Sunday, July 27, 2014

Mending Fences: An Analysis of State and Non-State Threat Actors and Their Impact on Critical Infrastructure Protection

Image from http://www.bsec-corp.com

Information systems and the way they are used have evolved drastically in the past few decades. Devices that are capable of accessing the internet are incorporated into almost everything that the average person does, from accomplishing occupational objectives to providing users with entertainment and having the means to connect with family, friends, and potential business associates. Along with this enhanced usage of information processing devices, there is an added risk of crime and espionage. The cyber threat landscape for the United States encompasses threat actors from all over the world, who work toward a variety of goals.

A major area of concern for many countries is the protection of critical infrastructure, or the electrical, water, and communications systems that aid in sustaining life. With the hopes of succeeding in these protection efforts, it is important to analyze the cyber threat landscape for the purpose of creating new cybersecurity policy and legislation. Without understanding who or what might attack these systems, along with their most likely methods, new policy and legislation would certainly be useless.

Cyber Threat Landscape Overview

The cyber threat landscape is the total analysis of the threats and threat actors that work against an organization or nation. A threat can be defined as a potential cause of an incident that may result in harm to a system or organization. A threat actor is a person, organization, or nation that acts upon a specific threat.

In order to fully understand the risks associated with processing, storing, and transmitting information, these threats and threat actors must be fully assessed and categorized. There are two basic categories of threat actors against the United States. These categories are those that are working of a nation-state and those that are not.

State Actors

State Actors Overview

State threat actors are those that are supported, operated, or influenced by a specific nation. Those nations might have goals to increase the effectiveness of their intelligence, military power, or business enhancements. The two nations that make up the headlines when it comes to cyber threats and actions are China and Russia. It is important to note that state actors also have the funding of their respective governments.

China

Chinese hacker groups have been known by now to actively attack organizations in the United States. The most notorious hacking group that is believed to be sponsored by the Chinese government is called the “Comment Crew”, APT1, or Unit 61398 of the People’s Liberation Army. They have attacked a large variety of targets, but their primary goal seems to be to gain unauthorized access to data and take over systems that the Chinese government deems as being advantageous. The group is responsible for attempting over 140 attacks, many in different industries. Some examples of some of their targets include the United States government and their military networks, Google, Intel, Adobe, and RSA.

Comment Crew dates back to 2006 and consists of professional hackers. Their members are recruited out of the top technical universities in China, more specifically the Harbin Institute of Technology and Zhejiang University School of Computer Science and Technology, where hiring events and recruiting efforts have taken place. There have been reports of fliars being posted and passed around at these schools, inviting young scholars to seek employment with the Chinese government. These young adults are often tempted to join due to the benefits of having a steady income after school and satisfying patriotic desires.

A report on the Comment Crew was released by Mandiant in February of 2013. In this report, over 3000 indicators of Comment Crew attacks were also released, giving cybersecurity professionals a way to identify their work in future attacks. Among those indicators were originating IP addresses, domain names, encryption certificates, malware samples, domain names, and samples of the group’s work. Additionally, videos of Comment Crew attacks are provided for further analysis and comparison.

Russia

Eastern Europe is a virtual breeding ground for hackers, as is explained in the next section. Russia’s realization of the benefits of cyber warfare has caused the rest of the world to be weary of their capabilities and intentions. Although there is no concrete proof that the Russian government has exercised its cyber warfare abilities against other countries, their citizens, at the very least, are quite practiced at it.

In the spring of 2007, Russian “hacktivists” attacked Estonian government and news sites in response to Estonian citizens removing Soviet military statue from Tallinn square. The attack was weak and not effective at first, but then the attackers started to use large botnets. Botnets are groups of compromised computers that can be used to send spam or conduct Denial-of-Service attacks against targets. In this case, over 20,000 botnets were used, totaling over 1 million different computers. Although this attack was blamed on “hacktivists” and not the Russian government, the possible implications and effects of the attack in the eyes of the Russian government are without question.

