Cybertheft could destroy the U.S. economy
August 15th, 2011
02:51 PM ET

Editor's Note: The following is reprinted with permission of the Council on Foreign Relations.

By Jonathan Masters, CFR.org

In August 2011, the cybersecurity firm McAfee released an eye-opening report (PDF) detailing its investigation into a multi-year, most likely state-sponsored cyberattack that includes intrusions into the U.S. federal government and defense contractors, resulting in the theft of massive stores of intellectual property.

The report's author and McAfee's vice president of threat research, Dmitri Alperovitch, describes these attacks, known as Operation Shady RAT, as a profound threat, indicative of a larger trend that may result in "the complete destruction" of the U.S. economy. Rather than focus on the potential for a theoretical "cyber Pearl Harbor," he says that U.S. policymakers should use all of the nation's power to stem the steady theft of national secrets.

Jonathan Masters: What do you see as the broader implications for U.S. cybersecurity policy given these Shady RAT attacks?

Dmitri Alperovitch: The policy discussion to date, at least in open circles, has been a bit misfocused. The challenge has been that everyone has been talking about waiting for this massive event - a "cyber Pearl Harbor" - but what's really happening is that we're suffering a "death by a thousand cuts."

It's not one event, such as our electric grid going down, but rather a wholesale transfer of wealth from our economy (PDF) to our adversaries' economies that's been going on for the last six years or more. The results of these activities, especially theft, will manifest themselves in dramatic ways over the years with reduced economic growth, reduced competitiveness, a loss of jobs and everything that comes with that.

While we should be worried about destructive attacks that can cause widespread damage, physical damage, and even potentially loss of life, the massive espionage (WSJ) that's been taking place is really the more pressing issue.

What's the first step to getting at this problem?

The first thing that needs to happen is an admission of the problem. One of the most striking things about the [Shady RAT] report is that seventy-two organizations are compromised, and not a single one of them - many had known about these infections - had ever reported it. You have this massive activity taking place, and yet our policymakers don't know about it, the public doesn't know about it, and the news media doesn't know about it.

The first thing we need to do is to address the fact that these companies absolutely have to report this. Some of the regulations that require them to do so already exist, at least if they are a public company. The SEC mandates disclosure of any material event. Now there's debate if someone hacks into a system and steals all of your intellectual property: Is that a material event? Most companies have unfortunately decided that it is not. That's one of the things that needs to change in order to make sure everyone in the country understands the magnitude of this problem. When there's a Shady RAT [attack] every single week that's being disclosed in the media, then perhaps we will be much more willing to act to solve this problem.

The scale and volume on which this espionage and theft is taking place is really unprecedented and presents an existential threat to U.S. economic well-being. While it's true that every government engages in some form of espionage, this exceeds any acceptable norms. You cannot equate strategic espionage - such as trying to determine the disposition of an adversary's strategic nuclear deterrent - to this wholesale theft of every sector of the economy.

Generally speaking, who are the perpetrators of cyberattacks?

I divide them into four categories based on capabilities.

At the low end of the scale you have the hacktivist groups, such as Anonymous, and terrorist groups, such as al-Qaeda and Hezbollah. And we're very lucky today - and this may change over time - but these groups do not have significant capabilities to do major damage to our country. Most of what they are doing is a distraction.

The second on that scale is cyber criminals. They certainly range in capabilities, but their motivation is primarily financial. They are not out to destroy the system; they benefit from the system like a parasite benefits from attacking its host. They don't want to destroy the host because it's their livelihood.

On the third end of that scale you have what the industry calls APT (Advanced Persistent Threat) - though not all these threats are advanced - effectively nation-states performing cyber espionage or operations like Shady RAT and Night Dragon. These are much more insidious and much more damaging to our economy than either the cyber-criminal actors, or certainly the hacktivists or terrorist actors. But so far they are not interested in destruction.

