The computerized critical infrastructure of the US is "severely threatened" by malicious cyberattacks now occurring on an "unprecedented scale with extraordinary sophistication."
That's the headline Dennis Blair, director of national intelligence, offered the Senate Select Committee on Intelligence Tuesday. But it was the largely unreported details he unpacked that could provide the wake-up call for government and private industry, whose computer networks he says are now under persistent and subtle assault.
In his remarks, Mr. Blair concluded that:
• Sensitive information is “stolen daily from both government and private sector networks.”
• Investigations are finding "persistent, unauthorized, and at times unattributable presences on exploited networks, the hallmark of an unknown adversary...."
• The US cannot be certain its cyberspace infrastructure will be available and reliable in a crisis.
• The US and the world face greater vulnerability to disruption as a result of the trend toward convergence of voice, facsimile, video, computers, and controls that operate critical infrastructure on a single network: the internet. These include banking, power, and water supplies.
• Cyberthreats are increasingly subtle and sophisticated. Last year saw the deployment of “self-modifying malware, which evolves to render traditional virus detection technologies less effective.”
Such attacks are already happening, confirmed Daniel Geer, chief information security officer for In-Q-Tel, a nonprofit venture capital firm funded by the Central Intelligence Agency, at a security conference for the oil and gas industry in Houston in November. Other cybersecurity experts cite a growing threat from so-called "polymorphic" spyware that can change its digital signature to millions of different combinations to evade identification by anti-virus software.
In this new scenario, a single piece of malware often has multiple characteristics. Its digital signatures can morph to evade detection. At the same time, it can spin off decoys intended to be caught to make it appear as if an attack has been thwarted.
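To make the detection problem described above concrete, here is an added illustration that is not part of the original article. It uses a constructed, harmless "payload" string and a hypothetical invariant decoder marker to simulate how each polymorphic variant changes its bytes (and therefore its file hash) while the small decoding routine stays the same. It then contrasts three defender-side checks: a whole-file hash signature (only catches variants already seen), a byte signature on the invariant stub, and a simple emulation that runs the decoding step and inspects the result. All names, markers and sample data are assumptions made for the example.

```python
import hashlib

# Constructed sample data: a benign "payload" and a hypothetical invariant
# decoder marker. Neither is real malware; both exist only for this demo.
PAYLOAD = b"constructed benign payload: hello from the demo"
DECODER_STUB = b"\x00DECODE\x00"    # the part a polymorphic engine leaves unchanged
PAYLOAD_MARKER = b"benign payload"  # what a scanner looks for once the body is decoded


def make_variant(key: int) -> bytes:
    """Simulate one polymorphic variant: same stub, payload XOR-encoded under a per-variant key."""
    if not 1 <= key <= 255:
        raise ValueError("key must be a single non-zero byte")
    encoded = bytes(b ^ key for b in PAYLOAD)
    return DECODER_STUB + bytes([key]) + encoded


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_signature_match(sample: bytes, known_hashes: set) -> bool:
    """Classic whole-file hash signature: matches only variants already catalogued."""
    return sha256_hex(sample) in known_hashes


def stub_signature_match(sample: bytes) -> bool:
    """Byte signature on the invariant part the polymorphic engine does not rewrite."""
    return DECODER_STUB in sample


def emulated_payload_match(sample: bytes) -> bool:
    """Mimic an emulating scanner: perform the decoding step, then inspect the plaintext."""
    if not sample.startswith(DECODER_STUB):
        return False
    body = sample[len(DECODER_STUB):]
    if not body:
        return False
    key, encoded = body[0], body[1:]
    decoded = bytes(b ^ key for b in encoded)
    return PAYLOAD_MARKER in decoded


def distinct_hashes(n_variants: int) -> int:
    """How many different file hashes n variants of the same payload produce."""
    return len({sha256_hex(make_variant(k)) for k in range(1, n_variants + 1)})


if __name__ == "__main__":
    seen = {sha256_hex(make_variant(0x41))}          # the one variant an AV vendor has seen
    new_variant = make_variant(0x42)                # the next variant in the wild
    print("hash signature catches new variant:    ", hash_signature_match(new_variant, seen))
    print("stub signature catches new variant:    ", stub_signature_match(new_variant))
    print("emulated decode catches new variant:   ", emulated_payload_match(new_variant))
    print("distinct hashes across 255 variants:   ", distinct_hashes(255))
```

The point for defenders is that the per-sample hash is the weakest invariant available: every variant yields a new hash, so a blocklist of hashes only ever trails the attacker. The decoding routine and the decoded payload are what stay constant, which is why signature engines moved toward matching code structure and emulating unpacking rather than fingerprinting whole files.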
The recent sophisticated attacks on Google should be a "wake-up call,” Blair said. His remarks echoed recent reports that show the problem is not only coming from clever hackers, advanced viruses, or organized cybercrime gangs – but from “nation states,” too.
"Many [of the most sophisticated attackers] have the capabilities to target elements of the US information infrastructure for intelligence collection, intellectual property theft, or disruption," Blair said.
Countries see repeated cyberattacks
More than half of the 600 IT managers operating critical infrastructure in 14 countries reported being recently hit by "high-level" adversaries such as organized crime, terrorists or nation states, according to a new global survey of information technology executives by the Center for Strategic and International Studies in Washington late last month.
A majority of the group hit, 59 percent, said they thought their computer networks and controls systems were under "repeated cyberattack, often from high-level adversaries like foreign nation-states."
Blair's comments might be news to the Senate, but cybersecurity experts face these threats daily. The "persistent" threat he referred to, for instance, is known widely as the "Advanced Persistent Threat" or APT within the security community. It's also shorthand for state-sponsored "foreign intelligence" operations and sometimes just "China."
"These are not ‘slash-and-grab jobs’,” says Rob Lee, a director at Mandiant, a leading cyber security firm. "The goal of the intruder is to occupy the network. These are professionals, not people doing this at night. This is someone's full-time job from the initial breach to lateral movement across the network, the actual occupation, then the exfiltration of data - there are clear lines of responsibility between different actors going on."
Is China to blame?
According to Mr. Lee and other experts, the common thread in the APT is connected to China. Among 40-45 very sophisticated attacks in the past year, about two-thirds were “China related,” he said.
Shawn Carpenter, principal forensics analyst at NetWitness Corporation, concurs. He says that in a number of cases he has traced malware code back to Chinese hacker sites and to Chinese character sets in software compilers used to create the code. "You can put together some pretty compelling links that trace their way back to China," he says.