Iscs-M3

Watch the video below and read the associated Case Study file included at the bottom of this
page. State your position on the 2 questions posed at the end of the Case Study and and be sure
to support your answers with at least 2 properly cited external references per question. Include a
single bibliography with the references for both questions.
CNBC – Cyber Espionage: The Chinese Threat Links to an external site.
Bloomberg Article: (this article is very long, scanning it to get an idea of what it is about is
probably sufficient – but it is a great read if you have time to digest it completely)
https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tinychip-to-infiltrate-america-s-top-companies?leadSource=uverify%20wallLinks to an external site.
CASE
Cyberespionage is very different from cyberwarfare. The objective in cyberespionage is to,
without detection, gain access to computer systems that contain valuable commercial and/or
military information; to remain in place for continuous data gathering; and to remove data from
the target system. The point is not to destroy enemy systems, but instead to collocate inside them
and continuously drain information. This is similar to the goals of the British intelligence agency
MI6 during World War II, when they broke the military codes of the Germans quite early in the
war. MI6 spent a great deal of effort to ensure the Germans never discovered their
communications were being closely monitored and intercepted for over four years. In contrast,
the objective of cyberwarfare is to destroy and disrupt enemy capabilities. When cyberwarfare
succeeds, the very fact of succeeding permits the enemy to become aware of the intrusion and
take steps to defend itself.
In a report on foreign economic espionage in cyberspace by the National Counterintelligence and
Security Center (NCSC), national security officials concluded that foreign collectors of sensitive
economic information are able to operate in cyberspace with relatively little risk of detection by
their private sector targets. The proliferation of malicious software, prevalence of cyber tool
sharing, use of hackers as proxies, and routing of operations through third countries make it
difficult to attribute responsibility for computer network intrusions. Cyber tools have enhanced
the economic espionage threat, and the Intelligence Community (IC) judges the use of such tools
is already a larger threat than more traditional espionage methods.
The threat comes from adversaries as well as partners. Allegedly, according to American and
European media and governments, Chinese actors are the world’s most active and persistent
perpetrators of economic espionage. U.S. private sector firms and cybersecurity specialists have
reported an onslaught of computer network intrusions that have originated in China, but the
intelligence community cannot definitively confirm who is responsible because of the possibility
that the attacks originate elsewhere but use compromised Chinese computers to implement the
attacks. Russia’s intelligence services come in second place. They are also conducting a range of
activities to collect economic information and technology from U.S. targets. In addition, some
U.S. allies and partners use their broad access to U.S. institutions to acquire sensitive U.S.
economic and technology information, primarily through aggressive elicitation and other human
intelligence (HUMINT) tactics.
In Europe, both France and the U.S. military are accused of leading the largest cyberespionage
operations against European countries, even larger than China or Russia. According to leaked
U.S. diplomatic cables (WikiLeaks) from the U.S. embassy in Berlin, “French espionage is so
widespread that the damages it causes the German economy are larger as a whole than those
caused by China or Russia.” Berry Smithy, the head of German satellite company OHB
Technology, is quoted in the diplomatic note as saying: “France is the Empire of Evil in terms of
technology theft, and Germany knows it.” The United States is also the object of commercial and
military espionage originating from its major Middle Eastern ally, Israel. U.S. national security
officials consider Israel to be, at times, a frustrating ally and a genuine counterintelligence threat.
Reviewing all the various reports and allegations, from the United States, to Europe, and China,
it appears that all nation states, and their commercial affiliates, engage in a variety of activities
that be could called espionage, or intelligence gathering. In some cases these activities are
illegal, or skirt the laws of both the target and the initiating states. The size of these
cyberespionage activities reflects both the economic strength of the nations involved (advanced
countries like the United States and European
countries arguably have the largest and most sophisticated programs), and the demand in
developing countries for stolen intellectual property.
It is also difficult to estimate the economic cost of these thefts to the U.S. economy. In a report to
Congress from the Office of National Counterintelligence, intelligence experts concluded that the
economic cost was in excess of $600 billion annually.
The potential impact of cyberespionage is illustrated in the following examples.
