Costly cyberespionage on 'relentless upward trend'

Cyberespionage is nothing new. So a report from the Defense Security Service (DSS) about efforts in foreign countries to steal U.S. technology, intellectual property, trade secrets and proprietary information might sound like just more of the same.

DSS Director Stanley L. Sims said it is more of the same -- the problem is, much, much more. And in some cases, old cyberespionage technology is now more sophisticated. The agency's annual report, "Targeting U.S. Technologies: A Trend Analysis of Reporting from Defense Industry," said industry reports of attempts to steal sensitive or classified information and technology increased by 75% from fiscal years 2010-11.

While the percentage of attacks from different regions of the world remained relatively stable, "the only stability in the data is the relentless upward trend," the report said.

"During fiscal year 2011, the persistent, pervasive, and insidious nature of that threat became particularly noteworthy, and the pattern became even more firmly established," Sims wrote in the introduction to the report.

It noted that attackers from East Asia and the Pacific, which includes Australia, China, Japan, North and South Korea, New Zealand, the Philippines and Taiwan, were particularly interested in military and space technology -- specifically "radiation-hardened" microelectronics -- memory and other components that have been hardened to withstand radiation in high-altitude flight, space operations and near nuclear reactions.

How much this costs the U.S. is difficult to quantify. FierceGovernmentIT reported in July that the FBI had estimated that economic espionage had cost the nation $13 billion through the first three quarters of the fiscal year, which ended Sept. 30. That is obviously a significant amount of money, but in an economy with a gross domestic product of about $14.6 trillion, it is barely a rounding error.

But Joel Harding, a retired military intelligence officer and information operations expert, said he believes the FBI estimate is much too conservative. "Many corporations invest millions of man-hours in proprietary products, only to have them copied and stolen by foreign agents, who can share with their corporations," he said.

"By the time the American corporation completes final testing and ramps up for production, a foreign product may already be on the market at a far cheaper price," he said. "The cost to American corporations is devastating. It has transcended criminal actions, it is de facto, economic warfare, and we are being beaten badly."

Jacob Olcott, a principal at Good Harbor Consulting and former counsel to U.S. Sen. Jay Rockefeller (D-WV), added that the report is mainly about national security information from contractors involved with the Defense Department, and doesn't cover espionage trends against American businesses generally, "which is as significant and less understood."

Some critics contend that the U.S. is as much a villain as a victim. Some comments on an article posted last month by James Lewis in Foreign Affairs, "China's Economic Espionage," accused Lewis of "Western propaganda" and "bordering on racism." Several comments said the U.S. and Israel are among the worst of nations committing economic espionage.

Jason Healey, of the Atlantic Council and a former White House and Goldman Sachs security official, said there is some truth to such claims, but no context. "The U.S. and Israel do steal prolifically but only to feed national security programs, with an emphasis on political and military targets," he said.

"Yes, the CIA or NSA might spy on a factory making aircraft engines, but this is to learn how to defeat aircraft with those engines in combat," Healey said. "The Chinese -- sorry, East Asians and Pacific-ers -- are spying on engine factories so they can reproduce those engines themselves, or feed the secrets into their own R&D process."

Some of the efforts to get American technology and military secrets are not online. The FBI says they involve everything from recruiting insiders, often from the same national background, to bribery, seemingly innocuous business relationships -- even dumpster diving.

But the report said the most common online method of attack is through spear phishing emails with malicious attachments. And there are ways to combat them.

"The best way to counteract this is through the use of certificates, which prove the authenticity of the sender, primarily through a verification process," Harding said. "But we're human and lazy, it takes a few seconds to set this up -- too long for many."

Spear phishing is targeted. Kevin McAleavey, cofounder and chief architect of the KNOS Project, said executives tend to be hunted because "they have direct access to exactly what enemies want to find."

"Most networks are fairly well secured against direct penetration for the purposes of espionage, and critical data is usually not available from the public-facing side of their networks," he said. "However, it is available to their own executives, and by getting them to install Windows, Linux or OSX-based malware, they have allowed the Trojan Horse into their systems with full access to all of their sensitive financials and technicals."

McAleavey said the spear-phishing emails contain zero-day vulnerabilities, which go completely undetected. "They sell very cheaply to these APT [advanced persistent threat] actors who use them and they're highly successful in delivering that payload," he said.

Healey said educating the workforce about spear phishing is not enough. "Regular businesses should stop blaming employees for clicking on links," he said. "Many of these phishing emails are exceptionally sophisticated."

Instead of "educate the user" campaigns, businesses should ensure they are enforcing basic security controls, such as being fully patched and using up-to-date antivirus software. "Larger firms must go further, assuming the adversaries are in their systems already, and vigorously search for their presence to kick them out," Healey said.

The debate continues about whether businesses or the government should retaliate -- what is called "active defense." Opponents of such proactive techniques cite the reality that "attribution," or determining exactly who launched the attack and from where, is still too difficult.

"[Attackers] conceal their activities behind various covers, such as third countries, front companies, and cyber identities," Sims said.

Harding said there are other solutions. "Perhaps a better alternative would be to attach payloads to outgoing stolen data that self-destructs upon arrival on the offending server," he said. "It could also report on whatever is held on that server. It could even completely wipe all data off that server."

"The possibilities are endless and the only person to blame is the one stealing the data," Harding said.
