{"id":7284,"date":"2021-02-23T08:56:26","date_gmt":"2021-02-23T11:56:26","guid":{"rendered":"https:\/\/www.fie.undef.edu.ar\/ceptm\/?p=7284"},"modified":"2021-02-23T08:56:26","modified_gmt":"2021-02-23T11:56:26","slug":"nada-parece-detener-a-los-piratas-informaticos","status":"publish","type":"post","link":"https:\/\/www.fie.undef.edu.ar\/ceptm\/?p=7284","title":{"rendered":"Nothing seems to stop the hackers"},"content":{"rendered":"<p>The news shook the cybersecurity world: FireEye, a leading security company with 9,600 customers in 103 countries, had been hacked. It was a sophisticated attack, with discipline and operational techniques that suggest it was a state-sponsored attack. The military industry regularly suffers this type of attack, despite the security measures implemented.<\/p>\n<hr \/>\n<p>The news shocked the cybersecurity world: FireEye, a leading security company with 9,600 customers across 103 countries, had been hacked.<\/p>\n<p>The perpetrator was not your run-of-the-mill hacker on his laptop, but a \u201chighly sophisticated threat actor, one whose discipline, operational security and techniques lead us to believe it was a state-sponsored attack,\u201d said CEO Kevin Mandia.<\/p>\n<p>The attack was led by a nation with top-tier offensive capabilities, he said in a blog post in early December announcing the breach. The attack was consistent with a nation-state cyber espionage effort, with the hacker primarily seeking information related to certain government customers.<\/p>\n<p>While Mandia did not call out a specific country, experts were quick to suggest it was conducted by Russia.<\/p>\n<p>The country is one of the leading perpetrators of cyber espionage alongside China. Both nations are listed as great power competitors by the 2018 U.S. 
National Defense Strategy.<\/p>\n<p>The FireEye attack is indicative of a growing trend: cyber espionage has become an increasingly pervasive threat and is on the rise.<\/p>\n<p>For the U.S. defense industrial base, companies are increasingly worried about adversaries attempting to siphon off critical information and glean insights into Defense Department weapon designs.<\/p>\n<p>Contractors are bolstering their defenses, and the Pentagon is implementing new regulations through its Cybersecurity Maturity Model Certification, or CMMC, to help. But experts say that the defense industrial base remains vulnerable to attack.<\/p>\n<p>In the National Defense Industrial Association\u2019s annual report \u201cVital Signs 2021,\u201d which grades the health of the defense industry, industrial security scored the lowest among eight different dimensions that shape the performance capabilities of defense contractors. It received a score of 56 out of 100 for 2020.<\/p>\n<p>\u201cIndustrial security has gained prominence as massive data breaches and brazen acts of economic espionage by state and nonstate actors plagued defense contractors in recent years,\u201d said Wesley Hallman, NDIA vice president of strategy and policy, and Nick Jones, NDIA director of regulatory policy, in a summary of the document.<\/p>\n<p>According to a recent report by the Center for Strategic and International Studies and security firm McAfee, the \u201cburden\u201d of global cybercrime has reached more than $1 trillion \u2014 with more than $945 billion in monetary loss and global spending on cybersecurity expected to exceed $145 billion in 2020.<\/p>\n<p>The report \u2014 \u201cThe Hidden Costs of Cybercrime\u201d \u2014 is in its fourth iteration. 
Since the 2018 version was released, the cost of cybercrimes has increased by more than 50 percent.<\/p>\n<p>IP theft can represent a significant loss to agencies and companies and pose a national security risk, noted the report, which was released in December. It can be even harder to fight against when attackers are backed by a resourceful nation-state.<\/p>\n<p>The defense industrial base is made up of more than 300,000 companies and only a small percentage are large, multi-billion-dollar firms, said Armando Seay, director and co-founder of the Maryland Innovation and Security Institute.<\/p>\n<p>Those large \u201ccompanies are pretty resilient. They\u2019re not impervious \u2014 no one is \u2014 but they have the dollars to invest substantially in cyber resilience,\u201d he said. But most of the firms that make up the DIB are small- and medium-sized businesses that average 50 employees or less.<br \/>\nSmaller firms are more vulnerable, he noted.<\/p>\n<p>\u201cThey\u2019re interested in making that widget. That\u2019s what they do,\u201d Seay said. \u201cThey\u2019re not computer people, they\u2019re not internet folks.\u201d<\/p>\n<p>And adversaries are taking note, he added. \u201cWhen it comes to weapon systems, when it comes to software, satellites, space, data, the adversary is crawling all over the supply chain.\u201d<\/p>\n<p>According to a RAND Corp. report, \u201cUnclassified and Secure: A Defense Industrial Base Cyber Protection Program for Unclassified Defense Networks,\u201d cyber attacks designed to steal IP from U.S. companies are on the upswing.<\/p>\n<p>The Pentagon\u2019s approach to thwarting attacks is based on the Defense Acquisition Regulation Supplement (DFARS) 252.204-7012 and National Institute of Standards and Technology (NIST) Special Publication 800-171. 
However, it \u201cappears to be inadequate,\u201d the report said.<\/p>\n<p>The document \u2014 which was released in 2020 \u2014 said that as of July 2019, no defense industrial base firm had been able to fully implement the cybersecurity controls specified in NIST SP 800-171 and that some medium-sized firms will not have the resources to comply with it.<\/p>\n<p>Further, it noted that DFARS 252.204-7012 assumes that controlled unclassified information, or CUI, \u201cflows down from the prime contractors, with primes responsible for denying a subcontractor access to CUI if the subcontractor does not comply with regulation.<\/p>\n<p>\u201cHowever, many subcontractors are in business because of their trade secrets. CUI exists at all levels of the supply chain,\u201d the study noted.<\/p>\n<p>CUI on unclassified defense industrial base networks is vulnerable to theft by foreign actors. \u201cThe persistent attacks and hemorrhaging of critical information and technology from unclassified networks, coupled with associated significant financial losses, erodes the U.S. DIB and threatens U.S. 
military advantage over the long term,\u201d the report said.<\/p>\n<p>Even the Pentagon\u2019s much talked about CMMC effort \u2014 which requires the defense industry to better protect CUI \u2014 is not sufficient, RAND said.<\/p>\n<p>\u201cOur cost analysis indicates that most small DIB firms may not be able to afford the cyber defenses that could be mandated by the CMMC, and many medium-sized DIB firms may face the same challenges, especially if held to the highest compliance levels of the CMMC.\u201d<\/p>\n<p>Additionally, the cybersecurity architectures of small firms are likely to be \u201cdeficient\u201d in several areas including authentication, network defenses, vulnerability scanning, software patching, and security information and event management, the report said.<br \/>\nRAND recommended the Defense Department establish what it called a DIB Cyber Protection Program, or DCP2, that would improve the monitoring and real-time health of industry networks, bolster cybersecurity, and offer data and legal protections.<\/p>\n<p>\u201cThe DCP2 would be a voluntary program under which DoD would provide [cybersecurity tools] to DIB firms either free of charge or at significantly reduced licensing costs,\u201d the report said. \u201cIn turn, the DIB firms would agree to provide sanitized data \u2026 to a security operations center \u2014 either one run by DoD or a trusted third-party SOC \u2014 devoted exclusively to defending the DIB.\u201d<\/p>\n<p>This security center would provide dynamic intelligence, security alerts and recommendations to defense contractors to identify and remediate advanced persistent threat incursions.<\/p>\n<p>China is the leading actor behind global cyber espionage, according to the CSIS report.<\/p>\n<p>\u201cEconomic espionage to benefit national industry has long been a hallmark of China\u2019s economic policy,\u201d the report said. 
