To steal the designs for America's advanced weapons systems, as Chinese hackers are, you don't necessarily have to break into classified Department of Defense systems.
Many of America's military secrets can be stolen by exploiting the networks over which unclassified information is shared by military contractors and subcontractors. While these contractors, like the government, have improved their cyber-security over the past decade, many still do not have systems in place to quickly discover whether a hacker in Beijing, or elsewhere, is harvesting information off the computer of a staffer in Virginia, according to cyber-security experts interviewed for this story.
On Monday, the Washington Post reported that Chinese hackers are believed to have stolen the designs for "more than two dozen major weapons systems," potentially weakening the U.S. military advantage over China. While we don't know precisely how the information was accessed, cyber-security experts say it did not necessarily come from the Department of Defense itself.
"I just don't think that's necessary," said Richard Bejtlich, the Chief Security Officer for cyber-security company Mandiant. "You can get what you need from the contractors."
While no computer networks are impenetrable, federal agencies like the FBI, DOD and NSA devote significant resources to guard their computer networks, and also have in place rules to protect sensitive data. Many of the contractors who build parts for U.S. weapons systems, however, do not have that level of resources. That makes them more vulnerable to attacks from hackers in China and elsewhere, who often use sophisticated "spear phishing" attacks to infiltrate a system and harvest data. By piecing together stolen information from various contractors, hackers can recreate U.S. systems even if they don't have the entire design in one place.
James E. Harris Jr., a senior specialist for cyber-security at Obsidian and former FBI cyber-division official, said that while "we may protect a final design," important aspects of it go to vendors for fabrication. Those vendors may order parts from another supplier or subcontractor, potentially exposing sensitive information to a network with a lower level of security than the contractor itself. "Nobody produces anything from soup to nuts," he said.
While spear-phishing attacks involve email, they are far more sophisticated than the clumsy, implausible email appeals you've most likely gotten from an alleged Nigerian prince or other scammer. A hacker may spoof or break into the email of a friend or colleague - they might use Facebook to figure out your connections - and send along a link or attachment; when you click it, it installs malware that can then record your keystrokes, turn on your camera, and go through your Windows registry for sensitive information. These emails are often well-written and believable: The National Association of Manufacturers recently received an email ostensibly from a Bloomberg reporter with a link to an Excel spreadsheet relevant to a story. The email had actually come from Chinese hackers seeking proprietary information.
Indeed, U.S. weapons systems are just one of the many targets of hackers, who are equally (if not more) interested in industrial secrets and intellectual property. And the Chinese government is far from the only game in town: There are organized criminal gangs, other state actors and other autonomous groups constantly trying to break into systems. Christopher Ling, executive vice president at Booz Allen Hamilton focusing on military intelligence and cyber-security, said that Russia and Israel are among the countries (along with the United States) that have excelled in the "cat and mouse" game of cyber-warfare, though he added that there is now a black market for sophisticated malware that allows less sophisticated nations to mount serious attacks. And the threat isn't just to military and industrial secrets: Some hackers are also interested in terrorism, with the Department of Homeland Security reporting 198 attacks on critical U.S. infrastructure in fiscal year 2012.
But China is "the most active and prolific" state player in the hacking game, according to Ling. "It is a national focus agenda item for the Chinese to be active in this way," he said. "It's not a small group of people who just decided they want to do this on their own accord." While the United States was reticent to specifically accuse China of hacking until relatively recently, the Office of the National Counterintelligence Executive said in 2011 that U.S. firms and cyber-security specialists had reported "an onslaught" of network intrusions from China, and in March President Obama's national security advisor, Tom Donilon, warned of "cyber intrusions emanating from China on an unprecedented scale."
According to Bejtlich - whose company, Mandiant, made international headlines when it released a detailed report on China's cyber-espionage efforts in February - Chinese hackers take a decentralized approach to stealing U.S. secrets. Mandiant tracks 20 different hacking groups, which range in size from dozens of hackers to thousands. The groups may have specialties or receive specific instructions on what to target from China's Ministry of State Secrecy, but they can be in competition with each other. "We have seen cases where there are six or seven independently operating groups inside a single target," said Bejtlich.
Harris said that "[i]n any nation-state-sponsored attack, where you have a lot of resources available to you, you might have different tiers of hacker."
"You might give them general tasks and say, 'I want to know about this, or I want to know about anything you can get your hands on,'" Harris said. The goal, he added, may simply be to "find out where you can get into something, and push things up to where they can be analyzed."
The hacker wants to remain undetected - while a full-on assault on a corporate system can be picked up quickly, a spear-phishing operation can potentially fly below the radar for months. And that means more information. If hackers can steal the username and password of a staffer, along with his remote access credentials, they can simply log into the system under his identity. To avoid raising red flags, they can route their connection through an infected zombie computer at the staffer's home, so that a hack from Beijing appears to be coming from the staffer's residence. Part of the challenge in countering hacks is tied to the flexibility of modern life: Hackers can use smartphones or work laptops accessing the Internet from "soft" locations, such as the WiFi network at a coffee shop, to get into a system that would be hard to access from an employee's workstation.
The game isn't just online - Bejtlich said that traditional spy tactics also come into play. That can mean recruiting American students who travel to China, convincing visiting professors to talk about classified research while working at Chinese universities, or accessing proprietary information gleaned during joint ventures between Chinese and American companies.
When it comes to countering spear-phishing efforts, one strategy involves "whitelisting," which essentially means that your computer can only run approved programs. "The unknown bad things outnumber the known bad things one million to one," said Harris. Whitelisting programs, which can be frustrating for users, "stop bad code from executing. If it's not known and not trusted it will not run."
"If you're dealing with anything sensitive like weapons systems, I don't understand why they're not running it," he said.
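As an added illustration of the whitelisting idea Harris describes (this is example code, not anything from the article or the companies quoted), the Python below contrasts a default-deny, hash-based allowlist with a weaker path-based rule over three constructed execution attempts; the file paths, file contents and the "CAD viewer" name are made up.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample: the vetted build of an engineering tool. In a real deployment the
# allowlist is generated from the approved software image, not typed in by hand.
APPROVED_CAD_BUILD = b"cad-viewer build 4.2 (constructed sample bytes)"

# Hash-based allowlist: trust is tied to the exact bytes, not to a name or location.
HASH_ALLOWLIST = {sha256_hex(APPROVED_CAD_BUILD): "CAD viewer 4.2"}

# Weak alternative for comparison: trust anything installed under Program Files.
TRUSTED_DIRS = ("C:/Program Files/",)

def hash_policy(path: str, contents: bytes) -> str:
    """Default-deny: 'allow' only when the file's SHA-256 is on the allowlist.
    Unknown code is denied, matching 'if it's not known and not trusted it will not run'."""
    return "allow" if sha256_hex(contents) in HASH_ALLOWLIST else "deny"

def path_policy(path: str, contents: bytes) -> str:
    """Path-based rule: 'allow' when the file lives in a trusted directory."""
    return "allow" if path.startswith(TRUSTED_DIRS) else "deny"

# Constructed execution attempts a host-based allowlist would see.
ATTEMPTS = [
    # The vetted build at its normal location.
    ("C:/Program Files/CAD/cad.exe", APPROVED_CAD_BUILD),
    # A spear-phishing attachment the user double-clicked: unknown code.
    ("C:/Users/staffer/Downloads/report.xls.exe", b"constructed dropper payload"),
    # The vetted tool overwritten in place with a few bytes appended: same path,
    # same name, different contents. Only the hash-based rule notices.
    ("C:/Program Files/CAD/cad.exe", APPROVED_CAD_BUILD + b"\x90\x90implant"),
]

def compare_policies(attempts=ATTEMPTS) -> list:
    """Return [(path, hash_verdict, path_verdict)] for each attempt."""
    return [(p, hash_policy(p, c), path_policy(p, c)) for p, c in attempts]

if __name__ == "__main__":
    for path, by_hash, by_path in compare_policies():
        print(f"hash={by_hash:5s} path={by_path:5s} {path}")
```

The third attempt is the case that matters: a name- or location-based rule lets the modified binary run, while the hash-based rule denies it because the approved hash no longer matches.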
Broadly, however, cyber-security experts say efforts have shifted from trying to keep everyone out - which is viewed as a virtually impossible task - to trying to be sure you know as soon as they get in. The problem is that because building the necessary protections is expensive and time-consuming, it is far from a universal practice. "I would expect most of the military, the top tier defense contractors, have it," Bejtlich said, "but outside of that I really start to worry."
Experts say it is rare for the U.S. government to directly work with a private company to improve its cyber-security, though the FBI has been known to notify a company of a breach and the DOD has shared classified threat vector information. "If they know there is a certain vulnerability in software that is not well published that foreign nations may be using to gain military secrets, then they'll share that particular vulnerability with defense contractors," said Ling.
Ling added that the DOD is aware that there are vulnerabilities within the industry, though it remains unclear how they will be addressed - in part because the hacking game moves so fast that sophisticated cyber-security efforts can quickly become outdated. Asked how small defense contractors could afford to establish and maintain sophisticated systems to keep sensitive data out of hackers' hands, he replied: "How can you afford not to do it?"