Cyber Challenges – Focus on What Matters Most to the United States

The Internet has enabled a great many benefits, connecting people around the globe, along with the information people share with each other. But just as Albert Einstein discovered the means for splitting the atom, and never intended that this technological breakthrough would be used to eviscerate thousands with an atomic bomb, so too has evil intent emerged as a result of the enabling of the World Wide Web and connectivity.

An ever-expanding array of Internet-based applications has virtually replaced Encyclopedia Britannica, search engines such as Google have placed at our fingertips answers to virtually any question we may have, from the trivial to the scholarly. Yet alongside these virtuous educational tools of the past decade or so we’ve also witnessed a dark side to the Internet. [1]

●     in 2010, out of the million most popular (most trafficked) websites in the world, 42,337 were sex-related sites.

●     from July 2009 to July 2010, about 13% of Web searches were for erotic content.

Besides the preponderance of pornography, other activities of ill intent have cropped up including identity theft, industrial espionage, credit card fraud, phishing, child exploitation – criminal use of the Internet has flourished. The Internet has also been used to great effect by criminals to trade their cyber wares. Investigators have uncovered sophisticated black market operations such as DarkMarket and ShadowCrew who use the Internet to trade cloned credit card data and bank account details, hire botnets (infected networks of computers) and deliver hacking tutorials.[2]

Malicious viruses have made headlines over the past several years, but the economic hardship suffered by American businesses has been almost insignificant, making these attacks more annoying than truly disruptive and costly.[3] A virus in 2000 infected 1,000 computers at Ford Motor Company. Ford received 140,000 contaminated e-mail messages in three hours before it shut down its network. Email service was disrupted for almost a week within the company. Yet, Ford reported, “the rogue program appears to have caused only limited permanent damage.” None of its 114 factories stopped, according to the automaker.[4]

Increasingly sophisticated virus attacks on one or more computers have caused many problems for individuals, companies and public institutions. Stuxnet, Flame, Duqu, Red October, and Iran’s ongoing attacks against the US banking system have brought the phenomenon into the nightly news, but the pattern of attacks includes numerous older and less discussed programs such as Titan Rain, Ghostnet, and the attacks on Estonia and Georgia.[5]

Arguably the most successful known campaign against American oil and gas firms is one dubbed “Night Dragon” by McAfee, the cyber security firm that first disclosed its existence. According to McAfee, Night Dragon was a “coordinated, covert, and targeted” campaign by China-based hackers to obtain confidential data from five major Western energy companies, beginning around 2008 and extending into early 2011. Night Dragon was able to steal gigabytes of highly sensitive material, including proprietary information about oil and gas-field operations, financial transactions, and bid- ding data. It is difficult to tell if and how any of this information was used. One U.S. oil executive interviewed said he believed that on at least one occasion a rival national oil company appeared to know his firm’s bidding plans in advance of a lease auction, which resulted in his losing the bid. Security experts believe Night Dragon is only one of several similar attacks, of which oil and gas companies are either unaware or afraid to disclose publicly for fear of displeasing investors.[6]

On September 11, 2001, hijackers took control of several commercial airplanes, crashing them into the Twin Towers of the World Trade Center (WTC) in New York City, the Pentagon in Washington, DC, and a field in Somerset County, west of Pittsburgh, Pennsylvania. Almost 6,000 people in total were killed. Besides the human toll, the cost of rebuilding was estimated at over $100 billion (CNN Television News Report, October 5, 2001). Since this time the United States has reacted by defensively spending billions and billions more trying to ensure such a terrorist attack on our soil cannot be repeated.[7]

Is it possible that terrorists could develop a Cyber Terror program to attack our power grid, harm our drinking water, cripple our communication capability or neutralize our military? Of all the dark and sinister ways the bad guys have been using and abusing the Internet, combined with future potential doomsday scenarios, how do we determine those that matter the most in order to focus our resources and reduce the affect of real and present cyber dangers? Let’s start by debunking some of the unlikely candidates and myths that matter much less.

Within the United States there are tens of thousands of separate water systems, many operating with their own network infrastructure and software. To impact national water utilities would require a serial attack on each system, not easily undertaken. Physical assaults typically associated with extreme weather, have disabled some water utilities, but only for a matter of days and only to a very limited extent. System problems have not affected water availability to any significant extent.

Some have argued cyber-terrorists could attack and shut down our power grid. In fact the 3,000 or so utilities, public, private and co-operative are highly integrated and connected. But the various electrical power providers use mostly different software and MIS technologies to operate their controls for power generation and transmission. An attacker would have to settle for a few vulnerabilities identified in a minority of the thousands of providers and even then there is no evidence that disruption would be prolonged to any great extent.

Could a hacker get control of one of our commercial or military aircraft? Even though there is a lot of technology and hardware including microprocessors and communication equipment aboard today’s aircraft, the plane is still subject to the pilot’s control of it, so even this fear is unfounded. (One exception is recently Iran did manage to lock into the right frequency in order to land an unmanned US drone in their country).

