Chinese cyberattacks and a Presidential executive order: What does it mean for you?

A wave of cyberattacks originating from China has been revealed, and a new Presidential executive order on network security standards is in the works. Patrick Lambert takes a look.

At the beginning of the month, the New York Times revealed that it had been under a systematic and sophisticated attack by hackers for the past four months, and that it believed the attack was coming from China. Just a day later, the Wall Street Journal came out saying that it, too, was under constant attack by very similar hackers, again from China. Of course the Chinese government denied the allegations, but this is hardly the first time that U.S. corporations have suspected Chinese hackers of breaching their systems. In 2010 Google suffered the first high-profile attack, and more companies came forward in the following years claiming to have been attacked or breached as well.

In this case the attack was fairly typical. After finding a hole in one of the NYT's edge servers in mid-September, the hackers went in and snooped around until they found a domain controller. From there, they could gain access to the usernames and passwords of every employee, and they then proceeded to infiltrate the personal computers of over 50 different employees. During their investigation, the security experts realized that the hackers were after very specific information, namely the sources used in the Times' investigation of Wen Jiabao, China's prime minister, and how he managed to accumulate a large amount of money. It seems likely that the hackers were motivated by this story and wanted to get back at the Times.

Presidential executive order

This report obviously made the news worldwide, and even President Obama spoke last week of the increasing need for cybersecurity protection. In his State of the Union address, he told Congress that the time had come to pass legislation giving the government a greater capacity to secure networks and deter attacks. This is not just a symbolic statement; he was actually referring to a project that has been progressing for several months now. This new Executive Order issues a mandate to the National Institute of Standards and Technology (NIST) to create a set of standards that would guide organizations considered to be part of the country's "critical infrastructure" to secure their networks, along with incentives for them to meet these standards.

What does this mean for you?

Although these standards and best practices are voluntary, a company that does not meet them might, for example, find itself barred from getting government contracts. The targeted organizations include public utilities and companies in the financial and defense sectors. So what does this mean for businesses, or even for IT pros who may be looking at this? Well, in the immediate future, not much. Like any legislation, this will not happen overnight. It will take months, if not years, before this new set of standards is drafted. However, once the process starts, it will likely be in your interest to keep a close eye on what gets included.

Just like standards created by the W3C for web developers, or IANA for network engineers, security professionals will likely have to start working with these upcoming NIST standards soon enough, and you can thank China for it. But with that said, security should not be something that is forced upon you. Any network that lacks basic security measures is a potential target, and these attacks prove that the risks are too high to be ignored. There are many standard practices everyone should take without having to wait on government standards.

Phishing emails remain one of the most popular ways for hackers to start targeted attacks. While basic malware will look for known vulnerabilities in an unsophisticated way, someone who wants to get into your organization can go to great lengths to do it. There are countless examples of a secretary receiving a payroll document that seems to come from a colleague but instead contains a specially crafted file with malware in it. Or a phone call to an employee from someone claiming to be from the helpdesk and requesting the user's password. Or simply a server getting scanned repeatedly until a hole is found, even if you were late by just a day in applying a critical patch.

The point is that targeted attacks are very effective, and standards are not going to change that. Vigilance is needed, along with several layers of protection. This includes things like whitelisting, sandboxing, and good policies and training for your employees. These are all measures that can be employed right now without waiting for Congress; the only things standing in the way are a lack of care, or the belief that saving money now by skimping on security will somehow be more beneficial than what it could cost in the long run when you get hacked.

Despite all the standards and security measures in the world, networks will still get hacked, so it's important to have a good policy for what to do when this happens. In the case of the NYT, they took the necessary time and effort to find out exactly what they were dealing with. While the attacks came from servers at US universities, proper forensics revealed patterns similar to previously seen attacks, with the Chinese hackers likely using the same compromised servers to launch their attacks. Shutting down your attackers too quickly could make you miss a backdoor or another entry point that they have set up. And just like the NYT did, revealing that you were compromised may help raise awareness of the situation, and help others realize how large the threat is.

About

Patrick Lambert has been working in the tech industry for over 15 years, both as an online freelancer and in companies around Montreal, Canada. A fan of Star Wars, gaming, technology, and art, he writes for several sites including the art news commun...

13 comments
telliott

Check out Winn Schwartau and some of his topics of discussion about cyberwarfare (Google or You Tube). He was a keynote speaker at AFCOM and drove home some very relevant and serious points about the potential (and current) use of the internet as a means for cyberterrorism. As someone had asked him before, 'Why would they do something like that?' The answer, 'Because they can!' http://en.wikipedia.org/wiki/Winn_Schwartau

techrepublic

I remember (vaguely) the Cuban Missile Crisis, how JFK issued an ultimatum that accomplished its purpose. I remember when the United States was a country that was the envy of the world. I remember when the United States was a leader, in terms of technology and generally at least, morals. I guess I'm nostalgic. These things are fading fast, and in some cases have faded almost completely from existence. Former generations would have ceased all engagement with China long ago. But now, money and power are the do all, end all, and the only things those in power care about. China is out to boost themselves at our expense, pure and simple. If we continue to let them, like the blind idiots we are, they will end up with everything and we will end up with nothing wondering why we did nothing to stop it. I believe we should begin disengagement from China now. It won't be a smooth road, but it would be a lot better than the alternative.

