What U.S. Defense System Details Have Hackers Accessed?
In the past year, the U.S. government has gone from making thinly-veiled accusations about nation-state sponsored cyberattacks to pointing fingers directly at China as the entity behind a string of hacks in which intellectual property and other sensitive information has been stolen from private firms and government agencies. That was the tone of a report released earlier this month by the U.S. Department of Defense. The 92-page report says the stolen information is helping China build “a picture of U.S. defense networks, logistics and related military capabilities that could be exploited during a crisis.” And this week we learned, courtesy of the Washington Post, some of the elements in that picture. The Post says it obtained a copy of a previously undisclosed section of a report written by the Defense Science Board (DSB), a committee of experts that advises the U.S. Department of Defense on technical and scientific matters.
That report, which was released in January, provided the Pentagon and defense contractors details regarding the data to which cyberthieves gained access. It said that the “DoD and its contractor base have already sustained staggering losses of system design information incorporating decades of combat knowledge and experience that provide adversaries insight to technical designs and system use.” But the public version of the report did not list the weapons whose plans had been stolen. According to an article in the Washington Post, the pilfered information included plans and technical details on several missile defense systems such as the PAC-3 Patriot missile system, the Terminal High Altitude Area Defense (THAAD) system and the U.S. Navy's Aegis ballistic-missile defense system. The cyberthieves—who U.S. government officials say were working at China’s behest—also saw design plans for the F/A-18 fighter jet, the F-35 multirole combat aircraft, the V-22 Osprey aircraft, the Black Hawk helicopter and the Navy's Littoral Combat Ship (LCS) class of vessels.
Though the DSB didn’t name any likely suspects, the Post says unnamed sources in the military and the defense industry placed the blame on a Chinese espionage campaign whose sole intention is to fill in its picture of the U.S. defense industry. The DSB emphasized that regardless of who the attackers are and who they work for, the bottom line is that the United States’ defense networks are set up in a manner that is inherently insecure and will not likely withstand attacks from a “sophisticated and well-resourced opponent.”
The Best Cyberdefense: A Good Offense?
With the strong that belief that China and other countries are waging highly-organized campaigns aimed at plundering proprietary data from U.S. companies and the government as the backdrop, the Commission on the Theft of American Intellectual Property, a private group, released a report on Wednesday recommending that U.S. businesses be allowed to retaliate against cyberattackers if they can’t find other ways to deter IP theft. “The American response to date of hectoring governments and prosecuting individuals has been utterly inadequate to deal with the problem,” said the commission, which is co-chaired by Dennis Blair, former U.S. director of National Intelligence and Jon Huntsman, former U.S. ambassador to China. The report argues that because “effective security concepts against targeted attacks must be based on the reality that a perfect defense against intrusion is impossible,” deterrence should be based, in part, on measures designed to make it more costly for someone to steal a company’s or a government’s property. The thinking, I guess, is something to the effect of: An ounce of retribution is worth a pound of international laws and treaties.
But not everyone agrees with that tactic. “This is a remarkably bad idea.” said James A. Lewis, senior fellow and director of the technology and public policy program at the Center for Strategic and International Studies (CSIS) in Washington, D.C., in response to the report. In commentary released by the CSIS this week, Lewis said, “Our goal is to make cyberspace more stable and secure, not less. Endorsing retaliation works against that goal in many ways, all damaging.” Besides undercutting U.S. efforts to get international law to hold countries accountable for the actions of their citizens, retaliation would put U.S. companies on a playing field where they’re unable to compete. Says Lewis:
“In a contest over who can go further in violating the law, despite the bluster of some in the high-tech community, private citizens are no match for the Russian mafia, the Russian Federal Security Service, or the People's Liberation Army in China. This is not a contest American companies can win.”
Implausible Identity Theft
On a lighter note (depending on how you look at it), a Security Week article reports on an Internet café in Jinan, China, that claims to be the regular hangout of U.S. President Barack Obama. Well, at least that was what the café’s manager wanted Chinese authorities to believe. He doctored someone’s lost government identity card so that it featured Obama’s picture and personal details including the president’s birth date and home address: 1600 Pennsylvania Avenue, Washington, D.C. The forged card came in handy for sidestepping China’s rules demanding that cafes make note of users' ID numbers before letting them go online. It let the manager provide Internet access to—and collect money from—customers unable or unwilling to present IDs of their own. The scheme ended when police, performing a routine inspection of the shop, saw the card and were certain that this Barack Obama fellow checked his e-mail elsewhere.
In Other Cybercrime News…
On Wednesday, Drupal.org posted a notice revealing that it reset all of its customers’ account passwords when it discovered malicious files on a server. Drupal, home to one of the Web’s most popular Content Management System (CMS) platforms, says the files were uploaded by attackers trying to exploit a third-party application used by the site.
Next week in Washington, D.C., Kaspersky Lab will host the 2013 Government Cybersecurity Forum. Featured speakers will include Former CIA Director Michael Hayden, Interpol Secretary General Ronald Noble, and Kaspersky Lab CEO Eugene Kaspersky.
Photo: Andy Wolfe/Creative Commons
Willie Jones is an associate editor at IEEE Spectrum. In addition to editing and planning daily coverage, he manages several of Spectrum's newsletters and contributes regularly to the monthly Big Picture section that appears in the print edition.