11 June 2015

Strike Back At Chinese For OPM Hack; Build A Cyber Strategy

June 09, 2015 

Chinese government-backed hackers continue to penetrate and steal information from large US personnel data repositories. Our government gnashes its teeth and may issue a statement.

These attacks are not about grabbing credit cards or frequent flyer miles, creating mayhem with political messaging, or pure mischief. These infiltrations by the Chinese are all about an industrial scale preparation of the cyber battlefield that enumerates the identities of the US population and starts to focus on political and economic targets. This is an intelligence operation on an unimaginable scale that demands a sense of urgency and a will to win on the part of the federal government.

The Associated Press broke the news that a long-term exploitation of the government’s personnel management department resulted in the breach of the personnel records of over 4 million current and former government employees. In the spirit of keeping secrets public Politico received a leak that the attack was attributed to the deliciously named Deep Panda whose exploits I assessed as a human intelligence operation during the Anthem hack earlier this year. The leak further revealed that the background investigations for these millions of security clearances were also taken (some of which went all the way back to 1985 so we can guess that it was all records entered since the dawn of the PC) and that none of these records were encrypted (Really, at this point, why bother?).

After running through the Elysian fields of the health care world’s customer databases — the Anthem hack — with nary a care, the same team of Chinese hackers has moved on to more fertile (though apparently similarly defended) pastures.

Let’s review what we know to date: Deep Panda was first publicly detected by CrowdStrike in 2014

2011 as a result of pro bono work it was doing for nonprofits and thinktanks that expressed views contrary to the Chinese government’s official line. They then sprang to prominence as a result of the Anthem breach disclosed at the start of 2015.

The information gathered didn’t fit the normal modus operandi of the usual suspects looking for money or credit card information, so we surmised at the time that 80 million individual records would make a smashing start to organizing a giant file cabinet that would ultimately contain the information of the entire nation. This incident was followed by 11 million records stolen at Premera and then more than one million taken at Carefirst (a DC-area Blue Cross/Shield Provider that services many current and former federal employees in the capitol region).

The Chinese plan seems to be to gather clearance information from the Office of Personnel Management, combine it with your next of kin, home phone, family members, etc. and suddenly they’ve got the cheat sheet for just about every “have you forgotten your password” question out there in IT land. With the answers to the “who am I?” questions, the Pandas can then delegate the rote work of actually being you to others with lesser technical skills who will use your identity online, try to access your other credentials, and use the large amount of information in the big data bin to gain access to any number of sensitive government, research, and financial systems.

We should be deeply concerned as a nation about this – millions of cleared individuals have had an enormous amount of personal information taken, their online identities made far more vulnerable, and secure accounts more easily compromised. We are seeing a nation-state moving with aplomb across our commercial and governmental networks gathering HUMINT (Human Intelligence) data with little resistance and — to date — no consequences. We have a governmental response that is hamstrung by turf and policy and befuddled by the speed of change in this newest of global commons (military speak for places we fight: Land, Sea, Air, Space, CyberSpace).

Combine all this with the Fed’s enormous loss of credibility in the “keep a secret” department resulting from Snowden, Manning, and the IRS online return scandal and you have the makings of tremendous barriers to sharing information within the government. Who wants to share information with an organization that can’t protect it? This is important because one of the lynchpins of the Fed’s strategy is to encourage, and in some industries mandate, information sharing on incidents for the greater good. The security world’s explosive reaction to DHS chief Jeh Johnson’s keynote at the RSA conference this year in which he said “Our inability to access encrypted information poses public safety challenges” as part of a larger theme of asking industry to help the government figure out how to break or weaken encryption set off the brouhaha.

The community’s response, to paraphrase the online catcalling, was that the government’s inability to encrypt key data is posing public safety challenges aplenty. This foreshadows the straits this strategy will have to negotiate as they see a federal government terribly out of touch with the realities of succeeding in a global security market, technology (particularly encryption), and the right to privacy. In this instance, the federal government came off as an aged King Canute hoping to stop the tide of technology with a simple decree and an appeal to patriotism.

A muscular governmental response is called for immediately: 
Increase the opportunity cost to the Chinese (and any other nation state) operating inside our cyber borders 
Develop defenses and kept up to date at the speed of technical change 
In a world where world class cyber manpower costs a quarter of a million a year (+) do not pretend that an adequate cyber force will be built on a GS 13’s salary. Come up with a realistic plan to train and staff our cyber border 
Develop a way for the government and industry to share information without doing harm 

Any plausible strategy has ways, means, and ends; we do not have one.

John Quigg, a retired Army lieutenant colonel, was one of America’s first cyber warriors. He now works for Spurrier Capital Partners, a New York investment bank.

No comments: