With all the news coming out of Washington last week as part of the confirmation process for Supreme Court Justice nominee Brett Kavanaugh, and the disclosure by Facebook of a breach that affected at least 50 million users, it would be easy to miss the equally significant story about the latest variant of nation-state cyberwarfare.
On Thursday, October 4, Bloomberg Businessweek reported that agents of the Chinese government may have inserted rogue computer chips into hardware used by “30 companies and multiple U.S. government agencies.” Regardless of whether this story proves to be true, it represents a dangerous actual or potential escalation of the cyber battles waged between nation states.
Advanced Persistent Threats Definition
Typically, government-supported or government-condoned cyber attackers use a method known as an advanced persistent threat (APT). University of Maryland computer networks and cybersecurity professor Dr. Sam Musa defined an APT as “a set of stealthy and continuous hacking processes often orchestrated by humans targeting a specific entity.”
APTs are typically used for business or political motives. By definition, advanced persistent threats consist of three major elements. First, advanced methods such as malware are used to exploit vulnerabilities in a system. Second, a persistent process must exist. Persistence can refer to continuous monitoring of the system, or the continued presence of the underlying threat. The last element, obviously, is a threat, often a human or group who is involved in orchestrating the attack.
History Behind Current Allegations
Before discussing why the present allegations denote a dangerous escalation in a decades-long “cold” war between the U.S. and China, we need to step back and discuss where the accusations originate.
In 2015, as part of the due diligence conducted for a possible acquisition, global tech company Amazon evaluated the security of the company it was considering acquiring, Elemental Technologies. A first-pass review by Amazon Web Services (AWS), the department tasked with completing the due diligence, uncovered an alarming fact: the motherboards of the servers that Elemental sold to customers contained a small microchip that was not part of the original design of the boards sold by Super Micro Computer Inc. to Elemental.
An investigation was conducted by U.S. government officials after Amazon informed them of the discovery. The investigation found that servers sold by Elemental were present in data centers for the U.S. Department of Defense, the Central Intelligence Agency’s drone operations center, and aboard several Navy warships. More alarming is that Elemental is only one of Supermicro’s customers. Finally, the investigation found that the chips appear to have been inserted on the motherboards while they were being manufactured at subcontractor sites in China.
APT attacks, like other malware and cyberattacks, can typically be discovered by trained forensic investigators using specialized analysis techniques, indicators of compromise (IOCs), and automated tools that scan for abnormalities. A hardware vulnerability, such as the Supermicro issue, is largely immune to these investigative techniques: there is no malicious file to hash and no known-bad domain to match unless the implant communicates outward. Further, a granular, chip-by-chip manual review of every part of every desktop, laptop, or server in most organizations would require a specialized team of skilled experts that most organizations cannot support.
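The IOC-driven detection the paragraph above describes is easy to illustrate. The following is an added example, not code from the original article: it scans a handful of constructed, syslog-style log lines for three common indicator types (file hashes, domains, IP addresses) drawn from a constructed IOC set. The indicator values are placeholders (documentation-range addresses, an `example.net` hostname, the SHA-256 of an empty file), not real indicators, and the `host01`/`host02` records are invented.

```python
"""Indicator-of-compromise (IOC) scan over log lines.

Added example, not code from the original article. IOC values and log
lines are constructed placeholders; in practice the IOC set comes from a
threat-intelligence feed and the lines from a SIEM or host agent.
"""
import hashlib
import re
from typing import Dict, List, Set

# Constructed IOC set. The hash is the SHA-256 of an empty file and the
# address is in the TEST-NET-3 documentation range; neither is a real IOC.
EMPTY_FILE_SHA256 = hashlib.sha256(b"").hexdigest()
IOCS: Dict[str, Set[str]] = {
    "sha256": {EMPTY_FILE_SHA256},
    "domain": {"update-cdn.example.net"},
    "ip": {"203.0.113.45"},
}

# Constructed sample log lines: timestamp, host, source, message.
SAMPLE_LOGS: List[str] = [
    "2018-10-05T02:14:07Z host01 dns: query A update-cdn.example.net",
    "2018-10-05T02:14:09Z host01 fw: ALLOW tcp 10.0.0.12:51422 -> 203.0.113.45:443",
    f"2018-10-05T02:15:00Z host02 edr: file created /tmp/svc.bin sha256={EMPTY_FILE_SHA256}",
    "2018-10-05T02:16:30Z host03 dns: query A www.example.com",
    "2018-10-05T02:17:02Z host03 fw: ALLOW tcp 10.0.0.14:44010 -> 198.51.100.7:443",
]

# One extractor per indicator type; each returns every candidate token in a
# (lower-cased) line, and the candidates are then checked against the IOC set.
EXTRACTORS: Dict[str, re.Pattern] = {
    "sha256": re.compile(r"\b[0-9a-f]{64}\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}\b"),
}


def scan_logs(lines: List[str], iocs: Dict[str, Set[str]] = IOCS) -> List[Dict[str, object]]:
    """Return one record per IOC hit: line number, host, indicator type and value."""
    hits: List[Dict[str, object]] = []
    for lineno, raw in enumerate(lines, start=1):
        fields = raw.split()
        host = fields[1] if len(fields) > 1 else "?"
        line = raw.lower()
        for kind, pattern in EXTRACTORS.items():
            for token in pattern.findall(line):
                if token in iocs.get(kind, set()):
                    hits.append({"line": lineno, "host": host, "type": kind, "value": token})
    return hits


def hosts_with_hits(hits: List[Dict[str, object]]) -> List[str]:
    """Distinct hosts that produced at least one IOC match, for triage."""
    return sorted({str(h["host"]) for h in hits})


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(f"line {hit['line']}: {hit['host']} matched {hit['type']} {hit['value']}")
    print("hosts to triage:", hosts_with_hits(scan_logs(SAMPLE_LOGS)))
```

Run against the constructed lines, the scan flags `host01` (known domain and IP) and `host02` (known file hash) and leaves `host03` alone. The limitation the paragraph raises is visible in the code: every match depends on an artifact that software leaves behind (a file, a name lookup, a connection), so a modification at the board level produces nothing for this kind of scan to find unless and until it talks to the network.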
With 75 percent of the world’s mobile phones and 90 percent of PCs manufactured in China, the revelation that state-sanctioned insertion of malicious computer chips occurred is a problem that must be addressed. It seems rather fortuitous that at the same time that California passed, and has begun preparing to enforce, its new Consumer Privacy Protection Act, the discovery of a massive threat to U.S. consumer and national security data was made public.
If U.S. companies have learned anything in the wake of the Sony hack, the Target data breach, and the recent Facebook hack, it is that information is power. According to a 2017 report from IBM, the equivalent of 2,273,736 terabytes of data are created each day. In the same year, cyberattacks cost U.S. companies an average of $1.3 million. As early as 2012, when the famed Stuxnet attack on Iranian nuclear facilities took place, governments were characterizing cyberattacks in militaristic terms.
In a 2012 article, Glenn Greenwald, the journalist who later reported the Edward Snowden disclosures, noted that the Pentagon went on record to say: “If any cyber-attack is directed at the U.S. – rather than by the U.S. – it will be instantly depicted as an act of unparalleled aggression and evil.” The Pentagon decreed that any cyberattack on the U.S. would be deemed “an act of war.”
What Companies Can Do to Improve Cybersecurity
In 2008, in response to massive data losses experienced by organizations, the SANS Institute, a private for-profit company in the U.S., created the Critical Security Controls for Effective Cyber Defense (known colloquially as “CSCs” or “Critical Security Controls”). The Critical Security Controls are a list of twenty key actions that an organization can and should take to prevent or mitigate cyberattacks.
The underlying principle of the CSCs is the Pareto Principle, commonly known as the 80/20 rule: a small subset of controls addresses the majority of attacks, so applying the CSCs in priority order significantly reduces attack success. The Center for Internet Security, the organization that now maintains the CSCs, states on its website, “Organizations that apply just the first 5 CIS Controls can reduce their risk of cyberattack by around 85 percent. Implementing all 20 CIS Controls increases the risk reduction to around 94 percent.”
To ensure that the information technology and cybersecurity program of any organization is as robust as possible, a combination of internal and external risk assessment must occur. Additionally, the supply chain and third parties must be continuously monitored, and the items provided or tasks completed must be analyzed and tested as they move through the chain.
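The first of the CIS Controls cited above is an inventory of hardware assets, and the supply-chain monitoring called for in the paragraph above starts from the same place: knowing what hardware you bought, what firmware the vendor shipped on it, and checking what actually shows up on the network against that record. The following is an added example, not code from the article or from the Center for Internet Security: it reconciles a constructed authorized inventory (serial, model, and the SHA-256 the vendor published for the approved firmware image) against constructed discovery results, reporting devices that were never authorized, authorized devices that have gone missing, and devices whose firmware hash no longer matches the baseline. The serial numbers, model names and "firmware images" are placeholders.

```python
"""Hardware inventory and firmware-baseline reconciliation.

Added example in the spirit of CIS Control 1 (hardware asset inventory)
and supply-chain verification; not the article's or CIS's own code. All
serials, models and firmware bytes below are constructed placeholders.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for vendor-published firmware images. In practice the
# vendor publishes the hash and the device's image is read out and hashed.
GOOD_BIOS = b"vendor-bios-image-v1.2.3"
GOOD_SWITCH_OS = b"vendor-switch-os-v7.0.1"


@dataclass(frozen=True)
class Baseline:
    """What procurement recorded for one serial number."""
    model: str
    firmware_sha256: str  # hash published by the vendor for the approved image


@dataclass(frozen=True)
class Observed:
    """What discovery (agent check-in or network scan) actually reported."""
    serial: str
    model: str
    firmware_sha256: str  # hash of the image read off the device


# Constructed authorized inventory: serial -> baseline.
AUTHORIZED: Dict[str, Baseline] = {
    "SN-1001": Baseline("server-model-A", sha256_hex(GOOD_BIOS)),
    "SN-1002": Baseline("server-model-A", sha256_hex(GOOD_BIOS)),
    "SN-2001": Baseline("switch-model-B", sha256_hex(GOOD_SWITCH_OS)),
}

# Constructed discovery results. SN-1002 carries firmware that does not hash
# to the vendor's published value; SN-3005 was never purchased; SN-2001 is absent.
DISCOVERED: List[Observed] = [
    Observed("SN-1001", "server-model-A", sha256_hex(GOOD_BIOS)),
    Observed("SN-1002", "server-model-A", sha256_hex(b"vendor-bios-image-v1.2.3-modified")),
    Observed("SN-3005", "server-model-A", sha256_hex(GOOD_BIOS)),
]


def reconcile(authorized: Dict[str, Baseline], discovered: List[Observed]) -> Dict[str, List[str]]:
    """Compare discovery against the authorized inventory.

    Returns serials in three buckets:
      unauthorized   - on the network but not in the inventory
      missing        - in the inventory but not seen by discovery
      baseline_drift - known device whose model or firmware hash differs
    """
    report: Dict[str, List[str]] = {"unauthorized": [], "missing": [], "baseline_drift": []}
    seen = set()
    for device in discovered:
        seen.add(device.serial)
        expected = authorized.get(device.serial)
        if expected is None:
            report["unauthorized"].append(device.serial)
        elif (device.model, device.firmware_sha256) != (expected.model, expected.firmware_sha256):
            report["baseline_drift"].append(device.serial)
    report["missing"] = [serial for serial in authorized if serial not in seen]
    for bucket in report:
        report[bucket].sort()
    return report


if __name__ == "__main__":
    for bucket, serials in reconcile(AUTHORIZED, DISCOVERED).items():
        print(f"{bucket}: {', '.join(serials) or '(none)'}")
```

On the constructed data the report lists `SN-3005` as unauthorized, `SN-2001` as missing and `SN-1002` as drifted from its firmware baseline. A firmware-hash check of this kind catches a modified image but, as the article notes about the Supermicro allegations, an added component on the board does not by itself change the firmware that gets hashed; the inventory side of the check is still what tells you which boards from which supplier are in which data center when such a report surfaces.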
This undertaking cannot and should not be completed alone. Leveraging the expertise of an outside security consultant will ensure that an organization benefits from information sharing about vulnerabilities across the wider ecosystem. If, for example, the previously discussed vulnerability had not been shared in mainstream media, it is likely that most companies would never have gone looking for it.