On Shady Rats

Another week, another report of massive cyber hacking. This time it is a McAfee report, Revealed: Operation Shady RAT, that details hacking that started at least 5 years ago and targeted companies, governments, and nonprofits in 14 countries and territories as well as international organizations such as the UN, ASEAN, the International Olympic Committee, and the World Anti-Doping Agency.  Few of the organizations and companies that were attacked are named in the report, so it is hard to know if these attacks are different from others reported on Lockheed Martin, RSA, the Canadian government, or Oak Ridge National Laboratory to name just a few.  While the attacks described in the McAfee report used one Command and Control server, all of these attacks seem to share the same techniques—a spear phishing email that often exploits a zero-day vulnerability (the security researcher Mikko H. Hypponen has posted a pdf of a presentation that explains all of this)—and go after a similar type of information which makes you wonder how clearly one can divide one "operation" from the next.  So I am less worked up about the specific operations and code names, and more about the larger trend—which is that hackers have been gaining access to and stealing data from companies and countries for years.

As usual, the central, and unanswered, question is who is behind the attacks. Because most of the information has little immediate commercial benefit, the McAfee report concludes that the hackers are likely to be state actors.  What would a criminal want with information from ASEAN? Also, since many of the victims have difficult relations with China, then naturally suspicion falls on Beijing.  Again, so the logic goes, what would the common cyber criminal want with Korean or Taiwanese government information?

With all of these events we are quickly brought to the question of the relationship between the state and the hackers. At the extremes, you can imagine purely state hackers and entirely independent hackers. But since this is almost certainly a false dichotomy, you then end up with much messier variations: state actors acting criminally; criminals who contract or sell information to the state; and hackers who move in and out of the orbit of the state.  (This lack of a clear line between state and nonstate is probably one of the defining characteristics of cyber conflict.  Just this week General Michael Hayden, former director of the NSA and CIA, suggested the government might create privateers or "digital Blackwaters" to conduct operations in cyberspace and the NSA and other agencies are looking for new talent at DefCon, the annual hacker convention.)  As Information Warfare Monitor and the Shadowserver Foundation noted in Shadows in the Cloud, there is an emerging ecosystem of crime and espionage, one in which criminal networks can be repurposed for political espionage and signals intelligence.

No matter who is behind it, how does the United States try and bring this kind of activity under control? Ideas on the table include: agreeing to some "rules of the road" with China about what should be off limits; international pressure; pursue a case against China in the WTO for intellectual property rights theft; better defense, and in particular have the government play a more active role in defending the private sector; and better offense. All of these have some pretty serious limitations, but which do you think might work best?