A recent case of hacking—actually of industrial espionage—offers insights into the world of cyber-warfare. The victim was the Canadian company NorTel, which is now being broken up after suffering severe losses (not attributed to the cyber attack). NorTel may be of direct naval interest because it was deeply involved in the development of active-array radars; it was responsible for the Tx/Rx module used by the Dutch and German navies (at the time the Canadians were planning to buy active-array radars for some modernized Halifax-class frigates). It is not clear to what extent, if any, details of NorTel’s research were obtained by the attackers. They certainly gained access to reports of that research prepared for management.
Discussions of countermeasures against cyber-attack tend to emphasize technology: better encryption, better means of detecting intrusion, better means of isolating and destroying software that has been maliciously inserted. The NorTel case suggests that the real vulnerability is the people who operate the system, and also those who have the power to demand countermeasures. In the cyber-warfare world this is the human engineering side. For example, much effort goes into creating, and frequently changing, passwords too complicated for a hacker to guess easily. That may well deter a hacker working at a distant computer. However, if the attacker really is a criminal, he may see little point in playing with his computer. Instead, he might simply bribe or threaten his way in, or even simply steal a laptop containing the password.
A few years ago a group at the Indian Defence Research and Development Organization (DRDO) was responsible for that country’s strategic nuclear communication system, an obvious target for several foreign intelligence organizations. DRDO members had to visit many strategic sites, and they carried their laptops with them. Long after the fact an Indian journalist revealed that in several cases those laptops disappeared, only to be found later minus their hard drives. Prolonged physical examination of a hard drive will probably reveal what has been written on it, despite protective software.
In NorTel’s case, the key disaster seems to have been the theft of the passwords used by seven senior managers. It came to light only when an alert employee noticed that one of the managers seemed to be requesting files he would not normally need. The manager then denied asking for the files, and it became clear that someone else was using his password.
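The check that exposed the NorTel intrusion, an account asking for files its owner would not normally need, can be automated as a per-user access baseline. The Python below is an added example, not code from the article or from NorTel; the user names, document areas and log records are constructed for illustration. It builds, for each user, the set of top-level document areas seen in historical access logs, then flags later requests that fall outside that set (or come from an account with no history at all) for a human to confirm with the account owner, exactly the follow-up that unmasked the borrowed password.

```python
"""Flag file requests that fall outside a user's established access pattern.

Added example; not part of the original article. It models the check that
caught the NorTel intrusion (a manager's account requesting files he would
not normally need) as a per-user baseline over constructed access-log records.
"""
from collections import defaultdict

# Constructed sample history: (username, document path). Not real NorTel data.
BASELINE_LOG = [
    ("vp_finance", "finance/quarterly"),
    ("vp_finance", "finance/budget"),
    ("vp_finance", "finance/quarterly"),
    ("vp_finance", "hr/headcount"),
    ("lead_engineer", "rd/radar/txrx"),
    ("lead_engineer", "rd/radar/arrays"),
    ("lead_engineer", "rd/radar/txrx"),
]

# Constructed new requests to screen against the baseline.
NEW_REQUESTS = [
    ("vp_finance", "finance/budget"),      # consistent with history
    ("vp_finance", "rd/radar/txrx"),       # finance executive pulling R&D reports
    ("lead_engineer", "rd/radar/arrays"),  # consistent with history
    ("unknown_user", "finance/budget"),    # account with no history at all
]


def top_level_area(path):
    """Reduce a document path to its top-level area, e.g. 'rd/radar/txrx' -> 'rd'."""
    return path.split("/", 1)[0]


def build_baseline(log):
    """Map each user to the set of top-level areas they have historically touched."""
    baseline = defaultdict(set)
    for user, path in log:
        baseline[user].add(top_level_area(path))
    return dict(baseline)


def find_anomalies(baseline, requests):
    """Return (user, path, reason) for requests outside the user's baseline.

    Accounts with no baseline are reported too: there is nothing to compare
    against, so a human should confirm the request with the account owner.
    """
    anomalies = []
    for user, path in requests:
        area = top_level_area(path)
        known = baseline.get(user)
        if known is None:
            anomalies.append((user, path, "no access history for this account"))
        elif area not in known:
            anomalies.append(
                (user, path, f"area '{area}' not in baseline {sorted(known)}")
            )
    return anomalies


if __name__ == "__main__":
    for user, path, reason in find_anomalies(build_baseline(BASELINE_LOG), NEW_REQUESTS):
        print(f"CONFIRM WITH OWNER: {user} requested {path} ({reason})")
```

In practice the baseline would be rebuilt periodically from the file server's own access logs, and each flagged request would be confirmed with the named person out of band, since the account itself can no longer be trusted to answer.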
An Inside Job
Anyone carrying a laptop outside the office exposes it to unwanted attention. Devices that record keystrokes, passwords included, have been known for some years. It does not matter that the screen does not show those characters. The black dots that appear on the screen are an earlier security measure, introduced because it is often possible to read the characters on a screen remotely, using the little bursts of energy each character represents. Apparently a keystroke stealer cannot, at least initially, be installed remotely as software; someone has to gain physical access to the target computer. That is the human engineering part.
There cannot be many people, executives in particular, who carry their laptops with them everywhere they go, including after business hours. Nor can there be many hotels so secure that no one can slip into a room and find a laptop there. NorTel’s network apparently was being attacked from China (the Chinese argue that no one can be sure of the true origin of an attack, since the Web can be used to disguise the attacking computer). It is not difficult to imagine a computer left in a hotel room to which Chinese security services would automatically enjoy free access. Senior executives may be particularly vulnerable, because their accounts offer such good access. Analysts argued that NorTel was an excellent target because its network had few or no internal firewalls; once someone was in, he could get whatever he wanted. Some companies compartmentalize, requiring many more passwords to get at what is wanted.
Perhaps the most interesting (and alarming) aspect of the NorTel affair is that once the penetration had been discovered, senior management showed remarkably little interest in cleaning out their network. They may not have understood how valuable the information in the network was, compared with more conventional measures of value. That would not be a great surprise, particularly in a company in trouble, trying desperately to stay above water. Management formed a three-man cell to discover how badly the company had been compromised, but the operation was soon wound down. It did not help that the cell was unable to prove the origin of the attack. No counterattack, for example a major lawsuit, could be launched. Even if it were certain that the attack had come from China, it would be impossible to say whether it was an attempt to tip the balance in favor of a Chinese competitor to NorTel, or something darker connected with NorTel’s old defense business. Given the close relationship between the Chinese economy and the Chinese government, the difference may not be so obvious in reality.
Management did react when the penetration was discovered. All seven passwords were changed. By that time the penetration software was so deep in the system that the change likely had no major effect. The penetrators were probably able to detect the new passwords so promptly that they were put to little or no trouble. After all, if they could embed the right software in the security system, they could probably detect the passwords that the executives were sending in when they signed on.
Security Isn’t Just for Geeks
Many people know that information is valuable, of course; companies on Wall Street live and die by it, and some have become wealthy selling the most current financial data. However, it seems much less likely that executives have been conditioned to think in terms of the value of the information resident in their companies, if they can even calculate how much data that is. Obviously certain information is a lot more valuable than the bulk of it, but that is a very qualitative statement. Some information is not too difficult to value—perhaps the plan to launch an IPO, or the content of a key patent. But how much is it worth to protect information in bulk form?
The great lesson of the NorTel penetration is that, even after a good deal of publicity, the cyber side of security still seems to many in responsible positions to be a sort of hobby for “geeks.” Human engineering attacks work because relatively simple security measures are not taken seriously. Why? They often make for inconvenience. Taking home a laptop containing classified-access software makes it a lot easier to be productive, but it places that computer within range of someone determined to install, say, a keystroke stealer. The higher the individual’s rank or position, the more difficult it is to convince him to heed a geek’s prohibition on what seems an easy or natural way to be more productive.
The United States operates a variety of classified internets. If they were physically separate from the Internet, they could not be penetrated remotely. In fact they (at least some of them) are not separated. A few years ago, an Air Force officer mentioned that his subordinates really enjoyed watching basketball on their office computers. It seems not to have occurred to him that to do so they had to be connecting those computers to the open Internet, with all the potential that carried for penetration. The usual solution to this problem is a series of firewalls that cannot be passed without using various passwords—which are frequently changed.
To the extent that is true, the NorTel example should be extremely sobering. At least to all appearances, NorTel did not fall victim to some flaw in the design of its security software. It fell to human engineering, in the form either of compromised passwords or, even more likely, the insertion of a keystroke stealer while someone was able to get at an executive’s computer. Then it fell victim to another kind of human engineering, in this case self-inflicted—a failure to grasp the likely cost of the compromise. It is of course possible that the passwords were obtained in more old-fashioned ways, such as bribes to trusted secretaries and other support personnel. But the point is that nothing very complex was needed.
All of this may seem new, but in fact it isn’t. Cyber-attack is the current equivalent to the code-breaking of the past, which has been described in great detail by several historians. The main lesson of that past is that the victims of code-breaking are never willing to face it; they have too much emotional stake in the belief that they alone have good security. That applied during World War II, as much to allies as to enemies—the British changed a key code only after the U.S. Navy obtained incontrovertible evidence that the Germans were reading it. The depressing aspect is that all of those victims really did understand how important it was to keep their communications secure. NorTel clearly didn’t.