It’s difficult to overstate the level of cyber security threats presently facing states, companies and individuals. As the United States considers legislation to share classified intelligence with private companies, IBA Global Insight assesses the risks and responses.
China is literally attempting to steal our way of life,’ US Republican Senator and House Intelligence Committee Chairman Mike Rogers told The Detroit News in February. Responding to a spate of increasingly high-profile data security attacks on US companies by Chinese hackers, he added: ‘Cyber war is currently being waged on American businesses and the government is unable to deploy defenses on their behalf. Today, we are in a stealthy cyber war in America. And we’re losing.’
Rogers and his Republican colleague Dutch Ruppersberger were then seeking support for their 19-page bill, the Cyber Intelligence Sharing and Protection Act(CISPA), which was passed by the House of Representatives in April. The Intelligence Committee in December had already passed the draft by a vote of 17 to one, although the act has run into late opposition from civil liberties groups who fear it is too broadly cast.
If passed by Congress – and not vetoed by President Barack Obama – the legislation would allow the government to share classified intelligence with private companies to give them the information they need to protect themselves from cyber-attacks. In cases where national security is thought to be at issue, corporations already draw on the expertise of federal agencies.
Rogers and others have been arguing for some time that major US companies lose valuable secrets to competitors in Russia and China because of online espionage. Some have even been upping the rhetoric by talking about the potential for a ‘digital Pearl Harbour,’ even though that phrase has been bandied around by alarmists since at least 1996, according to the website Tech Dirt.
Behind the words, there is plenty of real support for tougher US action on cyber espionage. US Director of National Intelligence James Clapper recently told a Senate committee that cyber-attacks and cyber espionage had supplanted terrorism as the top security threat facing the country. And Obama said in a TV interview with ABC News that the US is engaging in ‘tough talk’ with China about its alleged spying on American businesses and institutions.
‘What is absolutely true is that we have seen a steady ramping up of cyber security threats. Some are state sponsored. Some are just sponsored by criminals,’ Obama said. ‘We’ve made it very clear to China and some other state actors that we expect them to follow international norms and abide by international rules.’
The most recent furore got underway shortly after the New York Times revealed that it had been the victim of hackers. Just after Christmas this year, the paper reported that Chinese hackers had infiltrated its computer systems, stolen the passwords of key reporters and carried out a four-month long spying mission against it. The Timeslinked the incursion to its reporting on the relatives of Wen Jiabao, China’s former premier.
Despite detecting the penetration of its defences, the paper’s own cyber security experts and those of its telecommunications company AT&T could not eradicate the perpetrators from the system. It had to call in the security company Mandiant. When they had evicted the perpetrators, the firm said that the method used by them to gain access to The Times turned out to be relatively unsophisticated. The hackers had probably used a so-called spear-phishing attack to gain initial access, it said. That is an email sent to an employee that contains a link to a ‘remote access tool,’ or RAT. When the unsuspecting user clicks the link, the program installs itself on the system and it begins monitoring keystrokes, passwords and other information. This enables hackers to syphon sensitive data from the company and can be a bridgehead for further, more serious intrusions.
But was it really possible to trace these violations of data privacy to state-sponsored espionage? In August 2011, Dmitri Alperovitch, Vice-President of Threat Research at the antivirus company McAfee, published a ground-breaking paper ‘Revealed: Operation Shady Rat’. It was an investigation into the hacking of over 70 global corporations and government bodies – 49 of which were based in the US. Alperovitch described how hackers used often simple remote access tools to steal important commercial and government data. He noted that the report dealt only with ‘one specific operation conducted by a single actor/group,’ but did not specify to which country the group was affiliated.
‘We have seen a steady ramping up of cyber security threats. Some are state sponsored. Some are just sponsored by criminals’
US President Barack Obama
The second study, by Mandiant, ‘APT1: Exposing one of China’s Cyber Espionage Units’, pointed the finger squarely at state-sponsored Chinese espionage. It called the group described in the report APT1, which refers to the security term ‘advanced persistent threat’. It operated, Mandiant said, out of the Pudong New Area of Shanghai and comprised the People’s Liberation Army Unit 61398. ‘We estimate that Unit 61398 is staffed by hundreds, and perhaps thousands of people based on the size of the Unit 61398’s physical infrastructure,’ it wrote. Mandiant calculated that this group had single-handedly been behind 141 successful security penetrations on organisations since 2006 – 87 per cent of these in countries where English is the native language.