The year after the Estonian cyber conflict, Russian “hacktivists” attacked governmental, bank, and news websites for the country of Georgia. This time however, it was done in conjunction with an official Russian military attack. Similarly to the attack on Estonian websites, the Georgian offensive utilized several botnets. As the military conflict escalated, so did the cyber-attacks. A few months before the Georgian occupation started, the cyber attackers seem to have tested out their botnets. This could be an indication that they knew the military occupation was going to happen, beforehand. As in the case with Estonia, there is no public evidence that the Russian government had any involvement in the cyber-attack on Georgia, but the attacks were extremely coordinated for “hacktivists” and the targets and timeframes for the attacks matched those of the military conflict. If the Russian government did not know the benefits of cyber warfare then, they certainly do now.

Non-state Actors

Non-state Actors Overview

In addition to the state actors described above, non-state actors can be just as, if not more, dangerous to critical information and information systems in the United States. Two non-state threat actors included in the United States cyber threat landscape are cybercriminals and “hacktivists”. Even though they are not typically driven by national interests, they have other motivating factors – purpose and money.

Cybercriminals

There are people and groups of people around the world who have taken advantage of widespread use of information systems and the internet for their own financial gain. These groups and individuals range from lone attackers to large organized crime organizations. The most noteworthy area that cybercriminals seem to come from is Eastern Europe. Where hackers in China seem to be attempting to gain access to business and intelligence information, Eastern European hackers seem to focus their efforts on gaining money.

There is a growing community of hackers in Eastern European countries. This growth has been associated with the culture in those countries and other economic and educational factors. The culture there is one that fosters and even encourages cybercrime, due to the fact that there is a general acceptance of copyright infringement and fraud when it comes to using the internet. Young adults have access to higher education in mathematics, science, and technology, but the job market in these fields are lacking and the pay for those jobs that are available does not equal similar jobs in Western countries. They graduate from school and have no uses for their skills professionally, so they often turn to cybercrime. Studies in the past have made a connection between high education and lack of employment opportunities and deviant behavior, more specifically, crime.

Eastern European hackers are also known for their malware. It is often very simple and unencumbering in terms of processing power used by the systems that are infected. One attribution to this fact is that computer users in Eastern European countries typically have out-of-date computer hardware. Their underperforming systems force users to find simple and creative ways to perform tasks, which has given them hackers advantages when it comes to performing attacks and creating malware.

Some well-known examples of cybercrime from Eastern European countries are the Target and Neiman Marcus breaches of late 2013, where several million customers were affected, and P.F. Chang’s restaurants. The malware that was used in the Target and Neiman Marcus attacks originated in Russia and was written by a 17 year old student who calls himself “Ree4”.

“Hacktivists”

Throughout history, there has always been a group of people who have disliked the way they (or others) have been treated. One method that this group has chosen to create change is activism. Activism can be defined as taking direct action in order to achieve change, more especially a political or social one. At one time, this meant organizing sit-ins, public protests, or chaining one’s self to a stationary object. The world’s dependence on information systems and the internet has created a new form of activism. Activists with hacking skills, or “hacktivists”, are able to actively protest against something on the other side of the world by hacking into systems or otherwise disrupting their intended use.

“Hacktivism” tactics, similarly to those for traditional activism, fall into three types – vandalism, disruption, and trespassing. Vandalism for “hacktivists” is the public defacement of websites. In the same way that protestors have been known to wave picket signs and spray graffiti at physical locations, “hacktivists” alter websites. Where traditional protestors have been known to block access to buildings, “hacktivists” are known for launching denial-of-service attacks to keep people from being able to use websites and web services in the way that they were originally intended. Activists of old have been known to break into unauthorized areas and vandalize, steal, or otherwise destroy equipment and information. “Hacktivists” similarly gain access to networks and information systems to copy and leak confidential information in an attempt to cause widespread distrust against their targets.

For some time, the word “Anonymous” was used as a synonym for vigilante justice on the internet. The reason for this is that a “hacktivist” group who took the word for their name gained the attention of the mainstream media. Anonymous was known to hack into systems belonging to businesses, governmental organizations, and even individuals for the sole purpose of advancing their own agenda. This agenda was to expose corruption, internet censorship, increase awareness in cybersecurity and political issues, and to attack organizations that did not adequately protect their employees’ and customers’ information.

