Hollywood and the entertainment industry are not critical infrastructure. The cyber attack on Sony’s computer networks and data is not, yet, a matter of national security. The attack is also not a use of force or an armed attack, the prerequisites for use of military force in self defense under international law. Thus, talk of military retaliation is inappropriate. The attack on Sony’s computer networks and data is first and foremost a law enforcement issue. Of course, as with any major crime with nation state involvement, diplomatic and economic responses also are legal and appropriate. The language of “proportional response” used recently by some U.S. Government officials echoes military terminology. It should not.
The U.S. has the legal tools to prosecute hacks and digital thefts like what happened to Sony. The crimes created by Congress are very broad and powerful, and Congress has made them applicable world-wide. The indictment in May of five Chinese military hackers for computer hacking, economic espionage and other offenses directed at six American corporate victims shows that the U.S. is willing to prosecute even foreign military officers. In October, the Department of Justice reorganized to increase its ability to handle cases just like this, especially state-sponsored economic espionage. The forensic abilities to prove these cases are surprisingly good. The problem is getting the defendants physically into a U.S. courtroom. Extradition for state-sponsored crimes is almost never possible until there is a regime change, but the indictment alone can cause real problems for the persons charged, limiting their ability to travel or to hold wealth outside of their home country. The legal tools are very powerful, but practical barriers make it very hard to put handcuffs on these defendants. Nevertheless, obstacles to prosecution do not legally elevate economic crime to warfare.
– Professor William C. Snyder
“The thinking was that the Iranians would blame bad parts, or bad engineering, or just incompetence.” – Architect of Stuxnet Cyber Attack.
According to an article by JustSecurity, confusion about whether an incident is an accident or a cyber attack may be a common problem going forward. The article opens with a reference to a Bloomberg news report which publicly revealed that hackers caused a 2008 explosion on the Baku-Tbilisi-Ceyhan (BTC) oil pipeline in Turkey. According to the article, the issue is that it took six years for analysts to identify this incident as a cyber attack rather than a simple malfunction. While attributing who is responsible for an attack continues to be a significant concern in cybersecurity, the JustSecurity article focuses on the equally troubling issue of attributing what caused an incident: a cyber attack or a simple malfunction?
The Importance of Determining the “What” Attribution Question:
Cybersecurity has become a top concern worldwide. Both international and state leaders have placed great efforts into forming rules of law and cyber norms to provide a strong enforcement arm in the worldwide cybersecurity battle. However, before these laws can be applied to the attacker and victim states, a cyber attack must be identified (and then of course attributed to an attacker). The difficulty attributing whether a cyber attack or malfunction occurred creates an additional barrier between states and international responsibility for their actions, according to the article. JustSecurity sets out three additional consequences of this problem:
(1) The increased fear that a cyber attack has occurred whenever anything malfunctions in the future.
(2) The ambiguity may allow states to get away with aggressive actions that they could not undertake through conventional means without provoking a response.
(3) States may be more likely to undertake aggressive actions in the first place if they “. . . perceive that cyber actions will be recognized only after a delay or not at all and that (in part because of the delayed recognition) the consequences for the attacking state are minimal.”
How Attackers Take Advantage of the “What” Attribution Problem:
Sometimes the attacker makes the answer clear, like when the Shamoon virus was accompanied by an image of a burning American flag or when the Sony attack displayed a neon red skull on computers with the hacker group’s name. However, other times the attackers take advantage of the difficulty in attributing whether problems are from cyber attacks or simple malfunctions. A prime example is the Stuxnet worm. According to a 2012 New York Times article discussing the Stuxnet worm’s design:
The first attacks were small . . . “The thinking was that the Iranians would blame bad parts, or bad engineering, or just incompetence,” one of the architects of the early attack said. The Iranians were confused partly because no two attacks were exactly alike. Moreover, the code would lurk inside the plant for weeks, recording normal operations; when it attacked, it sent signals to the Natanz control room indicating that everything downstairs was operating normally.