Despite the possibility that the hackers could ‘hop’ from servers and cover their physical location, Mandiant was willing to conclude that the group must have been operating with the full knowledge and cooperation of China’s government: ‘Either a secret, resourced organization full of mainland Chinese speakers with direct access to Shanghai-based telecommunications infrastructure is engaged in a multi-year, enterprise scale computer espionage campaign right outside of Unit 61398’s gates, performing tasks similar to Unit 61398’s known mission – or, ATP1 is Unit 61398.’
Rob Sloan has been professionally engaged in the Chinese hacking question for ten years – both for government agencies and in his current capacity as Head of Response at Context Information Security. He has little doubt that the activity is state sponsored.
‘They have got this down to a fine art, have been doing it a long time and are getting better and slicker at it,’ he says. ‘To get it that organised, it has to be military – there is a lot of boring work and you wouldn’t be able to get people to do such repetitive tasks over such a long period while keeping their mouths shut without that sort of organisation.’
He says any company engaged with something that China would like to produce, buy or compete against is a potential target. And that it is impossible to prevent security breaches against such levels of well-organised activity. That is because sensitive data may be distributed across many subsidiary companies, suppliers and customers.
‘Someone in the organisation just needs to click on the wrong attachment or website link and security is compromised,’ he says. Once the hackers have breached the system, they go through a series of set procedures to gain a firm foothold, find the data they want and extract it – much of the time undetected.
Joseph Steinberg, Chief Executive of Green Armor Solutions, an online security firm, is more circumspect about tracing the data security breaches to a specific group, but agrees that the phenomenon is a real problem. ‘If you are an upcoming power, it’s far easier, faster and less expensive to steal information than to reinvent the wheel,’ he says. ‘And if you don’t have security around intelligence, it is going to happen to you.’
‘Chinese perspectives on the accusations leveled against China emphasise US cyber espionage and attempts to impose its interests and values on other countries through political and military cyber dominance’
Professor, Indiana University Maurer School of Law
What makes it equally attractive, he says, is that tracing either the data breaches or the purpose to which the information may be put is extremely unlikely. ‘If a new product comes onto the market, for example, it is very difficult to identify where the producers got the information from to make it,’ he says. ‘There is not always going to be a simple one-to-one correlation.’ Similarly, he says, the Chinese authorities only need to turn a blind eye to hacking to benefit from it: ‘Indirect support gives the authorities plausible deniability.’
And denying the allegations is what Geng Yansheng, a spokesman with the Chinese Ministry of Defence, did. He told reporters at a media briefing in Beijing in February: ‘US cyber security firm Mandiant’s report is groundless both in facts and legal basis.’ China’s armed forces had never backed any hacking activities, he said, and the report had merely shown that the attacks were linked to internet protocol (IP) addresses based in China. Furthermore, he argued, the report lacked legal basis because it only catalogued routine cybercrimes and did not prove espionage. Geng said cyber-attacks were transnational, anonymous and deceptive with their source often difficult to identify.
President Obama’s careful avoidance of the rhetoric of ‘cyber war’ underlines the US’s own reluctance to break the international practice of refusing to treat online espionage as the violation of state sovereignty, or as a use of force against a nation under international law. His strategy is to strengthen domestic law – such as the bill proposed by Mike Rogers – security best practices and international cooperation on combatting cybercrime.
David Fidler, professor at the Indiana University Maurer School of Law, wrote recently that neither the US’s own Economic Espionage Act 1996, nor the World Trade Organization’s intellectual property laws were likely to prove effective against state-sponsored espionage. The US’s inability categorically to prove state involvement, link infringements to specific intellectual property rights or to bring specific people to trial all counted against it, he argued in the March 2013 issue of Insights, a publication of the American Society of International Law.
‘Chinese perspectives on the accusations leveled against China emphasize the extent of US cyber espionage and Chinese perceptions of American attempts to impose its interests and values on other countries through political and military cyber dominance,’ he concluded.
Evidence of US cyber espionage is likely to be equally difficult to prove categorically. But the US authorities, such as the National Security Agency, have been accused of prying into the internet activity of its private citizens and those of foreign nationals. As the IBA reported on its website in February this year (see ‘US surveillance of cloud data cause for European concern’), provisions contained in the Foreign Intelligence Surveillance Act of 1978, Amendment Act of 2008 (FISAAA) give federal agencies access to any data held on computer servers that fall under US jurisdiction. Congress had made this activity legal in 2008 and again in 2012.
Amnesty International, the American Civil Liberties Union and others have challenged the lawfulness of the extent and use of such warrantless wiretapping. The case, Clapper v Amnesty International, No 11-1025, reached the Supreme Court in February, which ruled in a 5-4 decision that government powers under FISAAA were not subject to challenge. The Court did not make a judgment on the substance of whether the activity was constitutional or not, instead it focused on the legal basis of the plaintiffs’ right to stand.