Finally, on the top end of the scale you have the military destructive operations or cyber network attack operation (CNA), and those today, on a significant scale, will only be conducted by foreign militaries. And if you think about that prospect, no one is out there to destroy our energy grid for example, unless we're already at war with that country or about to enter into kinetic conflict. So while we should absolutely worry about it, it's highly unlikely that out of the blue that sector gets attacked in a catastrophic way.

What percentage of cyberattacks - the ones discovered by the target entities - are reported?

Below 1 percent. And we've been involved in hundreds of investigations over the years. The reason we could not disclose most of them publicly is because of nondisclosure agreements. None of the companies have ever come forward. Most of the disclosures you've seen in the media, even this year, have been accidental leaks.

What do you say to the critics who claim that this notion of cyberwarfare is exaggerated and that organizations like McAfee are potentially engaging in hyperbole because they stand to profit?

You can accuse us of whatever intentions you want, but try to dispute the facts that we're reporting - that massive sectors of our economy have been compromised and valuable intellectual property has been stolen (NYT). We're not the only ones saying that.

Google was very courageous in announcing their intrusions back in January 2010, and just recently RSA has announced intrusions (Bloomberg), as have Lockheed [Martin] and others. We're not the only ones pointing a finger at this problem. And when you go and talk to an official off-the-record, or even on the record, some will tell you the exact same thing - that it's a massive problem.

I'm not a fan of the cyberwar analogy: Are we at a war? It's a difficult question. Typically when you talk about wars, you expect to see dead people on the streets. We're clearly not seeing that. But is it an existential threat to our country from an economic perspective? Absolutely.

What do you think is missing from the U.S. government's various cyber strategies?

They're very much focused on defense, which is the first step. But this problem is not going to be solved by defense alone. To be clear, I'm not arguing that we go on offense. But I am arguing that we need to raise the level of conversation in bilateral and multilateral discussions with our potential adversaries [such as China and Russia] and make it a major issue on the agenda. We need to bring to bear all of our national power: economic power, political power, and, if it makes sense, perhaps even military power. What is happening today is completely unacceptable and needs to stop.

On that note, is there any progress with identifying the perpetrators of these attacks?

That problem is much more theoretical than practical. Most of the time, you know who's doing it. It may be classified, but the government is fully aware who these actors are in most cases. Even when you don't have technological proof of their culpability, you do have the cui bono argument of who benefits. While there are circumstances in which rapid real-time attribution may be difficult, in hindsight virtually every case that is serious in nature can be tracked down and attributed.

How much of the problem of cyber criminals and cyber espionage is technical and how much is human error? For example, people falling victim to these spear-phishing scams and so on.

It's both. But [the attacks] are getting better and better to the extent that you can't blame the victim for this. One of the problems we have in this industry and the reason we don't have more disclosures is this mentality [of] "If you get hacked it's your fault."

This is the equivalent of virtual assault. And in the physical world, we would never blame the victim of the assault for that assault taking place, but yet we do so all the time in the cyber world. I think that's completely misguided. While certainly mistakes occur and they need to be rectified, it's the attackers' fault.

What's trending with regard to cybersecurity that you or McAfee are positive about?

Some of the trends are positive: we've seen significant law enforcement wins in recent years and are making progress in addressing the cyber-crime problem. There aren't many of these top-notch cyber criminals out there in the world - my guess is less than a thousand are responsible for 90-plus percent of the problem.

Law enforcement has made tremendous efforts, building relationships with other law enforcement agencies across the globe, including in places like Russia, where you wouldn't have thought in a million years that there would be collaboration. There is collaboration now. Is it ideal? No. But it's a lot more than there was even five years ago.

We're seeing arrests: A bunch of people from Anonymous [were] arrested in the last couple of weeks. A number of top Russian cyber criminals, and others in the United States and other Western countries, have been arrested in the last year. I'm seeing a lot more progress on the deterrent aspect in dealing with cyber crime.

Where do you see the evolving threat in five years?

I see complete destruction of our economy. One of the things that really worries me is whether it's already too late. We've had this activity for the last six or seven years. Have they already stolen enough and are now just busy taking those schematics and plans and basically rebuilding entire sectors of our economy over there [i.e., China]? We will start to see the answer to that in a few years.

