Published: 01 Feb 2019
In his first state visit to the United States, Chinese President Xi Jinping landed in Seattle on Sept. 22, 2015, to deliver a strong cybersecurity statement to U.S. technology companies. He pledged China would not hack for commercial advantage.
"China is a staunch defender of cybersecurity -- it is also a victim of hacking," President Xi said. "The Chinese government will not, in whatever form, engage in commercial thefts or encourage or support such attempts by anyone. Both commercial cybertheft and hacking against government networks are crimes that must be punished in accordance with law and relevant international treaties."
Three days later, President Xi and U.S. President Barack Obama agreed both countries would work together to stem "malicious cyber activities" and refrain from "conduct[ing] or knowingly support[ing] cyber-enabled theft of intellectual property."
At first, the U.S.-China Cyber Agreement seemed to curtail prolific Chinese cyber operations, according to cybersecurity firms. But following the recent trade tensions with China, cyberattacks against U.S. firms have again increased, with some cybersecurity experts and U.S. officials maintaining that China never stopped hacking U.S. companies.
"China never went away," said Chris Camacho, a former information security officer at the World Bank and now chief strategy officer at threat intelligence firm Flashpoint. "The activities did kind of slow down during the treaty, but they never went away. It seems like they no longer care. They are not being as careful as they were when the treaty first started."
The U.S.-China Cyber Agreement is arguably the most significant attempt by the U.S government at finding a policy solution to the sophisticated cyber-intrusions conducted by other nations against U.S. high-tech companies.
Yet the agreement and other policy approaches largely failed. Indictments against Russian and Chinese intelligence personnel for criminal hacking have only angered other countries, not curtailed the intrusions. A recent indictment, for example, unsealed on Dec. 20, 2018, accused two hackers allegedly affiliated with China's Ministry of State Security with conducting attacks against various companies, including those in the consumer electronics and aviation industries, for more than a dozen years. A Chinese official denied government involvement, calling the U.S. "quite arrogant and selfish."
Hacking without end?
Attackers in other countries -- especially North Korea and Iran -- also target U.S. businesses, especially with ransomware and extortion schemes.
"We don't think that this activity is ever going to go away as long as there is a means to monetize the information or to use it to gain political advantage," said Thomas Etheridge, vice president of services for security firm CrowdStrike. "This will continue to be an ongoing problem."
Common wisdom holds that companies cannot defend indefinitely against a determined adversary, but with the government unable to find a policy that deters well-funded nation-state cyberattacks, U.S. and European businesses and organizations have to find ways to better secure their data and infrastructure, experts said.
Take the Texas A&M University System. Consisting of 11 universities and seven state agencies, TAMUS has to constantly be on watch for nation-state attempts to steal information from academic researchers or to collect data on its more than 140,000 students, said Dan Basile, executive director of the security operations center for TAMUS. At the same time, the academic institutions maintain largely relaxed data-sharing requirements.
"We have a great deal of classified research and student information, and even access to periodic journals that are of great interest to some nation-state attackers," Basile said. "But in higher ed, it's all about data sharing. Researchers need to share information with other organizations -- that is just how research is done."
Government -- here to help, but can it?
A united front against attackers would be best, but so far, government agencies have not found a reliable way to deter or stop nation-state cyberattacks.
From information sharing and analysis centers (ISACs) to Infragard, the U.S. government has created many ways to work with companies to help them secure their systems, network and data. The government continues to find ways to share potential threats with the private sector. In November 2018, for example, the U.S. Cyber National Mission Force announced it would share foreign malware samples with private industry by posting the samples to the malware database VirusTotal, now owned by Alphabet, Google's parent company.
Yet information on cyberattacks, especially nation-state cyberattacks, percolates up from intelligence networks slowly. Classified information has to be anonymized and then declassified, finally reaching ISACs and industry partners for distribution.
The attempts to share information are well-meant but end up offering little of value, TAMUS's Basile said.
"The government is really trying hard to get the information out to those who need it, and we are directly partnering with different groups to get that declassified information as soon as possible, but it is not always timely enough to be helpful," he said. "Often times, you will find better information off of Twitter than from the government feeds."
Companies should assume they are largely on their own, even against the most pernicious attackers and nation-state cyberattacks. The best course to limit damage is to develop their own expertise to detect and respond to attacks.
Chad Seamansenior engineer, Akamai Technologies
"Given the level of adversary you are dealing with, and the reality that you need to get something done, you have to assume that there will be a compromise," said Chad Seaman, senior engineer for the security intelligence response team at Akamai Technologies. "So you have to bring the professional paranoia to the table. It is one thing to have a machine get compromised. It's another thing to have that machine pivot and give the attacker the keys to the kingdom."
Some level of nation-state cyberattack activity will always be there, so companies have to be ready to respond. And when defenses do not stop the attacker, response time becomes most important, Seaman said.
"Basically, operating under the assumption that they have unlimited time or unlimited resources, put yourself in that mindset and try to make sure you can minimize damages," he said. "You will not keep a nation-state actor at bay forever, and it is not necessarily your organization's fault. It is the ecosystem that we live in."
Know thine enemy, and environment
In November 2018, nonprofit R&D organization Mitre Corp. released its first report evaluating commercial cybersecurity products' ability to defend against advanced attacks. The tests used the capabilities of Advance Persistent Threat-3 (APT3) -- also known as a Gothic Panda, a group affiliated with China's Ministry of State Security -- to evaluate the products as part of Mitre's ATT&CK security framework, a freely available database of attacker techniques and tactics.
The framework allows companies to evaluate attackers' capabilities, as well as determine whether their own systems can detect those types of techniques, said Katie Nickels, lead cybersecurity engineer with the Mitre. Attackers typically look for gaps in an organization's detection capability to establish a beachhead, she said.
"What we find with a lot of state-sponsored adversaries is they really try to find those gaps," Nickels said. "A few years ago, the adversaries recognized that defenders were not monitoring PowerShell. Attackers knew that and took advantage of that visibility gap."
By determining the tactics that attackers are currently using and making sure that your defenses can detect those attacks, companies can improve their detection of advanced attacks.
Speed is essential
Once an intrusion is detected, time becomes crucial. Companies' security response must outpace the attacker's ability to exploit their incursion. While a typical company may respond in weeks, attackers are usually moving through a network within hours, said CrowdStrike's Etheridge.
"We know from past data that the typical breakout time for an advanced adversary is less than two hours, so being able to remediate the attacker within an hour is a goal that organizations should have to prevent a breach from happening, or to prevent a small breach from turning into a large breach," Etheridge said.
CrowdStrike aims for what it calls the 1-10-60 rule: One minute to detect, 10 minutes to triage and understand the threat, and no more than 60 minutes to remediate.
Defense in depth is often the goal of most companies' security programs, but stopping nation-state cyberattacks requires the right strategy. Companies need to know their enemies, know themselves and be ready to respond quickly, said Flashpoint's Camacho.
"Even though companies continue to spend on security, if a nation-state is after you, they will find a way into your network," he said. "It matters how well-trained and how experienced your information security team is and how fast they respond."
While the government does not yet have the solution, always keep them in the loop, Camacho said.
"In your exercises, you need to figure out who to contact in the federal government and law enforcement," he said. "Sanctions, treaties -- anything that will make the attackers think twice about who they are going to operate against will, in the end, pay off."