Tag Archives: cyber security

When Is Electronic Espionage an ‘Act of War?”

Is the U.S. engaged in a “cyber war?” 

Until recently the identity of the perpetrators of cyber-attacks against U.S. networks, infrastructure and the military were clouded in suspicion and not spoken of out loud.  There has been much speculation about cyber war or a cyber-Pearl Harbor, but no official declaration of what constitutes cyber war or naming of names, until now. 

In March, General Keith Alexander, speaking before Congress, and in May, Secretary of Defense Leon Panetta, during an interview with ABC News, outwardly named China as the main perpetrator and identified criteria for defining cyber war.  General Alexander, the Director of NSA and CYBERCOM commander, stated, “China is stealing a ‘great deal’ of military-related intellectual property from the United States and was responsible for last year’s attacks against cyber security company RSA . . . .”[1] Secretary of Defense Panetta said, “Well, there’s no question that if a cyber attack, you know, crippled our power grid in this country, took down our financial systems, took down our government systems, that that would constitute an act of war.”[2]

Over the last year the Department of Homeland Security (DHS) has voiced their concern over the vulnerability of our critical infrastructure, oil and gas refineries, electric grids and nuclear reactors, to potential cyber-attacks. If you are not fully convinced of the threat, consider the “Shady RAT (remote access tool)” report by McAfee wherein they identify companies and governments which recently discovered that hackers have been in their networks for the last five or six years undetected.[3]

One might conclude that a clear picture is emerging, but is it? 

During the Cold War, when government secrets were stolen, it was treated as espionage or spying.  Remember all of the spies tried for espionage: Aldrich Ames, Robert Hansen, the shoot down of Gary Powers and the U2 spy plane over the USSR.  What if a nation placed “sleeper cells” in its adversary’s country ready to attack critical infrastructure if a war broke?  Would this be considered spying and part of the “cat and mouse” game or grounds for a retaliatory strike?

Does the fact that these activities can now be accomplished electronically from the safety and comfort of your own nation change the playing field?  At the time, we probably considered the flights of the U2 relatively safe since it flew above the threat zone of anti-aircraft guns.  Does stealing terabytes of military secrets or planting logic bombs in critical infrastructure (to be launched in a moments’ notice to disable the infrastructure) cross the line from espionage to war or an “act of aggression?”  

This and many similar scenarios are now the new normal and must be defined as nations and the international community grapple with technology and current and future capabilities.  Where should the line be drawn?  Do we just accept, that an adversary, via computers, can now access and potentially steal, manipulate, or destroy information and functionality, or should nations aggressively draw the line now and openly retaliate in protest?

Obviously, as Secretary of Defense Panetta stated, if you disrupt critical infrastructure, deny critical communications, or blind a military defense system, the line has likely been crossed.  Certainly defacing a website does not even come close to being an act of war or aggression.  What about stealing terabytes of military secrets to later be used to disable your adversary’s defenses?  Possibly!  For now the line will be defined by the reactions of various nations faced with cyber-attacks.  If a nation does nothing or retaliates with a similar attack, e.g. theft for theft, then a line has been drawn and a precedent set.

A similar problem is the issue regarding Iran and nuclear weapons.  Is Iran’s pursuit of nuclear weapons and statements attributed to them about annihilating Israel and the West enough provocation to take aggressive action to prevent them from obtaining a bomb?  Clearly no one wants to escalate the situation but most agree something must be done before it is too late.  Similarly, in the cyber arena, all interested parties are reacting very cautiously in their response to cyber-attacks, likely to avoid escalation and the setting of precedence. 

In the Estonian and the Georgian conflicts the reaction was to block, clean up, and speculate about who may have launched the attacks and only the media claimed cyber war.  Not until recently has one nation, e.g. the U.S., been so vocal about who is using cyber espionage and attacks to invade and plague their networks.

[1] NSA Chief: China Behind RSA Attacks, J. Nicholas Hoover, Information Week Government (Mar. 27, 2012) http://www.informationweek.com/news/government/security/232700341.

[2] Leon Panetta: A Crippling Cyber Attack Would Be ‘Act of War’, Jake Tapper, ABC News (May 27, 2012) http://abcnews.go.com/blogs/politics/2012/05/leon-panetta-a-crippling-cyber-attack-would-be-act-of-war/.

[3] McAfee: Operation Shady RAT, http://www.mcafee.com/us/resources/white-papers/wp-operation-shady-rat.pdf.

Attorneys and Law Firms Beware and Implement Good Cyber Security Practices

If you are an attorney you need to heed the warnings: lock down and protect client data.  This is not a scare tactic, but good advice in light of recent events.  In 2010 at least seven law firms in Canada were hacked, allegedly by Chinese hackers seeking to derail a $40 billion deal with an Australian mining company and to steal valuable client data resident at the law firms; and just this year the Puckett law firm was hacked by the Anonymous hacker group because the firm represents one of the Marine sergeants accused in the Hidatha, Iraq killings.  Some members of Anonymous were upset that the sergeant was getting a pretty good deal and Bradley Manning, the private who leaked      secrets to WikiLeaks was facing life in prison.  Imagine realizing that your law firm has been hacked and wondering what this is going to do to your reputation, and what, if any, ethics or disciplinary action may result. These are the type of stories that make the headlines.

