Cyber Espionage and the Digital Redistribution of Wealth
Since the computerization of modern business, intellectual property (IP) theft in the U.S. has escalated to unprecedented levels. According to General Keith Alexander, former commander of U.S. Cyber Command, the economic loss to the U.S. amounts to roughly $300 billion per year. In a pointed statement to Congress, he referred to the escalating and widespread theft of U.S. trade secrets and intellectual property as “the greatest transfer of wealth in history.”
The People's Republic of China (PRC) accounts for an estimated 70% of industrial espionage activity in the U.S., affecting the automotive, aviation, industrial chemical, consumer electronics, software, electronic trading, pharmaceutical, and defense technology sectors. Unlike the threats posed by other foreign states, the theft of intellectual property by the PRC is a vertically integrated operation: all levels of government and business are involved in these activities.
In 2013, Mandiant released a report detailing the activities of PLA Unit 61398, a Chinese military intelligence unit dedicated to conducting global cyber espionage operations. Unit 61398 has been publicly linked to intrusions at Lockheed Martin, RSA, Google, Yahoo, Symantec, Adobe, Northrop Grumman and Dow Chemical. These sophisticated intrusions resulted in the theft of billions of dollars of intellectual property from some of the best-protected networks in corporate America. But direct remote intrusions by state-sponsored intelligence agencies are eclipsed by the IP theft that occurs within U.S. borders on behalf of foreign powers. Most of these incidents are carried out by employees who have either knowingly or unwittingly become the intelligence assets of external entities.
So-called “water cooler” attacks have taken many forms and are generally more effective than remote intrusion, a lesson DuPont learned the hard way. In 2012 DuPont controlled 20% of all production of an industrial chemical known as titanium white, or titanium dioxide. This chemical has a broad range of uses, from car paint to toothpaste, and commanded a worldwide market value of $17 billion. After negotiations to obtain DuPont’s proprietary manufacturing process failed, the PRC began to explore other options. Business intelligence agents within the United States, working for a Chinese state-owned conglomerate known as Pangang Group Co. Ltd, began approaching current and former employees of DuPont.
With the financial backing of the Pangang Group, Walter Lian-Heen Liew, a Chinese-born resident of California and former DuPont employee, assembled a team of former DuPont employees with the intent of stealing DuPont’s chloride-route titanium dioxide production technology. Tze Chao, a DuPont employee for 36 years, noted in his statement to the FBI that Chinese officials “overtly appealed to my Chinese ethnicity and asked me to work for the good of the PRC.”
Walter Lian-Heen Liew, Tze Chao, and Robert Maegerle were all arrested and convicted in connection with the conspiracy to commit economic espionage on behalf of the PRC. By exploiting nationalist and ethnic appeals, combined with a minimal financial commitment, the PRC was able to seize a position in a multi-billion-dollar industry without the overhead or delay of a lengthy R&D process. In this particular incident the intelligence assets were arrested and prosecuted, but the economic damage was irreversible.
Domestic corporate espionage operations in many instances do not require the development of internal assets to gain access to proprietary information or confidential communications. In 2010 Intel sponsored a study with the Ponemon Institute that surveyed 329 large public- and private-sector organizations about lost or stolen employee laptops. Over a 12-month period a total of 86,455 laptops went missing from the participating organizations, an average of 263 laptops per organization. The report found that 43% of losses occurred while employees were off-site (working from home or at a hotel), and 33% occurred in transit, such as at airports or on trains. The total economic impact of a stolen laptop depends on the victim and the industry being targeted, but the outcome is often the same: whatever data and credentials the device held are now in someone else's hands.
A stolen laptop belonging to any member of an organization can be a stepping stone for further remote intrusions into a corporate network. Intelligence agents using a stolen laptop or mobile device can extract cached network credentials and e-mail passwords and copy large volumes of data from company file servers before the victim is even aware that the employer’s property is in hostile hands. Even more dangerous than the theft of these devices is the general lack of response to the incidents. Most employees perceive the theft of these devices as the act of a common criminal rather than the work of a sophisticated threat actor. This lack of understanding of the threat means these incidents often go unreported or receive a minimal response. A foreign agent equipped with a stolen device can often exploit a network for weeks after the theft if the device's credentials, VPN access and e-mail sessions are not revoked immediately.
The recent widespread adoption of smartphones has even broader consequences than the theft of company computer equipment. Many organizations are adopting a dangerous policy of “BYOD,” or bring your own device, in which employees’ smartphones, with little to no additional security mechanisms, are connected to corporate networks and systems that contain sensitive and proprietary data. This practice expands the attack surface of U.S. corporate networks to include devices that are not administered by the company’s network administrators or security personnel. As with company laptops, these devices often hold network credentials and e-mail passwords that could easily and quietly be compromised by a third party, either by physically tampering with the device or by tricking the user into installing a malicious app.
Richard Clarke, former special advisor to the President on cyber security, once said, “If you spend more on coffee than on IT security, then you will be hacked. What’s more you deserve to be hacked.” Despite the overwhelming evidence of the threat that the PRC poses to American businesses, computer security practices at most U.S. firms remain insufficient to counter the ongoing threat of corporate espionage.
Perhaps the greatest lapse in IT security is the under-use of effective cryptographic communications and secure document storage. Most companies in the United States use third-party providers such as GoDaddy, Rackspace, or Hostgator to host the entirety of their online presence, from websites to e-mail servers. These providers offer shared hosting, where dozens of websites and hundreds of e-mail accounts sit on the same server. In that setting an attacker need not strike the target directly: compromising any vulnerable website hosted on the same server and escalating from there is enough. Since enhanced security is generally not a feature offered by a budget hosting provider, compromising these servers is not a difficult task for a determined attacker. Once access is gained, the attacker has full access to every e-mail account belonging to the target and can exfiltrate whatever data is desired with minimal risk of detection. In a world where virtually every document, blueprint, design specification and photo belonging to an organization is exchanged via e-mail without any form of encryption, IP thieves with access to the hosting server can steal everything without ever having to attack their target’s own defenses head-on.
The primary targets for these attacks are organizations that yield the highest-value data at minimal risk. At the top of the list are law offices that handle patent and trademark protection. Because these firms handle patent, copyright and trademark filings, they hold confidential blueprints and design specifications for hundreds of products made by dozens of companies. They may be the first line of protection against counterfeiting, reverse engineering, and copyright and trademark infringement, but they are also one of the greatest weaknesses when it comes to protecting intellectual property from digital threats. Blueprints might be held in high-security vaults protected by armed guards at their source, but as soon as the data is transmitted to a third-party law firm or an offshore manufacturing facility, all of that security is negated if the data is exchanged in the clear by organizations that do not follow proper security procedures.
Without legislated due diligence for computer security, most firms will employ nothing beyond the minimal industry-standard security on their networks. Unfortunately, even organizations that do employ the so-called “industry standards” are only countering the most basic adversaries with minimal resources. Until organizations develop effective counter-espionage strategies, and perform due diligence on the practices of their partners, the threat of IP theft will continue to grow. The future of counter-espionage in American business has to begin with the adoption of cryptographic procedures for document storage and communication, together with role-based access control on proprietary data and documents. Even against the virtually unlimited resources, technical capabilities, and thousands of hackers in the employ of the PRC, there is one immutable fact in intelligence: the enemy cannot steal what they cannot read. Until that day, America will continue to experience the greatest digital redistribution of wealth in human history.
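As an added example of the countermeasure the preceding paragraphs argue for (this is illustrative code written for this page, not code from the original article or from any firm it names), the following Go program seals a document with AES-256-GCM before it is handed to a mail or hosting provider, so that an intruder on the shared host sees only ciphertext and cannot alter it undetected. The document text, file name and key handling are constructed for illustration; the key is assumed to be held by sender and recipient only, outside the hosted mailbox, and role-based access control is left to the policy layer and not shown.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// Constructed sample: a "design specification" of the kind the article
// describes being e-mailed to an outside law firm in the clear.
const sampleDocument = "CONFIDENTIAL: chloride-route process parameters, revision 7"

// NewDocumentKey returns a fresh 256-bit key. In a real deployment the key
// lives with the sender and recipient (or in a key-management service),
// never on the mail or web host that stores the ciphertext.
func NewDocumentKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM. The document name is bound as
// associated data so a ciphertext cannot be silently relabelled as another
// file. Output layout: nonce || ciphertext || tag.
func Seal(key, plaintext []byte, docName string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(docName)), nil
}

// Open reverses Seal. Any change to the ciphertext, tag, nonce or document
// name makes GCM's authentication fail and returns an error rather than
// garbage plaintext.
func Open(key, sealed []byte, docName string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(docName))
}

// Fingerprint is a hash of the sealed blob that sender and recipient can
// compare out of band, so a host that swapped the attachment is caught
// before decryption is even attempted.
func Fingerprint(sealed []byte) string {
	sum := sha256.Sum256(sealed)
	return hex.EncodeToString(sum[:])
}

func main() {
	key, err := NewDocumentKey()
	if err != nil {
		panic(err)
	}
	sealed, err := Seal(key, []byte(sampleDocument), "spec-rev7.pdf")
	if err != nil {
		panic(err)
	}
	// This blob is all that lands in the mailbox on the shared host.
	fmt.Printf("stored on host: %x\n", sealed)
	fmt.Println("fingerprint:", Fingerprint(sealed))

	// The recipient, holding the key, recovers the document.
	plain, err := Open(key, sealed, "spec-rev7.pdf")
	fmt.Println("recipient reads:", string(plain), err)

	// An intruder on the host flips one byte; decryption now fails.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = Open(key, tampered, "spec-rev7.pdf")
	fmt.Println("tampered blob:", err)
}
```

The point of binding the file name as associated data is that an attacker who can read the mailbox cannot re-attach a sealed "spec-rev7.pdf" blob under a different name and have the recipient accept it; the point of the out-of-band fingerprint is that the host is never trusted to be the sole channel. Key distribution and revocation, and who is allowed to request a key for which document, are where role-based access control enters and are deliberately outside this snippet.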
Matthew Carin is a cyber-security consultant focused on digital counter-intelligence and global cyber-espionage. He has led red and black team penetration tests on multiple engagements during his decade-long career as a cyber-security analyst. He is a subject matter expert on offensive information warfare strategy, Advanced Persistent Threat technology and Computer Network Exploitation.
Photo credit: Andrew Hart