
Is Online Theft of Intellectual Property the Biggest Threat to National Security?

By Andy Purdy and Nick Hopkinson 1

I.

Introduction

Much of the public discussion about significant threats in cyberspace has focused on national security threats, cyber crime, and short-term malicious activity for economic, political, or public relations gain. Too often each threat is seen as a discrete problem that is approached in a reactive manner geared to the intended targets rather than as a larger, interconnected problem -- really a continuum of malicious activity -- that requires a strategic and proactive approach by key government and private sector stakeholders working together, both nationally and internationally. It is in the national security interests of the alliance between the United States and the European Union to address this problem forthwith.

Despite the best efforts of policy makers and strategists, the current approach encourages a range of tactical responses to the most immediate and visible problems. This can result in less attention being paid to some significant but longer term and less visible aspects of the problem, the most important of which is the large-scale, systematic theft of intellectual property. It also promotes an essentially defensive posture towards the threat with most protective measures being taken inside the networks and environments of the targeted organizations. Meanwhile, the attackers are able to roam freely across the Internet, setting up and moving their command and control points between different locations and jurisdictions to avoid detection and attribution, or can take control of the machines of thousands of users in support of their operations. Currently, the balance of advantage lies with the attacker and, unless there is a radical shift in the terms of engagement, it will never be resolved favorably. Hence, we need to work out how to achieve this radical shift and adopt a more proactive strategy that dramatically erodes the critical advantages of the attacker.

Andy Purdy, based in Falls Church, Virginia in the U.S., is chief cybersecurity strategist for CSC and helped to found and formerly headed the National Cyber Security Division and U.S. CERT at the Department of Homeland Security. Nick Hopkinson, based at Aldershot in the United Kingdom, is CSC's Cyber Security Director for the EMEA region and formerly served as the Chief Information Officer for GCHQ, one of the UK Intelligence and Security Agencies.

II.

A Strategic View of the Threat

If we are to adopt a truly strategic approach to the cyber security problem, we need to consider the threat from a strategic perspective. One aspect of the strategic threat that continues to be the focus of attention is the possibility of a devastating attack by a nation state or terrorist group, like the Japanese attack on Pearl Harbor in 1941 or the attack on the World Trade Center in New York on September 11, 2001. The targeted attacks on the Georgian infrastructure in 2008 and the discovery of Stuxnet in the industrial control systems of the Iranian nuclear facilities at Bushehr and Natanz are just two examples which illustrate the capability and intent of some threat actors to contemplate and execute such attacks.

The threat of such attacks has reportedly led the Pentagon's new Cyber Command to "seek[ing] authority to carry out computer network attacks around the globe to protect U.S. interests."2 Deputy Secretary of Defense William Lynn recently wrote in Foreign Affairs about the significance of the threat, and the U.S. Departments of Defense and Homeland Affairs announced that they had signed a Memorandum of Understanding to exchange cyber experts to increase the level of coordination to enhance the preparedness of the U.S. for a cyber attack. White House Cybersecurity Coordinator, Howard Schmidt, has publicly stated that his office is reviewing available legal authorities to make sure they do not pose an obstacle to an effective response.

Pentagon is Debating Cyber Attacks, Washington Post, 11/6/2010, p. 1.

At the other end of the spectrum are the equally dramatic attacks launched for political or publicity purposes, often by groups of amateur hackers. The recent use of botnets by various groups to mount distributed denial of service (DDoS) attacks on Amazon, PayPal, Visa, and other organizations, which had withdrawn their services from the Wikileaks organization, was successful in attracting a high degree of publicity and thus was an arguably effective means of protest against the perceived actions of the companies involved.

There are a number of other equally significant and strategically damaging threat types which need to be given at least the same degree of consideration. One such area is cyber crime where the number of groups engaged, their sophistication and resources, and their evident success indicate this is an issue of strategic importance. It is not just the drain in national wealth measured in the losses incurred by banks and other organisations, but it is the damage it does to the confidence of consumers in using online services that acts as a significant brake on economic growth and, hence, national prosperity. This alarming growth in cyber crime is almost certainly linked to the fact that in cyberspace there are virtually no consequences for malicious activity. When one compares the reported frequency and magnitude of cyber crime with the number of persons caught, much less convicted and sent to jail, it is clear that malicious actors have the upper hand. Yes, it is undoubtedly true that we need resources for investigations and prosecution, and nations around the world need a more effective legal construct to provide a foundation for investigation and prosecution, and they need to be able and willing to cooperate regarding cross-border criminality.3

There are a number of long-standing efforts to tackle the problem of cyber crime internationally, including: the G8 Subgroup on High-Tech Crime, INTERPOL with the help of their experts group on cyber crime, NATO and their Cyber Defense Management Authority and their Computer Incident Response Capability, the European Convention on Cyber Crime, and the U.S. Secret Service's European Electronic Crimes Task Force. For more details see the General Accountability report (GAO, 10-606, CYBERSPACE: United States Faces Challenges in Addressing Global Cybersecurity and Governance Challenges, July 2010).