Let’s face it, if your client’s network and/or data is secure, smart hackers will look for the soft target and see if they can get what they are looking for by going through you.  “As financial institutions in New York City and the world become stronger, a hacker can hit a law firm and it’s a much, much easier quarry.” (Mary Galligan, head of cyber in the New York City office of the FBI).  As a profession, we have moved far beyond being able to claim ignorance when it comes to cyber security.

An Aug. 2011 ABA formal opinion suggested that attorneys discuss with clients the fact that email may not be very secure.  Ensure clients are comfortable sending sensitive client info via email.  Some local bar associations have taken it a step further and stated that ethics require attorneys to use a secure email service.  I agree.  In fact, I would do two things:

1) include in your engagement letter a statement that email is not secure and that clients should either agree to use a secure service or sign a statement indicating their desire to continue to use email despite the security concerns; and,

2) Incorporate into a security policy for the firm a plan that outlines how client data will be protected and ensure all in the firm have read and are following it.

Cyber security does not need to be a mystery.  Many free and easy to use tools exist that will help you keep your practice more secure.  For instance, your email service may support secure or encrypted email.  If it doesn’t, there are many good options, such as Hushmail.  It is free, like Hotmail, and allows you to password protect emails using a question and answer format.  Just send your client a text or call them on the phone and tell them the password/answer.  This will significantly lower the risk of loss or theft of data and potentially reduce or eliminate your liability if an incident does occur.  It will also be a deterrent to your client if he/she decides to share your confidential communications with a third party, thus destroying attorney-client confidentiality. He/she will have to provide the password to that person or at least take extra steps to forward the message.  This is just one of many free tools that you can use to significantly lower the risk of a cyber-incident and reduce your liability if data is lost or stolen.  Will these tools make you 100% secure?  Not even close, but if the big guys like Citibank, JP Morgan, Google, the Pentagon, RSA, Visa, and a slew of others cannot prevent getting hacked neither can you.  What you can do is pull yourself out of the low hanging fruit category and minimize the risk of an incident. It’s time to do some research into this topic or hire someone you can trust.  Do Not trust the firm that tells you they have made your network secure, its not going to happen, and if you believe it there is a little bridge I would love to sell you ; – ).  Feel free to contact me with questions or leave a comment.

Congress: Cyber Security & the Private Sector. FBI Hacked

This week the House Energy & Commerce Subcommittee on Communications & Technology held hearings on how to address the cyber security threat and better implement private/public cooperation to mitigate the threat.  A question was raised about current laws and whether they hamper the private sectors’ ability to defend itself.  The Committee recognized the White House commission report on cyber security and its discussion on current law gaps (White House Cyber Security Policy Review).  At least in my opinion, the laws clearly hamper the private sectors’ ability to defend themselves.

Every time I lecture on my article, “Hacking Back In Self-Defense: . . .,” there is at least one or two people in the audience who argue that my theory is illegal. Is hacking back illegal? Yes, in some respects, and no in others.  It all depends.  I also receive pushback when I claim self-defense does exist in cyberspace. Regardless of where you stand on these issues, the discussion needs to be had and pushed down the road quickly. The naysayers do not provide solutions but only roadblocks. Attacks move at the speed of light and can severely damage and destroy companies. We need answers and solutions sooner rather than later.

Case in point, the FBI as they spoke to Scotland Yard about how to take down the Anonymous hacker group was hacked. Their 15 minute conversation was recorded by Anonymous and put out on the Internet. 

We are being challenged in cyberspace and must act now.  If you are interested in further discussion on tools and techniques for the private sector, attend a webinar on 16 Feb. titled, “Mitigative Counterstrike.”

Courts and Lawyers: Gauging the Level of Technical Knowledge

Like many people, I make a lot of assumptions.  Lately, I have made a lot of assumptions about people’s level of knowledge when it comes to cyber security and technology.  This is likely due to my background and training.  If you work in the IT or cyber security or related areas chances are you also make a lot of these assumptions as well.

Recently I learned that the level of knowledge regarding cyber security and technology amongst the legal profession is not as high as I had assumed.  This is not a knock on my colleagues in the law profession, but my failure to avoid making assumptions.  For instance, when emails are offered into evidence their authenticity must be established, but does this include whether the email address is genuine and was not spoofed, the content is original and was not altered, the date and time was not altered, the location of where the mail was accessed if webmail; how webmail works, where the servers are located, the meta data of messages, etc.  Example: if one party offers emails to prove a point about their opponent and the offering party had not been given access to the email account, the question should be raised as to where the emails came from and whether they constitute evidence of a crime; e.g. was the email account hacked?

This is not unique to email but would apply to social media accounts as well.  Many people today do not realize how easy it is to fake, alter and manipulate Online or E-accounts.  Certainly the legal profession must be provided the training and information to know the right questions to ask regarding the authenticity of evidence.