Published by Al Saikali

February 2013

Cyber attacks and cyber espionage have been the focus of media attention (again) lately. In addition to the news of Apple, Facebook, the New York Times, the Wall Street Journal, and Twitter all suffering cyber attacks,  two important documents were released this past week.  The first, a report by the data forensic investigation firm, Mandiant, is an in-depth analysis of the threats that Advanced Persistent Threats (APTs) pose to major U.S. companies.  The report received a significant amount of media attention, including this very good New York Times article.  The second document released this week was a report by the Obama administration outlining its strategy in response to the APT threats and the individuals/governments who engage in theft of U.S. trade secrets and cyber espionage.

Mandiant’s Report on Chinese Cyber Attacks

On February 18th, Mandiant issued a report in which it accused the Chinese military of years of cyber attacks (APTs) against over 140 companies, a majority of them American.  The report’s conclusions were based on hundreds of investigations Mandiant conducted, which convinced Mandiant that the groups engaging in these security breaches are based primarily in China and are known by the Chinese government.

Mandiant tracks dozens of APT groups around the world.  APT1 is the most prolific of these groups in terms of quantity of information stolen and has engaged in a cyber espionage campaign against an array of victims since 2006.  APT1 is able to wage such a sustained and extensive cyber espionage campaign because it receives direct government support, Mandiant found.

Here are some other conclusions from Mandiant’s report:

  • APT1 is believed to be a part of the Chinese People’s Liberation Army identified as Unit 61398, which is staffed by hundreds or thousands of people.  The personnel in this unit are trained in computer security and computer network operations.  APT1’s activity has been traced to four large networks in Shanghai.
  • APT1 has systematically stolen hundreds of terabytes of data from at least 141 organizations in 20 major industries, and has demonstrated the capability and intent to steal from dozens of organizations simultaneously.
  • APT1 maintained access to victims’ networks for an average of 356 days, with the longest time period being four years and ten months.
  • APT1 focuses on compromising organizations across a broad range of industries in English-speaking countries.  APT1’s targets are industries that China has identified as strategic to their growth.
  • APT1 maintains an extensive infrastructure of computer systems around the world, with 937 command and control servers hosted on 849 distinct IP addresses in 13 countries.  The majority of these IP addresses are registered to Chinese organizations.
  • Mandiant has released more than 3,000 indicators (domain names, IP addresses, and MD5 hashes of malware) to help victims and potential victims bolster their defenses against APT1 operations.  These defenses can be downloaded here.

Why did Mandiant expose APT1?  Even though exposing APT1 would likely interfere with Mandiant’s ability to secretly collect intelligence on that particular group, Mandiant claims that it exposed APT1 in an effort to arm and prepare security professionals to combat the threat effectively and provide information that would lead to increased understanding and coordinated action in countering APT network breaches generally.  Mandiant “expect[s] reprisals from China as well as an onslaught of criticism” as a result of the report.

The Obama Administration’s Report On Trade Secret Theft

On February 20th, the U.S. Attorney General released a report entitled “Administration Strategy on Mitigating the Theft of U.S. Trade Secrets”, which outlines the Obama Administration’s strategy to promote improved coordination within the U.S. government to protect U.S. trade secrets. The report sets forth the following five-pronged strategy:

  1. Focus diplomatic efforts to protect trade secrets overseas – the Obama administration promises to continue applying sustained and coordinated diplomatic pressure on foreign countries to discourage trade secret theft.
  2. Promote voluntary best practices by private industry to protect trade secrets – examples of areas where private industries could consider voluntary best practices include research and development compartmentalization, information security policies, physical security policies, and human resources policies.
  3. Enhance domestic law enforcement operations – the Department of Justice and FBI will prioritize investigations and prosecutions of corporate and state sponsored trade secret theft.  Law enforcement and intelligence will share information regarding the number and identity of foreign governments involved in trade secret misappropriation, the industrial sectors and types of information and technology targeted by such espionage, the methods used to conduct such espionage, and the dissemination, use, and associated impact of information lost in trade secret misappropriation.
  4. Improve domestic legislation – increasing the criminal penalties for those who engage in economic espionage and other trade secret crimes.
  5. Public awareness and stakeholder outreach – encouraging all stakeholders, including the general public, to be aware of the detrimental effects of misappropriation on trade secret owners and the U.S. economy.  To this end, the administration will conduct educational and outreach efforts through the internet, forums for the private sector, and public outreach by the FBI.

I highly recommend that in house counsel who are concerned about cyber espionage read the report in full.  It is filled with interesting vignettes of how major U.S. based companies have been the victims of cyber espionage, and it includes links to some very valuable resources including this one, which was one of the first major reports to outline the extent of cyber espionage affecting major companies in the U.S.  These resources can help your company learn more about the threats of cyber espionage and ways to minimize those risks.