According to the JustSecurity article, the BTC oil pipeline explosion provides an additional example of the “what” attribution problem at play. The article again cites the Bloomberg report, which suggests that there was similar confusion about the cause of the BTC oil pipeline explosion:
. . . the Turkish government “blamed a malfunction,” and BP, the majority owner of the pipeline, noted in its annual report that the pipeline was shut down because of a fire.
According to JustSecurity, the focus on mitigation will be a technical one rather than a legal one. Simply put, there needs to be faster recognition of cyber attacks as cyber attacks and malfunctions as malfunctions. The article places this responsibility on the numerous private cybersecurity firms with substantial forensic capabilities and government investigators.
Cyber Round Up: Aviation Cyber Risks; Sony Update; Interview Dark Web Leader; Other Cyber News in Prevention and Malware
- SONY BREACH UPDATE: As many are well aware, two weeks ago a hacker group calling themselves “Guardians of Peace” seized the computer system of Sony Pictures Entertainment. Many link the group to North Korea, who denounced Sony’s upcoming movie “The Interview” which centers around two journalists recruited by the CIA to assassinate North Korean leader Kim Jong-un. North Korea has denied any involvement with the hack, but has said they’re glad it happened. Since then, the group has initiated a number of cyber attacks against the company, revealed Sony employees’ personal information, leaked five unreleased Sony films on the web, and threatened current Sony employees through email. Business Insider has done an excellent job recapping the major events involved in this breach in a timeline accessible here.
- CYBER SECURITY FOR AIRPLANES AND DRONES: Reuters recently reported on the rising cybersecurity risks surrounding airplanes and drones. The Reuters article discusses a recent review of aviation safety published by German insurer Allianz which states: “Cyber terrorism may replace the hijacker and bomber and become the weapon of choice on attacks against the aviation community.” As for commercial drones, whose use is expanding in surveillance, crop dusting, news gathering and sporting events and for which there is no standard international regulation, Allianz states the following: “[t]he potential risks are obvious, namely collision or third-party damage or injury.” The Reuters article goes on to discuss the specific risks to the aviation community as well as the plans to mitigate these risks. Click here for the full article. PREVENTION: In other related news, RT.com reported on a new system that Pentagon-sponsored engineers have developed to shield unmanned aerial vehicles from cyber-attacks. According to the article, the system sounds the alert if a drone starts doing something that it is not supposed to do. For the full RT.com report, click here.
- INTERVIEW WITH DARK WEB SURVIVOR: Despite the numerous governmental crackdowns of dark web black market sites, one black market site that continues to survive is RAMP, which stands for Russian Anonymous Market. Wired was able to interview RAMP’s administrator, who goes by the name Darkside. According to the interview, Darkside has survived primarily for two reasons: the people who run and use the site and the strict rules for membership. The RAMP site is written in the Russian language and caters only to Russian clientele. The rules prohibit any political discussions, because Darkside states that would “attract attention,” and the rules also ban the selling of guns, stolen goods, or pornography. The primary good on their market: drugs. For the full interview by Wired, click here.
- SMARTPHONES WITH PRE-INSTALLED MALWARE: InformationWeek reports that malware was found pre-installed on several popular smartphones. The malware is a Chinese Trojan program dubbed DeathRing, which is disguised as a ringtone application and is loaded in the phone’s system directory, from which security vendors cannot remove it. The report warns that while the phones at issue were from low-cost, third-tier vendors in Asia and Africa, “. . . that doesn’t mean it can’t happen here.”
To continue reading more Cyber News Wrap-Ups from this past week:
The Federal Communications Commission is the latest agency that has begun sanctioning businesses for failing to protect sensitive customer data stored electronically, bringing the total number of agencies enforcing data security practices to three.
In October, the FCC ordered two telecommunications carriers, TerraCom, Inc. and YourTel America, Inc., (the Companies) to pay ten million dollars for failing to employ reasonable data security practices to protect customer information, and for failing to notify customers of the breach. Evidence showed that there had in fact been multiple instances of unauthorized access to the customer data, which the Companies kept on readily accessible servers connected to the web. The Companies neither encrypted the data nor protected it with a password.
The Commission decided, with two of the five Commissioners dissenting, that in failing to provide reasonable data protection measures, the Companies were in violation of Title 47 sections 201(b) and 222(a). Section 201(b) prohibits unjust and unreasonable charges, practices, classifications, and regulations in connection with communications services provided. Section 222(a) states that every telecommunications carrier has a duty to protect the confidentiality of a customer’s proprietary information.
In justifying the imposition of liability under section 222(a), the Commission first established that the insecure data was “proprietary information” within the meaning of the section. Second, the Commission established that the Companies did in fact owe a duty to the consumers. And third, that the Companies breached that duty when they failed to protect consumer data, which in turn amounted to a violation of section 222(a).
Unsecured Data Found to be Proprietary Information
The Commission reasoned that, given the way the term “privacy” is used in the headings of sections 222(a) and 222(c)(1), it was clear that “proprietary information” encompassed all private information that a consumer has an interest in keeping secret, including names, addresses, phone numbers, and social security numbers.
However, § 222(c) explicitly refers to “customer proprietary network information,” which the statute defines as “information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service…that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship.” It goes on to specify that such information also includes “information contained in the bills pertaining to telephone exchange service or telephone toll service received by the customer or carrier,” but it explicitly makes an exception for “subscriber list information.” Part 64 of Title 47 provides that subscriber list information includes the names, phone numbers, and addresses of subscribers.
Accordingly, it would seem to me that “proprietary information” does not include the type of sensitive subscriber information the Commission read into it. Commissioner O’Rielly explained in his dissenting statement that section 222 does not apply to the protection of data online, and in fact cannot be interpreted to do so, because the legislative history clearly shows that the goal of the section was to prevent carriers from gaining an anticompetitive advantage. In fact, the legislative history suggests that the privacy portion was added to prevent carriers from using proprietary information for their own marketing purposes, not to provide a general privacy protection to consumers.
“If Operation Cleaver doesn’t get the world to wake up to what is happening in the silent world of cyber, then perhaps nothing will.” – Cylance Report on Operation Cleaver.
According to researchers at Cylance, a security startup, a vast number of western organizations have been breached by hackers operating out of Iran. Cylance calls the campaign Operation Cleaver and has been tracking the group behind it for over two years. Cylance released its report on the group earlier than it intended. As for the rationale behind the early release, the company stated:
Iran’s rising expertise, along with their choice of victims, has compelled us to release this report sooner than we would have liked in order to expose Operation Cleaver to the world.
Airports and airlines are amongst the list of targets and victims of Operation Cleaver, which according to the report is “[p]erhaps the most bone-chilling evidence we collected in this campaign.” According to the report, both physical and cyber assets, as well as logistics information, were compromised at major airline operators, airports, and transportation companies.
[T]heir entire remote access infrastructure and supply chain was under the control of the Cleaver team. . . . They achieved complete access to airport gates and their security control systems. . . . There is a possibility that this campaign could affect airline passenger safety.
Airports and/or airlines were targeted and/or victimized in the following countries: United States, Saudi Arabia, South Korea, United Arab Emirates, Qatar, and Pakistan. In addition, their targets amongst 16 countries include military, oil and gas, energy and utilities, transportation, hospitals, telecommunications, technology, education, aerospace, Defense Industrial Base (DIB), chemical companies, and governments.
Who is to blame? The Cylance report points the finger at Iran.
Cyber Round Up: Hacking Wall Street; FBI Warning Post Sony Malware; Hacking E-Cigs, Parking Lots, and Issues with Cryptography
- Hacking underlying a sophisticated cyber scheme to rig the stock market was revealed on Monday by the security firm FireEye. FireEye warned the FBI that a group of hackers, which FireEye has designated FIN4, had stolen highly sensitive secrets from over a hundred companies for the purpose of gaming the stock market. The primary targets of the scheme were companies in the healthcare sector, as well as attorneys and other consultants who worked with those companies. The types of documents that were taken include press releases about mergers, as well as drafts of SEC filings. FireEye was unable to identify the hackers because they used Tor, a service for making web traffic anonymous and untraceable. According to a report by Reuters, the next step in identifying the hackers is to follow the money to determine whether any trades based on this information resulted in profits. FireEye is releasing indicators to help organizations detect FIN4 activity. Those indicators can be downloaded here. The full FireEye report, including examples of FIN4 targeted attacks, can be accessed here: FireEye Report Hacking the Street. For an analysis of the report by the New York Times, click here.
- The FBI is warning companies that cyberattackers are launching destructive malware in the U.S., Reuters reports. The five-page “flash” warning comes in the wake of a crippling attack on Sony Pictures Entertainment last week, though the FBI would not say whether the Sony hack prompted the warning. It is extremely difficult and costly, if not impossible, to recover hard drives that have been attacked with the malware, according to the report, which was distributed to security professionals at U.S. companies. As for the Sony attack, the technology news site Re/code reported that Sony was investigating to determine whether hackers working on behalf of North Korea were responsible for the attack as retribution for the company’s backing of the film “The Interview,” a comedy which follows two journalists recruited by the CIA to assassinate North Korean leader Kim Jong Un. According to Reuters, the technical section of the FBI report said some of the software used by the hackers had been compiled in Korean, but it did not discuss any possible connection to North Korea. See also reports on the Sony attack by the Chicago Tribune, Bloomberg, and Washington Post.
- POST THANKSGIVING CYBER NEWS WRAP UP:
- Cryptography Inhibits Law Enforcement: The Economist reports that technology companies are beefing up the encryption of data to protect users’ privacy, making it more difficult for law-enforcement agencies to find out what people have been up to online.
- Hacking into Parking Garages: InfoSecurity reports that between Sept 29 and Nov 10, cybercriminals were able to gain access to payment card data at garages in the Chicago area, Philadelphia and Seattle.
- Chinese Hacking through E-Cig Chargers: TheHackerNews reports that China-made electronic cigarette chargers could infect your computer with viruses.
- Cybersecurity Training for Bank Examiners: Wall Street Journal reports that Federal and state regulators are ramping up plans to train bank examiners about cybersecurity risks at a time when the financial institutions they oversee face growing threats from hackers.
- Poland’s Weak Cybersecurity: ZDNet reports that an upcoming audit has found massive failings across Polish institutions when it comes to digital threats.
- Cybersecurity for Unmanned Systems: According to Help Net Security, the University of Virginia School of Engineering and Applied Science Department of Systems and Information Engineering announced the success of an early-stage demonstration to improve defenses for unmanned aerial vehicles against cyber attacks. Read the full article here.
“In the world of malware threats, only a few rare examples can truly be considered GROUNDBREAKING and almost PEERLESS,” – Symantec.
With all the recent hype surrounding Regin, we have scoured the net and broken down the five W’s of Regin below:
The highly complex and sophisticated makeup of Regin, as well as its extensive espionage capabilities, suggests that it was developed by a nation-state, the Guardian reports. Although attribution in the cyber realm is difficult, speculation as to the source of the Regin malware points to the United States’ National Security Agency (“NSA”) and the United Kingdom’s Government Communications Headquarters (“GCHQ”), Wired reported. Sources cite circumstantial evidence to link both the NSA and GCHQ to Regin. First, reports suggest that the Regin malware is eerily similar to an attack that began in 2010 on Belgium’s Belgacom, a phone and internet service provider, which allowed the attacker to gather data on the company’s network, as well as customer information, and was attributed to GCHQ. Second, sources cite reports leaked by Edward Snowden describing two NSA operations targeting the mobile networks of several nations and designed to gather, record and store metadata on every mobile phone call to and from these nations. Accordingly, reports have linked the NSA to Regin because of the staggering number of victims that Symantec has identified as telecom networks. Third, there have been no reports identifying victims in either the U.K. or the U.S., further inciting speculation that Regin is a product of both nations, reports the Guardian.
Regin is a back door-type Trojan with a degree of technical competence rarely seen. It has the ability to load custom features tailored to individual targets. In fact, according to Symantec, some of Regin’s custom payloads point to a high level of specialist knowledge in particular sectors on the part of the developers. Symantec’s report also notes that Regin is capable of installing a large number of additional payloads, some highly customized for the targeted computer. Symantec listed some of Regin’s payload capabilities: stealing passwords, monitoring network traffic, gathering information on processes and memory utilization, and retrieving deleted files. Symantec also noted some advanced payload modules designed with specific goals, which have included monitoring network traffic to Microsoft Internet Information Services (IIS) web servers, collecting administration traffic for mobile telephony base station controllers, and parsing mail from Exchange databases. But perhaps the most significant aspect of Regin is its ability to target GSM base stations of cellular networks. Wired reports that access to GSM base station controllers would allow manipulation of the system, including the monitoring of cellular traffic. Wired adds that this capability includes the ability to shut down a cellular network, for example during an invasion of the country or other unrest. This fear is not just conceptual; Kaspersky reports that in 2008 Regin was used to steal the usernames and passwords of system administrators of a telecom somewhere in the Middle East.
Cyber Round Up: REGIN Malware; Egyptian Cyber Army; Potential Iran Cyber Attacks; State-Sponsored Hackers VS Human Rights Groups
- REGIN – Top-tier espionage malware that Symantec and Kaspersky reports indicate was created by a nation state has been described as a highly sophisticated back door-type Trojan that is customizable with an extensive range of capabilities depending on the target. Stay tuned to Crossroads Blog this week for an in-depth look at “The Five Ws of Regin,” but until then, read the full reports here: Symantec; Kaspersky. As for which nation state is responsible for this malware, reports are inconsistent. While most articles circulating in the news cycle claim uncertainty, the following reports attribute it to Western sources: Wired; Intercept; The Guardian.
- An Egyptian Cyber Army is the hacktivist group behind online attacks on ISIS propaganda, according to an article by Mashable. With its anti-ISIS stance, the group seems to join “a motley crew of hacktivists who are trying to counter the terrorist group’s influence on the Internet,” according to the article. The article points out that it is unclear whether the group is sanctioned by the Egyptian Government.
- Fears are growing that Iran will unleash cyber warfare on U.S. companies if negotiators are unable to reach a nuclear deal that would require Tehran to limit its nuclear program, according to The Hill. According to the article, the companies that could be targeted include U.S. financial firms, oil and gas companies, and water filtration systems. While researchers cited in the article describe Iran as a close fourth behind the U.S., Russia and China in terms of its ability to launch cyber attacks, Iran makes up for its lagging position with an apparent willingness to go on the offensive.
- The Globe and Mail recently reported the findings of a study by The Citizen Lab into human rights groups targeted by state-sponsored hackers. The four year study examined eight groups engaged in “rights issues related to China and Tibet” and two larger human-rights groups operating globally. According to the report, a powerful hacking team run by the Chinese People’s Liberation Army is thought to be responsible for targeting one China-focused group and one international rights group. For the full report, click here. For a link to the actual study behind the report, click here.
From November 18 to November 20, NATO conducted its seventh annual Cyber Coalition Exercise, NATO reported. According to NATO, the three day exercise, dubbed “Cyber Coalition 2014”, was designed to test the “Alliance’s ability to defend its networks” from the myriad of threats that exist in the cyber domain. Additionally, NATO Assistant Secretary General for Enhanced Security Challenges Ambassador Sorin Ducaru highlighted the importance of ensuring that NATO’s cyber specialists “keeps pace with the evolving threat.”
During the Wales Summit that was held in September, NATO adopted a new policy making cyber defense a part of its core tasks. Although the new policy prioritizes NATO’s communications and information systems (“CIS”), according to NATO its operations require reliable and secure supporting national infrastructure. Accordingly, the new policy aims to increase cooperation between NATO, national authorities, international organizations and private industry. Additionally, NATO announced plans to improve its cyber defense through continued “cyber defense education, training, exercises and evaluation.”