Another thesis of fear promulgated is how China (for example) could disrupt our banking system (Iran seems lately to be working on this very thing, although thus far without too much damage to banks’ data and data security) and bring about economic collapse in the United States. Possible, but unlikely, and here is why: China holds US$1.3 in United States Treasury Bonds. If the yield on these bonds was impacted by adverse economic conditions in the United States, China’s own sovereign wealth would be severely and negatively impacted. Most large economies around the world are hurt economically whenever the US economy suffers.

Of all of the possible challenges we face with Cyber Crimes, most can be managed, and the costs of the negative impacts are far outweighed by the many benefits our interconnected information superhighway provide to people around the world. But there remains one rather significant issue that we must address with a variety of ways and means, utilizing every possible tool at our disposal. This is the problem of Cyber Espionage. The legacy of the United States is its inventiveness, its innovation, and technological breakthroughs — the “knowledge” that has been created — especially in the past 50-100 years. All of this is protected by a variety of legal sanctions whether trademarks, patents, copyrights, with a huge accretive economic impact in the form of royalties and licensing fees.

If a rogue country is sanctioning cyber espionage in order to glean technology, learn trade secrets, understand and reverse engineer drugs, electronics, or radar-evading aircraft, that country gets an unfair leapfrog jump without having had to pay for it.[8] We measure the costs of Cyber Espionage in terms of direct costs (lost sales and market share), indirect costs (increased competition and related disadvantages caused by competitors learning trade secrets) plus defensive costs (increasing the robustness of the firm’s firewalls and security to prevent a future breach).

It has been estimated that Cyber Espionage costs the United States at least $100 billion per year. But that is only the direct and measurable costs.[9] The indirect and defensive costs are certainly much larger. Companies invest heavily in Internet safeguards such as firewalls and other security systems to prevent an unwanted breach of their company network. Yet, smart hackers continue to upgrade their capability and find ways to circumvent increasingly robust computer systems. This in turn leads to more company investment to continuously improve upon and strengthen and protect the company data.

Knowledge management focuses on capturing and sharing knowledge. Because of this, KM researchers tend to focus on issues related to knowledge capture, storage, and sharing. However, because knowledge is valuable, it is a target needing to be protected. KM researchers and practitioners need to think security and explore how important security skills are to KM practitioners and researchers. Increasingly new KM job postings are showing up and MIS departments are investing in and making knowledge security a corporate priority.[10]

The indirect costs are far greater however. Within the United States companies spend a total of almost half a trillion dollars each year on research and development. This is the investment that leads to new breakthrough technologies, novel, less expensive, and qualitatively superior products, and drugs and medical equipment to treat or even cure various diseases. If a rogue country such as China can glean this technology for themselves and for free, they have an immediate an unfair advantage, gaining knowhow they spent almost nothing to acquire, utilizing this free knowhow as a platform to move their own technology further along.[11]

Recently President Obama has spoken out to directly implicate China conducting Cyber Espionage, going so far as to name the location in Shanghai allegedly housing the prolific hackers: the computer security firm Mandiant, that identified P.L.A. Unit 61398 near Shanghai has been named as the likely source of many of the biggest thefts of data from American companies and some government institutions. [12]

China’s extensive cyber research activities and allegations over cyber espionage have put the United States on high alert.

XI’AN, CHINA—The leaflet posted in the school of information engineering here at Xi’an Jiaotong University was brief but enticing, offering computer-savvy graduates a hefty stipend and the chance to serve their motherland. “I was curious,” says Liu, who asked that only his surname be used in this article. It was the spring of 2007, and Liu, then 24 years old, was wrapping up a master’s degree in computer algorithms. Encouraged by his supervisor, Liu called the number on the leaflet; that summer, he joined an elite corps of the People’s Liberation Army (PLA) that writes code designed to cripple command-and-control systems of enemy naval vessels.

PLA writings call the electromagnetic spectrum “the fifth domain of battle space,” putting cyberspace on an equal footing with ground, air, sea, and space. Cyber conflicts “threaten national security and the very existence of the state,” two scholars with the Academy of Military Sciences wrote in China Youth Daily in 2011. State media regularly tout PLA activities in cyber defense, a catchall term encompassing everything from surveillance and espionage to weapons such as electromagnetic pulse generators that disable computer networks and malware designed to take down power grids or contaminate water supplies. Augmenting PLA efforts is a legion of civilian researchers and hackers whose efforts ostensibly are directed at repelling electronic intruders. In 2011, more than 8.5 million computers in China “were attacked by rogue programs every day,” a 48% increase over the previous year, says Li Yuxiao, a cyber law expert at Beijing University of Posts and Telecommunications.[13]

“Only three months ago, we would have violated U.S. secrecy laws by sharing what we write here—even though, as a former director of national intelligence, secretary of homeland security, and deputy secretary of defense, we have long known it to be true,” write Mike McConnell, Michael Chertoff and William Lynn.[14] “The Chinese government has a national policy of economic espionage in cyberspace. In fact, the Chinese are the world’s most active and persistent practitioners of cyber espionage today.”

