Published January 22, 2010
It isn't just Google, and it isn't just China. Security experts say there's a raging, worldwide cyberwar going on behind the scenes, and governments and businesses across the globe need to be on alert.
Security analysts say 20 countries, in addition to China, are actively engaged in so-called asymmetrical warfare, a term that originated with counterterrorism experts and now commonly refers to cyberattacks designed to destabilize governments. Countries engaged in this activity range from so-called friendly nations, such as the United Kingdom and Israel, to less friendly governments like North Korea, Russia, Kazakhstan, and Uzbekistan.
"There are at least 100 countries with cyber espionage capabilities," warns Alan Paller, director of research at the SANS Institute, an information security and training firm. Today there are thousands of hackers working on such programs around the world, "including al Qaeda cells that are acting as training centers for hackers," he said.
"It's been a widespread problem for some time," says University of Texas at San Antonio professor and cyber security researcher Ravinderpal Sandhu. Paller and others agree, adding that the recent Google incident -- in which the Internet giant discovered e-mail and corporate sites had been extensively hacked by programmers on the Chinese mainland -- represents just the tip of the iceberg.
The Google Incident
"The Chinese air force has an asymmetrical warfare division" charged with developing cyberwarfare techniques to disable governments' command and control systems, says Tom Patterson, chief security officer of security device manufacturer MagTek Inc.
"They are fully staffed, fully operational and fully active. And when you aim a governmental agency that size against any company, even the size of Google -- well, it's an overwhelming force," Patterson says.
"It's been going on in China since at least May 2002, with workstations running 24 hours a day, 7 days a week," Paller says.
Google has been unable to conclusively tie the Chinese government to the recent attacks, but it did trace the source of those attacks to mainland China. Experts say the sophistication of the hackers indicates government support, or at least approval.
Such virtual attacks represent a very real danger. Government and security-firm sources say over 30 other companies were attacked in this latest hack, from software firms like Adobe and Juniper Networks to Northrop Grumman -- a major U.S. defense contractor and manufacturer of nuclear-powered aircraft carriers and the Global Hawk unmanned drone.
It's just part of a battle that's been getting increasingly belligerent:
-- In 2007, Britain's security agency, MI5, issued a secret warning to CEOs and security leaders at 300 banks and legal firms that they were being attacked by "Chinese state organizations." The letter was later leaked to the media.
-- Late in the 2008 presidential campaign, FBI and Secret Service agents alerted the Obama and McCain camps that their computers had been hacked. The source of the attacks: hackers in China.
-- Earlier that summer, in testimony before the House Armed Services Committee, James Shinn (assistant secretary of defense for Asian and Pacific security affairs at the time) and Maj. Gen. Philip Breedlove (of the Joint Chiefs of Staff) warned officials about China's asymmetrical warfare capabilities.
Follow the Money
While many cyberattacks have been traced to sources with ties to China's People's Liberation Army, such attacks are not limited to government targets or to a single country. When there's an economic interest, even countries friendly to the U.S. may deploy asymmetric warfare techniques to gain an advantage.
"Some countries are friendly [toward the U.S.], but the fine line between using those departments for military or economic gain is getting thinner," Patterson says. In other words, countries may use cyberattacks to further the interests of local companies competing for global contracts.
According to sources who requested anonymity, a large law firm in New York was recently informed by the FBI that it had been hacked. The intruders didn't just steal passwords or account numbers. Rather, the thieves took every single document the firm had stored. Gaining such information could give competitors an advantage in bidding for contracts and allow them access to corporate intellectual property and secrets.
Finding the Source
Often, the criminals or spies are never found. One reason: victims don't like to admit they are vulnerable.
"In spite of data breach laws, the general tendency of companies is to clam up," Sandhu said. "So not every attack is reported, and for ones that are, there's little follow-up investigation." He pointed out that Google still hasn't provided many details about its case. He also said that a seemingly innocuous recent problem with AT&T's network, in which people were able to view personal (so-called secure) information on strangers' Facebook pages, could be a sign of a more serious cyberattack.
Even when companies are forthcoming, tracking the criminals can be difficult.
"Nobody attacks directly from their own computers anymore," Sandhu said. Hackers typically invade computers in other countries and then launch incursions remotely. Consequently, the trail typically leads through several different countries.
"We do see activity from different places in Africa, but those computers are being used as relay stations," says Amichai Shulman, the CTO of security firm Imperva. Shulman says asymmetric warfare techniques often exploit systems that may be less secure in other countries.
"Usually, these guys use an anonymizing [Web] service in another country, like Thailand or Russia," says Jacques Erasmus of security firm Prevx. Such services explicitly hide users' identities and are not subject to the laws of the United States. "It's a real problem, because it then requires international, cross-border collaboration that doesn't really exist," Erasmus says.
The real danger, however, is from computer attacks that remain invisible. In scenarios that read like a cyber version of The Manchurian Candidate, computer experts say that current asymmetric warfare is focused on clandestine operations that plant the equivalent of a mole inside an organization's computer network.
"So much worse things can happen," Sandhu says. A program designed to disrupt a financial institution or government department can sit undetected and dormant within a network for a decade. Then, when a conflict or war breaks out, the virus is triggered, disrupting communications and destroying an organization's infrastructure.
"We may call it espionage, but it's really warfare," Paller says. "They're planting logic bombs." He says much of what is being discussed now in classified national security briefings revolves around these sorts of stealth attacks. He declined to answer questions as to whether such secret programs had been detected in any major governmental or infrastructure networks, but he emphasized that a major vulnerability is the nation's power grid.
How to Win the Cyberwar
Taking countermeasures against such cyberattacks is problematic. Microsoft issued an emergency patch for its Internet Explorer browser this week that it said addressed a vulnerability exploited in the Google hack. The previous week, Google beefed up its own Gmail security by automatically encrypting its e-mail sessions. The Electronic Frontier Foundation said the move was a "significant step to safeguard user's privacy and security."
But scientists, security experts, and researchers say this is no longer enough.
No matter what happens in the standoff, we haven't heard the end of these attacks, say experts. "We're going to see these types of attacks again and again in 2010," says Michael Sutton, vice president of security research at Zscaler. All the experts agree that more needs to be done in both the public and private sectors to protect against future cyberattacks.
"One thing is you've got to presume that there is a persistent, hostile, insider embedded in your network," says Sandhu. Such threats cannot always be eliminated, so organizations have to learn how to deal with such eventualities. Defense experts refer to this as "working to ensure the mission, not the network."
"You have to start running your systems as if they are contested territory," says Paller. "Don't assume you can control who's on your system." He believes the only way to do this is to use highly skilled teams whose sole focus is looking for computer attacks and ferreting them out. Paller estimates that the U.S. is woefully understaffed in this area, with only about a tenth of the needed experts available to conduct such security work. Sandhu agrees: "Our infrastructure is very fragile right now."
"But finally, with Howard Schmidt, the new National Cybersecurity Coordinator, Obama's got the right guy," says Patterson. Schmidt has an extensive background in computer security in both the public and private sector (he was once a security director at Microsoft). The question remains, however, if Schmidt or anyone at the federal level will be able to commit the necessary funds. Patterson, for one, remains optimistic.
"We may get some proactive leadership on this front," he said.