Cybertheft and the U.S. Economy

In August 2011, the cybersecurity firm McAfee released an eye-opening report (PDF) detailing its investigation into a multi-year, most likely state-sponsored cyberattack that includes intrusions into the U.S. federal government and defense contractors, resulting in the theft of massive stores of intellectual property. The report’s author and McAfee’s vice president of threat research, Dmitri Alperovitch, describes these attacks, known as Operation Shady RAT, as a profound threat, indicative of a larger trend that may result in "the complete destruction" of the U.S. economy. Rather than focus on the potential for a theoretical "cyber Pearl Harbor," he says that U.S. policymakers should use all of the nation’s power to stem the steady theft of national secrets.

What do you see as the broader implications for U.S. cybersecurity policy given these Shady RAT attacks?

The policy discussion up to date, at least in open circles, has been a bit misfocused. The challenge has been that everyone has been talking about waiting for this massive event--a "cyber Pearl Harbor"--but what’s really happening is that we’re suffering a "death by a thousand cuts." It’s not one event, such as our electric grid going down, but rather a wholesale transfer of wealth from our economy (PDF) to our adversaries’ economies that’s been going on for the last six years or more. The results of these activities, especially theft, will manifest itself in dramatic ways over the years with reduced economic growth, reduced competitiveness, a loss of jobs, and everything that comes with that. While we should be worried about destructive attacks that can cause widespread damage, physical damage, and even potentially loss of life, the massive espionage (WSJ) that’s been taking place is really the more pressing issue.

What’s the first step to getting at this problem?

The first thing that needs to happen is an admission of the problem. One of the most striking things about the [Shady RAT] report is that seventy-two organizations are compromised, and not a single one of them--many had known about these infections--had ever reported it. You have this massive activity taking place, and yet our policymakers don’t know about it, the public doesn’t know about it, and the news media doesn’t know about it.

The first thing we need to do is to address the fact that these companies absolutely have to report this. Some of the regulations that require them to do so already exist, at least if they are a public company. The SEC mandates disclosure of any material event. Now there’s debate if someone hacks into a system and steals all of your intellectual property: Is that a material event? Most companies have unfortunately decided that it is not. That’s one of the things that needs to change in order to make sure everyone in the country understands the magnitude of this problem. When there’s a Shady RAT [attack] every single week that’s being disclosed in the media, then perhaps we will be much more willing to act to solve this problem.

The scale and volume on which this espionage and theft is taking place is really unprecedented and presents an existential threat to the U.S. economic well-being. While it’s true that every government engages in some form of espionage, this exceeds any acceptable norms. You cannot equate strategic espionage--such as trying to determine the disposition of an adversary’s strategic nuclear deterrent--to this wholesale theft of every sector of the economy.

Generally speaking, who are the perpetrators of cyberattacks?

I divide them into four categories based on capabilities. At the low end of the scale you have the hacktivist groups, such as Anonymous, and terrorist groups, such as al-Qaeda and Hezbollah. And we’re very lucky today--and this may change over time--but these groups do not have significant capabilities to do major damage to our country. Most of what they are doing is a distraction.

The second on that scale is cyber criminals. They certainly range in capabilities, but their motivation is primarily financial. They are not out to destroy the system; they benefit from the system like a parasite benefits from attacking its host. They don’t want to destroy the host because it’s their livelihood.

On the third end of that scale you have what the industry calls APT (Advanced Persistent Threat)--though not all these threats are advanced--effectively nation-states performing cyber espionage or operations like Shady Rat and Night Dragon. These are much more insidious and much more damaging to our economy than either the cyber-criminal actors, or certainly the hacktivists or terrorist actors. But so far they are not interested in destruction.

Finally, on the top end of the scale you have the military destructive operations or cyber network attack operation (CNA), and those today, on a significant scale, will only be conducted by foreign militaries. And if you think about that prospect, no one is out there to destroy our energy grid for example, unless we’re already at war with that country or about to enter into kinetic conflict. So while we should absolutely worry about it, it’s highly unlikely that out of the blue that sector gets attacked in a catastrophic way.

What percentage of cyberattacks--the ones discovered by the target entities--are reported?

Below 1 percent. And we’ve been involved in hundreds of investigations over the years. The reason we could not disclose most of them publicly is because of nondisclosure agreements. None of the companies have ever come forward. Most of the disclosures you’ve seen in the media, even this year, have been accidental leaks.

