Early in May it was reported that Qinetiq had become the latest U.S. defense contractor to be hacked by the Chinese military. A security problem identified some months ago had still not been addressed, and considerable information was extracted from the company’s computers. Cyber espionage is on a par with other kinds of communication intercept, but it is more active, like conventional espionage. It is also much safer: No one sitting behind a computer monitor in Shanghai risks having the FBI break down the door.
Presumably the United States has made some attempt to penetrate China’s computer security, but the Chinese have less worth stealing, and they do not rely nearly as much on computer networks. As long as the United States leads the world in defense-system development, it will remain the single most attractive target of cyber espionage, and not only from the Chinese.
We can and do invest in computer security, but the most effective way to break that security is to corrupt individuals or to get at their personal computers, i.e., social engineering. For example, executives who travel to China for business may imagine that no one would dare touch their personal computers but discover upon returning that someone has, and that their computers are now gateways into their companies’ secure data. This type of penetration affects business deals, trade secrets, and also defense.
The best protection against invasion via the Internet is to create physically separate, “air-gapped” computer systems, so that nothing that happens on the Internet can affect them. Such networks are expensive and rare, and they impose operating problems. The Navy tried to create one in the form of the Navy-Marine Corps Intranet (NMCI), but its manifold problems led to its nickname: “No More Computing Infrastructure Here.” Even then, social engineering can be effective. For example, the Iranians air-gapped the control systems for their centrifuges. Yet it was still possible to insert the Stuxnet virus by the simple expedient of putting it on memory sticks left in Iranian control rooms. The computer operators had to find out what was on the sticks, so they inserted them into their machines and inadvertently uploaded the virus. All that can be said is that anyone trying to loot an air-gapped system has to remove the results physically (unless he can connect the system to the Internet). Physical security can be effective. In an Internet-connected system, though, it may be irrelevant.
Attack from the Clouds
The current trend toward cloud-based solutions seems to invite cyber attack because a single server company may collect data from many possible target companies. Each cloud provider claims that it provides state-of-the-art security, but no form of cyber-based security is proof against social engineering. The only defense raised in the past was to split sensitive data among many different organizations. The current mantra of information sharing, which has real and important advantages, makes such splitting difficult at best.
Cyber espionage is potentially far more damaging than the older kind of spying because the take can be so much larger. It is currently estimated that the Chinese have extracted tens or hundreds of terabytes of data from the United States, to the extent, for example, that the stealth features of the F-22 may have been compromised so that it is no longer capable of penetrating Chinese air defenses (as opposed to making it possible for the Chinese to develop stealthier aircraft). As described publicly, the new concept of Air-Sea Battle relies on the ability of stealthy aircraft to enter Chinese air space at will. What happens to that strategy now? How serious is the compromise?
One terabyte is equivalent to millions of pages. Think of the way spy movies have changed. Once upon a time, the spy broke into some secret location with his Minox camera. He photographed a few pages—the camera did not hold more than 30 or so shots—and then got out. You almost never saw him reload his camera; woe to the spy faced with a hundred-page document! The spy also risked mis-exposing or mis-focusing and thus wasting his time altogether. In later movies you watched James Bond break into the enemy’s lair, slip a disk into the enemy’s computer, and download the contents of its hard drive—millions of bytes of data and thousands of pages—with no risk at all of ruining it by mishandling a camera. But Bond was still limited by the size of the disks he was using (and he risked compromise if the disks were found on him). The Chinese have done far better, breaking in remotely and roaming apparently at will in large libraries of data. Are we more or less transparent to the Chinese and probably the Russians, but not to others?
At one time anyone using a classified library had to ask for specific documents, access to which was usually based on a need to know. Much of that restriction vanished when classified libraries went online. Protection moved to passwords and firewalls, but all of them seem to be flawed. There is a constant battle between attacker and defender, and the Qinetiq example suggests that defenders sometimes do not receive sufficient priority. A cynic would suggest that company management puts its money where it earns the most, and that the penalties, if any, for failing to repair reported breaches are not steep enough to attract the needed attention. It may be that enumerating all known security breaches (in order to penalize those not repairing them) would reveal just how poor security is overall, and thus attract further penetration.
The one bright spot in all this may be that the computer also invites massive production of redundant and even useless material. Documents are rewritten again and again, because each rewrite does not cost much. In many systems, rewrites are in effect added to the original file. Since data storage is now so inexpensive, there is no incentive to neck down the results. Anyone penetrating a file is presented with lots of data, much of which is not terribly useful. The bloat is also fed by stored video, which takes up many bytes, but which again offers little content per byte. It is not clear that data-mining techniques help a cyber attacker winnow the chaff to get at what he wants. Many modern search engines worsen the situation because they can get into the content of items rather than merely the titles.
Short Shelf Life
We rely heavily on research and development to maintain superiority by producing revolutionary systems. Unfortunately, we develop and buy systems rather sluggishly, for a whole series of reasons. A revolutionary system whose secrets leak out before it can be fielded is unlikely to remain truly revolutionary, because someone else may copy it (or counter it) before it ever enters service. Perhaps a constant reminder that secrets go stale would induce us to rethink our development cycle. In our quest for truly remarkable results, we have forgotten the time factor. At the very least, we should rethink the balance between money spent on development and money spent to safeguard truly vital developments from cyber spies. Not everything can be protected; we should be thinking about what matters most.
We may want to change systems (or system parameters) periodically so that knowledge of their details, gained by cyber or other espionage, goes stale. Knowledge of the detailed waveform of some secret radio, for example, does an enemy no good if, after X years, that waveform is changed. This type of planned change (not improvement) becomes easier and less expensive as we move to devices that use software to generate their waveforms (as is currently the case). Of course, because the change is produced by new software, news of the change is also vulnerable to cyber espionage. All we can do is recognize the conditions of cyber warfare and adapt to them. If the Chinese are aware of some flaw we have identified in the F-22, can we modify the airplane so that a weapon exploiting that flaw becomes useless? Should we develop weapons with an eye to making them more changeable?
All of this is apart from the risk to the U.S. infrastructure and economy from cyber attack. We are certainly vulnerable. Readers will remember a plunge in the stock market when hackers inserted a false claim in an AP tweet that the White House had been attacked and the President injured. Later the “Syrian Electronic Army” claimed responsibility, though it could also have been a group of investors planning to short stocks. The real defense against such attack is deterrence. We may be inclined to treat a cyber attack just as we treat a physical attack, and deliver either in retaliation. The key to such defense is an ability to identify the attacker so that he can be held responsible. It is important to distinguish this kind of action and potential reaction from cyber espionage. There will never be retaliation against cyber espionage simply because we will already be engaging in it just as much as our enemies. The only issue is whether we can do as effective a job as they seem to.