The Takeaways

So what are the takeaways?  First, cyber espionage is an increasing threat to major U.S. companies, particularly those in the technology, science, pharmaceutical, and defense industries.  Second, a growing body of evidence shows us that the APT groups primarily responsible for cyber espionage are originating in China and may be supported directly by the Chinese government.  Perhaps most importantly, however, there are steps that companies can and must take proactively to limit the risks associated with APTs, including the adoption of administrative safeguards (policies, procedures, and employee training that limit the likelihood that APTs, particularly those that target social behavior, will penetrate a company’s network) and technical safeguards (like the resources provided by Mandiant in its report, the establishment of firewalls, and the installation of spam filtering, monitoring and anti-malware software).

Given the findings of the Mandiant report and the Obama administration’s steps towards fighting cyber espionage, businesses cannot close their eyes to this threat and hope it will go away or won’t happen to them.  They must begin defending themselves now.

UPDATE:  Demonstrating the timeliness of this subject, the NY Times just went to press with this important article about the political implications of this issue.

DISCLAIMER:  The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP or its clients.  Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients.  All of the data and information provided on this site is for informational purposes only.  It is not legal advice nor should it be relied on as legal advice.

Yesterday, President Obama issued an Executive Order to improve critical infrastructure cybersecurity in the United States.  The Order attempts to facilitate sharing of important information between the federal government and certain critical infrastructure in an effort to protect that infrastructure against cyber intrusions.  The Order, which was formally announced and became effective during the President’s State of the Union address, requires the following:

  • Within 120 days, the Attorney General, the Secretary of Homeland Security (Secretary), and the Director of National Intelligence must each issue instructions to ensure the timely production and rapid dissemination of unclassified reports of cyber threats to the U.S. homeland that identify a specific targeted entity.
  • Within 120 days, the Secretary shall establish procedures to expand the Enhanced Cybersecurity Services program to all critical infrastructure sectors.  This voluntary information sharing program will provide classified cyber threat and technical information from the government to eligible critical infrastructure companies or commercial service providers that offer security services to critical infrastructure.
  • Define and identify critical infrastructure, within 150 days, where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.
  • The Secretary must expedite the processing of security clearances to appropriate personnel employed by critical infrastructure owners and operators.
  • The Secretary shall expand the use of programs that bring private sector subject-matter experts into federal service on a temporary basis, so that those individuals can provide advice regarding the content, structure, and types of information most useful to critical infrastructure owners and operators in reducing and mitigating cyber risks.
  • Establish certain privacy and civil liberties protections, requiring that agencies and the Department of Homeland Security coordinate activities under the Order to ensure that privacy and civil liberties protections are incorporated into their activities.
  • Information submitted voluntarily by private entities under the Order must be protected from disclosure.
  • The Secretary must establish a consultative process to coordinate improvements to the cybersecurity of critical infrastructure.

Within 240 days, the National Institute of Standards and Technology will publish a framework to reduce cyber risks to critical infrastructure.  By February 12, 2014, a final version of this framework shall be published. This framework must do the following:

  • Include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.
  • Incorporate voluntary consensus standards and industry best practices to the fullest extent possible.
  • Be consistent with voluntary international standards when such international standards will advance the objectives of the Order, and shall meet the requirements of certain federal legislation.
  • Provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk.
  • Focus on identifying cross-sector security standards and guidelines applicable to critical infrastructure.
  • Identify areas for improvement that should be addressed through future collaboration with particular sectors and standards-developing organizations.
  • Provide guidance that is technology neutral and that enables critical infrastructure sectors to benefit from a competitive market for products and services that meet the standards, methodologies, procedures, and processes developed to address cyber risks.
  • Include guidance for measuring the performance of an entity in implementing the framework.
  • Include methodologies to identify and mitigate impacts of the framework and associated information security measures or controls on business confidentiality, and to protect individual privacy and civil liberties.
  • The Secretary must establish a Voluntary Critical Infrastructure Cybersecurity Program to support the adoption of this framework.

It will be interesting to see what standards are adopted by NIST as a result of this Order and how those standards are received by affected organizations; whether those security standards become the new method for measuring whether a company’s security measures are “reasonable”; and whether there will be any constitutional challenges to the order (i.e., that the Order is essentially legislation, within the purview of Congress, not the President).

 

DISCLAIMER:  The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP or its clients.  Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients.  All of the data and information provided on this site is for informational purposes only.  It is not legal advice nor should it be relied on as legal advice.