We have to decide how to measure success. Do we do so by tracking the number of persons convicted and punished, or do we need to expand our focus to pursue a broader agenda? Should not our purpose be to reduce the frequency, impact and risk of wrongdoing, and develop and implement a strategy to do so?

Perhaps the most important, under-addressed component of the cyber threat is the targeted theft of intellectual property from major companies around the world. This threat is not theoretical and it is not something that might happen in the future. Perhaps the most public evidence of this threat occurred in December 2009, when Google was overwhelmed by attacks emanating from China attempting to steal, and reportedly succeeding in stealing, their intellectual property -- their crown jewels; specifically, a password system that controls access by millions of users worldwide to almost all of the company's Web services, including email and business applications.4 The attacks were so sophisticated that Google had to ask the US government -- specifically the National Security Agency -- for help.

Earlier this year, U.S. Deputy Secretary of State William Lynn spoke about the cyber threat targeting intellectual property as one of the least discussed of the four overlapping cyber threats facing the United States (the others being threats to military networks, to the nation's critical infrastructure, and the risk of tampering in the supply chain).5 He referred to the exfiltration of key parts of Google's source code that were part of a larger sophisticated operation that also targeted dozens of other companies; he noted that the U.S. defense industry has similarly been targeted, noting that designs for key weapons systems have been stolen.6

John Markoff, Cyberattack on Google Said to Hit Password System, New York Times, April 19, 2010.

William Lynn, Remarks at the Stratcom Cyber Symposium, May 26, 2010. http://www.defense.gov/speeches/speech.aspx?speechid=1477.

The U.S. military cyber head, Cyber Command chief Army Gen. Keith B. Alexander, earlier this year said that while the Internet is a tremendous capability, it also is an enormous vulnerability, and noted that approximately $300 billion [of U.S.] intellectual property is stolen over the networks per year out of a total value of about $5 trillion.7 An ambassador from the European Union recently told one of the authors of this article that the threat to intellectual property is very serious and agreed with the view that it has national security significance, and that the U.S. and EU alliance must take action against the threat. Little publicity has been given to such attacks in Europe, possibly because companies are understandably reluctant to reveal the incidence and extent of their IP losses due to the likely adverse consequences. Baroness Pauline Neville-Jones, the UK Security Minister, recently stated that companies are reluctant to share information on their losses because they fear exposing the attacks may damage their reputation. We need to find a way of dealing with that. Nevertheless, the impacts are likely to be as significant.

The threat to intellectual property is less dramatic than a cyber attack on our infrastructure. But it may over the long term be the most significant cyber threat our nations face given the long term impact on the technological advantage and economic competitiveness of the US and Europe. Major companies need to be partnered with governments to stem the surreptitious theft of intellectual property if there is any hope of remaining competitive in the global marketplace.

Ibid.

Cybercom Chief: Cyber Criminals Steal $300 Millions Worth of Intellectual Property Every Year. Thenewnewinternet.com blog. http://www.thenewnewinternet.com/2010/09/24/cybercom-chief-cyber-criminalssteal-300-millions-worth-of-intellectual-property-every-year/.

Well known to current and government officials on both sides of the Atlantic, the systematic theft of intellectual property is taking place in an ongoing and systematic way every day, although it rarely attracts the high profile publicity of those attacks targeted at political or PR impact, or discussions about the danger of a major, disruptive cyber attack. Most companies are understandably reluctant to reveal the incidence and extent of their IP losses due to the likely adverse consequences on brand reputation and shareholder value; however, most major US and European corporations and academic institutions are likely to have been attacked, in many cases successfully, sometimes undiscovered by the victim. The damage is difficult to quantify due to the insidious and cumulative nature of the attacks but its overall impact on the long-term economic competitiveness of the U.S. and Europe is of national security significance.

