Remember "Ocean's Eleven," where George Clooney's character Danny Ocean masterminds an elaborate heist of the posh Bellagio casino in Las Vegas?
Mr. Ocean and his accomplices used social engineering, technical smarts, and strategically placed insiders to penetrate the Bellagio’s comprehensive, state-of-the-art security system and abscond with $160 million. In "Ocean’s Eleven" even the best defenses could not immunize the organization against penetration by concerted adversaries.
It is in this regard that "Ocean's Eleven" should serve as a cautionary tale to cybersecurity policymakers.
For more than a decade, US cybersecurity policy has focused on defense – using stronger locks and taller fences to protect government and corporate crown jewels from cyberintruders. A great deal of time and money has been spent beefing up cyberdefenses to prevent network intrusions. And there's reason to believe that certain defensive actions significantly enhance network security.
Consider, for example, the so-called "Australian Top 4." Those are the four defensive measures the Australian Signals Directorate says could prevent at least 85 percent of the targeted cyberintrusions to which it responds. The Top 4 requires, among other things, patching high-risk vulnerabilities within 48 hours and minimizing administrative privileges. Sure, defensive measures can prevent some cyberintrusions.
But even the best cyberdefenses are no match for certain intruders – nation-states such as China, Russia, Iran, and North Korea – and other concerted adversaries willing to go to almost any expense to penetrate specific networks of value to them.
Imagine, for example, that a group of Chinese government-backed hackers is targeting a specific US defense contractor’s data. The hackers will not give up and move on to a different target simply because the defense contractor hardens its networks. More than a decade has passed since the discovery of Operation Moonlight Maze (1998), Byzantine Hades (2002), Operation Titan Rain (2003), and other cyberespionage operations allegedly orchestrated by China. Yet, despite ever-increasing government and private sector investments in network defenses, we don’t appear to have made much headway on the nation-state sponsored cyberespionage problem.
Recent media reports allege that a number of foreign hacking groups – Dragonfly, Newscaster, Axiom, and Unit 61398 to name just a few – are engaged in sophisticated, multiyear cyberespionage campaigns against a variety of US military and commercial targets.
Reports from US cybersecurity firms have offered a rare glimpse into the activity of these hacking groups. We have learned, for example, that Dragonfly (a.k.a. Energetic Bear) is a well-resourced, likely Russian government-backed, group of hackers engaged in a multiyear cyberespionage campaign that targeted defense and aviation firms before turning its attention to the energy sector in 2013.
Newscaster, a cyberespionage campaign that US researchers recently linked to Iran, has stealthily targeted US military contractors as well as senior US military and diplomatic personnel since 2011. Axiom is a group of highly skilled hackers allegedly backed by the Chinese government. The group is believed to have victimized Fortune 500 companies, governments, and other targets worldwide for at least six years.
People’s Liberation Army (PLA) Unit 61398 is allegedly a Chinese military hacker unit whose existence was exposed by US cybersecurity firm Mandiant in February 2013. Five members of Unit 61398 were indicted in the US this past May on charges of hacking and economic espionage against US industrial giants including Alcoa (the largest aluminum company in the US), US Steel (the largest steel company in the US), and Westinghouse Electric.
In July 2013, McAfee Labs issued a report exposing a massive cyberespionage operation – dubbed Operation Troy – designed to steal sensitive South Korean military and government data. While McAfee's report did not publicly name North Korea as the culprit, the evidence provided pointed to North Korea, and experts generally agree that the operation was attributable to North Korean state-sponsored hackers.
Now, in the wake of the recent Sony Pictures hack, there's renewed interest in Unit 121 of the North Korean People's Army, an alleged military hacking unit of which the US has been aware for more than a half dozen years. Unit 121 is tasked, among other things, with military cyberespionage.
Despite efforts to strengthen our cyberdefenses, cyberespionage continues. In some cases, our adversaries defeat our improved defenses; in other cases, they simply avoid them. For example, adversaries frequently rely on social engineering – tricking people into disclosing information they should not so that the adversary can gain their targets' trust and compromise their networks – a tactic against which it can be quite difficult to defend as it requires, among other things, extensive employee education and awareness.
Our adversaries’ continued success with cyberespionage suggests that, by themselves, stronger locks and taller fences are not enough to stop targeted attacks by determined adversaries; threat deterrence is essential. The goal of threat deterrence is to make cyberespionage so costly that it no longer pays. Cyberespionage can be made more costly through improved detection, attribution, and punishment of cyberintruders.
First, improved detection of cyberintruders is important because a high probability of being discovered can serve as an effective deterrent to would-be intruders.
Second, while effective threat deterrence does not require perfect attribution, we must identify cyberintruders with enough confidence to pursue sanctions, civil litigation, criminal prosecution, and other actions that will make cyberespionage more costly to our adversaries.
Lastly, we must penalize cyberintruders, whether through criminal prosecutions, trade sanctions, or civil litigation designed to recoup damages from foreign industry recipients of stolen intellectual property.
Shifting from a defense-dominated cybersecurity strategy to one that embraces threat deterrence will not be without challenges, but it is essential if we are to secure cyberspace for the future.
Melanie Teplinsky teaches information privacy law at the American University Washington College of Law as an adjunct professor. She started her career in cybersecurity in 1991 as an analyst at the National Security Agency.