“Now our enemies are also seeking the ability to sabotage
our power grid, our financial institutions, and our air traffic control
systems. We cannot look back years from now and wonder why we did nothing in
the face of real threats to our security and our economy.”
With these words in his 2013 State of the Union address,
Barack Obama officially became the first U.S. cyberwarfare president. Obama was
about to sign the Improving Critical Infrastructure Cybersecurity executive
order, which allows companies associated with the supervision of electrical
grids, dams, and financial institutions to voluntarily join a program to
receive classified and other cyber security threat information previously
available only to government contractors. The main drawback is that legislation
can only enforce minimum security requirements for private sector companies,
which operate most U.S. critical infrastructure. Unfortunately, Congress, in
2012, had failed to pass two cyber security bills that were much stronger,
bowing to pressures from business worried about stepped-up security costs and
concerns raised by privacy advocates.
Cyberwarfare is more complex than conventional warfare.
Although many potential targets are military, a country’s power grids,
financial systems, and communications networks can also be crippled. Non-state
actors such as terrorists or criminal groups can mount attacks, and it is often
difficult to tell who is responsible. Nations must constantly be on the alert
for new malware and other technologies that could be used against them, and
some of these technologies developed by skilled hacker groups are openly for
sale to interested governments.
The scale and speed of cyber attacks have escalated in the
United States and other parts of the world. From September 2012 through March
2013, at least twelve U.S. financial institutions—Bank of America, Citigroup,
Wells Fargo, U.S. Bancorp, PNC, Capital One, Fifth Third Bank, BB&T, HSBC,
J.P. Morgan Chase, and American Express—were targeted in attacks that slowed
their servers to a crawl and then shut them down. The severity of the attacks
dwarfed previous distributed denial of service (DDoS) attacks. The data centers
of these organizations had been infected with a long-available malware agent
named Itsoknoproblembro, which creates botnets of slave servers, dubbed bRobots
because they are so difficult to trace back to a command and control (C&C)
server. The bRobots inundated the bank Web sites with encrypted data. Because
each encrypted request forces the server to perform costly cryptographic work, a
flood of such requests immensely intensifies attack effectiveness, enabling the
attackers to take down a site with fewer requests.
The goal of the attacks was to inflict an unprecedented
level of strain on as many financial institutions as possible. No account
information was stolen and no financial gain sought, leading experts to think
it was a state-sponsored attack. The hacker group Izz ad-Din al-Qassam Cyber
Fighters claimed responsibility, stating that it was retaliating for an
anti-Islam video. U.S. government officials believe the perpetrator is actually
Iran, retaliating for economic sanctions imposed to halt its nuclear program
and for what it believes were U.S. cyber attacks.
In August 2012, the Shamoon virus infected 30,000 machines
at the Saudi Arabian oil company Aramco. It destroyed workstations by overwriting
the master boot record (MBR), which stores key information about a hard disk
drive to help a computer system start up. Shamoon also deleted data on servers,
and overwrote certain files with an image of a burning American flag. U.S.
officials attributed the attack to Iran.
Less than two weeks later, the Qatari natural gas company
RasGas was forced to shut down its Web site and e-mail systems in an attack
initially also attributed to Shamoon. An investigative team concluded it was
likely a copycat attack trying to look like the same perpetrator. U.S.
government officials blamed Iranian hackers. Israeli officials attributed both
attacks to Iran’s Cyber Corps, formed after Stuxnet.
Believed to have been developed by a secret joint United
States-Israel operation, the Stuxnet worm was discovered in June 2010. It was
designed to disable the software that controls the Siemens centrifuges used to
enrich uranium, and it reportedly delayed Iran’s ability to make nuclear arms by as
much as five years. Iran has also been the target of other malware. The Duqu
worm, discovered in September 2011, steals digital certificates used for
authentication to help future viruses appear as secure software. In April 2012,
other espionage malware closely related to Stuxnet and Duqu called Flame was
discovered when hard drives at the Iranian Oil Ministry and National Iranian
Oil Company were wiped clean. Four months later, investigators found that the
data deletion agent they had been looking for when they discovered Flame was a
separate malware agent they named Wiper. Investigators believe that Wiper’s
first objective is to eradicate the malware created by this group.
Cyber offensives come with a considerable downside.
Previously released malware is recoverable and can be adapted and reused by
both nation-state foes and unaffiliated cyber criminals. Stuxnet code has been
adapted for use in financial cybercrime. Another drawback is uncontrollability.
About 60 percent of known Stuxnet infections were in Iran, but 18 percent were
in Indonesia, 8 percent in India, and the remaining 15 percent scattered around
the world. In November 2012, Chevron admitted that its network had been
infected with Stuxnet shortly after it spread beyond Iran.
To U.S. officials, these recent Iranian attacks signaled a
shift in Iranian policy from cyber defense to cyber offense. After investing
approximately $1 billion in its Cyber Corps in 2012 (still just a third of
United States expenditures), Iran may have arrived as a first-tier cyber power.
China has been a first-tier cyber power for years. U.S.
targets of suspected Chinese cyber attacks include federal departments
(Homeland Security, State, Energy, Commerce); senior officials (Hillary
Clinton, Adm. Mike Mullen); nuclear-weapons labs (Los Alamos, Oak Ridge);
defense contractors (Northrop Grumman, Lockheed Martin); news organizations
(the Wall Street Journal, the New York Times, Bloomberg), technology firms
(Google, Adobe, Yahoo), multinationals (Coca-Cola, Dow Chemical), and just
about every other node of American commerce, infrastructure or authority.
Hackers have obtained sensitive information such as negotiation strategies of
major corporations; designs of more than two dozen major U.S. weapons systems,
including the advanced Patriot missile system, the Navy’s Aegis ballistic
missile defense systems, the F/A-18 fighter jet, the V-22 Osprey, the Black
Hawk helicopter and the F-35 Joint Strike Fighter; and the workings of America’s
power grid, possibly laying groundwork for acts of sabotage. Cyberattacks from
China and other nations have persisted because the U.S. has difficulty
defending its information systems, cyberspace is not yet subject to
international norms, and years of intrusions have provoked little American
response.
Investigators believe that in September 2012, one of the
elite hacking groups from China’s People’s Liberation Army (P.L.A.) attacked
Telvent, a company that monitors utility companies, water treatment plants, and
over half the oil and gas pipelines in North America. Six months later, Telvent
and government investigators still didn’t know if the motive was espionage or
sabotage. U.S. intelligence experts believe that China’s U.S. investments,
particularly new, substantial investments in oil and gas, deter China from
infrastructure attacks. China’s economy could not escape the negative
consequences from a significant shutdown of U.S. transportation systems or
financial markets. Iran, with no U.S. investments, is a much greater threat.
Moreover, diplomatic channels are open with China.
Less than a week after Obama’s State of the Union address,
security firm Mandiant released details on a group it dubbed “APT1.” Mandiant
traced APT1 to a building in Shanghai that documents from China Telecom
indicate was built at the same time as the General Staff Department’s 3rd
Department, 2nd Bureau—the military hacking unit, P.L.A. Unit 61398. Outfitted
with a high-tech fiber optic infrastructure, this 12-story white office tower
was said to be the origin of a six-year offensive that infiltrated 141
companies across 20 industries.
The Obama administration’s mounting concern with the
economic and national security risks posed by cyber-intrusions has repeatedly
been expressed to top Chinese officials. In May 2013, the Pentagon’s annual
report to Congress for the first time directly accused the Chinese government
and P.L.A. of attacking U.S. government and defense contractor networks. In May
2014, the U.S. charged five Chinese military officials with hacking into six
U.S. steel, solar and nuclear companies and a labor organization for trade
secrets and other information.
Two months earlier, however, North Korea, another budding
cyberwarfare adversary, was accused of launching its most damaging attack to
date. Despite obstacles limiting its ability to develop expertise, including
sanctions, which restrict its access to technology, and a limited talent pool
due to meager Internet penetration and restrictive access policies, North Korea
is believed to have perpetrated attacks on both South Korean and American
commercial, educational, governmental, and military institutions. In March
2013, 32,000 computers at three major South Korean banks and the two largest
television broadcasters were affected. Internet banking sites were temporarily
blocked, computer screens went blank, ATMs failed, and commerce was
disrupted.
The attackers used the Chinese-written Gondad exploit kit to
infect PCs with a Trojan horse that provides an entryway for an attacker to
take control of the machine, creating a bot or zombie computer. Once the
digital backdoor is created, the controller can deposit a malware payload, in
this case, a wiper agent named Dark Seoul. Like Shamoon, Dark Seoul overwrites
the master boot record (MBR). There is no conclusive evidence implicating North
Korea, but tensions had been escalating between the two countries. The Kim
Jong-un administration had expressed fury in the days leading up to the attack
over ongoing, routine joint Korea/United States military training exercises,
exacerbated by South Korea’s participation in U.S.-spearheaded United Nations
sanctions against North Korea for its nuclear test the month before. Seoul
contends that Pyongyang has committed six previous cyber attacks since 2009.
Security experts at South Korea’s newly formed cyber security command center
believe that North Korea has been assembling and training a cyberwarrior team
of thousands, and the United States agrees. For North Korea, the threat of cyber
retaliation is negligible. Internet access is only now extending beyond a
privileged few, businesses are just beginning to adopt online banking, and
worthwhile targets are virtually nonexistent.
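As an added illustration (not from the case or its sources) of what an MBR wiper such as Shamoon or Dark Seoul destroys, the Python below parses the 512-byte MBR layout the case refers to and checks a freshly read boot sector against a baseline hash; the sample MBR, the wiped image and the baseline hash are all constructed here.

```python
import hashlib
import struct

MBR_SIZE = 512          # legacy MBR occupies the first disk sector
PART_TABLE_OFFSET = 446 # 446 bytes of boot code, then 4 x 16-byte entries
BOOT_SIG_OFFSET = 510   # 2-byte boot signature 0x55AA closes the sector


def parse_mbr(mbr: bytes) -> dict:
    """Decode the partition table and boot signature of a 512-byte MBR."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    sig_ok = mbr[BOOT_SIG_OFFSET:] == b"\x55\xaa"
    parts = []
    for i in range(4):
        # entry: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", mbr, PART_TABLE_OFFSET + 16 * i)
        if ptype != 0:  # type 0 marks an unused slot
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return {"signature_ok": sig_ok, "partitions": parts}


def check_mbr(mbr: bytes, baseline_sha256: str) -> str:
    """Classify a re-read MBR against a hash recorded at baseline time.
    'destroyed' (signature or table gone) is the fingerprint of a wiper;
    'modified' means the layout still parses but the sector changed."""
    info = parse_mbr(mbr)
    if not info["signature_ok"] or not info["partitions"]:
        return "destroyed"
    if hashlib.sha256(mbr).hexdigest() != baseline_sha256:
        return "modified"
    return "ok"


def build_sample_mbr() -> bytes:
    """Constructed sample: one bootable NTFS-type (0x07) partition at LBA 2048."""
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    boot_code = b"\xeb\xfe" + b"\x90" * 444  # constructed: jmp $ plus NOP padding
    return boot_code + entry + b"\x00" * 48 + b"\x55\xaa"


SAMPLE_MBR = build_sample_mbr()
BASELINE = hashlib.sha256(SAMPLE_MBR).hexdigest()  # hash taken at "baseline"
WIPED_MBR = b"\x00" * MBR_SIZE      # constructed stand-in for an overwritten sector
TAMPERED_MBR = b"\x90" + SAMPLE_MBR[1:]  # one boot-code byte changed, table intact

if __name__ == "__main__":
    for name, img in (("sample", SAMPLE_MBR), ("wiped", WIPED_MBR),
                      ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(img, BASELINE))
```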
The Obama administration has begun helping Asian and Middle
Eastern allies build up their computer network defenses against Iran and North
Korea, including supplying advanced hardware and software and training
programs. Future joint war games would include simulated cyber attacks. But
deterring cyber attacks is a far more complex problem than conventional
warfare, and U.S. officials concede that this effort is an experiment.
While increased diplomatic pressure and the intertwined
nature of the world’s two largest economies may yield a practicable agreement
between China and the United States, how to deal with the so-called “irrational
actors,” Iran and North Korea, is thornier. Since China is North Korea’s
biggest trading partner and most important ally, hammering out an agreement
with China may be the first step towards managing North Korea. While Iran is
diplomatically isolated, China depends on it to meet its energy needs. China
walks a tightrope between exploiting the sanctioned Iranian economy and
following the U.N. sanctions for which it voted. It just may be that the road
to agreements with both Pyongyang and Tehran runs through Beijing. Meanwhile,
the military command responsible for most U.S. cyber war efforts, U.S. Cyber
Command (CYBERCOM), is slated for a 500 percent manpower increase between 2014
and 2016 and all of the major combat commands in the United States military
will share dedicated forces to conduct cyberattacks alongside their air, naval
and ground capabilities.
Sources: Devlin Barrett and Siobhan Gorman, “U.S. Charges
Five in Chinese Army With Hacking,” Wall Street Journal, May 19, 2014; John
Torrisi, “Cyberwarfare: Protecting ‘Soft Underbelly’ of USA,” CNBC.com, May 15,
2014; Matthew L. Wald, “Report Calls for Better Backstops to Protect Power Grid
From Cyberattacks,” New York Times, March 2, 2014; David E. Sanger, “N.S.A.
Nominee Promotes Cyberwar Units,” New York Times, March 11, 2014; Julian E.
Barnes, Siobhan Gorman, and Jeremy Page, “U.S., China Ties Tested in
Cyberspace,” Wall Street Journal, February 19, 2013; Thom Shanker and David E.
Sanger, “U.S. Helps Allies Trying to Battle Iranian Hackers,” New York Times,
June 8, 2013; Mark Clayton, “New Clue in South Korea cyberattack reveals link
to Chinese criminals,” Christian Science Monitor, March 21, 2013; Siobhan
Gorman and Siobhan Hughes, “U.S. Steps Up Alarm Over Cyberattacks,” Wall Street
Journal, March 12, 2013; Siobhan Gorman and Julian E. Barnes, “Iran Blamed for
Cyberattacks: U.S. Officials Say Iranian Hackers Behind Electronic Assaults on
U.S. Banks, Foreign Energy Firms,” Wall Street Journal, October 12, 2012; Choe
Sang-Hun, “Computer Networks in South Korea Are Paralyzed in Cyberattacks,” New
York Times, March 20, 2013; Rachael King, “Stuxnet Infected Chevron’s IT
Network,” Wall Street Journal, November 8, 2012; Mark Landler and David E.
Sanger, “U.S. Demands China Block Cyberattacks and Agree to Rules,” New York
Times, March 11, 2013; Nicole Perlroth, David E. Sanger and Michael S. Schmidt,
“As Hacking Against U.S. Rises, Experts Try to Pin Down Motive,” New York
Times, March 3, 2013; Nicole Perlroth and Quentin Hardy, “Bank Hacking Was the
Work of Iranians, Officials Say,” New York Times, January 8, 2013; Nicole
Perlroth and David E. Sanger, “Cyberattacks Seem Meant to Destroy, Not Just
Disrupt,” New York Times, March 28, 2013; David E. Sanger, David Barboza and
Nicole Perlroth, “Chinese Army Unit Is Seen as Tied to Hacking Against U.S.,”
New York Times, February 18, 2013; and David E. Sanger and Nicole Perlroth,
“Cyberattacks Against U.S. Corporations Are on the Rise,” New York Times, May
12, 2013.
EVALUATION: Apply the concepts from the appropriate chapter.
Hint: The appropriate chapter is the same number as your case. Be sure to use
specific terms and models directly from the textbook in analyzing this case and
include the page in the citation. (15 points)
1 page
