1 December 2016

***The Danger of Ignoring the 'Espionage' in Cyber Espionage

NOVEMBER 10, 2016

It is becoming increasingly clear that digital information is not as secure as it was once thought to be. 

This week, I had the honor of delivering a keynote speech for the Global Cyber Security Leaders Conference in Berlin. The city, which decades ago was a hub of Cold War-era espionage, provided the perfect backdrop for my attempt to put its modern cousin — cyber espionage — into context.

One need only glance at the headlines to see that all things cyber are attracting quite a bit of attention these days. From vulnerabilities in the Internet of Things and distributed denial of service attacks to the hack of the Democratic National Committee, it is becoming increasingly clear that digital information is not as secure as it was once thought to be. Because of this, I'd like to share my thoughts on cyber espionage with Stratfor's readers.
One of Many Tools

First, I want to be clear about what I mean when I say "cyber espionage." As I am using it, the term simply refers to any espionage committed against a computer system. So, according to this definition, cyber attacks are just one tool in the espionage toolbox, alongside many other methods of attacking a computer system including human, signal and imagery intelligence. Cyber espionage's close link to these tactics is what sets it apart from more traditional forms of hacking. Hackers certainly use internet searches (open-source intelligence) to plan their attacks, and social engineering (human intelligence) to assist them, but their reliance on other tools of espionage is limited compared with that of the sophisticated state and non-state actors engaged in cyber espionage.

Historically, espionage has evolved to stay at the cutting edge of technology. During World War II, Western mathematicians developed primitive computers to break the codes cranked out by the Nazis' Enigma machine. And over the past few decades, U.S. intelligence agencies have created incredible optics that can be mounted on spy satellites, and lasers that can be bounced off a building's windows to eavesdrop on the conversations being had inside. Breaking into computer systems to gather intelligence, plant disinformation or conduct sabotage is merely another example of the world's intelligence agencies embracing the latest technology as a means of accomplishing their goals.

For one, cyber techniques can be used to increase the efficacy of other espionage tools. If an intelligence service, say, cracked someone's email or social media passwords, or took control of their smartphone or computer with malware, the intelligence gleaned in the process could prove useful in crafting a strategy to recruit that person as a human intelligence agent. Likewise, obtaining a foreign defense contractor's email about the time, date and location of the testing of a weapon with revolutionary technology could give an intelligence agency enough notice to focus its imagery, electronic and other collections platforms on the test site.

Other espionage tools can be used to enhance cyber espionage operations as well. A myopic focus on the "cyber" aspect of cyber espionage can be dangerous. Forgetting that it is also an activity that can involve other forms of espionage encourages too heavy an emphasis on addressing technological vulnerabilities and external threats while ignoring non-technical weaknesses and methods of attack. No doubt, if a target has information that a perpetrator might want, hacking into the computer system it resides on from a remote location can be a convenient way of getting it with a degree of plausible deniability and without risking arrest. Such operations are often far less dangerous — and perhaps quicker — than espionage activities that require the deployment of intelligence operatives inside a foreign country with a hostile security service. That said, if the computer system cannot be accessed from afar, perpetrators are likely to lean on the other espionage tools at their disposal to obtain the information they seek, regardless of the perils and pains it entails.
Complements to Cyber Espionage

And there are many ways they can do it. Open-source intelligence, for example, can help intelligence services to identify the hardware and software a target has bought and used, enabling them to better tailor a hacking attack against it. Likewise, photographs of executives or employees can help to pinpoint which brand of computer, cellphone and other devices they use. Intercepting a target's communications via cellphone or satellite phone, or perhaps running a black-bag job on the building where information is stored, might also prove useful to an operation. But perhaps the most effective tactic is adding an element of human intelligence — recruiting an agent with access to the material or system desired.

Historically, buying cooperation with cold hard cash has been one of the most effective means of recruiting human agents. Though the system's administrator would obviously be the most ideal candidate for recruitment, other types of employees can be invaluable to a cyber espionage operation. Even non-IT workers within a company or organization can agree to download information, inject malware, identify other recruits or provide the details needed to customize spear phishing attacks in exchange for money.

Honey traps, or the use of sexual favors and romantic bonds to gain an agent's cooperation, are a tried and true approach to recruitment as well. The stereotype of the awkward, lonely computer nerd does not apply to most system administrators, but that does not mean that they — or other employees — are not just as vulnerable to honey traps as their government counterparts. In fact, they may even be easier prey, since few employees in the private sector receive security awareness training related to such threats. Men are not the only ones open to sexual or romantic exploitation, either; women can fall victim to honey traps as well.

Intelligence agencies can also leverage family members to gain a target's compliance. The government, for instance, could offer to shower them with benefits, such as admission to a prestigious school or a lucrative job, in exchange for the information it needs. On the other hand, authorities could threaten to withdraw privileges or even imprison family members if a target refuses to cooperate. These techniques can have great persuasive power over the employee or individual subjected to them.

As cyber defenses improve, and as targets become more difficult to penetrate, the people with access to information stored on computer systems will increasingly come to be seen as the weakest link in those systems' security. This will also mean that they are more likely to become targets for recruitment as human intelligence assets. And as we have already identified, the only limitation to eliciting a person's help is the creativity of the intelligence officer seeking it.
A Holistic Solution

Because of the common (if misguided) emphasis on the cyber aspect of cyber espionage — and the wanton disregard for the role of other espionage tools in facilitating cyber attacks — cyber espionage is often considered to be a problem of information security that only technical personnel can address. But in the true sense of the term, cyber espionage is a much broader threat that can emanate from many different sources. Therefore, it must be treated more holistically: Chief information security officers will need the help of chief security officers, human resources, legal counsel and others if they hope to protect the companies and departments in their charge.

Employees will become a crucial part of their employers' defenses, too. Many companies provide training in cybersecurity that includes warnings about hacking methods like phishing and social engineering, but few cover traditional espionage threats and tactics. This frequently leaves the majority of workers ill prepared to guard themselves against such methods. And ultimately, thwarting a sophisticated enemy equipped with a wide array of espionage tools will be possible only with a better informed and more coordinated effort on the entire company's part.

No comments: