China-Based Cyber Attacks on US Military Are ‘Advanced, Persistent and Ongoing’

Another day, another news item about state-backed, China-based cyber attacks. This time Trend Micro has released a comprehensive report detailing how China-based cyber attacks on US military targets are “Advanced, Persistent And Ongoing”:

In its blog announcing the paper, Trend Micro stated that “Operation Iron Tiger is a targeted attack campaign discovered to have stolen trillions of bytes of data from defense contractors in the U.S., including stolen emails, intellectual property, and strategic planning documents.” The report further details that targets of Iron Tiger included military defense contractors, intelligence agencies, FBI-based partners, and the U.S. government. The private entities were tech-based government contractors in the electric, aerospace, intelligence, telecommunications, energy, and nuclear engineering industries.

Iron Tiger was observed exfiltrating up to 58GB worth of data from a single target, more than was stolen in the Sony attack. It could have potentially stolen up to terabytes of data in total, Trend Micro reports. It is highly environmentally adaptive and otherwise sophisticated and well organized, potentially merely an arm of a larger, multi-teamed operation with various targets.

China is convincingly Iron Tiger’s home base

The primary situs of China as the operatives’ home base was convincingly evidenced by the facts that the operatives used virtual private network (VPN) servers that only accepted China-based registrants, used Chinese file names and passwords, and operated from China-registered domains, according to the report. Some of Iron Tiger’s actions were also attributed to an individual physically located in China.

DoD CIO Says There Is a Need to Make It Cost Prohibitive for Hackers to Conduct Cyber Attacks

DoD CIO Terry Halvorsen is talking tough on cyber, stating there is a need to make it cost prohibitive for hackers to conduct cyber attacks:

“We are on the wrong side of the cyber economic curve,” he said at the summit. “We need to raise barriers to attackers’ entry, making it more expensive to play.”

But how? The answer is multifold, but at least one aspect is automation, mechanizing some of the basic actions and response involved in cybersecurity maintenance, Halvorsen said.

Automation is key to turning around the economics and coping with the speed of the threat, he said at the summit and on the call.

“Automating eliminates the basic [adversarial] players, makes it so you have to raise your game to play,” Halvorsen said. “It reduces the benefit hackers will see and makes it more expensive for hackers to play.”

Another key part is establishing a pervasive, standard-operating-procedure culture of cybersecurity throughout entire enterprises and communities. It’s a worry that Halvorsen said keeps him up at night.

“How do I get a cyber discipline culture, how do I get a cyber economic culture and how do I get a cyber enterprise culture? I think those are the three things that if we got those, almost everything else comes after,” he said. “If I get to the cyber enterprise culture, I’ll start doing integrated, layered defenses, I’ll use automated tools — [joint regional security stacks are] the cornerstone for that — I’ll get the right level of accountability and I will understand the money.”

The only way DoD will get to where it needs to be in cyber security is through a cultural shift. Once senior DoD leaders recognize they are the biggest threat to the enterprise network, and thus stop asking for unnecessarily risky exceptions to DoD policy simply because they are who they are, then DoD may finally realize the type of discipline needed for the future.

US Cyber Command Designing System to Stay Ahead of Hackers but Will Require Manual Data Entry

United States Cyber Command is designing a system to stay ahead of hackers but apparently they are currently incapable of acquiring technology to automate this functionality:

U.S. Cyber Command is building a massive, electronic system to provide an overview of the vulnerabilities of the military’s computer networks, weapons system and installations and help officials prioritize how to fix them, its deputy commander said on Thursday.

Lieutenant General Kevin McLaughlin told Reuters officials should reach agreement on the framework within months, turning the system into an automated “scorecard” in coming years.

McLaughlin said the effort grew out of a disturbing report released earlier this year by the Pentagon’s chief weapons tester, Michael Gilmore. The report warned that nearly every major U.S. weapons system was vulnerable to cyber attacks, and an escalating number of attacks on U.S. computer networks by Russia and China.

Cyber Command staff would do the initial data entry by hand, but the goal was to create a fully automated system that would help defense officials instantaneously detect and respond to any attacks, McLaughlin said after a speech at the annual Billington Cybersecurity Summit.

Here we are in 2015 and US Cyber Command is developing a program designed to perform initial data entry manually. Seriously?

China Following US Lead, Tells US Tech Companies Operating in China to Sign PRISM-Like Cyber-Loyalty Pact

The Chinese government is following the US lead and is now telling US tech companies operating in China to sign a PRISM-like cyber-loyalty pact:

Much of the pledge document is focused on user privacy rights, outlining policies that would give users the right to know where their data was stored, to control how much of their personal data was collected, to opt out of the collection of personal data, and to “choose to install, or uninstall non-essential components [and] to not restrict user selection of other products and services.” The pledge also asks companies to “guarantee product safety and trustworthiness” by taking measures to build security into products, rapidly patch vulnerabilities, and “not install any hidden functionalities or operations the user is unaware of in the product.”

As part of the requirements for “security of user information,” the pledge would require tech companies to “employ effective measures to guarantee that any user information collected isn’t illegally altered, leaked or used.” All data collected from Chinese customers would have to be stored in Chinese facilities and not be moved outside the country “without expressed permission of the user or approval from relevant authorities”—meaning the government would have oversight over what data could be exported for corporate use (and potentially accessed by foreign intelligence organizations).

Finally, the pledge would also require companies to agree to “accept the supervision of all parts of society”—including third-party evaluation of all products to determine they are “secure and controllable…to prove compliance with these commitments.” It is this clause that the Times’ industry sources suggested could be used by the Cyberspace Administration of China to demand access to encrypted data stored in cloud computing services and to provide source code for review.

National Counterintelligence Executive Claims, “Not Our Job to Warn OPM of Cyber Threat”

In response to questions posed by Senator Ron Wyden, National Counterintelligence Executive William Evanina claims it is not the intelligence community’s job to warn OPM of cyber threats:

National Counterintelligence Executive William Evanina wrote a letter to Sen. Ron Wyden answering the Oregon Democrat’s questions about the landmark cyberattack, which has been blamed on the Chinese.

In the response to Wyden’s question of whether the intelligence community assessed the vulnerabilities of a database of highly sensitive background check information that OPM maintained, or whether it offered any advice to OPM, Evanina pointed to bureaucracy.

“Executive branch oversight of agency information security policies and practices rests with the Office of Management and Budget (OMB) and the Department of Homeland Security (DHS),” Evanina wrote. “The statutory authorities of the National Counterintelligence Executive … do not include either identifying information technology (IT) vulnerabilities to agencies or providing recommendations to them on how to secure their IT systems.”

In the short letter, Evanina also defended the decision to maintain a database of the background checks going back as far as 1985, saying it offers the advantage of being able to “assess the ‘whole person’ over a long period of time.”

Obama Warns China on Cyber Spying Ahead of Xi Visit

President Obama warns China on cyber spying ahead of Xi visit:

A person briefed on the White House’s thinking said on Tuesday the United States does not plan to impose sanctions on Chinese entities for economic cyber-attacks ahead of Xi’s visit to avoid what would be seen as a diplomatic disaster.

The United States has emphasized to China that industrial espionage by its government or its proxies in cyberspace goes beyond traditional intelligence gathering, Obama said.

“That we consider an act of aggression that has to stop,” Obama told the Business Roundtable, a lobbying group.

Obama said the United States is preparing measures to show the Chinese “this is not just a matter of us being mildly upset, but is something that will put significant strains on a bilateral relationship if not resolved and that we are prepared to take some countervailing actions.”

White House spokesman Josh Earnest later said Obama was “intentionally non-specific” in the comments and said the US government is “hopeful” that it will not need to use sanctions or other measures against China for cyber-attacks on US commercial targets.

“It is clear that the Chinese government is being responsive to those concerns by at least engaging in a candid discussion of those issues,” Earnest told reporters.