The U.S. Deputy Secretary of State, James Steinberg, recently told a meeting in Washington that companies who feel they have been victimized by attempts or actual thefts of their intellectual property should contact the Department, which can pursue complaints through the World Trade Organization (WTO). However, there does not appear to be a proactive effort by the Department or others in government to reach out to corporate America to solicit such information so there can be a coordinated effort to protect American interests. The situation appears to be the same in most European countries. The U.S.-Europe alliance must address this threat by a focused initiative led by key governmental and private sector stakeholders that identifies strategic priorities of the problem, and sets goals and objectives, and corresponding milestones, so that the effort can be resourced and its progress tracked.

III.

A Continuum of Malicious Cyber Activity

Cyberspace is similar to the Wild West in the 1800s in the U.S., where too often people did what they could get away with, and the quicker draw won out. Today there is a continuum of activity in cyberspace that ranges from the amateur hacker, to the malevolent opportunist, to the online criminal, to well-organized criminal groups, to nation states and those who serve as their proxies. This lawlessness thrives on an environment in which wrongdoing has its unjust rewards, attribution is difficult, detection is unlikely, punishment uncertain and inconsistent, widespread exploitable vulnerabilities are easy pickings, and user-friendly attack tools make the amateur of today the equivalent of the professional of yesteryear. The risk-reward ratio favors those who profit from the underbelly activities of criminal actors, and makes it all too easy for those with the most serious of intentions and wealth of resources to hide their activities in the white noise of cyberspace. The breadth and depth of malicious activity helps the full range of malicious actors and dooms reactive, under-resourced efforts to short-term frustration and long-term failure.

The over-arching problem is that there are virtually no consequences for malicious activity in cyberspace. In the major capitals of the world we approach the problem of malicious activity like a crime problem -- learn of an incident, catch and punish the criminal, warn the public, and repeat. If there is a growing frequency and impact of a particular kind of crime, the understandable reaction is to beef up the law enforcement effort, work harder to catch the bad guys, and punish them more. In this model, private companies and individuals are largely only a source of information about incidents. The good guys do not have a fighting chance in cyberspace because the bad guys have all the advantages and we are not addressing the problem with techniques and collaboration appropriate to the task. We have to analyze the problem strategically and proactively -- bring together key government and private organizations and develop, resource, implement, and track a plan to reduce the frequency, impact, and risk of malicious cyber activity. The private sector needs to be a true partner in this effort and not just largely a source of information about particular incidents.

One significant challenge in developing and implementing such a strategic approach is the current status of international cooperation. A report in 2010 by the U.S. General Accountability Office focused on cyber incident response, but its findings are equally applicable to the common challenge of the theft of intellectual property:

"Although multiple [U.S.] federal agencies are parties to information-sharing or incident-response agreements with other countries, the [U.S.] federal government lacks a coherent approach toward participating in a broader international framework for responding to cyber incidents with global impact."8

IV.

Drain the Swamp of Malicious Cyber Activity

In responding to this ever-growing tumult of malicious cyber activity, the attention of policy makers has focused primarily on what can be termed a defensive response: hardening networks, locking down systems, enforcing rigorous processes for patching software, implementing more effective monitoring and compliance regimes. Effective cyber defence measures have a key part to play in terms of filtering out the low-level threats and increasing deterrence against the more sophisticated adversary by transforming the cost/benefit equation for the attacker. However, if we are to achieve a decisive shift in the balance of power in our favour, we need to go on to the metaphorical offensive.

Melissa Hathaway, the author of the 2009 White House Cyberspace Policy Review, has spoken forcefully about the imperative to drain the swamp of malicious cyber activity, to tilt the playing field in our favor by concerted action across the entire cyber security community -- Governments, corporations, ISPs -- to reduce, remove or ultimately destroy the assets of the attackers in cyber space. Clearly, one aspect of this can be effected through covert action to disrupt, degrade, or destroy their operations and is beyond the scope of this paper. However, there is much scope for achieving strategic impact through overt action although, given the ease with which attackers can shift their operations from country to country, for such action to be effective it has to be concerted across national boundaries by cooperating governments.

GAO, 10-606, CYBERSPACE: United States Faces Challenges in Addressing Global Cybersecurity and Governance Challenges, July 2010, at 35.