Under FISAAA section 1881a, government agencies can electronically eavesdrop on the phone calls of American citizens and read their emails without a probable cause warrant, provided that one of the parties to the communication is outside the US. The communication may be intercepted ‘to acquire foreign intelligence information.’ Although the Foreign Intelligence Surveillance Court, which rubber-stamps such secret requests, monitors the process the actual intercepts can take place up to a week before the agency makes its activity known.
Journalists who were party to the action claimed that the surveillance violated their rights under the Fourth Amendment, which bars unreasonable searches.
But Justice Samuel Alito, in handing down the judgment, wrote, ‘Respondents have no actual knowledge of the Government’s section 1881a targeting practices. Instead, respondents merely speculate and make assumptions about whether their communications with their foreign contacts will be acquired under section 1881a.’ He said that the plaintiffs had no right to stand because they could not show that any actual harm had occurred.
‘This ruling is the end of the road for litigation on the issue,’ says Stephen Vladeck, a professor of law at American University. ‘The ball is now in Congress’s court, which historically has been the principal actor for protecting privacy.’
Since action from Congress is unlikely, he says, the only way to find out in future if government agencies abuse their powers would be if one ‘makes a mistake accidentally, or makes a disclosure’. To date, he said, the government had brought ‘zero cases’ using evidence collected under FISAAA.
He remains concerned about the unintended consequences of such surveillance. ‘The intention of surveillance has to be foreign intelligence – terrorism or espionage – but the problem is there is no constraint about what they sweep up by accident. Even without specifically targeting someone, they can sweep up huge amounts of data.’
Protecting privacy in the cloud
The strategy has caused waves in Europe where the European Parliament is currently redrafting its own data privacy laws, which have remained largely unchanged since 1995. A multi-authored report to the parliament, Fighting cybercrime and protecting privacy in the cloud, pointed out that FISAAA effectively ‘authorized mass surveillance of foreigners’ on popular cloud services, including those offered by Amazon, Apple, Google and Microsoft, because their services came under the jurisdiction of the US authorities.
‘Someone in the organisation just needs to click on the wrong attachment or website link and security is compromised’
Head of Response, Context Information Security
Given that European Union officials were unaware of the extent of the US’s powers under FISAAA until mid-2011, according to the report, it is not certain how the Data Protection Regulation will turn out. At present, data protection in Europe is enshrined in the Data Protection Directive, which forbids organisations to collect, use or store data without the subject’s consent. In theory, the laws in all of the European Union’s 27 Member States should harmonise around that principle, in practice they do not.
‘It’s simply a nightmare from a legal perspective,’ says Christian Hamann, Counsel at the German law firm Gleiss Lutz. He says that the transfer of employment data between subsidiaries of the same company located in two different European countries can be extremely onerous. He supports the idea that the new law will be enshrined in a Regulation because it will force harmonisation around the principle of protecting an individual data rights while allowing smoother flows of information – something that is not possible under the existing Directive.
He also believes the new Regulation should protect the data rights of European citizens against excessive government prying within the European Union. However, he says that FISAAA circumvents the usual ‘safe harbour’ arrangements between the European Commission and the US government. That means that even if there were contractual agreements with US cloud companies, for example, not to divulge the data of European citizens, they would not be effective.
‘An American data importer may sign a contract not to give data to the US government,’ he says, ‘then along comes a federal agency and simply puts a pistol to the temple of the CEO and says, “give me the data”. This is not a problem EU regulation can solve unilaterally.’
Given that both Chinese hacking intrusions and the surveillance of private data by US government agencies are not subject to legal challenge, citizens and organisations are turning to alternative technologies. One example is Silent Circle, a company that offers a ‘surveillance-proof’ smartphone app that enables people to make secure phone calls, and send encrypted texts and data. The software transmits the data then burns it off the device. The company claims that human rights reporters have already road-tested the technology in places such as Afghanistan and Jordan.
Another company, Privax, offers clients a virtual private network and other services so that they can use the internet, transfer data and send emails anonymously. Danvers Baillieu, the company’s Chief Operating Officer, says that because the company uses servers distributed around the globe, authorities would have to approach its office in the UK to obtain the information they wanted to access. ‘They would have to go through the British justice system to do that,’ he says, ‘which is not impossible, but difficult and public.’ He says the company has a growing number of competitors in Europe and globally, suggesting an increasing awareness that citizens must take more responsibility for the security of their own data.
Arthur Piper is a freelance journalist. He can be contacted at email@example.com