A small and talented group within Anonymous, called “LulzSec”, organized a 50 day attack on governments and organizations around the world. Their targets were large and public, as were their attacks. One of their most commonly known attacks was against Sony in 2011. Their reason behind the attack was that the entertainment company filed a lawsuit against a man named George Hotz, who hacked into and altered his own PlayStation 3 gaming console. In the attack, usernames, email addresses, home addresses, passwords, and other personal information of several thousand individuals was leaked into the internet and the Sony Pictures website and networks were down for a short amount of time.

Critical Infrastructure, Protection, and Policy

Critical Infrastructure Overview

A growing concern during the past two decades has been the protection of critical infrastructure. Critical infrastructure is a term used to describe life-sustaining systems, such as power and water plants and delivery systems. Without these systems, society would cease to exist and governments would be rendered ineffective. Threat actors against critical infrastructure systems could be both state and non-state. These systems would be prime targets for terrorists, warring nations, “hactivists”, and even cybercriminals, who would likely try to ransom the systems and information contained in them.

Protection Challenges

Critical infrastructure environments typically use supervisory control and data acquisition (SCADA) systems to control operation in power and water plants. In the United States, about 80% of utility companies are owned by private businesses, who have constructed their systems in a way that best suits their business and customer requirements. Their information networks and systems are not standardized, by any means, and they operate under proprietary architectures.

Due to the unique structure at each individual utility vendor, creating a standard for the industries recognized as critical infrastructure is challenging. When attempting to make a set of rules or best practices that is broad enough to encompass all or most of the separate organizations and environments, its effectiveness degrades. Likewise, the most effective practices and controls for one organization will not likely be even relevant for another. The challenge lies in the balance between these two factors.

Another challenge for the protection of critical infrastructure is associated with its implementation and governance. In order for legislation to be effective in making positive change for the entire security posture of the critical infrastructure systems in the United States, it would have to be mandatory. If this legislation became mandatory, the federal government would, in essence, be imposing operational requirements on private businesses. For the sake of public favor and political influence, such a move might not be in the best interests of the politician who imposed it.

If mandatory legislation was accomplished for the protection of critical infrastructure, the next question would have to be, “who would govern it?” There are various federal agencies that the task could fall under, from the National Security Agency and Department of Homeland Security to the Department of Energy. Identifying a governing agency for critical infrastructure is necessary for continuous monitoring, auditing, and policy maintenance. It would also aid in the organization of protection efforts.

Current Policies

The current administration has tried to make changes for the protection of critical infrastructure. When President Obama gained office, he ordered a review of the cybersecurity policies of the previous administrations. The result was the Cybersecurity Policy Review, which outlined issues with the security posture of the nation and provided steps to address those issues. In 2012, President Obama released a legislation proposal that would require mandatory cooperation between the government and private businesses that provided for the nation’s critical infrastructure. That legislation was debated by Congress, but was ultimately never signed into law.

In response to the rejection of his proposed critical infrastructure protection legislation, President Obama issued Executive Order 13636, which required that the Attorney General, the Secretary of Homeland Security, and the Director of National Intelligence produce public, unclassified reports on threats to critical infrastructure, which could be used by critical infrastructure vendors for the protection of their networks and systems. Additionally, the executive order employed the Director of the National Institute of Standards and Technology in developing a cybersecurity framework for the protection of critical infrastructure. This framework could also be used by critical infrastructure service providers, and the Director of Homeland Security was ordered to find incentives for businesses that chose to work with the government in this effort.

The incentives program provided by the Department of Homeland Security was accomplished through the revision of the National Infrastructure Protection Plan in 2013. Therein are suggested methods for encouraging critical infrastructure providers to participate in the voluntary governmental frameworks, standards, and programs for enhanced security.

Future Policies and Dependencies

The fact that the United States needs better protection efforts for the security of critical infrastructure systems and networks is well-known. The observance of both state and non-state threat actors in the United States cybersecurity threat landscape further intensifies this concept. Before progressing further in making recommendations for future critical infrastructure protection legislation and policy in response to these threats however, the need for non-voluntary legislation is paramount.