We recommend that the U.S. and Europe launch an initiative to establish a working group made up of key government and private sector stakeholders that would draft a report to detail the underlying problem and its causes and to create a plan to reduce the frequency, impact and risk of malicious activity. Some examples of possible actions that could be taken to help drain the swamp include: (i) an ISP botnet initiative that would focus effort with Internet Service Providers (ISPs) to reduce the prevalence of computers infected with malicious software that can be combined with thousands of other hijacked computers into botnets to create a capability to launch spam and cyber attacks; (ii) an effort to better understand and improve the current norms of behavior between ISPs that help maintain order in the Internet and are designed, among other things, to reduce malicious activity by the ISPs' customers by enforcing their contractual terms of use; (iii) consider how public-private cyber information sharing capabilities might be improved to facilitate, for example, collecting and sharing of information about which ISPs and which owners of IP addresses are the origination or relay points for malicious traffic; and (iv) consider how best practices among ISPs might be improved, and whether, how, and when ISPs might cooperate in blocking uncooperative ISPs and/or developing a system of whitelisting cooperative ISPs.9

See, for example, the Spamhaus Whitelist initiative. http://www.spamhaus.org/whitelist/index.lasso (The Spamhaus Whitelist allows mail servers to separate incoming email traffic into 3 categories: Good, Bad and Unknown. Now you can block known bad email traffic, let known good email traffic pass safely, and only filter unknown email sources. The benefit is better, faster and infinitely safer spam filtering.)

V.

Disrupt the Massive Exfiltration of Intellectual Property

Efforts to drain the swamp of malicious cyber activity, however important and helpful, will not alone address the problem of the online theft of intellectual property. The European and U.S. alliance needs to establish a public-private working group to develop and implement a comprehensive campaign to impede and block the current exfiltration of intellectual property. The key to success in this effort is close international collaboration across the full range of cyber security initiatives so that ultimately the attacker, even if not caught and punished, does not succeed in stealing a significant amount of information from any victim. It is also vital that the range of policies and activities are as closely aligned as possible and applied consistently across as many different jurisdictions as possible. The joint campaign should establish strategic priorities and goals, with corresponding milestones, resources and tracking to ensure implementation and to measure success.

An important part of this campaign is to raise the awareness of the scale and sophistication of the attacks; when the leadership of companies can understand the extent of the potential losses, and the potential long-term damage to their market position, this is more likely to result in their advocacy of the important national and international cyber security initiatives that can help to stem the information losses, as well as to motivate them to invest in improvement of their own internal defences. A series of comprehensive threat briefings at senior level can begin this process but this needs to be followed by the establishment of ongoing and systematic sharing of threat intelligence and situational awareness between government and the key sectors of industry.

The efforts to coordinate strategic actions should encompass the raising of awareness through the systematic sharing of threat intelligence and situational awareness across the international and public-private partnerships, and drive the development and implementation of active programs within nations to help companies determine if they are affected, how to disinfect, and how to manage risk effectively going forward. Government can work closely with the private sector to set voluntary benchmarks for companies to adapt to their sectors and individual ICT infrastructures to establish and implement effective ICT risk management programs. It is critical, though, that companies understand that they cannot manage their risk as an ICT island; they need to work closely with other companies and government on an ongoing basis to share information and work collaboratively to adjust their defenses (people, processes, and technology) in real time going forward.10

VI.

Conclusion

A strategic assessment of the full range of cyber threats generates a new sense of urgency to develop an appropriate response. Whether or not we ever face a devastating cyber event, the large-scale theft of intellectual property and the often associated activities of organized cyber crime groups are a reality now, and together are inflicting ongoing, long term damage to the national security and future economic prosperity of the U.S. and Europe.

We need radical action to shift the balance of advantage away from the attacker. Now is the time to launch an initiative to develop a strategic roadmap to address malicious cyber activity -- particularly the theft of intellectual property -- in a proactive way that uses all available resources, one that includes the engagement of key stakeholders from government and the private sector. This initiative must include a focused effort to collect and share data on malicious actors and those who enable them to operate successfully and frequently anonymously in cyberspace, and identify and leverage available technologies and processes to better secure the transactions, communications, and online interactions between and among individuals and organizations. By more strategically collecting and sharing data we can better connect the dots between the offending activity and those behind it, and we can supplement the traditional law enforcement response with a response that uses the full authorities and resources of government and the private sector. We must recognize that our companies need help from government and their private sector suppliers, customers, and competitors if they are to protect their crown jewels, their intellectual property, so critical to their competitiveness and our economic prosperity. No single effort or initiative will eliminate the cyber threat posed to our government, critical infrastructure, organizations, or individuals, but this initiative can help shift the odds in our favour.

10 See The Security Stack a White Paper for more information on a conceptual model to follow. http://www.csc.com/cybersecurity/insights/53094-the_security_stack_a_white_paper.