\u201cChina accounts for roughly 80 percent of all economic espionage cases in the U.S., and it has cost the U.S. economy around half a trillion to a trillion dollars of damage.\u201d<\/p>\n<p>Doug Howard, CEO of Pondurance, an Indiana-based cybersecurity company, said China is the adversary that gets the most press and attention.<\/p>\n<p>Beijing takes a \u201cshotgun\u201d approach to its cyberespionage tactics, he said.<\/p>\n<p>China\u2019s thinking is: \u201cI\u2019m going to go after everything, and I\u2019ll never worry about them seeing me. I\u2019m just going to try to get in, and I\u2019m going to break in, because &#8230; the hygiene of [the] security is pretty weak,\u201d Howard said.<\/p>\n<p>Maiya Clark, a research assistant at the Heritage Foundation\u2019s Center for National Defense, said China\u2019s interests are widespread. It is looking for information on capabilities such as autonomous vehicles, semiconductors, cloud computing, aviation, space and maritime technology.<\/p>\n<p>To determine what Beijing is after, officials need only take a look at the country\u2019s \u201cMade in China 2025\u201d strategy, said a report by the Harvard Kennedy School\u2019s Belfer Center for Science and International Affairs titled, \u201cConfronting China\u2019s Effort to Steal Defense Information.\u201d<\/p>\n<p>\u201cThe industries identified in this strategy either directly or indirectly impact the United States\u2019 ability to wage \u2014 or defend against \u2014 military action against its adversaries,\u201d said author Jeffrey Jones in the May 2020 report.<\/p>\n<p>The report estimated that $300 billion per year is lost due to Chinese cyber espionage activities.<\/p>\n<p>\u201cThe sheer magnitude of the value of the theft is alarming; however, the Chinese government is compounding the severity of the problem by releasing the results of this corporate theft to leading Chinese companies so that they can accelerate their research-and-development efforts 
without having to spend any money or devote the massive amounts of time and resources necessary to arrive at the information on their own,\u201d it said.<\/p>\n<p>Russia takes a stealthier and more sophisticated approach to its cyber attacks compared to China, Howard said.<\/p>\n<p>\u201cThey will take years and years and years to compromise something,\u201d he said. \u201cTheir dwell time is extremely high relative to &#8230; somebody like China.\u201d<\/p>\n<p>Moscow is looking for assets such as code from the U.S. defense industrial infrastructure, he said. It also focuses on broad compromises of organizations, targeting network and security providers, he noted weeks before the FireEye breach was announced.<\/p>\n<p>Those companies \u201cwould be high value targets because if they can compromise a security technology that is broadly deployed, you can imagine the havoc that that would attain,\u201d he said. \u201cThat\u2019s not an easy thing to do. You\u2019re not just going to hack into the average security company and steal their code. But if you were successful, and if you spent two years or three years doing that and had great success, you can imagine the havoc that would happen.\u201d<\/p>\n<p>Cyber attacks are also coming from the Korean Peninsula and the Middle East, but China and Russia remain the most pressing concerns, Howard noted.<\/p>\n<p>Meanwhile, the U.S. government is taking note. At the Pentagon\u2019s Joint Artificial Intelligence Center, officials are reminded every day that the AI space is a competitive environment and that adversaries are interested in stealing its work, said Marine Corps Lt. Gen. Michael Groen, director of the organization.<\/p>\n<p>\u201cWe are wide awake to the threat posed by foreign actors especially who have a proven track record of stealing intellectual property from wherever they can get their hands,\u201d he said. 
\u201cWe\u2019re going to try to provide an effective defense to ensure that doesn\u2019t happen.\u201d<\/p>\n<p>The organization has developed a number of cybersecurity tools that can help industry better detect threats in their networks, he noted during a briefing with reporters in November.<\/p>\n<p>\u201cWe have to be able to ascertain our data,\u201d he said. \u201cWe have to know its provenance. We have to know that the networks that we pass that data on are sound and secure.\u201d<\/p>\n<p>What can contractors do to help stem the hemorrhaging of critical information? They should always assume that they are being targeted, said Richard Chitamitre, a federal sales engineer at Corelight, a network security company based in San Francisco.<\/p>\n<p>\u201cYou should always assume that you are compromised and that adversaries are hiding in plain sight and pretending to look like normal traffic,\u201d he said. \u201cThe moment that they start to take data it\u2019s &#8230; usually going to be a bit too late because by the time you find out and you\u2019ve installed the security camera, they\u2019ve already walked out the door.\u201d<\/p>\n<p>Source: <a href=\"https:\/\/www.nationaldefensemagazine.org\/articles\/2021\/2\/5\/nothing-seems-to-stop-relentless-hackers-exfiltrating-trade-secrets\" target=\"_blank\" rel=\"noopener\"><em>https:\/\/www.nationaldefensemagazine.org<\/em><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The news shook the cybersecurity world: FireEye, a leading security company with 9,600 customers in 103 countries, had been hacked. 
It was&hellip; <\/p>\n","protected":false},"author":1,"featured_media":7285,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[23,28],"tags":[],"_links":{"self":[{"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/posts\/7284"}],"collection":[{"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=7284"}],"version-history":[{"count":1,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/posts\/7284\/revisions"}],"predecessor-version":[{"id":7286,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/posts\/7284\/revisions\/7286"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/media\/7285"}],"wp:attachment":[{"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=7284"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=7284"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=7284"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}