Cybersecurity and Cyberwar

Authors: Peter W. Singer, Allan Friedman

Even if data were available, defining the costs of cybercrime isn't that simple. Direct costs fall not only on the direct victims but also on intermediaries like banks and ISPs that have to handle spam volume. These indirect costs can really add up. By 2013, an average firm of 1,000 employees or more was spending roughly $9 million a year on cybersecurity, whether it was a bank or paint maker. One can think of these costs as a collective tax we all pay, resulting from the infrastructure that supports criminal enterprises, like the costs of cleaning up botnets, and the ancillary harms of an untrustworthy cyberspace, including the reduced use of money-saving online services. This is in addition to the money, time, and effort spent mounting a defense, from technical defenses at the organizational level to the cost of law enforcement, all of which could be put toward more useful endeavors. When viewed holistically, cybercrime imposes a substantial cost across society, and defending against it requires an appreciation of modern cybercriminals' true sophistication.

A different way of looking at cybercrime is not the costs, but the size of its business. One approach is to examine cybercriminal income, but here too it gets complex, not least because few report their incomes. The money can certainly be good. According to prominent cybersecurity expert Jim Lewis, “Cybercrime pays well. One pair of cybercriminals made $2 million in one year from click fraud on Facebook. Another pair created those bogus malware warnings that flash on computer screens—the FBI says those cybercriminals made $72 million from people paying to have the phony threats ‘removed.' A gang in Russia extracted $9.8 million from a U.S. bank over Labor Day weekend in 2008.… Million-dollar crimes probably happen every month, but are rarely reported.”

Other attempts do a great deal of harm but yield little reward for the criminal. Rogelio Hackett Jr. was convicted in 2011 of stealing credit cards linked to $36 million in fraud. Although his crimes spanned seven years, this criminal mastermind was not about to retire on his ill-gotten gains. According to court filings detailing his nefarious deeds, “In all, the defendant personally received over $100,000 from his credit card fraud scheme.”

The point is that most types of cybercrime require organization for execution as well as profitability. Each successful fraud requires many different steps that are often individually worth relatively little.

So the scale of cybercriminal activity is another way to approach cybercrime. Investigators and researchers have had the opportunity to study the organization of cybercrime by infiltrating digital “black markets,” where criminals trade the necessary components of their schemes. Forum sellers post offers for spam, credit card numbers, malware, and even usability tools. When we started writing this book, a twenty-four-hour denial-of-service attack was listed on a major black market for only $80, while a mere $200 would pay for “large projects.”

In any market, even black markets, customer relationships are important. As one criminal posted, “Price for a million of delivered mails is starting at $100, and drop real fast, practically to $10, for regular clients. Selection of countries is free.” These independent brokers don't represent the entire threat, though. More enterprising criminals vertically integrate; that is, they control the entire process from top to bottom. Security expert Eugene Spafford describes this as the far more daunting cybercriminal threat: “It is well-funded and pursued by mature individuals and groups of professionals with deep financial and technical resources, often with local government (or other countries') toleration if not support.”

As in weighing cybercrime's costs, scale also matters more in indirect ways. In the same way that a drug den opening up in a neighborhood will drive away customers from other local businesses, a growth in these cybercrime organizations and black markets can undermine trust in the broader digital systems that make all business more efficient. If we come to believe that every e-mail claiming to be from our bank is a phishing attempt, for instance, then our banks can no longer effectively communicate via e-mail.

The ultimate risk is that the ever-growing scale of cybercrime will undermine the broader system. If banks decide that the fraud rate from stolen banking credentials is greater than the cost savings and customer service benefits of online banking, they may just turn it off.

Yet this is where cybercriminals differ from more traditional crooks; they, too, have a stake in the system. The vast majority of cybercriminals are parasites, interested in leeching off as much value as they can rather than destroying the system. And that may be the fundamental difference between cybercrime and other types of online harm we explore later, like espionage, war, and terrorism.

Fortunately, this “world of tomorrow” playing out today is not all bad news. The old books about the future may have predicted “computer crime,” but they also depicted how we would solve it. The scary future criminals would be chased down by futuristic policemen armed with ray guns.

“Nevertheless, a computer criminal may succeed now and then and the detectives of the future will have to be highly skilled computer operators. There will probably be police computer-fraud squads, specially trained to deal with computer crime. Here you can see a squad arriving at the home of a computer criminal and arresting him as he makes a dash for it. He is clutching a computer cassette that contains details of his computer crimes, and the police will need this as evidence to prove that he is guilty.”

We'll get to this in Part III, where we explore the path to a more secure cyberspace, which fortunately doesn't require ray guns.

Shady RATs and Cyberspies: What Is Cyber Espionage?

In 2011, Dmitri Alperovitch and a team of threat researchers at the cybersecurity firm McAfee cracked the logs of a command-and-control server that they suspected had been part of a series of cyberattacks. The attacks were like many other APTs. They went after specific targets, often using spear-phishing e-mails aimed at particular individuals with the right level of access inside an organization. Once downloaded, malware communicated back to a command-and-control server. Live intruders then remotely jumped onto the infected machine and used their new access to move across the network, implanting even more malware and exfiltrating key data. So, in many ways, “Operation Shady RAT,” as it came to be called (after the notion of a Remote Administration Tool), was rather unremarkable.

But as it began to analyze the logs, the McAfee team pieced together that something much bigger was going on. This wasn't a case of hacktivists seeking attention or cybercriminals pursuing monetary gain. The attackers, as Alperovitch described, had bigger things in mind; they seemed motivated by “a massive hunger for secrets.” This one group had spent five years targeting files everywhere from governmental national security agencies to solar energy companies. One major US news organization saw its New York headquarters and Hong Kong bureau compromised for over twenty-one months, while the World Anti-Doping Agency's internal files were cracked right before the 2008 Beijing Olympics.

