unit Is Seen as Tied to Hacking Against U.S.,” by David E. Sanger, David Barboza, and Nicole Perlroth, 19 February 2013]. Sanger, Barboza, and Perlroth report:

“Mandiant, an American computer security firm, [has tracked] for the first time individual members of the most sophisticated of the Chinese hacking groups — known to many of its victims in the United States as ‘Comment Crew’ or ‘Shanghai Group’ — to the doorstep of the military unit’s headquarters. The firm was not able to place the hackers inside the 12-story building, but makes a case there is no other plausible explanation for why so many attacks come out of one comparatively small area. ‘ Either they are coming from inside Unit 61398,’ said Kevin Mandia, the founder and chief executive of Mandiant, in an interview last week, ‘or the people who run the most-controlled, most-monitored Internet networks in the world are clueless about thousands of people generating attacks from this one neighborhood.’ Other security firms that have tracked ‘Comment Crew’ say they also believe the group is state-sponsored, and a recent classified National Intelligence Estimate issued as a consensus document for all 16 of the United States intelligence agencies, makes a strong case that many of these hacking groups are either run by army officers or are contractors working for commands like Unit 61398, according to officials with knowledge of its classified content.”

If you assume that the Chinese military is only going after government and military secrets, you would be wrong. The writers report that the “Comment Crew has drained terabytes of data from companies like Coca-Cola.” Of even greater concern is the fact that the Comment Crew and other such groups are increasingly focused “on companies involved in the critical infrastructure of the United States — its electrical power grid, gas lines and waterworks.” They note that “one target was a company with remote access to more than 60 percent of oil and gas pipelines in North America.” More on that story below.

Not surprisingly, Chinese government spokesmen deny that China is engaged in cyber espionage. The truth, of course, is that China and many other governments (including the U.S.) have active cybersecurity units. To make that point, Sanger, Barboza, and Perlroth report, “Working with Israel, the United States has used malicious software called Stuxnet to disrupt Iran’s uranium enrichment program. But government officials insist they operate under strict, if classified, rules that bar using offensive weapons for nonmilitary purposes or stealing corporate data.” Plausible deniability has always been an important tool in any government’s kit. The Mandiant report makes such deniability a lot harder for the Chinese government to sell. The article reads like a best-selling “whodunit” novel whose prime suspects are named UglyGorilla and DOTA. The tale takes readers down dark cyber alleyways that lead to the streets of Shanghai and the murky ties with Chinese military.

As noted above, however, military and state secrets are not the only targets of Chinese hackers. Coca-Cola databases were attacked as its “executives were negotiating what would have been the largest foreign purchase of a Chinese company.” During that time, the “Comment Crew was busy rummaging through [the company’s] computers in an apparent effort to learn more about Coca-Cola’s negotiation strategy.” The tale continues:

“The attack on Coca-Cola began, like hundreds before it, with a seemingly innocuous e-mail to an executive that was, in fact, a spearphishing attack. When the executive clicked on a malicious link in the e-mail, it gave the attackers a foothold inside Coca-Cola’s network. From inside, they sent confidential company files through a maze of computers back to Shanghai, on a weekly basis, unnoticed.”

As a result of all of this activity, “Obama administration officials say they are planning to tell China’s new leaders in coming weeks that the volume and sophistication of the attacks have become so intense that they threaten the fundamental relationship between Washington and Beijing.” That’s not a good thing. When the world’s two largest trade elephants start charging one another, the earth is going to shake. As Sanger, Barboza, and Perlroth write, “Mr. Obama faces a vexing choice: In a sprawling, vital relationship with China, is it worth a major confrontation between the world’s largest and second largest economy over computer hacking?” The answer is likely to be in the affirmative given that Comment Crew has attacked organizations holding vital information about critical infrastructure. Sanger, Barboza, and Perlroth explain:

“The most troubling attack to date, security experts say, was a successful invasion of the Canadian arm of Telvent. The company, now owned by Schneider Electric, designs software that gives oil and gas pipeline companies and power grid operators remote access to valves, switches and security systems. Telvent keeps detailed blueprints on more than half of all the oil and gas pipelines in North and South America, and has access to their systems. In September [2012], Telvent Canada told customers that attackers had broken into its systems and taken project files. That access was immediately cut, so that the intruders could not take command of the systems. … Security researchers who studied the malware used in the attack … confirmed that the perpetrators were the Comment Crew. ‘This is terrifying because — forget about the country — if someone hired me and told me they wanted to have the offensive capability to take out as many critical systems as possible, I would be going after the vendors and do things like what happened to Telvent,’ [Dale]. Peterson of Digital Bond said. ‘It’s the holy grail.'”

The New York Times is not the only media outlet that been writing about Chinese hackers. Bloomberg Business published an interesting video and article on the subject as well. That’s really the point of this post: No organization is completely safe from serious hacking efforts. “In an ever-increasingly digital world,” writes John Casaretto, “many have become immune to the news of ongoing threats that persist on the internet, breaches, privacy, attacks happen every day and once in a while one of them is significant enough to hit the news.” [“One World Labs Takes on Data Leaks in the Dark Web,” SiliconANGLE, 18 February 2013] He continues:

“Sadly, even organizations fall under this false sense of security, feeling their risk and their security is solid, that all that is going on with their information is known and secured. The bare truth is that the breaches and data leaks we hear about form only the tip of the iceberg of what is really going on out there. The ‘Dark Web’ is probably the best way to describe this, the places where search engines do not go and things you can only find if you are looking for it; it includes botnets, anonymous networking, C&C networks – in places all over the world, including the U.S.”

Casaretto warns that “once your data is out there, you are at risk.” He explains:

“For anyone that thinks that their four-walls are secure, think again. No amount of egress security, DLP, predictive security models if you were even that far ahead of the pack can account for everything given so many variables for data leakage. Among the many vectors are smartphones, web browsing, social engineering, the risk of leaked information may even come from your own IT staff. As it turns out that time and time again, information is accidentally exposed even in the most innocent of circumstances.”

Technology can help. Casaretto reports that “One World Labs (OWL) has developed a one-of-a-kind software engine that seeks, indexes and collects information on a platform called Open Source Intelligence Gathering (OSINT).” He continues:

“With 1% of the deep web accessible to the common person, it goes where no one else can, indexing deep into the nether reaches of the net. These are the kind of places where information is incoming, largely never even seen, much less shared by Google and typically unbeknownst to the company whose information has leaked. From countless forums, file-sharing sites, listservs, IRC channels, ftp servers and more there is a constant, nefarious publishing and sharing of information that could have your name on it. … OSINT is a fascinating engine, comprised of analytics, semantics, and Big Data elements. The platform is built on a distributed clustered framework. As you can imagine, the index itself is distributed, encrypted and built with the utmost security layers throughout. Access to the system is tight. Network design comes into play as many, many sites are not appreciative of an index that could be scraping their information. The operation engages its tasks through a complicated and non-static web of anonymous networking and thousands of running proxy configurations designed to avoid detection and maintain access to sometimes super-secretive environments. If a company were to assign a human to engage in this type of discovery, they could quickly after some training, find and discover at a rate of about 1 page per minute. The OSINT engine scrapes 75 pages per second and is tuned to detect across the semantics of the most prevalent languages, complete with variations.”

Another technology that can help involves Secure Information Sharing (SIS). Enterra’s Secure Information Sharing technology can be utilized to facilitate the sharing of information across partner communities. This framework is founded on an automated rules management process that monitors source policies and the environment where they are applied (i.e., situational awareness) and an Attribute Based Access Control (ABAC) model that coordinates information/data sharing across a federated group environment. The SIS framework applies policy-driven automated rules to ensure individuals are able to quickly and securely access their data resources to effectively perform their missions. It strengthens existing layered security solutions that are often not enough protection from cyber attacks, especially when orchestrated and/or aided by foreign governments like Russia and China.