Google Attack: Commercial Espionage and Punishment
Google announced in 2010 that it had been the target of a highly sophisticated Chinese
cyberattack. At least 34 other companies, including Yahoo, Symantec, Adobe, Northrop
Grumman, and Dow Chemical, were attacked at the same time. According to the experts, the
attacks at defense contractors were aimed at obtaining information on weapons systems, while
those on technology companies sought out valuable source code that powers these companies’
software applications. At Google, the attackers also gained access to the Gmail accounts of
Chinese human rights advocates in the United States, Europe, and China.
Experts say that the attacks followed the familiar “phishing” technique. A recipient opens a
message that purports to be from someone he knows and, not suspecting malicious intent, opens
an attachment containing a malicious program that embeds in his computer. That program then
paves the way for downloading and concealing additional programs that allow the attacker to
gain total control over the recipient’s computer.
Subsequent investigation determined that the Google break-in started with an instant message
sent to a Google employee in China who was using Microsoft’s Messenger program. By clicking
on a link within this instant message, the employee inadvertently downloaded malware that
allowed the attackers to gain access to the employee’s computer and then, through that computer,
access to the computers of a critical group of software developers at Google headquarters.
Joint Strike Fighter
The Joint Strike Fighter, also known as the F-35 Lightning II, is reportedly the costliest and most
technically challenging weapons program the DoD has ever attempted. Intruders apparently
entered this program repeatedly during the 2007–2009 period through vulnerabilities in the
networks of contractors working on the program. These include Lockheed Martin, Northrop
Grumman, and BAE Systems. One example of the sophistication of these attacks is that the
intruders inserted technology that encrypts the data as it is being stolen. As a result, investigators
cannot determine exactly what data has been taken. The source of the attacks was traced back to
China.
Ghost Net
Information Warfare Monitor, a Canadian research organization, conducted a detailed
investigation of Chinese cyberespionage against the Tibetan community and Tibetan
Government-in-Exile during 2008 to 2009. It identified an extensive network of cyber penetration
of Tibetan targets that it called Ghost Net. This is relevant here not just because of the successful
penetration of Tibetan targets, but for what was learned about successful penetration of other
targets during a second phase of this investigation.
This investigation led to the discovery of four commercial Internet access accounts located in
Hainan, China, that received data from, and sent instructions to at least 1,295 infected computers
in 103 different countries. Almost 30 percent of the infected computers were what might be
considered high-value intelligence targets. This included the ministries of foreign affairs of
Bangladesh, Latvia, Indonesia, Philippines, Brunei, Barbados, and Bhutan; embassies of India,
South Korea, Indonesia, Romania, Cyprus, Malta, Thailand, Taiwan, Portugal, Germany, and
Pakistan; the ASEAN (Association of Southeast Asian Nations) Secretariat, SAARC (South
Asian Association for Regional Cooperation), and the Asian Development Bank; news
organizations; and an unclassified computer located at NATO headquarters.
The Ghost Net system allowed the attackers to gain complete, real-time control over the infected
computers. This includes searching and downloading specific files and covertly operating any
attached devices, including microphones and web cameras. It is not known whether all of the
infected computers were actually being exploited by the attackers. It is possible that some of the
infected computers were infected coincidentally through emails received from an infected
computer.
References
“The Cost of Malicious Cyber Activity to the U.S. Economy,” Council of
Economic Advisors, March 5, 2018.
“2018 Foreign Economic Espionage in Cyberspace,” The National Counterintelligence and
Security Center, July 26, 2018.
“Foreign Economic Espionage in Cyberspace,” The National Counterintelligence and Security
Center, 2018.
“Foreign Spies Stealing US Economics Secrets in Cyberspace,” Office of the National
Counterintelligence Executive, Washington D.C., November 3, 2011.
Questions:
1. Identify and describe at least 2 steps manufacturers can take to prevent the type of supply
chain attacks outlined in the Bloomberg article.
2. Encryption of data is a double-edged sword. Data owners use it to protect their assets from
unauthorized viewing. Data thieves use it to hide what they’re exfiltrating (like in the Joint Strike
Fighter example). Criminal gangs use encryption as the core component of the ransomware
attacks that are currently so pervasive in our information systems domain. Given what you know
about counterintelligence and good/bad uses of encryption, should companies be encrypting their
data? Support your position.