SUMMARY: As U.S. and Chinese officials meet this week in Washington to discuss cyber issues -- as well as broader strategic and economic issues -- a number of Congress members and computer security experts say they are fed up with China stealing proprietary data from American companies. Ray Suarez reports.
When Telvent, a company that monitors more than half the oil and gas pipelines in North America, discovered last September that the Chinese had hacked into its computer systems, it immediately shut down remote access to its clients’ systems.
Company officials and American intelligence agencies then grappled with a fundamental question: Why had the Chinese done it?
Was the People’s Liberation Army, which is suspected of being behind the hacking group, trying to plant bugs into the system so they could cut off energy supplies and shut down the power grid if the United States and China ever confronted each other in the Pacific? Or were the Chinese hackers just trolling for industrial secrets, trying to rip off the technology and pass it along to China’s own energy companies?
“We are still trying to figure it out,” a senior American intelligence official said last week. “They could have been doing both.”
Telvent, which also watches utilities and water treatment plants, ultimately managed to keep the hackers from breaking into its clients’ computers.
At a moment when corporate America is caught between what it sees as two different nightmares — preventing a crippling attack that brings down America’s most critical systems, and preventing Congress from mandating that the private sector spend billions of dollars protecting against that risk — the Telvent experience resonates as a study in ambiguity.
To some it is prime evidence of the threat that President Obama highlighted in his State of the Union address, when he warned that “our enemies are also seeking the ability to sabotage our power grid, our financial institutions, our air traffic control systems,” perhaps causing mass casualties. Mr. Obama called anew for legislation to protect critical infrastructure, which was killed last year by a Republican filibuster after intensive lobbying by the Chamber of Commerce and other business groups.
But the security breach of Telvent, which the Chinese government has denied, also raises questions of whether those fears — the subject of weekly research group reports, testimony and Congressional studies — may be somewhat overblown, or whether the precise nature of the threat has been misunderstood.
American intelligence officials believe that the greater danger to the nation’s infrastructure may not even be China, but Iran, because of its avowal to retaliate for the Stuxnet virus created by the United States and Israel and unleashed on one of its nuclear sites. But for now, these officials say, that threat is limited by gaps in Iranian technical skills.
There is no doubt that attacks of all kinds are on the rise. The Department of Homeland Security has been responding to intrusions on oil pipelines and electric power organizations at “an alarming rate,” according to an agency report last December. Some 198 attacks on the nation’s critical infrastructure systems were reported to the agency last year, a 52 percent increase from the number of attacks in 2011.
Researchers at McAfee, a security firm, discovered in 2011 that five multinational oil and gas companies had been attacked by Chinese hackers. The researchers suspected that the Chinese hacking campaign, which they called Night Dragon, had affected more than a dozen companies in the energy industry. More recently, the Department of Energy confirmed in January that its network had been infiltrated, though it has said little about what damage, if any, was done.
But security researchers say that the majority of those attacks were as ambiguous as the Telvent case. They appeared to be more about cyberespionage, intended to bolster the Chinese economy. If the goal was to blow up a pipeline or take down the United States power grid, the attacks would likely have been of a different nature.
In a recent report, Critical Intelligence, an Idaho Falls security company, said that several cyberattacks by “Chinese adversaries” against North American energy firms seemed intended to steal fracking technologies, reflecting fears by the Chinese government that the shale energy revolution will tip the global energy balance back in America’s favor. “These facts are likely a significant motivation behind the wave of sophisticated attacks affecting firms that operate in natural gas, as well as industries that rely on natural gas as an input, including petrochemicals and steel-making,” the Critical Intelligence report said, adding that the attack on Telvent, and “numerous” North American pipeline operators may be related.
American intelligence experts believe that the primary reason China is deterred from conducting an attack on infrastructure in the United States is the simple economic fact that anything that hurts America’s financial markets or transportation systems would also have consequences for its own economy.
As part of his State of the Union speech last night, President Obama tipped an executive order that is intended to improve the security of Internet-based critical infrastructure. But what does that order include?
Obama's plan would allow federal agencies to notify private companies if they detect any sort of cyber intrusion that would harm operations or the security of company data.
Specifically, the plan expands the Defense Industrial Base (DIB) information-sharing program to other federal agencies. The DIB was put in place in 2011 and allows the Defense and Homeland Security Departments to share non-classified information about cybersecurity-related threats with DIB partner companies, like contractors.
But as we've seen with hacks of the Federal Reserve and the Department of Energy, defense-related agencies are not the only ones being targeted by hackers. So the executive order "requires Federal agencies to produce unclassified reports of threats to U.S. companies and requires the reports to be shared in a timely manner," the White House said. It also allows for "near real-time sharing of cyber threat information to assist participating critical infrastructure companies in their cyber protection efforts."
Obama has also ordered the National Institute of Standards and Technology (NIST) to develop a framework for handling cyber-security threats. "NIST will work collaboratively with industry to develop the framework, relying on existing international standards, practices, and procedures that have proven to be effective," the White House said.
Given the rapid pace of technology, the recommendations will be technology neutral, the administration said. Once they've been developed, DHS will work with other agencies to reach out to companies for voluntary implementation of the framework.
While sharing details about cyber attacks might seem like a no brainer, a major concern is how the data is handled. If these threats deal with a credit card company or major social network, will your personal information be protected?
The White House insisted that the executive order includes "strong privacy and civil liberties protections." Any type of information sharing will be based on the Fair Information Practice Principles (FIPP), a set of information-sharing principles developed by the FTC, as well as other applicable privacy and civil liberties policies, principles, and frameworks.
"Agencies will conduct regular assessments of privacy and civil liberties impacts of their activities and such assessments will be made public," the White House said.
Executive Order vs. CISPA
Last night, Obama called on Congress to do even more on cyber security. Two members of the House, in fact, plan to re-introduce the controversial CISPA information-sharing bill today, but it has not secured the support of the White House. A bill backed by the administration was introduced in the Senate last year, but did not make any major headway.
The main difference between the White House executive order and CISPA is that CISPA would allow private companies (like Facebook or Google) to share details about cyber attacks with the government, whereas the executive order is a one-way street, with the feds sharing information with the private sector. CISPA opponents were concerned about immunity clauses that they said would incentivize companies to hand over customer information without hesitation.
As a result, the White House threatened to veto CISPA if it made it to President Obama's desk. The White House Office of Management and Budget (OMB) released a statement that said the bill "departs from longstanding efforts to treat the Internet and cyberspace as civilian spheres."
In a statement last night, the ACLU issued its support for the executive order and warned against CISPA. "The president's executive order rightly focuses on cybersecurity solutions that don't negatively impact civil liberties," said ACLU Legislative Counsel Michelle Richardson. "For example, greasing the wheels of information sharing from the government to the private sector is a privacy-neutral way to distribute critical cyber information."
Broadband trade association USTelecom said the executive order "takes some important steps toward achieving policy goals that will help protect our nation from harmful threats," but said the issue should ultimately be handled by Congress - via bills like CISPA.
I make no guarantee that any advice given on these pages will work as expected. There are just too many variables depending on Operator Systems and hardware configurations to give any advice that will always work.
Where possible, I will provide links to my source.
