Not a week seems to go by without there being a news headline about the cyber security threat posed to the United States by the Chinese Government.
|Does the Chinese Government Pose an Advanced Persistent Threat to the United States on the Cyber Security Front?|
The latest slew of headlines allege that the Chinese may have gained access to extensive design information on advanced American weapons. On Friday U.S, Defense Secretary Chuck Hagel said that cyber threats posed a "quiet, stealthy, insidious" danger to the United States and other nations, and called for "rules of the road" to guide behavior and avoid conflict on global computer networks. So, the (rhetorical) question is...
Do the Chinese Pose an Advanced Persistent Threat to the United States on the Cyber Security Front?
Well, let's look at the definition of an Advanced Persistent Threat, courtesy Wikipedia...
Perhaps we should dissect the defintion ...
Based on the above, it does seem to the logical mind that the Chinese Government may very well pose an Advanced Persistent Threat to the United States.
An Organized and Structured Cyber War/Espionage Effort?
According to Mark Stokes and his colleagues at the Project 2049 institute, the PLA General Staff Department (GSD), Third Department and Fourth Department are organized and structured to systematically penetrate communications and computer systems, extract information and exploit that information.
Their research indicates that cyber operations are a massive effort in China with the GSD Third Department being responsible for monitoring communications, communications security, computer network exploitation, and cyber security for the PLA, and the the GSD Fourth Department being responsible for electronic countermeasures, electronic support measures, gathering electronic intelligence, and probably cyber attack to penetrate information systems and assists in computer network exploitation. There apparently also are militia units that have cyber-related missions for the PLA, and the People’s Armed Police has its own technical reconnaissance unit.
According to Mike McConnell, former Director of National Intelligence, Michael Chertoff, former Secretary of Homeland Security; and William Lynn, former Deputy Secretary of Defense, China has a national policy of espionage in cyberspace and is "the world’s most active and persistent practitioner of cyber espionage today"
If you scroll down the Wikipedia page on Advanced Persistent Threats to the APT life cycle section, you'll find the following excerpt: "In 2013, Mandiant presented results of their research on alleged Chinese attacks using APT methodology between 2004 and 2013 that followed similar lifecycle:
- Initial compromise — performed by ...
- Establish Foothold — plant ...
- Escalate Privileges — use exploits and password cracking to acquire administrator privileges over victim's computer and possibly expand it to Windows domain administrator accounts.
- Internal Reconnaissance — collect ...
- Move Laterally — expand ...
- Complete Mission — exfiltrate stolen data from victim's network."
We happen to know a thing or two about it because we help organizations worldwide prevent the successful enactment of this step in their Active Directory infrastructures, which is where the prized "domain administrator" accounts reside.
We have seen the Chinese attempt to gather information on a specific, advanced exploitation technique / threat related to the escalation of privileges in Windows environments, "Active Directory Privilege Escalation".
We also believe that many business and government organizations may still be vulnerable to such attacks, and we have been privately and publicly helping organizations become aware of the importance of adequately protecting their foundational Active Directory infrastructures, so that any attempts to infiltrate their networks and subsequently escalate privilege to obtain unrestricted administrative access in their internal IT environments can be thwarted.
A Call to Establish Rules of the Road - Is the U.S. Government Scrambling?
The U.S. government would like to see Rules of the Road established for Cyber Security, and it would like the Chinese to adhere to these rules, apparently so as to prevent the continued barrage of cyber security attacks and breaches.
That's very gentlemanly, but with all due respect, that's like Iron Man requesting his adversaries to please not kick him on his knees while engaging in battle, since the armour around his knees is not strong enough yet.
One cannot rely on the presence of rules of the road for protection, especially with the Chinese. What is needed is for our organizations to realize just how serious the threat of cyber security is, and to take immediate steps to adequately bolster their defenses, so as to be resilient in the face of attacks.
I say so because the threat is not only from China. The threat is equally from any other foreign government or a non-national business entity that might have something to gain by compromising or breaching an organization's IT security defenses. Examples include organized mafia, ideological groups, groups engaged in corporate espionage, and even individuals.
By the same token, its not just U.S organizations that are at risk. Business and government organizations in our ally countries, such as the United Kingdom, Canada, Germany, France, Switzerland, the Middle East, India, Australia etc. are all equally at risk.
The challenge with cyber security is that, unlike physical security, which involves clearly definable and defensible borders, it is very difficult to draw boundaries online, and thus very difficult to protect organizations from attackers and attacks.
I do believe that most organizations do want to adequately bolster their defenses, but struggle to determine how to do so efficiently, measurably and provably. My humble suggestion to them would be to begin by establishing their top cyber security priorities, then performing prioritized risk assessments to assess risks and weaknesses, and subsequently determine and implement an adequate set of asset-specific risk mitigation measures aimed at providing comprehensive security at all times.
No organization can ever completely eliminate risk, but they can substantially minimize it.
I could share a lot more, but my 10 minute alarm just rang, so I'm afraid I'll have to end this here.
More next time. Stay tuned. Alright, back to work.