The challenge is that, quite frankly, a lot of this has been painless thus far because when someone goes into a company and steals your intellectual property, it's not like they stole your car - you still have your intellectual property. Until someone does something with it that damages you, you really haven't experienced that loss in many ways. That's why a lot of these companies have been hesitant to come forward.

The other thing that worries me is the risk from some of these cyber warriors who are currently doing espionage for a U.S. adversary: we don't know how much control their own militaries or intelligence agencies have over them, and what rules of engagement they operate under.

It could be that they go home and decide to work for their own benefit using very similar tools and, instead of stealing data, they may modify or destroy that data or the systems that are hosting that data. That's a big problem. They may collude with cyber criminals or terrorists and loan out their skills.

Topics: Economy • Global • Internet • Security • United States

soundoff (12 Responses)
  1. Dose of reality

    China needs swift retaliation.

    August 16, 2011 at 3:09 pm
  2. WAKE UP!!!

    We need to go on the offensive. This affects every sector of our society.

    August 16, 2011 at 3:58 pm
  3. WAKE UP!!!

    Many companies are reluctant to mention these thefts because they believe that it may damage relations with China. They see the huge potential market over there, but the reality is that the market is not open to us anyway.

    They are stealing all our intellectual property rights and producing knockoffs at a fraction of the price. This is not only harming companies, but the United States as a whole.

    They are bleeding us slowly and by the time we wake up it will be too late.

    Just look at the recent example of fake Apple Stores. You mean to tell me that Chinese government was unaware of this. They encourage it.

    August 16, 2011 at 4:24 pm
    • Maersk

      Kwok head, you must have overdosed on expired Viagra. Your "Head" was hard and you could not think "Straight". As a result, you stuffed your azz with a toy. When you woke up, you accused the Chinese of hacking into your azz and stealing your virginity.
      By the way, even if the Chinese did hack into your azz and stole your virginity, you have nobody to blame but yourself if your azz can be hacked so easily. I suggest that you buy yourself a chastity belt and give the key to your uncle.

      August 16, 2011 at 5:28 pm
  4. TG

    Interesting read. Someone took apart the covert communications channel for these guys. They communicate using HTML comments.

    August 16, 2011 at 4:25 pm
  5. GOPisGreedOverPeople

    We'll all be slaves to the rich anyway. Nothing left to steal.

    August 16, 2011 at 8:05 pm
  6. krehator

    Most of the fraudulent activity on the Internet is motivated by corporate marketing to generate revenue.

    They turn a blind eye to anything that generates profit, and deny security problems that risk consumer confidence. Big business can blame itself for the greed it has fed.

    August 16, 2011 at 11:53 pm
  7. Thou shall not ask

    "Yesterday is history, tomorrow is a mystery. And today? Today is a gift. That’s why we call it the present." B. Olatunji

    August 17, 2011 at 1:41 am
  8. AntiChina

    USA should just ignore the business relationship with China, stop importing Chinese products into the US, and Europe should be doing the same thing. Let China sell their products to Russia; we will see how far they are gonna go... Me as a US citizen, I blame USA and Europe. Why? Because you give a helping hand to China, they want to take all your body... Block all the ISPs of China and Russia from accessing Google and Bing, and you will see how safe we will be... If China can block Google and other US sites, why can't we block them completely? Let them suffer in that huge land; let's see how they gonna make it without US/Euro... But Americans became so lazy, they just want to resell Chinese products without doing anything, just make the damn order in China and resell to Americans. If you want to go that way, US/Euro should raise the taxes for importing products from China, up to the point where they have to follow our steps and rules, or die in the toilet....
    Dear Americans, pick up your A$$es and start working, don't wait for everything to be served, let's work and let's get back on the track

    August 18, 2011 at 10:43 am
  9. Damien Christy

    I think China should build us factories here, because we would have to borrow anyway and they have better tech.

    August 18, 2011 at 3:09 pm