“Evidence of China’s economically devastating theft of proprietary technologies and other intellectual property from U.S. companies is growing. Only in October 2011 were details declassified in a report to Congress by the Office of the National Counterintelligence Executive. Each of us has been speaking publicly for years about the ability of cyber terrorists to cripple our critical infrastructure, including financial networks and the power grid. Now this report finally reveals what we couldn’t say before: The threat of economic cyber espionage looms even more ominously.”

What will be needed to combat this seemingly intractable problem? A multi-pronged solution has recently been proposed, providing complete coverage of how to ensure the protection of company proprietary information and assets, including how to develop an effective corporate counterespionage program. Written by a former veteran of the Office of Naval Intelligence, the program provides guidelines to determine the current threat level to an organization’s proprietary assets as well as the physical security countermeasures, policy, and procedures that must be in place to establish an effective counterespionage program. This comprehensive approach is what is called for, a systems approach, multi-faceted to address protecting sensitive data and trade secrets in a corporate security setting, organizations that have proprietary information and assets to protect, businesses that have operations or partner with companies overseas such as China, organizations that work with the federal government on classified projects, security and counterespionage professionals, and university degree programs in Homeland Security and intelligence. [15]

We need to move beyond simply calculating explicit direct costs of Cyber Crime, as mentioned earlier, approximately $100 billion in the US annually and $400 billion worldwide.[16] This is only a relatively small part of the cost involved. A broader more complex solution must be aggressively undertaken to protect our national interests and the knowledge and knowhow our country’s organizations have spent so much time and capital developing. The sense of urgency cannot be overstated and besides the prophylactic systems-approach aimed at reducing the problem, a head-on confrontation demanding rogue states halt their state-sanctioned hacking immediately, must be met with very serious consequences if compliance is not forthcoming.

 

 

 

 

[1] Ogas, O., & Gaddam, S. (2011). A Billion Wicked Thoughts: What the Internet Tells Us About Sexual Relationships. Penguin.

[2] Home Affairs Committee, & Great Britain. Parliament. House of Commons. (2013). E-Crime: Fifth Report of Session 2013-14 [electronic Resource]: Report, Together with Formal Minutes, Oral and Written Evidence.

[3] Axelrod, R., & Iliev, R. (2014). Timing of cyber conflict. Proceedings of the National Academy of Sciences, 111(4), 1298-1303.

[4] Lewis, J., & Baker, S. (2013). The Economic Impact of Cybercrime and Cyber Espionage.

[5] Sliva, A. (2013, August). A Policy Analysis Framework for Cybersecurity Operations. In Social Science, Computer Science, and Cybersecurity Workshop Summary Report (p. 26).

[6] Clayton, B., & Segal, A. (2013). Addressing Cyber Threats to Oil and Gas Suppliers.

[7] McGavran, W. (2009). Intended consequences: regulating cyber attacks. Tul. J. Tech. & Intell. Prop., 12, 259.

[8] Nakashima, E. (2013). US Target of Massive Cyber-Espionage Campaign. Washington Post.

[9] Benny, D. J. (2013). Industrial Espionage: Developing a Counterespionage Program.

[10] Jennex, M., & Durcikova, A. (2014, January). Integrating IS Security with Knowledge Management: Are We Doing Enough to Thwart the Persistent Threat?. In System Sciences (HICSS), 2014 47th Hawaii International Conference on (pp. 3452-3459). IEEE.

[11] Polatin-Reuben, D., Craig, R., Spyridopoulos, T., & Tryfonas, T. (2013, October). A System Dynamics Model of Cyber Conflict. In Systems, Man, and Cybernetics (SMC), 2013 IEEE International Conference on (pp. 303-308). IEEE.

[12] Sanger, D. E. (2013). U.S. Blames China’s Military Directly for Cyberattacks. The New York Times.

[13] Stone, R. (2013). A Call to Cyber Arms. Science, 339(6123), 1026-1027.

[14] McConnell, M., Chertoff, M., & Lynn, W. (2012). China’s Cyber Thievery Is National Policy—And Must Be Challenged. The Wall Street Journal.

[15] Benny, D. J. (2013). Industrial Espionage: Developing a Counterespionage Program.

[16] Anderson, R., Barton, C., Böhme, R., Clayton, R., van Eeten, M. J., Levi, M., … & Savage, S. (2013). Measuring the cost of cybercrime. The Economics of Information Security and Privacy, 265-300.

Rodd Mann, Doctor of Education candidate (Ed.D.) at Concordia University 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s