What do you say to the critics who claim that this notion of cyberwarfare is exaggerated and that organizations like MacAfee are potentially engaging in hyperbole because they stand to profit?

You can accuse us of whatever intentions you want, but try to dispute the facts that we’re reporting--that massive sectors of our economy have been compromised and valuable intellectual property has been stolen (NYT). We’re not the only ones saying that. Google was very courageous in announcing their intrusions back in January 2010, and just recently RSA has announced intrusions (Bloomberg), as have Lockheed [Martin] and others. We’re not the only ones pointing a finger at this problem. And when you go and talk to an official off-the-record, or even on the record, some will tell you the exact same thing--that it’s a massive problem. I’m not a fan of the cyberwar analogy: Are we at a war? It’s a difficult question. Typically when you talk about wars, you expect to see dead people on the streets. We’re clearly not seeing that. But is it an existential threat to our country from an economic perspective? Absolutely.

What do you think is missing from the U.S. government’s various cyber strategies?

They’re very much focused on defense, which is the first step. But this problem is not going to be solved by defense alone. To be clear, I’m not arguing that we go on offense. But I am arguing that we need to raise the level of conversation in bilateral and multilateral discussions with our potential adversaries [such as China and Russia] and make it a major issue on the agenda. We need to bring to bear all of our national power: economic power, political power, and, if it makes sense, perhaps even military power. What is happening today is completely unacceptable and needs to stop.

On that note, is there any progress with identifying the perpetrators of these attacks?

That problem is much more theoretical than practical. Most of the time, you know who’s doing it. It may be classified, but the government is fully aware who these actors are in most cases. Even when you don’t have technological proof of their culpability, you do have the cui bono argument of who benefits. While there are circumstances in which rapid real-time attribution may be difficult, in hindsight virtually every case that is serious in nature can be tracked down and attributed.

How much of the problem of cyber criminals and cyber espionage is technical and how much is human error? For example, people falling victim to these spear-fishing scams and so on.

It’s both. But [the attacks] are getting better and better to the extent that you can’t blame the victim for this. One of the problems we have in this industry and the reason we don’t have more disclosures is this mentality [of] "If you get hacked it’s your fault." This is the equivalent of virtual assault. And in the physical world, we would never blame the victim of the assault for that assault taking place, but yet we do so all the time in the cyber world. I think that’s completely misguided. While certainly mistakes occur and they need to be rectified, it’s the attackers’ fault.

What’s trending with regard to cybersecurity that you or McAfee are positive about?

Some of the trends are positive where we’ve seen significant law enforcement wins in recent years and making progress in addressing the cyber-crime problem. There aren’t many of these top-notch cyber criminals out there in the world--my guess is less than a thousand are responsible for 90-plus percent of the problem. Law enforcement has made tremendous efforts, building relationships with other law enforcement agencies across the globe, including in places like Russia, where you wouldn’t have thought in a million years that there would be collaboration. There is collaboration now. Is it ideal? No. But it’s a lot more than there was even five years ago. We’re seeing arrests: A bunch of people from Anonymous [were] arrested in the last couple of weeks. The number of top Russian cyber criminals and those in the United States and other Western countries have been arrested in the last year. I’m seeing a lot more progress on the deterrent aspect in dealing with cyber crime.

Where do you see the evolving threat in five years?

I see complete destruction of our economy. One of the things that really worries me is whether it’s already too late. We’ve had this activity for the last six or seven years. Have they already stolen enough and now are just busy taking those schematics and plans and basically rebuilding entire sectors of our economy over there [i.e., China]. We will start to see the answer to that in a few years. The challenge is that, quite frankly, a lot of this has been painless thus far because when someone goes into a company and steals your intellectual property, it’s not like they stole your car--you still have your intellectual property. Until someone does something with it that damages you, you really haven’t experienced that loss in many ways. That’s why a lot of these companies have been hesitant to come forward.

The other thing that worries me is the risk that some of these cyber warriors who are currently doing espionage for a U.S. adversary--we don’t know how much control their own militaries or intelligence agencies have over them, and what rules of engagement they operate under. It could be that they go home and decide to work for their own benefit using very similar tools and, instead of stealing data, they may modify or destroy that data or the systems that are hosting that data. That’s a big problem. They may collude with cyber criminals or terrorists and loan out their skills.