Finding of China's involvement in recent hacks in U.S not an act of war because it's cyberespionage, says proponent of active defense
Security vendor Mandiant's 60-page report on Chinese cyberespionage, which offers proof that it is coming from a Chinese military unit housed in a building in the Pudong district of Shanghai, adds new fuel to two hotly debated cybersecurity questions.
First, does this mean the quest for 100% certainty in "attribution" of intrusions has been achieved? And second, does that mean the U.S. is justified in taking what government officials like to call "active defense" measures -- what most others call "retaliation" or "offense"?
Security experts are divided on the issue. Gary McGraw, CTO at Cigital and a vocal opponent of active defense, notes that Mandiant finding the source of advanced persistent threats (APT) in real time is good, but vastly different from being able to pinpoint the source of a cyberattack that takes place in a fraction of a second.
McGraw also urged that it is a gross exaggeration to call these attacks acts of war. "This is not cyberwar," he said. "That involves blowing things up, or taking things down for an extended period. This is espionage. There is a big difference, and we should not be conflating the two."
James Arlen, a senior consultant with Leviathan Security Group, said most organizations are not remotely prepared to launch any kind of effective attack against a perceived adversary. "We've spent the last decade of infosec riding around the driveway in training wheels, and people are talking about how awesome we're going to be at piloting M1A2 tanks across the battlefield," he said.
Arik Hesseldahl at All Things D wrote in "Cyberwar with China is here, like it or not" that since China has been hacking companies involved in remote access tools that are used to control SCADA (supervisory control and data acquisition) systems, they are preparing to attack the nation's critical infrastructure.
Joel Harding, a retired military intelligence officer and information operations expert who says he is a longtime believer in active defense, thinks a proportionate response is perfectly reasonable. "Why not find a way to infiltrate it and turn the tables?" he said, given the U.S. knows the building where the attacks have been originating. "We can infiltrate virtually or in the real world. We can target it with viruses, Trojans, worms -- all kinds of APTs, and continue to make life miserable for them."
Stewart Baker, first assistant secretary for policy at the Department of Homeland Security under President George W. Bush and now a partner at the law firm Steptoe & Johnson, wrote last fall: "We will never defend our way out of the current cybersecurity crisis. That's because putting all the burden of preventing crime on the victim rarely succeeds. The obvious alternative is to identify the attackers and punish them."
Mandiant's report contends that it is certain about the location and source of what it calls the "most prolific" of more than 20 APT groups originating in China. "APT1 (also labeled "Comment Crew") is a single organization of operators that has conducted a cyber espionage campaign against a broad range of victims since at least 2006," the report said.
Mandiant has observed attacks since then against nearly 150 victims in a broad range of industries, that it has stolen terabytes of data from companies like Coca-Cola, and that it manages this campaign because "it receives direct government support."
It is not just commercial firms that are targets either. Mandiant said one was a company with remote access to more than 60% of oil and gas pipelines in North America. It said APT1 also attacked computer security firm RSA, which protects confidential corporate and government databases.
And while there was no proof yet of China being behind it, Apple said today that unknown hackers had infected the computers of some of its workers when they visited a website for software developers that had been infected with malware.
"In seeking to identify the organization behind this activity, our research found that People's Liberation Army (PLA's) Unit 61398 is similar to APT1 in its mission, capabilities, and resources. PLA Unit 61398 is also located in precisely the same area from which APT1 activity appears to originate," the Apple report said.
China's defense ministry issued a carefully worded denial that it was behind the attacks, calling any such accusations "unprofessional and groundless ... without any conclusive evidence."
But the government reacted very quickly when a BBC crew started taking video of the 12-story building where the Mandiant report said Unit 61398 is housed. Andrew Pugh, writing for the Press Gazette, said the Chinese military detained the crew and confiscated their video footage.
Even assuming the attribution is accurate in this case, however, doesn't mean the overall problem has been solved. John Worrall, chief marketing officer at Cyber-Ark, calls attribution "a very difficult task."
"Very few organizations are up to the task. If you don't do it completely, you're on thin ice," he said. "And the bigger challenge is that very few have the ability to launch a counter attack, even if they've got the right target."
Other experts note that Mandiant has been investigating APT1 and other groups for years, and most organizations don't have the time or expertise to do even that much. And several posts during the day on Twitter said they expect other hacking groups to launch attacks using APT1 methods, to make it look like it comes from them.
Harding said that should not be a problem. "Our analysts are smart enough to use other indicators to tell the script kiddies from 61398," he said.
How should the U.S. respond?
Still, the debate rages on over how the U.S. should respond. U.S. Rep. Mike Rogers (R-Mich.) chairman of the House Intelligence Committee, told the New York Times that, "right now there is no incentive for the Chinese to stop doing this. If we don't create a high price, it's only going to keep accelerating."
Gary McGraw agrees that there should be a high price, but said it should be done through what he calls "proactive defense."
"If we in the U.S. build our systems better so these sorts of attacks don't work very well, or people get caught, then that can be a deterrent," he said. "But it involves heavy lifting security engineering. We need to spend the money and time to harden our systems -- build them right."
Aaron Higbee, CTO of PhishMe, said companies that try to counterattack might be inviting retaliation themselves. "The worry is there are attackers in our most trusted networks right now," he said. "This is the persistent part of APT. We do not know what offensive retaliation will do."
Arlen said there is yet another reason the U.S. should be careful about counter attacks: The U.S. itself does not have entirely clean hands. He and others note that the U.S. and Israel were behind the Stuxnet worm used to attack Iranian nuclear facilities.
"What Mandiant does not say, and which I think is important for readers to remember, is that APT0 is the United States of America," he said.
Read more about malware/cybercrime in CSOonline's Malware/Cybercrime section.
Copyright 2009 IDG Magazines Norge AS. All rights reserved
Postboks 9090 Grønland - 0133 OSLO / Telefon 22053000
Ansvarlig redaktør Henning Meese / Utviklingsansvarlig Ulf Helland / Salgsdirektør Tore Harald Pettersen