13 September 2015

Effective Cyber Defense Against Foreign Spies Still Eludes the U.S. Government

September 10, 2015

Cyber Espionage to Splinter Internet Governance 

Despite its attempt to use foreign policy to discourage cyber espionage, effective deterrents to online spying will continue to elude the U.S. government.
Any sanctions against Chinese entities will not halt China’s global online espionage activities.
Efforts to curb cyber espionage will further fragment the Internet’s regulatory environment.

ANALYSIS

Ahead of Chinese President Xi Jinping’s visit to Washington at the end of September, the White House reportedly is ready to announce sanctions against Chinese entities allegedly involved in industrial espionage. The specific targets of the sanctions have not been revealed, but the sanctions will likely focus on the use of cyberattacks to siphon intellectual property and trade secrets. The planned sanctions follow U.S. President Barack Obama’s executive order authorizing the Treasury Department to seize the assets of and bar financial transactions with entities engaged in cyberattacks.

The timing of the announcement, so close to Xi’s visit to the United States, will likely anger Xi’s constituents, who will see it as an attack on China’s image during a presidential tour. Thus, the White House’s sanctions serve as a gesture to China but also to Obama’s domestic audience, which has grown more concerned about Chinese espionage in light of high-profile cyberattacks against U.S. businesses and government interests.


The message is Washington’s latest attempt to use its foreign policy to deter cyberattacks, in the hopes that nominal sanctions and criminal indictments will force China to a diplomatic solution regarding cyber espionage. However, any sanctions against Chinese businesses or individuals are unlikely to dissuade China’s global cyber espionage activities.

The United States’ uphill battle in protecting its interests in cyberspace is similar to the struggle for many countries around the world whose economic interests are increasingly intertwined with the Internet. While the United States continues to leverage foreign policy as a defense, other countries are turning to domestic policies that regulate Internet activity for both end users and businesses.

The global economy’s increasing reliance on Internet technologies and widening competition in high-tech industries around the world will further promote global industrial espionage. Cyber espionage and data breaches for technology-based companies will heighten the sense of urgency for national governments seeking to stymie the threat. The collective efforts of countries attempting to safeguard against foreign cyberattacks, like those motivated by industrial espionage, will continue to divide the Internet into fragmented regulatory environments.

Industrial Espionage Meets Cyberspace

Industrial espionage, whether against the United States or any other country, is a highly diffused threat that can and does emerge from virtually any country. China’s espionage activities are particularly prolific, but even U.S. allies such as France, Japan or Israel have at some point acted against U.S. economic interests by collecting information in secret. Likewise, the United States has used cyber espionage to target its allies with industrial espionage and broader spying activities.

Industrial espionage threats can also emerge from both state and non-state actors, such as businesses, lone actors or professional cyber criminals, largely motivated by their home country’s economic conditions and the value any trade secret possessed by a foreign (or domestic) company could hold. For example, in China, where the government wants innovation for the high-tech sector and the domestic demand for online services and high-tech devices is high, an individual could have substantial monetary incentive for spying on foreign technology companies.

In 2013, network security researchers identified someone believed to be a non-state actor based in India who had been carrying out a cyber espionage campaign targeting both government and private sector interests in several regions, including South and East Asia, Europe and North America. In the United States, the attackers targeted the Chicago Mercantile Exchange, though the objective of that specific attack is unknown. If the attacker was not tied to a government intelligence service, the widespread activities would suggest the attacker was a cyber criminal.

Of course, national governments can and do support industrial espionage activities as well. Hackers tied to China’s People’s Liberation Army siphoned sensitive details on the F-35 fighter jet by compromising Lockheed Martin’s network in 2009. In 2015, intelligence reports leaked by former U.S. intelligence contractor Edward Snowden revealed that the United States, cooperating with Germany’s Federal Intelligence Service, had spied on European firms.

Before the 1990s, industrial espionage, though still rampant, largely relied on human intelligence disciplines that typically required some interaction with the business, primarily in a country containing the business’s physical operations. Once the desired trade secrets were acquired, collectors could return to their home countries. The emergence of digital storage devices allowed for greater volumes of information to be siphoned, while the Internet’s entry into mainstream use in the 1990s diminished geographic and political obstacles. Furthermore, cyber espionage as a tool in stealing trade secrets requires far fewer resources and carries less risk of criminal prosecution, or even attribution, expanding the range of possible actors spying on a company’s network activity. Any individual capable of compromising computer networks is capable of targeting a business for espionage.