And the logs showed the attackers had been hugely successful, ultimately penetrating seventy-two major targets around the world. The data they made off with included national security secrets, product design schematics, and negotiation plans. As he added up the scale of what “had fallen off the truck” in terms of overall national and economic security value, Alperovitch realized he had just watched one of the biggest thefts in history unfold in slow motion on his computer screen. While he declines to explicitly identify the attackers, preferring to speak only on known specifics, Alperovitch does say the effort had all the hallmarks of a state-related campaign, given the range of secrets targeted, and that the state likely behind the efforts certainly had a strong interest in Asia. If this were a Harry Potter novel, China was Voldemort, the large Asian cyber power that “shall not be named.”

Shady RAT illustrates an important change in the art of stealing secrets. Before the computer came along, governments and other actors would keep their secrets in locked file cabinets, behind a locked door, in a locked building, and behind high walls. Today, though, if that information is to be useful in any way, it's stored in a digital form on a computer that is connected to a network. Even in organizations as secretive as the CIA, analysts must use computers (invisible ink has gone the way of the shoe phone) to send and receive classified information across offices and agencies, especially if they ever want to do something like connect the dots needed to stop a terrorist attack.

The problem, as we explored earlier, is that many of these networks are not as secure as their users may think. And so while computer networks are allowing groups to work more efficiently and effectively than ever before, they are making it easier to steal secrets. We have entered what one security organization calls the “golden age” of intelligence. As one report notes, “Nations don't need expensive ground stations, satellites, airplanes or ships to spy. Global intelligence capabilities now just need a few laptops and a high-speed connection.”

Cyber espionage is the use and targeting of computers to obtain a secret of some sort. Much like other forms of espionage, it is clandestine (i.e., not using open means) and usually involves a government agency. This digital form of intelligence gathering dates at least to 1982, when Soviet KGB spies reputedly stole a Canadian firm's software that had been laced with a logic bomb secretly planted by the CIA. It is in the twenty-first century, however, that digital espionage has truly taken off. Every intelligence agency in the world operates in this realm, and every country has been targeted. As an example, in 2009 researchers uncovered a network of 1,295 infected host systems in 103 countries. This “GhostNet” had targeted foreign affairs ministries, embassies, and multilateral organizations in places from Iran and Germany to the Tibetan government in exile. While the origin of the operation was never confirmed, researchers pointed out that the servers utilized were all located on Hainan Island in China. But before we point too many fingers at China for operating in this realm, remember that the United States is just as active; indeed, large parts of its intelligence apparatus, like the aforementioned CIA and NSA, are dedicated to this same mission; the 2013 Snowden leaks showed 213 of these operations in 2011 alone.

One of the big changes from past espionage, though, is not just the global scale of cyber operations but their increasingly economic quality. In many circumstances, the advantage a state gains from stealing such secrets is fairly direct and obvious. Examples range from the theft of several Western governments' preparatory documents for the G-20 summit in 2011, which would have given the other sides an edge in international negotiations, to a spate of attacks targeting the F-35 fighter jet's design and manufacturing process. Intended as the West's next-generation, highly computerized, stealthy plane, the F-35 program's computer networks have instead been penetrated at least three times. In one instance, intruders compromised the plane's onboard systems responsible for diagnosing mid-air maintenance problems. The attackers gained access as the plane was literally in the midst of a test flight!

And as with Shady RAT, these losses affect both national and economic security. The data taken from the F-35 program, for instance, has to be weighed both in terms of the billions of dollars of research that the attacker gained for next to nothing as well as of the informational edge it might have on a future battlefield. Jason Healey, a retired US Air Force officer, was a “plankholder” (founding member) of the Joint Task Force–Computer Network Defense, the world's first joint cyberwar-fighting unit. He compares the strategic impact of this kind of theft to cancer. “You can't see it, but it will kill a lot of us as we get older.”

But many see a broader espionage campaign that is not just about traditional security per se, but economic competitiveness. Today's modern economy is driven by innovation, while cyber theft provides a low-cost shortcut. As Greg Garcia, assistant secretary for cybersecurity at the US Department of Homeland Security, puts it, “Any country that wants to support and develop an indigenous industry may very well use cyber espionage to help do that.” Indeed, Dmitri Alperovitch believes the scale of such theft is even more significant than the large but lone Shady RAT operation he uncovered. “I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly), with the great majority of the victims rarely discovering the intrusion or its impact. In fact, I divide the entire set of Fortune Global 2000 firms into two categories: those that know they've been compromised and those that don't yet know.”

This cross between digital espionage of a political and business nature is why fingers typically get pointed at China. A key concern in Beijing, which has more state-run and state-affiliated corporations than its trading partners, is how to keep China's economy growing at its incredibly fast pace. But its challenge is not just a matter of continued growth, but of capturing more of that growth's value. Over the last generation, China's economy primarily produced goods using foreign intellectual property. It worked to jump-start the Chinese economic boom, but it is not the most attractive approach in the long term; the Chinese factory that made early model iPhones, for example, earned only about $15 per phone for assembling a $630 iPhone.

As it tries to become the world's largest economy, experts argue that the Chinese government is increasingly turning to cyber espionage to maintain its expansion. “They've identified innovation as crucial to future economic growth—but they're not sure they can do it,” says Jim Lewis, an expert at the Center for Strategic and International Studies. “The easiest way to innovate is to plagiarize.” Accusers cite evidence ranging from the disconnected sales figures for high-tech computer software (China is oddly the world's second-largest market for computer hardware sales but is only the eighth-largest for software sales) to more mundane illustrations, such as the manufacture of a certain type of furniture in China, shortly after the cyber theft of its design.
