In the best of times, the federal government and private-sector companies work in a delicate synergy to make the products and services required to sustain government operations, develop advanced systems, and enhance systems currently in use. The government also looks to the private sector to support military dominance on the battlefield and protect closely held information. But that arrangement can lead to serious risks when contractors fail to protect their operations adequately from cyber-attacks.
Many of the contractors working with government handle terabytes of data peppered with personally identifiable information, including medical data covered under Health Insurance Portability and Accountability Act (HIPAA) provisions, as well as financial information related to civilian and military personnel. The prevalence and scope of cyber-attacks on this information via contractors is significant, as is the potential danger.
US-CERT reports the number of incidents reported by federal agencies in 2012 was 48,562, up more than 700 percent since 2006. In general, within government, we simply cannot wrap our minds around this problem because it is both very large and highly pervasive.
What’s troubling is that in a number of cases, these companies have had prior indications, warnings and even outright formal notices before or immediately after these attacks, leaving little to the imagination regarding what happened. All that is left afterwards is to assess the damage, build the wall higher, and find innovative ways to track down and neutralize the culprits’ abilities to gain access and “exfiltrate” data.
For three years, one defense contractor was compromised by an advanced persistent threat attack. As InformationWeek reported, investigators hired by the contractor company said that despite ongoing warnings from numerous organizations, including NASA and the Naval Criminal Investigative Unit, the contractor's networks had been compromised. They also found that company officials failed to realize that attackers were maintaining a persistent presence in their network and failed to react accordingly.
The attackers allegedly captured cutting-edge US military drone and robot weapons-systems design and technical specifications and brought competing products to market, according to a subsequent report from Bloomberg. The report cited several firms hired by the defense contractor to investigate apparent intrusions. Investigators told Bloomberg that the ongoing attacks were launched by the Shanghai-based Comment Crew.
Earlier this year, security firm Mandiant reported targeted attacks had compromised 141 businesses, none of which it named, across 20 industries. According to Mandiant, the attackers weren't just supported by China, but were actually part of the People's Liberation Army (PLA) Unit 61398, which is an elite military hacking unit. Chinese officials have denied these allegations.
The threats had reached the point that the Pentagon, in its annual report to Congress, accused the Chinese military of mounting cyber-attacks on the US government and various defense contractors. It marked the first time that the Obama administration has explicitly blamed Chinese officials for the country's offensive cyber-activities, according to a May 7, 2013, report in Foreign Policy. The report, which called the cyber-attacks a "serious concern," said that US government computer systems "continued to be targeted for intrusions, some of which appear to be attributable directly to the Chinese government and military."
China's primary objective appears to be the theft of industrial technology, but according to the report the information gathered by Chinese hackers could easily be used for "building a picture of U.S. network defense networks, logistics, and related military capabilities that could be exploited during a crisis." The diplomatic, economic, and defense industrial sectors that form the basis of US defense programs are all being targeted, the report said. China rejected the accusations saying that it "resolutely oppose[s] all forms of hacker attacks."
But a 2012 Defense Security Service report found that many of these computer network exploitations (CNE to cyber-professionals) were targeting critical systems, including unmanned vehicles (air and ground); networks and sensors; command, control, communications, and computers (C4I) systems; aircraft systems; ground combat systems; and nanotechnology.
Also of concern were the methods used by adversaries, including encrypting and masking data, both to get around built-in security systems and to limit investigators' ability to track down the specific attacker.
Defense contractors are given guidelines that clearly lay out the rules, policies, and procedures for reporting suspicious network contacts. However, many such reports contain too little information to properly classify the nature of the attack or the technology it targeted.
Given the lack of full and complete information in the reporting provided by the contractor community, we in the military do our best to figure out exactly who is coming after critical program information and how successful those adversaries are in capturing targeted research, design, and technical information, as well as associated documents, such as training, security classification guides, operating manuals, and other information.
What should the government, and more specifically the Department of Defense, do in response to the growing threat and perceived lack of serious efforts to curb the intrusions?
The time may have come to hold the contractor companies accountable for inadequate safeguards and the lack of security measures that would protect critical program information, sensitive information, and even classified information.
But of even greater concern for our community is its continued reliance on current methods and processes for protecting networks, enterprises, and information. What is needed is a quantum leap to new and innovative approaches that will change the systems, environments, and networks to make them capable of recognizing malware, intrusion attempts, infected software copies, and other common tools of the cyber-attacker's tradecraft.
With real innovation and a drive from senior leaders to find and test new solutions, rather than permutations of the same old solutions, the government could get ahead of our adversaries and create the time gap necessary to allow for even more innovation and structural shifts that could frustrate adversaries and provide our country with a competitive advantage in the future.
Our economic well-being and our ability to dominate the battle space of tomorrow hinge on this effort. It is imperative for companies to protect their internal networks and systems, to sequester government information more effectively, and to redouble efforts related to insider threats. If we do not fix this, we could find ourselves overpowered economically and militarily in the future.