Reported cybersecurity incidents at federal agencies have risen 680 percent in six years, the Government Accountability Organization testified today — and note that key word “reported,” which means that’s just the ones we know about. Nor is the current threat merely the malicious “script kiddies” of yesterday: It’s increasingly hardened criminals and even nation-states, including China, which Cyber Command chief Gen. Keith Alexander has publicly called out for hacking internet security giant RSA. So as much as the reported incidents have increased, with the more sophisticated bad guys, you may never even know that you’ve been hacked.
“State-sponsored attacks [are] characterized by avoiding any kind of activity that is going to make unnecessary noise,” said security consultant Eric Friedberg, a former Assistant US Attorney specializing in cyber-crimes. “The attackers test all of their special exploits, all their special malware, against commercial anti-virus and commercial anti-spyware programs. So if commercial anti-virus such as McAfee or Symantec throws up flags when a particular exploit is [tested], then attackers go back to the drawing board”: They won’t even use a particular technique against their real target until they’re confident it won’t trigger alarms.
Today’s hackers aren’t adorable kids that would be played by Matthew Broderick in the movie. “When I started prosecuting computer crimes in the mid-1990s, the prevalence of ‘script kiddies’ pulling off prankish computer hacking was high,” said Friedberg. “Folks aren’t so much worried about script kiddies anymore because there’s just hundreds of millions of dollars of real damage being driven by the more serious groups. 2011 was just a banner year for both state-sponsored agents and hacktivists.”
Conditions in China in particular are so bad that some companies don’t even issue laptops to employees travelling there, just “thin clients,” Friedberg said, “just a dumb screen that connects back to the US server” but which doesn’t even have the capacity to store any sensitive data (which might be stolen) or download programs (which might be malware). But moving computing functions from your own computer to some central server via “the cloud” can sometimes create as many security problems as it solves, Friedberg warned. “I’m doing a cloud incident response right now, [where] the company’s servers are at some cage in upstate New York… When we are showing up to do the incident response there’s nobody at the cloud provider to help us gain access to anything, [and] they’re throwing all sorts of roadblocks up in our face.” Nor is that a unique case: “A lot of times what we’re finding is the cloud provider is not set up to help [with incident response],” he said, “and you can’t do a lot of that as quickly when you’ve outsourced it all.”
In the federal IT world, the intelligence agency approach to cybersecurity is to unplug, putting sensitive data on networks that physically can’t connect to the internet at all. (The term of art is that these networks are separated from the internet by an “air gap.”) But there are some less radical solutions out there.
The largest network in the world is actually US government-run, the massive Navy-Marine Corps Intranet (NMCI). Once a paradigm of government IT megaprojects gone amuck, NMCI is now a functioning system with over 800,000 users and, at least according to lead contractor Hewlett-Packard, a security record as good as many “airgapped” Defense Department networks that don’t connect to the internet at all.
“In the nineties, the way you defended a network was to build firewalls to keep people from penetrating the outer defenses,” said Bill Toti, a retired Navy captain who now handles all Navy and Marine Corps business for HP. But once an attacker gained access — or if they were a disgruntled insider who had legitimate access from the start — the system was wide open. Today, said Toti, the key is “monitoring behavior of applications [i.e. programs] and of users, and you have systems that look for something that doesn’t look right,” like a user accessing files they normally wouldn’t need to do their job. That’s the kind of “defense in depth” that’s going to become increasingly necessary in both the federal and the commercial world.
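To make concrete what “monitoring behavior of users” looks like in practice, here is an added example that is not part of the article and is not code from HP or from NMCI. It learns, per user, which top-level file areas each user normally touches from a historical access log, then flags new events that fall outside that baseline or outside assumed working hours (07:00 to 19:00). The log format, the user names, the paths and the time window are all constructed for illustration; a real deployment would read file-server audit logs and tune the baseline window and thresholds to its own environment.

```python
"""Toy behavioral file-access monitor (constructed example, not a product).

Signals implemented:
  1. A user reads/writes in a file area they never touched during the baseline period.
  2. Access happens outside an assumed working-hours window.
A user with no baseline at all is reported separately so that a brand-new
account does not silently pass or get flagged on every single event.
"""
import re
from collections import defaultdict

# Constructed historical log: "<ISO timestamp> <user> <action> <path>".
BASELINE_LOG = """\
2012-03-01T09:02:11 alice READ /shares/finance/q1_budget.xlsx
2012-03-01T09:15:40 alice READ /shares/finance/invoices/inv-1001.pdf
2012-03-01T10:01:03 alice WRITE /shares/finance/q1_forecast.xlsx
2012-03-01T09:05:22 bob READ /shares/engineering/specs/radar.docx
2012-03-01T11:30:45 bob WRITE /shares/engineering/src/build.log
2012-03-02T08:59:10 alice READ /shares/finance/invoices/inv-1002.pdf
2012-03-02T09:20:00 bob READ /shares/engineering/specs/antenna.docx
"""

# Constructed new activity to evaluate against the baseline.
NEW_LOG = """\
2012-03-03T02:14:09 alice READ /shares/engineering/specs/radar.docx
2012-03-03T09:01:17 alice READ /shares/finance/q1_budget.xlsx
2012-03-03T03:40:55 bob READ /shares/hr/salaries.xlsx
2012-03-03T03:41:02 bob READ /shares/hr/performance_reviews.docx
2012-03-03T10:05:00 bob READ /shares/engineering/src/main.c
2012-03-03T10:06:00 carol READ /shares/engineering/src/main.c
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<action>READ|WRITE|DELETE) (?P<path>\S+)$"
)


def parse(log: str):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def area_of(path: str, depth: int = 2) -> str:
    """Reduce a path to its first `depth` components, e.g. /shares/finance."""
    parts = path.strip("/").split("/")
    return "/" + "/".join(parts[:depth])


def build_baseline(log: str) -> dict:
    """Map each user to the set of areas they touched in the history window."""
    baseline = defaultdict(set)
    for ev in parse(log):
        baseline[ev["user"]].add(area_of(ev["path"]))
    return dict(baseline)


def detect(log: str, baseline: dict, work_hours=(7, 19)) -> list:
    """Return one alert per event that violates a baseline or the hours window."""
    alerts = []
    for ev in parse(log):
        reasons = []
        area = area_of(ev["path"])
        known = baseline.get(ev["user"])
        if known is None:
            reasons.append("no baseline for user")          # new or unknown account
        elif area not in known:
            reasons.append(f"area {area} outside baseline {sorted(known)}")
        hour = int(ev["ts"][11:13])                          # HH from the ISO timestamp
        if not (work_hours[0] <= hour < work_hours[1]):
            reasons.append(f"off-hours access at {hour:02d}:00")
        if reasons:
            alerts.append({"user": ev["user"], "path": ev["path"],
                           "ts": ev["ts"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(NEW_LOG, build_baseline(BASELINE_LOG)):
        print(alert["ts"], alert["user"], alert["path"], "|", "; ".join(alert["reasons"]))
```

Two design points are worth noting. The baseline is keyed on a coarse “area” rather than on exact file names, so routine new documents inside a user’s normal territory do not fire; and an event accumulates reasons rather than stopping at the first one, so an analyst can rank the off-hours read of an unfamiliar share above a single lunchtime stray click. In a real system the hard part is not this logic but keeping the baseline current as roles change, which is exactly the tuning work that makes this kind of monitoring an operational commitment rather than a one-off install.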