The advantages of cyber espionage have made it one of the most common means of targeting a company’s trade secrets. A 2015 report by anti-virus firm Symantec stated that five out of every six businesses with more than 2,500 employees observed by the company were targeted with spear-phishing attacks in 2014, a 40 percent increase from 2013. A spear-phishing attack is a targeted email meant to trick the target into providing sensitive information or installing malware on the target’s device. Often such tactics are employed as an initial step in compromising a company’s network.

For several years, the U.S. government has expressed concerns about cyber espionage. A 2014 report by the U.S. Defense Security Service under the Department of Defense said 44 percent of reported collection attempts at U.S.-based companies came from the East Asia and Pacific region, with cyberattacks being the most common method. The U.S. National Counterintelligence and Security Center refocused its annual report on foreign economic collection to Congress in 2011 to emphasize cyber espionage as the principal threat.

The Gamut of Solutions

The technologies underlying the Internet — the Internet Protocol suite — were designed to facilitate the flow of information rather than restrict it. Thus, the Internet is inherently insecure, and guarding information requires a patchwork of likely vulnerable security tools that an attacker can eventually exploit. Moreover, the number of Internet users continues to grow and corporations increasingly rely on network technology, opening potential targets to hackers. As a result, offense in cyberspace seems to quickly outpace defensive measures.

Many countries have subsequently turned to domestic and foreign policy solutions in safeguarding their interests in cyberspace. These measures will often match a country’s domestic political climate and geopolitical needs. Russia and China, for instance, have pushed to transition global Internet governance from what is seen as a U.S.-dominated multi-stakeholder model to their own multilateral model.

Meanwhile, in the United States, political sensitivities about government control over the private sector mean that the government must work as an equal partner with private firms in cyber defense, but it is still charged with protecting the country’s economic interests. As a result, while working to improve security for the public, Washington has focused principally on foreign policy to deter cyber espionage rather than promoting Internet governance or substantial domestic regulations of Internet activity. However, the decentralized and extraterritorial nature of cyber espionage, as well as the difficulties in discerning the actors, undermines the effectiveness of any deterrence.

Integrating network security into a country’s strategic imperatives does not necessarily reflect the U.S. or Russo-Chinese view of global Internet governance. Despite the de facto multi-stakeholder system of Internet governance, countries have pursued their own national policies to protect their domestic industries against foreign industrial espionage in addition to serving other strategic needs.

Data localization laws, which generally dictate that a company gathering information on users online in a country must store that information in data centers in that country, have slowly emerged in the past decade in countries such as Russia, Brazil, Vietnam and Indonesia. The laws, which can target different sectors, are meant to better safeguard citizens’ and businesses’ data and help governments monitor communication within their countries. A data localization law passed in Russia in 2013 would require companies such as Google, Facebook and Twitter to store data at centers in Russia or presumably their services would be blocked. Other countries, such as India and China, are still considering such regulations.

Meanwhile, the European Union seeks to unify network security strategies among its member states while also subjecting businesses to cyber security regulations, effectively giving member states greater authority over national cyber security. This month, the European Parliament and European Council will discuss a final draft for the EU National Information and Security directive, which, when adopted, would push member states to subject Internet-based companies to strict cyber security rules. Such measures include requiring businesses to report cyber intrusions to authorities — something many companies victimized by industrial espionage are reluctant to do.

Just the Beginning

Espionage activities, particularly those committed via cyberattacks, typically remain below the threshold of warranting a military response. Thus, a country such as the United States is not likely to employ a physical military response as implied when the Pentagon defined major cyberattacks as an act of war in 2011.

Retaliatory cyberattacks can be a possible deterrent, at least for countries possessing the technical capabilities to launch such attacks. However, offensive capabilities do not improve defensive measures. And because non-state actors in an offending country can initiate acts of industrial espionage, the sheer number of potential actors limits the effectiveness of retaliatory measures.

The rapid growth of the Internet in terms of users and economic interests will put governments under increasing pressure to pursue often disparate cyber security policies and regulations. Directives and national laws, such as the European Union’s proposed cyber security directive or Russia’s 2013 data localization law, mark the initial steps of sovereign states protecting their own economic interests from cyber espionage. This trend will create an increasingly fragmented regulatory environment for online activities divided by political borders. Although these measures are intended to safeguard businesses from foreign cyber espionage and more general cyber crime, they can also carry adverse effects for Internet-based companies, such as increased costs for compliance. Moreover, a sovereign state with more control over security policies and network infrastructure in its territory is better equipped to spy on foreign transnational businesses’ network communications.