As previously explained, current cybersecurity policies and frameworks are strictly voluntary, with incentives for those critical infrastructure organizations that choose to participate. Until the federal government makes the decision to mandate standardized protection efforts from all critical infrastructure vendors, the state and non-state threat actors are at an advantage. Each critical infrastructure provider is a small part of the overall system, and if any of those providers choose not to participate in the voluntary policies and frameworks, that system is at risk.

In order to ensure that the critical infrastructure is protected by future policy, lawmakers must take the different threat actors and their motivations into account. They cannot adequately protect the systems and networks without understanding what they are protecting against. The biggest state threat actors are China and Russia. The Chinese government would most likely attack the critical infrastructure of the United States to gain a business or intelligence advantage. If, for example, several large metropolitan areas of the United States were to lose the capability to process and deliver drinking water, a Chinese water company could offer their services and products at an increased expense.

Russia, on the other hand, would most likely use attacks on critical infrastructure to coincide with a military attack, as they already have experience in doing. If the United States were ever to go to war with Russia, cyber warfare would almost certainly be a factor. By detonating a nuclear weapon at high altitudes, the electromagnetic pulse would knock out all electronic equipment, to include those used for critical infrastructure and communication.

Non-state threat actors discussed earlier were cybercriminals and “hacktivists”. Cybercriminals have been known to hold information and information systems for ransom. This year, a piece of ransom software, or “ransomware” called CryptoLocker infected over 250,000 systems and resulted in a financial gain of over $27 million in Bitcoin for the developer. This price could be much higher when the importance of critical infrastructure is taken into account and how much the federal government would be willing to pay to ensure the safety of its citizens.

Internet activism, or “hacktivism”, could have profound effects on society if it “hacktivists” were able to disrupt or gain control of critical infrastructure systems and networks. Currently, “hactivists” use the internet to attack organizations through defacement and data breaches. The other category of attacks that they use would be much more problematic for critical infrastructure – disruption. If these hacker groups were able to conduct large scale denial-of-service attacks on critical infrastructure systems and networks, they would certainly be able to get their issues brought to light. It is one thing when we aren’t able to get to our email or a website, but it is an entirely different issue when we are unable to get power or fresh water to drink. When a denial-of-service attack is conducted against critical infrastructure, people can die and society could cease to exist.

Summary

The world, more specifically the United States, has greatly benefited from the advancements in technology of the past few decades. From simple niceties like finding information on the internet and sending email, to streaming video and playing computer games with friends on the other side of the world, the internet has allowed its users to connect with other users and information far beyond their previous reach. Information technology has allowed for business collaboration and enhanced communication for soldiers, airmen, and sailors in the military.

With these added capabilities for good, there are also risks. When people shop or make bank transactions online, their information and money are susceptible to theft. All internet-connected devices come with a natural vulnerability. In this paper, state and non-state threat actors were discussed and examples were provided. Other countries, like China and Russia, have the capability of doing great harm to other countries through cyber warfare. Non-state threat actors, like cybercriminals and “hacktivists”, have the power to disrupt, vandalize, or steal information for their own personal social or financial gain.

Another growing topic of concern is the protection of the critical infrastructure in the United States. If these state and non-state threat actors were to act upon the natural vulnerabilities that are present in the current critical infrastructure operating environments, the results could be catastrophic. These are the systems that provide citizens with water to drink and power and gas to light and warm their homes. All other life-sustaining products and services depend on these simple, yet undeniably essential provisions.

Currently, there are no concrete laws or polices that govern the protection of critical infrastructure. All attempts to create such pieces of legislation have led to voluntary participation on the part of the private businesses that operate their own pieces of the overall system. In order to gain positive ground in the protection of critical infrastructure, mandatory standardization is required across all critical infrastructure segments. They must also incorporate and account for the different types of threat actors and their individual methods and intentions.

This change has to start somewhere and it has to start now. It is the intention of this paper and the author to raise awareness of this critical issue and to influence United States citizens to have a more active role in protecting the essential things in life. They must do their part in encouraging their elected representatives to take a positive step toward protection of critical infrastructure. Life depends on it.

Steve P. Higdon has been working in the information security field for over ten years, providing support and consultancy to several public and private sector organizations. Steve holds several industry certifications and can be reached via email at infosec@stephenhigdon.com and on Twitter at @SteveHigdon.