FBI Warns How to Keep Hackers From Causing Chaos at the Gas Pumps

The Federal Bureau of Investigation seems to be trying to get ahead of the so-called cyber attack business, and has issued some warnings about how to keep hackers from causing chaos at the gas pump and other similar tips:

The Defense Advanced Research Projects Agency in 2011 launched a program to help make “the code behind the physical control systems of an airplane or self-driving car,” for instance, “become mathematically, provably unhackable,” Carter said at a future technology forum hosted by the agency.

“DARPA’s already made some of that source code openly available online – it can give the Internet of Things a critical foundation of cybersecurity, which it’s going to need,” he said.

By 2020 there will be 250 million Internet-connected vehicles on the road, according to Gartner. A Wired journalist a few months ago had private researchers remotely kill the transmission of a Jeep on a St. Louis highway — while he was sitting in the driver’s seat.

Intel Establishes Automotive Security Review Board Possibly in Response to Recent Jeep Attack

Intel is attempting to take the industry lead in Internet of Things (IoT) cyber security, and as part of that effort has established a new automotive security review board:

The ASRB researchers will perform ongoing security tests and audits intended to codify best practices and design recommendations for advanced cyber-security solutions and products to benefit the automobile industry and drivers.

Gartner predicts there will be 150 billion connected vehicles on the road by 2020. The transition to a more connected world is exciting and requires that cyber security be addressed.

“Just like with any connected system, there’s no perfect security. But we can raise the bar against cyber-attacks in automobiles,” said Chris Young, senior vice president and general manager of Intel Security. “With the help of the ASRB, Intel can establish security best practices and encourage that cyber-security is an essential ingredient in the design of every connected car. Together we can manage the complexity more quickly and deliver solid cyber-security solutions.”

Disclosure: I work for Intel Security.

OPM Response to Massive Breach Is Being Challenged by the Inspector General

The Office of Personnel Management’s response to their recent massive breach is once again being challenged by the Inspector General, who warns OPM is not taking enough corrective action to prevent future

It said that as a result, the process to identify existing systems, evaluate their technical specifications, determine requirements, and estimate costs of moving the data into a more secure environment still has not been completed. Nor is there support for OPM’s belief that some of the cost of moving the data can be funded through discontinuing obsolete software, it said, calling OPM’s plan to find the rest of the funding from other accounts “inadequate and inappropriate.”

“Without this rigorous effort, we continue to believe that there is a high risk of project failure,” it said.

OPM also had rejected the IG’s recommendation to adopt industry best practices for planning such a project, saying it was following its own policies based on government standards. But the IG said that “based on documentation we have reviewed, we have determined that OPM is not in compliance with either best practices or its own policy.”

It noted that since the first report, former OPM director Katherine Archuleta had resigned under pressure and a Senate committee rejected a bid to add funding for the project even while backing extending the services to the victims. “In such a turbulent environment, there is an even greater need for a disciplined project management approach to promote the best possibility of a successful outcome,” it said.

Knowing how the government responds in these types of situations, I cannot say I am surprised. This sounds like business as usual.

DNI Suggests Conducting Cyber Attacks Leads to Little to No Penalties for the Perpetrators

US Director of National Intelligence James Clapper suggests the current global norms around conducting cyber attacks lead to little to no penalties for the perpetrators:

James Clapper, the nation’s top intelligence official, told the House intelligence committee that a muted response to most cyberattacks has created a permissive environment in which hacking can be used as a tool short of war to benefit adversaries and inflict damage on the United States.

“Until such time as we do create both the substance and the mindset of deterrence, this sort of thing is going to continue,” Clapper said, speaking specifically about the recently revealed hack of federal personnel information linked to China in which personal data on some 22 million current and former U.S. government employees, contractors, job applicants and relatives was stolen. “We will continue to see this until we create both the substance and the psychology of deterrence.”

The administration has yet to act in response to the OPM hack.

Last May, the Justice Department issued criminal indictments against five Chinese military hackers it accused of cyberespionage against U.S. corporations for economic advantage. FBI director James Comey said at the time the spying was to benefit Chinese companies, but he neither named the companies nor took formal action against them.

Sounds like more deterrence talk, which as I discussed, is really pointless in cyber.