International Espionage: It’s Time to Get Real
For years, news stories and postings have focused on the disproportionately high percentage of attacks on US government and other systems that appear to have originated from the People's Republic of China (PRC). I have seen firsthand systems that appeared to have been attacked and taken over by individuals within this country. In one case, a Web server for a site that distributed data related to nuclear physics research had very obviously been compromised by someone from the PRC. The source IP address of traffic sent to this server was one registered to a host in the PRC (which in and of itself was not by any means conclusive proof), the destinations of many outbound connections initiated by that server were addresses in this country, and the intruder had downloaded many files written in Chinese. Interestingly, this and a number of related attacks within a relatively short period occurred at the time a US military aircraft had collided with one belonging to the PRC over PRC airspace.
Over the last few years, US State Department computers have apparently been targeted by the PRC. Attackers exploited vulnerabilities in programs such as Microsoft Word to craft attachments that, if opened, caused malware to be installed on the victim machine. Destination addresses of connections from the victim machines were traced to the PRC. Earlier, the UK Home Department experienced a rash of attacks (including "spear phishing" attacks), once again apparently from the same origin.
Has the PRC launched a massive espionage effort, and if so, is this country the only one involved in such an effort? Joel Brenner, US National Counterintelligence Executive and Mission Manager for Counterintelligence in the Office of the Director of National Intelligence, recently said "no" to the latter question. He asserted that attacks against US government computing systems originate from many nations, certainly not exclusively from the PRC. Brenner also pointed out that spoofing the source IP addresses of Internet attacks is commonplace.
But what about the answer to the first question above? Is the PRC involved in international espionage? In my mind, there is little doubt that this is true. At the same time, however, it is important to realize that many other countries, the US included, gain intelligence information in a wide variety of ways. Gaining unauthorized remote access to systems and/or installing malicious code, then copying files and sniffing keystrokes, is a rather easy, low-risk, and low-cost method of obtaining needed intelligence information. My hunch is, therefore, that virtually all of the world's largest countries, as well as many others, are actively involved in computer-related espionage efforts.
The real question, then, is what can be done about such attacks, given that the probability of apprehending those who perpetrate international espionage attacks and bringing them to justice is nearly zero? What many senior managers of corporations and heads of other organizations, such as non-profit research institutions and universities, do not realize is that their computing systems are just as likely to be attacked by perpetrators of international espionage as government systems are. Gaining proprietary, state-of-the-art information about technology is, for example, extremely advantageous to a country. So what is the solution? The solution is developing a program that results in an adequate or better security posture, one that manages security-related risk to an acceptable level. Too many organizations, government organizations very much included, have not achieved this goal; many are not even conscious of the need to do so. In many ways, therefore, the practice of information security is still in the "dark ages." Perhaps the realization that one's computing systems, and the information stored on them, are often the targets of proficient and sustained espionage efforts will serve as a wake-up call that motivates senior management to start taking information security seriously.