Cyber Coalition 2014, NATO’s largest multinational cyber defense exercise, consisted of over 670 technical, government and cyber experts from over 30 countries, including all member nations and several non-member nations, NATO reported. Additionally, NATO revealed that representatives from academia and industry were present as observers. This marks the first time NATO has invited these representatives, and is in line with NATO’s recent initiative outlined during the Wales Summit. NATO further stated that industry plays a key role in cyberspace, and plans to foster its relationship with the private sector.
“The cyber threat is not just a potential threat, it is a daily reality,” Ambassador Ducaru said. Cyber Coalition 2014 is most certainly a part of NATO’s initiative to develop its ability to tackle these threats.
“The cyber threat is real, this is not theoretical.” – National Security Agency Director Admiral Michael Rogers.
At a hearing in Washington today of the House Intelligence Committee, National Security Agency Director Admiral Michael Rogers discussed the nation’s cyber vulnerabilities. Rogers set out the three missions of U.S. Cyber Command: defend DOD’s networks, generate a cyber mission force, and provide DOD capability to defend critical infrastructure.
According to Rogers, multiple nation states have already developed the capability to shut down our industrial control systems. Specifically, this means that these nation states can shut down or disrupt the control systems that run our water, power, financial systems, and aviation. Not only that, Rogers stated that these nation states have already been discovered hacking into these systems.
Nation states are not the only actors with the capability to launch a cyber attack. According to Rogers, organized crime groups also pose a risk to our nation’s security. These groups penetrate systems to gain information that they can sell on illegal markets. Rogers predicted a terrifying future trend: nation states using these groups as surrogates to create plausible deniability.
Rogers pointed to the absence of international norms in cyberspace as a reason for our expanding cybersecurity risks. According to Rogers, this deficiency has resulted in the appearance of an online world without consequences. When Congressman Jim Himes asked Rogers what types of norms should be set, his first response dealt with emergency response. According to Rogers, an emergency response norm would involve an agreement not to attack a nation’s emergency response capabilities. Other norms mentioned by Rogers included norms protecting critical infrastructure, intellectual property, and anything else that could lead to loss of life or loss of control.
On the one hand, it is not surprising that it is taking time to develop these international cyber norms. Rogers compared the current cybersecurity risks to nuclear risks during the Cold War, pointing out that the policy of deterrence did not develop overnight. However, Rogers also suggested that the current cyber threat presents additional problems. While the execution of the nuclear threat was originally limited to a few nation states with the finances and power necessary to carry out that threat, the current cyber threat is not restricted by those obstacles. In addition to nation states, groups and individuals are able to carry out cyber attacks individually. Moreover, Rogers pointed out that unlike the nuclear model, developing the capability to perform a cyber attack is inexpensive.
Jennifer A. Camillo
is a third year student at Syracuse College of Law. She has served as a law clerk in the United States Attorney’s Office for the Northern District of New York and the Cayuga County District Attorney’s Office and as an extern in the Oneida County District Attorney’s Office. She is a member of the Syracuse National Trial Team and was recently awarded the Tiffany Cup by the New York Bar Association for her trial advocacy achievements.
holds Juris Doctor and Masters of Public Administration degrees from Syracuse University's Maxwell School of Citizenship and Public Affairs and its College of Law. She has served as a law clerk in the United States Attorney's Office for the Western District of New York and the Public Defender Service for the District of Columbia and as an extern in the United States District Court for the Western District of Washington.
Professor William Snyder
is a member of the faculty of the Institute for National Security and Counter-terrorism at Syracuse University after fifteen years with the United States Department of Justice.
- Our Legal Analysis of U.S. Response to Sony Attack
- A New Attribution Problem: Cyber Attack or Malfunction?
- Cyber Round Up: Aviation Cyber Risks; Sony Update; Interview Dark Web Leader; Other Cyber News in Prevention and Malware
- Too Many Cooks in the Kitchen: Regulatory Enforcement of Data Security Practices
- Operation Cleaver Cyber Attacks: Is Iran the New China?