robo_dev

And creating incentives for complying with the standards. This is not some socialist plot. NIST creates all sorts of hardening standards, that's what they do. http://www.nist.gov/index.html Without clearly defined standards for critical infrastructure, it is up to security experts to decide what is 'secure enough' for a nuclear power plant or for the computers that run our air traffic control systems. Creating incentives means developing a program to assist companies with implementing the NIST standards and to identify incentives for adoption.

mikifinaz1

It will be a loss of freedom and create hassles you can't believe exist.

Adam_12345

well, what can u say :( Around 150 million people at the keyboards in China and US Internet got stuck :/ ...Dear Mr President BH Obama, I think it is time for you to get out some guys from jail sentenced for cybercrimes and put them into CIA, NSA and other fancy letters. :)

info

...But I'm sure the aforementioned people that died for their country would just shake their heads at the levels of paranoia and negativity that abound today. The government reacts to a threat? It must be a plot, engineered by them! (Of course, we know it is, because the government never reacts to anything... ;) ) There are already a set of 'standards' set in place by NIST and the FBI to be used as guidelines for network and system security. I looked at the documents when reviewing my network setup. These will most likely be updated, and similar, but also enforceable when companies and agencies deal closely with government. I won't put on my tinfoil hat just yet. Also, if you want to judge a country's aggression by how many hackers are based there, Norway, Finland, and a few other EU nations could be considered huge National Security threats. An organized effort by a Government spy agency? Or just a bunch of skilled, idealistic young people with little sense of accountability trying to prove a point? Or are just bored?

gnorton100

With the media being mostly pro-Obama, I have to wonder if NYT is part of the deception or merely a pawn in the plan to garner more power in the POTUS. It's very likely that the attacks came from China but the FBI, CIA or some other government agency could easily spoof the source to make it look like the attack came from China. The Executive Order referenced (http://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity) holds some ominous wording. It starts nicely enough, in Sec. 8. (Voluntary Critical Infrastructure Cybersecurity Program) by letting the companies identified by the government participate VOLUNTARILY. But continued reading placed that choice more into the hands of the government. The text leaves huge holes that could permit the government to either force compliance or nationalize the companies. Section 10 (Adoption of Framework) (b) "If current regulatory requirements are deemed to be insufficient, ... agencies ... shall propose prioritized, risk-based, efficient, and coordinated ACTIONS, ... to mitigate cyber risk." (capitalization is mine) This Order requires the companies to establish groups whose staff will hold security clearances. This puts the government in charge because any clearance request can be denied to ensure only those who agree with government policy can be hired. Sec. 5. Privacy and Civil Liberties Protections "... (DHS) shall assess the privacy and civil liberties risks ... and shall recommend to the Secretary ways to minimize or mitigate such risks". This indicates that the government is OK with infringing on the privacy and civil liberties of Americans. Finally, Section 12 (General Provisions) seems to release the government from all liability.
While it states that no agencies will have their power increased by this Order, prior sections require various reports which could easily be used to justify granting more power and control to those agencies WITHOUT legislative action. Like many of Obama's Executive Orders, this one further cracks open the door to a new U.S. governed under a mix of Socialism, Marxism and Leninism. Where those that work hard to build a future for themselves and their family have that future taken away and given to others to enjoy. My parents' generation - those that lived through the Depression, that lost friends and family fighting Socialism, Marxism and Communism in WW I, WW II, Korea, Vietnam and the Cold War - are rolling in their graves at the sad situation in the U.S. today. Where the ideals that they fought against so hard are being brought through the front door of this country by the President.

jelabarre

The Federal government is going to decide what constitutes secure vs non-secure networks? I guess we're in for a **LOT** more cyber-attacks when that happens.

JCitizen

China is actually very vulnerable - still - economically. They are at the brink of a VERY large construction bubble; and things could melt into chaos so fast your head would spin. I can see why the PRC is so paranoid, because they just don't understand free enterprise enough to prepare for disaster. I think both our nations have benefited from the relationship - however I don't believe in letting them run over us like a truck either - but the smart way to deal with oriental politics is to apply pressure under the table. If that doesn't work then all bets are off - but I suspect we have many more friends in China than are in the government over there. Governments come and go, our good relations survived the Korean war and their cultural revolution, I just hope it will survive the next disaster, which I suspect will be very bad for at least one third of all the human beings on the Earth.

HAL 9000

It has to be a Conspiracy because a Democrat is pushing it. Of course if there was a Republican in the White House it would be OK. The way some people react to what is **Blindly Obvious** just worries me. Personally no matter who was in Government at the time I would be worried if they did nothing which is all too common. ;) Col

robo_dev

So therefore the three-letter-agencies may not want him (or her).

robo_dev

take the pills in the white cup please