IMPACT 2016 - National Security Institute Countering the Cyber Espionage Threat from China Dr. Shawn P. Murray, C|CISO, CISSP, CRISC


Page 1: Countering the Cyber Espionage Threat from China

IMPACT 2016 - National Security Institute Countering the Cyber Espionage Threat from China

Dr. Shawn P. Murray, C|CISO, CISSP, CRISC

Page 2: Countering the Cyber Espionage Threat from China

China’s Strategy

China’s Strategy for Information Warfare

• China has demonstrated its intention to become an internationally leading player in the fields of information and cyber warfare. Information warfare involves actions taken to achieve information superiority by affecting adversary information, information processes, information systems and computer-based networks, while denying the adversary’s ability to do the same.

• More than 20 years ago, China began to publish its theories, doctrines, policies and strategies concerning both defensive and aggressive use of cyberspace.

• A student from the Institute of Systems Engineering of Dalian University of Technology in China published a research paper titled “Cascade-Based Attack Vulnerability on the US Power Grid.”

• Several American experts and journalists analyzed the article as a new demonstration of China’s offensive motivations against American infrastructure (and indeed against the security and sovereignty of the USA), and also as proof of China’s involvement in a new arms race in cyberspace.

• China’s approach to information warfare and cyber warfare has two main dimensions: military and civilian, both developed through theoretical and practical considerations.

http://ensec.org/index.php?option=com_content&view=article&id=241:critical-energy-infrastructure-security-and-chinese-cyber-threats&catid=106:energysecuritycontent0510&Itemid=361

Page 3: Countering the Cyber Espionage Threat from China

First Gulf War Influence on China

The Military Dimension – from The Journal of Energy Security

The dazzling success of the US in the first Gulf War was interpreted by several armies in the world as the victory of new technologies.

According to this model:
• Information and information technologies’ dominance provided total control over the battlefield.
• It was also the key to military success, victory and power.

This conclusion called for a radical transformation within armed forces:
• China’s Revolution in Military Affairs (RMA) concept.
• Transformation of Chinese doctrine guided new strategies of evolution in Chinese military affairs and in several industrialized countries worldwide.

In this context, the concept of information warfare acquired greater consideration among military experts in China. Since the mid 1990s the Chinese army has implemented a modernization program guided by the concept of “informationization” (which translates as dominance over information technologies and cyberspace).

http://ensec.org/index.php?option=com_content&view=article&id=241:critical-energy-infrastructure-security-and-chinese-cyber-threats&catid=106:energysecuritycontent0510&Itemid=361

Page 4: Countering the Cyber Espionage Threat from China

First Gulf War Influence on China

The Military Dimension – from The Journal of Energy Security

In 1995 General Wang Pufeng, who is considered the father of the Chinese doctrine of information warfare, outlined several key concepts of this doctrine.

Among them he pointed out that:
• The goal of information warfare is no longer the conquest of territories or the destruction of enemy troops, but the destruction of the enemy’s will to resist.
• Information warfare is a war in which the ability to see, to know and to strike more accurately and before the adversary is as important as firepower.

In 1997 Chinese Colonel Baocun Wang added that:
• Information warfare can be conducted in times of peace, crisis and war;
• Information warfare consists of offensive and defensive operations;
• The main components of information warfare are command and control, intelligence, electronic warfare, psychological warfare, hacker-warfare and economic warfare.

http://ensec.org/index.php?option=com_content&view=article&id=241:critical-energy-infrastructure-security-and-chinese-cyber-threats&catid=106:energysecuritycontent0510&Itemid=361

Page 5: Countering the Cyber Espionage Threat from China

3PLA The Third Department of the People’s Liberation Army’s General Staff Department

Also known as 3PLA, China’s equivalent to the National Security Agency:
– Crucial to the country’s military strategy
– Responsible for monitoring much of the world’s communications for threats and commercial opportunities
– Using Chinese government websites, academic databases and foreign security expertise,
– The organization maintains what active and former U.S. officials say are facilities around Shanghai specialized in watching the U.S.
– One of them is located close to the main transoceanic communications cables linking China to the U.S.
– Those activities were highlighted in May 2014, when the Justice Department indicted five officers of 3PLA on charges they stole U.S. corporate secrets.

http://www.wsj.com/articles/chinas-spy-agency-has-broad-reach-1404781324

Page 6: Countering the Cyber Espionage Threat from China

3PLA

A ground view of 3PLA facilities with an organizational structure of the NSA-like military department. It increasingly rattles governments and corporations around the world while remaining obscure to outside security circles.

http://www.wsj.com/articles/chinas-spy-agency-has-broad-reach-1404781324

Page 7: Countering the Cyber Espionage Threat from China

Military Organization: 3PLA Is Tasked With Monitoring World-Wide Electronic Information

Its operational units are spread out widely throughout China. From mountains near Beijing, China’s 3PLA conducts the following:
• Monitors Russia and tracks missiles.
• Its military experts analyze Internet phone calls on an island dubbed China’s Hawaii.
• Eavesdrops on Europe from a secret town hidden behind an array of residential towers.
• Recruited from elite specialist universities, 3PLA’s estimated 100,000-plus hackers, linguists, analysts and officers populate a dozen military intelligence bureaus, according to the foreign experts.

http://www.wsj.com/articles/chinas-spy-agency-has-broad-reach-1404781324

Page 8: Countering the Cyber Espionage Threat from China

FBI - Cyber’s Most Wanted

Five Chinese Military Hackers Charged with Cyber Espionage Against U.S.

On May 1, 2014, a grand jury in the Western District of Pennsylvania indicted five officers in Unit 61398 of the Third Department of the Chinese People’s Liberation Army (PLA):
• HUANG ZHENYU (AKA: Huang Zhen Yu, “hzy_lhx”)
• WEN XINYU (AKA: Wen Xin Yu, “WinXYHappy”, “Win_XY”, Lao Wen)
• SUN KAILIANG (AKA: “Jack Sun”)
• WANG DONG (AKA: Jack Wang, “UglyGorilla”)
• GU CHUNHUI (AKA: Gu Chun Hui, “KandyGoo”)

Page 9: Countering the Cyber Espionage Threat from China

Five 3PLA Officers Indicted

From 2006-2014, the defendants were allegedly involved in a hacking conspiracy that targeted:
• Westinghouse Electric Co.
• U.S. subsidiaries of SolarWorld AG
• United States Steel Corp
• Allegheny Technologies Inc.
• United Steel, Paper and Forestry, Rubber, Manufacturing, Energy, Allied Industrial and Service Workers International Union (USW)
• Alcoa, Inc

31 criminal counts, including:
– conspiring to commit computer fraud;
– accessing a computer without authorization for the purpose of commercial advantage and private financial gain;
– damaging computers through the transmission of code and commands;
– aggravated identity theft;
– economic espionage;
– theft of trade secrets

https://www.fbi.gov/wanted/cyber/sun-kailiang/view

Page 10: Countering the Cyber Espionage Threat from China

Lisong Ma - 2013

Lisong Ma, a citizen of China, pleaded guilty to violating the International Emergency Economic Powers Act by attempting to export weapons-grade carbon fiber from the USA to China. During the investigation, federal agents maintained a covert cyber-presence on web sites related to the brokering, purchase and sale of controlled commodities.

• In February 2013, the defendant, using the name “Ma Li,” e-mailed an undercover agent and indicated that he was interested in acquiring several different types of high-grade carbon fiber.

• Then, through various online communications, the defendant attempted to negotiate the purchase of five tons of carbon fiber.

• Based on a review of Internet Protocol log-in information, investigators discovered that the defendant was communicating from the People’s Republic of China.

• After traveling to the United States to meet those agents, Ma paid $400 for a spool of Toray-type, T-800 carbon fiber, and tried to ship it in a box whose invoice said it contained clothing, prosecutors said.

http://www.reuters.com/article/us-usa-crime-exports-idUSBRE94T12920130530

Page 11: Countering the Cyber Espionage Threat from China

Su Bin

March 23, 2016 – FBI Press Report

• “A Chinese businessman pleaded guilty on Wednesday to charges of conspiring to steal sensitive military aircraft data from computers belonging to Boeing and other defense contractors, in the latest reminder of what the US has called a massive Chinese cyber espionage campaign.”

• “Su Bin, 50, admitted to collaborating with two unindicted Chinese co-conspirators over a near six-year period that ended shortly before his 2014 arrest.

• Among the aircraft they targeted were:
– Boeing’s C-17 military transport aircraft and
– Lockheed Martin’s F-35 and F-22 fighter jets.”

“In the last fiscal year alone, economic espionage and theft of trade secrets cost the American economy more than $19 billion.”

“Economic espionage and theft of trade secrets are increasingly linked to the insider threat and the growing threat of cyber espionage.”

http://www.ft.com/intl/cms/s/0/f1206e54-f13e-11e5-9f20-c3a047354386.html#axzz44vRXCKIr

Page 12: Countering the Cyber Espionage Threat from China

USTRANSCOM

September 2014

• “In a 12-month period beginning June 1, 2012, there were about 50 intrusions or other cyber events into the computer networks of TRANSCOM contractors, the 52-page report stated.”

• “At least 20 of those were successful intrusions attributed to an "advanced persistent threat," a term used to designate sophisticated threats commonly associated with attacks against governments. All of those intrusions were attributed to China.”

• “The investigation found that a "Chinese military intrusion" into a Transcom contractor between 2008 and 2010 "compromised emails, documents, user passwords and computer code."

• “In 2012, another intrusion was made into multiple systems of a commercial ship contracted by Transcom, the report said.”

Page 13: Countering the Cyber Espionage Threat from China

Private Health Care

“Healthcare is by far the largest sector of where data breaches are occurring.”

According to the Experian identity theft resource center, in 2014, 43% of the major data breaches were from the health care industry.

• August 2014 - Community Health Systems (CYH.N), one of the largest U.S. hospital groups, said Chinese hackers had stolen Social Security numbers and other personal data from some 4.5 million patients.

• A group of sophisticated Chinese hackers known for its high-stakes corporate espionage has a history of stealing medical-device blueprints, prescription-drug formulas and other valuable intellectual property from large health-care companies.

– For over a year, Dell's SecureWorks division responded to multiple intrusions by a hacking group targeting health-care and pharmaceutical companies.

– The group uses phishing e-mails and has even gained physical access to computers to infect target companies.

– They have been "extremely successful in exfiltrating the most valuable intellectual property of organizations," according to Dell.

• October 2015 - Hackers in China targeted health insurer Anthem to learn how medical coverage is set up in the US as Beijing grapples with providing healthcare for an ageing population, US investigators have concluded.

– “People familiar with the Anthem investigation believe that gaining intellectual property and trade secrets were the rationale for the hack. The individual data held by Anthem, which insures many US government employees, could also be helpful to Chinese intelligence agencies.”

Page 14: Countering the Cyber Espionage Threat from China

Comparing Costs

How much did the September 11 terrorist attack cost America?

• Counting the value of lives lost as well as property damage and lost production of goods and services, losses already exceed $100 billion.

• Including the loss in stock market wealth -- the market's own estimate arising from expectations of lower corporate profits and higher discount rates for economic volatility -- the price tag approaches $2 trillion.

Among the big-ticket items:

- The loss of four civilian aircraft valued at $385 million.
- Destruction of major buildings in the World Trade Center with replacement cost of from $3 to $4.5 billion.
- Damage to a portion of the Pentagon: up to $1 billion.
- Cleanup costs: $1.3 billion.
- Property and infrastructure damage: $10 billion to $13 billion.
- Federal emergency funds (heightened airport security, sky marshals, government takeover of airport security, retrofitting aircraft with anti-terrorist devices, cost of operations in Afghanistan): $40 billion.
- Direct job losses amounted to 83,000, with $17 billion in lost wages.
- The amount of damaged or unrecoverable property hit $21.8 billion.
- Losses to the city of New York (lost jobs, lost taxes, damage to infrastructure, cleaning): $95 billion.
- Losses to the insurance industry: $40 billion.
- Loss of air traffic revenue: $10 billion.
- Fall of global markets: incalculable.

http://www.iags.org/costof911.html

Page 15: Countering the Cyber Espionage Threat from China

Comparing Costs

Cybercrime and espionage costs $445 billion annually

The estimate was conducted by the Center for Strategic and International Studies (CSIS).

The report, funded by the security firm McAfee, which is part of Intel Security, represents one of the first efforts to analyze the costs, drawing on a variety of data.
– CSIS estimated that the United States lost about $100 billion.
– Germany was second with $60 billion.
– China followed with $45 billion.

https://www.washingtonpost.com/world/national-security/report-cybercrime-and-espionage-costs-445-billion-annually/2014/06/08/8995291c-ecce-11e3-9f5c-9075d5508f0a_story.html

Page 16: Countering the Cyber Espionage Threat from China

What can you do?

• Identify Critical Data and Information
– Protect it with defense in depth
– Don’t put all your eggs in one basket
• Split up and store the secrets in different locations
• Control and monitor access

• Identify Critical Personnel
– Positions key to the success and continuity
– Train replacements
– Perform and record job task analysis

• Identify Critical Resources
– Tech power
– High value technology

Page 17: Countering the Cyber Espionage Threat from China

Insider Threat Who is an Accidental Insider Threat?

Page 18: Countering the Cyber Espionage Threat from China

Insider Threat

Who is an Accidental Insider Threat?

• All employees – exhibit bad habits
– Passwords left on screens, under keyboards
– Tailgating into restricted areas, loss of accountability
– Using their computers to surf the web or communicate personal e-mail
– Bringing personal computing devices to work (laptops, PDAs, smart phones & tablets)
– Failing to follow OPSEC
– Social engineering – phone calls from imposters, phishing e-mails, etc.

• IT Personnel – create vulnerabilities by:
– Having group accounts
– Lacking separation of duties
– Creating scripts or back doors for convenience
– Not changing default passwords

• Security Personnel – exhibit bad habits
– Deviate from security practices they are required to enforce

• Executive Management

Page 19: Countering the Cyber Espionage Threat from China

Insider Threat

Reduce the Risk for the Accidental Insider Threat:

• Educate and train all personnel on exhibiting good habits & behavior
– Computer based
– Internal/External (DSS/DISA, others)
– Develop in-house programs
– External training & conferences
– Provide periodically (monthly, biannually, annually)
– Gear training to the audience
• All personnel
• IT Personnel
• Security Personnel

• Assess the training material for currency and effectiveness
– Update
– Provide examples (real world events or case studies)

Page 20: Countering the Cyber Espionage Threat from China

Key Takeaways

• Technology touches every aspect of our daily lives
– Does every computing environment need access to the network?
• 2.8 personal devices exist for every human on earth
• IoT creates more ways to be hacked; be wary of new technology
• Work with other stakeholders in the organization
• Look at your contracts and DD-254s
– Do clearances align with both documents?
– What are the ADP/IT requirements?

• Look at 3rd party vendors
– Create and sign service agreements

• Supply Chain Management
– Applies to subcontractors
– Applies to R&D & academia relationships

• Talk to HR, Legal and other stakeholders
– Establish an Incident Response Team and practice it
– Establish an Insider Threat program and review it; meet and discuss indicators
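The insider-threat slides name two technical indicators that can be checked mechanically rather than only discussed in meetings: group accounts (one credential used from several hosts at once) and activity outside the pattern expected of the role. The script below is an added example for this page, not code from the presenter or any tool named here; the log format, the time window, the host threshold and the business-hours range are all assumptions, and the log lines are constructed.

```python
"""Flag two accidental-insider indicators over constructed auth-log lines.

Added example: (1) a shared/group account used from more than MAX_HOSTS
distinct sources inside one WINDOW, (2) successful logins outside
BUSINESS_HOURS. The 'ts user=.. src=.. result=..' format is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; not real data.
SAMPLE_LOG = """\
2016-04-14T09:02:11 user=alice src=10.0.5.11 result=ok
2016-04-14T09:03:40 user=svc_ops src=10.0.5.11 result=ok
2016-04-14T09:04:02 user=svc_ops src=10.0.7.23 result=ok
2016-04-14T09:05:19 user=svc_ops src=10.0.9.8 result=ok
2016-04-14T12:30:00 user=bob src=10.0.5.14 result=ok
2016-04-14T23:47:55 user=bob src=10.0.5.14 result=ok
2016-04-15T03:12:09 user=alice src=10.0.5.11 result=fail
"""

WINDOW = timedelta(minutes=10)  # assumed concurrent-use window
MAX_HOSTS = 2                   # assumed: more distinct hosts than this is suspicious
BUSINESS_HOURS = range(7, 20)   # assumed: 07:00-19:59 local time


def parse_log(text):
    """Parse 'ts key=value ...' lines into dicts with a datetime under 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.fromisoformat(ts)
        events.append(ev)
    return events


def shared_account_use(events):
    """Return (user, hosts) for accounts used from >MAX_HOSTS sources within WINDOW.

    Only successful logins count; failures from many hosts are a different
    signal (spraying) and are left to another rule.
    """
    by_user = defaultdict(list)
    for ev in events:
        if ev["result"] == "ok":
            by_user[ev["user"]].append(ev)
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            # Every later login within WINDOW of this one.
            hosts = {e["src"] for e in evs[i:] if e["ts"] - first["ts"] <= WINDOW}
            if len(hosts) > MAX_HOSTS:
                findings.append((user, sorted(hosts)))
                break  # one finding per account is enough for review
    return findings


def after_hours_logins(events):
    """Return (user, timestamp) for successful logins outside BUSINESS_HOURS."""
    return [
        (ev["user"], ev["ts"].isoformat())
        for ev in events
        if ev["result"] == "ok" and ev["ts"].hour not in BUSINESS_HOURS
    ]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("shared-account candidates:", shared_account_use(evs))
    print("after-hours logins:", after_hours_logins(evs))
```

Both rules produce review items for the insider-threat program rather than verdicts: a service account seen from three hosts in two minutes is exactly the “group account” habit the slide warns about, and the reviewer’s job is to confirm whether it is sanctioned automation or a shared password that needs to be retired.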

Page 21: Countering the Cyber Espionage Threat from China

Resources

Page 22: Countering the Cyber Espionage Threat from China

Resources – How to Combat the Threat

FBI - Economic Espionage: Protecting America’s Trade Secrets

https://www.fbi.gov/about-us/investigate/counterintelligence/economic-espionage-brochure

The FBI’s Business Alliance Initiative https://www.fbi.gov/about-us/investigate/counterintelligence/us-business-1

Internet Social Networking Risks https://www.fbi.gov/about-us/investigate/counterintelligence/internet-social-networking-risks

Journal of Energy Security http://ensec.org/index.php?option=com_content&view=article&id=241:critical-energy-infrastructure-security-and-chinese-cyber-threats&catid=106:energysecuritycontent0510&Itemid=361

Infragard Chapters https://www.infragard.org/

Dr. Shawn P. Murray on SlideShare http://www.slideshare.net/

Security Organizations (DSS, ISSA, ISC2, Others) National Security Institute – Reference CD & News Letters

Page 23: Countering the Cyber Espionage Threat from China

References & Citations

Resources and references used for presentation:
• http://www.reuters.com/article/us-usa-military-cyberspying-idUSKBN0HC1TA20140918
• http://blogs.wsj.com/chinarealtime/2014/07/08/meet-3pla-chinas-version-of-the-nsa/?KEYWORDS=china%20hackers
• https://project2049.net/documents/pla_third_department_sigint_cyber_stokes_lin_hsiao.pdf
• http://www.strategicstudiesinstitute.army.mil/pdffiles/pub1191.pdf
• http://www.ft.com/cms/s/0/242c2f4e-7c2e-11e5-98fb-5a6d4728f74e.html#axzz44vRXCKIr
• https://news.wgbh.org/post/why-would-chinese-hack-your-health-care-account-why-would-anybody
• http://ensec.org/index.php?option=com_content&view=article&id=241:critical-energy-infrastructure-security-and-chinese-cyber-threats&catid=106:energysecuritycontent0510&Itemid=361

Page 24: Countering the Cyber Espionage Threat from China

Questions?

Thank You!