Cyber Espionage As An Emerging Threat Term Paper


Cyber Espionage

Over the last several years, cyber espionage has become a major problem affecting a variety of organizations, because hackers and other groups are actively seeking to exploit vulnerabilities in security networks. Evidence of this can be seen in the tables below, which illustrate the motivations and targets of attacks.

Motivations behind Attacks on Computer Networks

Percentage

Cyber Crime

Hacktivism

Cyber Warfare / Espionage

("Cyber Attack Statistics," 2012)

Distribution of Targets

Percentage

Government / Infrastructure / Defense / Law Enforcement / Economic

E Commerce / Sports / Political / News Media

31%

Industry

21%

("Cyber Attack Statistics," 2012)

These figures show that cybercrime and espionage are areas that hackers continually exploit. What makes this troubling is that organized groups could target specific infrastructure projects that are vulnerable. When this happens, classified information is stolen that could be used to shut down entire networks and infrastructure. The close relationship between private contractors and governmental entities only increases these risks further. ("Cyber Attack Statistics," 2012)

China has been aggressively involved in a number of cyber-attacks against military, public and civilian targets. One of the most damaging is the case called Titan Rain. To fully understand what happened, this paper focuses on the different aspects of the case, how it was conducted, and how the attack could have been prevented. Together, these elements highlight the way these issues threaten national security and the possible strategies for mitigating them.

Background

The threat of cyber espionage is increasing exponentially, because technology and coding techniques have improved dramatically. Over time, nation states have used this as a tool to steal illicit information from military, government and private contractors' computers. Recent evidence of this can be seen in comments from Jonathan Evans (the Director General of Britain's MI5), who said, "The amount of hostile activity being generated by foreign states in cyberspace is astonishing. We have investigated threats across the Internet; our personnel are discovering industrial-scale processes involving many thousands of people lying behind both state-sponsored cyber espionage and organized cybercrime." Moreover, the Pentagon recently observed in a report that this threat is becoming more challenging (especially since one of the primary countries conducting these activities is China). Commenting on these issues, the report observed, "China will continue to be an aggressive and capable collector of sensitive U.S. technological information, including that owned by defense-related companies, and represented a growing and persistent threat to U.S. national security." This shows how the threat of cyber espionage is increasing exponentially every day. (Blitz, 2012)

The case involving Titan Rain started in 2003. The Chinese government has formed tens of thousands of cyber militias around the country, through which the People's Liberation Army (PLA) seeks out part-time civilian hackers to identify vulnerabilities in U.S. and European networks. The basic idea is to use these individuals to continually target a number of different security flaws, exploit them and steal classified information undetected. (Wittman, 2011)

Titan Rain worked by seeking out vulnerabilities with a scanner program that searched for weaknesses inside Department of Defense (DOD) systems. The scan identified the single computers that were most vulnerable. After the scan was completed, a list of targets was selected and the hackers returned to steal information without being detected. This process was repeated over and over again, going after any computer they felt was vulnerable. The attacks were conducted during the night and early morning hours, because the operator would more than likely be off the machine, which allowed the hackers several hours to go through the files. Below is a list of a few of the most significant targets attacked on November 21, 2004. (Thornburgh, 2005)

10:23 PM: The U.S. Army Information Systems Engineering Command at Fort Huachuca, Arizona.

1:19 AM: Defense Information Systems Agency in Arlington, Virginia.

3:25 AM: Naval Ocean Systems Center (a defense department installation in San Diego, California).

4:46 AM: United States Army Space and Strategic Defense installation in Huntsville, Alabama. (Thornburgh, 2005)

For nearly two years, this group was able to anonymously attack hundreds of DOD computers. This gave them access to select...

...

Once this occurs, the data could be used to exploit future vulnerabilities or to completely shut down entire networks. (Thornburgh, 2005)

These attacks were conducted to provide the PLA with information about DOD operating procedures. Single computers had limited amounts of security blocks, and they could provide access to a range of documents. When this happens, these individuals can use the information to conduct more coordinated attacks in the future.

Evidence of this can be seen in comments from Maj. Gen. William Lord (the Director of the Air Force's Office of Warfighting Integration and Chief Information), who said, "China has downloaded 10 to 20 terabytes of data from the NIPRNet (DOD's Non-Classified IP Router Network). They're looking for your identity so they can get into the network as you. Chinese hackers had yet to penetrate DOD's secret, classified network. This is a nation-state threat by the Chinese." (Onley, 2006) These comments show that there is a concentrated effort to steal the identities of U.S. military personnel and use them as a way to access classified information. Although this has not been successful in accessing top secret information, the odds only increase that the group will be successful in achieving these objectives. (Onley, 2006)

How were the attacks conducted?

As stated previously, these attacks were conducted using a single scanner program that targeted vulnerabilities of individual computers inside the DOD. This allowed the hackers to compile an updated list of the computers that were most susceptible. Moreover, the customized program focused on specific IP addresses, which allowed the group to search specific categories when looking for vulnerabilities. Once a computer system has made the list, hackers return within one to two days and begin quickly exploiting these weaknesses. Over the course of several hours, they steal as many documents as possible.

Since this time, these kinds of attacks have been increasing in frequency. A good example is an attack on Britain's Ministry of Defense computers in 2007 (which briefly shut down the House of Commons network). What made the situation worse is that single computers were exploited for their vulnerabilities. The information that was collected was used to conduct future attacks that were more devastating. This illustrates how Titan Rain uses a simple scanner program to identify and exploit potential weaknesses. Once hackers discover a weakness, they return during times when there is a low probability of being detected. (Taylor, 2007)

As a result, these coordinated attacks are designed to steal information and identities (which can be used to gain access to more classified information). Over time, this has led to a focus on improving these techniques. Once this took place, the attacks began to move beyond the DOD and focus on U.S. allies and contractors. In many ways, one could argue that the simplicity of the techniques and lack of system vulnerabilities are what is making them so successful.

How could the attack have been prevented?

To prevent these kinds of attacks, there needs to be better coordination. This can occur by improving the security provisions on single computer systems. One possible approach is to integrate different security procedures together to increase the total amount of protection against external threats. This would make it difficult for hackers to exploit these simple vulnerabilities. (Thornburgh, 2005) ("Federal Plan for Cyber Security," 2012) ("Improving Our Nation's Cyber Security," 2011)

Moreover, some kind of monitoring will need to take place. For example, software could be installed that detects and reports possible vulnerabilities to the user. This would make it more difficult for hackers to quietly break into and exploit the vulnerabilities on individual computers. (Thornburgh, 2005) ("Federal Plan for Cyber Security," 2012) ("Improving Our Nation's Cyber Security," 2011)
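The pattern described earlier (a scan of individual computers, a return visit within one to two days, and several hours of document theft at night) can be expressed as a monitoring rule. The following is an added example, not part of the original paper: the event format, the 22:00 to 06:00 off-hours window and the byte threshold are assumptions, and the log events are constructed.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"

# Constructed sample events (not real data):
# (timestamp, source address, internal host, event kind, bytes sent out)
EVENTS = [
    ("2024-03-04 14:02", "203.0.113.7", "ws-114", "probe", 0),
    ("2024-03-04 14:03", "203.0.113.7", "ws-115", "probe", 0),
    ("2024-03-05 10:15", "198.51.100.9", "ws-115", "session", 900_000_000),
    ("2024-03-05 11:00", "203.0.113.7", "ws-115", "session", 900_000_000),
    ("2024-03-05 22:30", "203.0.113.7", "ws-114", "session", 300_000_000),
    ("2024-03-06 01:10", "203.0.113.7", "ws-114", "session", 400_000_000),
    ("2024-03-08 02:10", "203.0.113.7", "ws-115", "session", 900_000_000),
]


def is_off_hours(ts):
    """Assumed quiet period when the operator is likely away from the machine."""
    return ts.hour >= 22 or ts.hour < 6


def find_scan_then_return(events, window=timedelta(days=2), min_bytes=500_000_000):
    """Flag (source, host) pairs where a probe is followed, within `window`,
    by off-hours sessions whose combined outbound volume reaches `min_bytes`."""
    parsed = sorted(
        (datetime.strptime(t, FMT), src, host, kind, n)
        for t, src, host, kind, n in events
    )
    last_probe = {}  # (source, host) -> time of most recent probe
    totals = {}      # (source, host) -> off-hours bytes sent after a probe
    for ts, src, host, kind, n in parsed:
        key = (src, host)
        if kind == "probe":
            last_probe[key] = ts
        elif kind == "session" and key in last_probe:
            # Count only sessions that return inside the window and at night.
            if ts - last_probe[key] <= window and is_off_hours(ts):
                totals[key] = totals.get(key, 0) + n
    return sorted(k for k, total in totals.items() if total >= min_bytes)


if __name__ == "__main__":
    for source, host in find_scan_then_return(EVENTS):
        print(f"ALERT: {source} probed {host}, then returned off-hours for bulk transfer")
```

Correlating the probe with the later session is what separates this rule from a plain volume alert: a large daytime transfer, or one from a source that never scanned the host, is not flagged.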

Once this occurs, increased collaboration will need to take place. In the case of Titan Rain, what made it so successful was the lack of communication among DOD officials about potential problems. Evidence of this can be seen with Shawn Carpenter, a 36-year-old intelligence analyst who worked with Sandia National Laboratories. At the same time, he was working as a confidential informant for the U.S. Army and the FBI. His assignment was to track down where this threat was coming from and the overall scope of the breach. In the beginning, he thought that this would lead to a series of isolated incidents. (Thornburgh, 2005)

However, after his employer was attacked, he began to compare notes with a friend who worked in military intelligence. What he determined is that there were…

References

Cyber Attack Statistics. (2012). Hack Mageddon. Retrieved from: http://hackmageddon.com/2012/07/13/june-2012-cyber-attacks-statistics/

Federal Plan for Cyber Security. (2012). Australian Military. Retrieved from: http://www.au.af.mil/au/awc/awcgate/nitrd/fed_plan_csia_rese.pdf

Improving Our Nation's Cyber Security. (2011). NAM. Retrieved from: http://www.nam.org/~/media/4A5587017D164A2EBFC85367E662AF77/Association_Cybersecurity_White_Paper_final.pdf

Blitz, J. (2012). MI5 Chief Speaks Out. FT. Retrieved from: http://www.ft.com/cms/s/0/a970810c-bef2-11e1-8ccd-00144feabdc0.html#axzz22A6k0pZt

Onley, S. (2006). The Red Storm Rising. GCN. Retrieved from: http://gcn.com/articles/2006/08/17/red-storm-rising.aspx

Rogin, J. (2010). The Top Ten of Chinese Cyber Attacks. The Cable. Retrieved from: http://thecable.foreignpolicy.com/posts/2010/01/22/the_top_10_chinese_cyber_attacks_that_we_know_of

Taylor, R. (2007). Titan Rain. Guardian. Retrieved from: http://www.guardian.co.uk/technology/2007/sep/04/news.internet

Thornburgh, N. (2005). Inside the Chinese Hack Attack. Time. Retrieved from: http://www.time.com/time/nation/article/0,8599,1098371,00.html

Thornburgh, N. (2005). The Invasion of Chinese Spies. Time. Retrieved from: http://www.time.com/time/magazine/article/0,9171,1098961-3,00.html

Wittman, G. (2011). China's Cyber Militia. Spectator. Retrieved from: http://spectator.org/archives/2011/10/21/chinas-cyber-militia


Cite this Document:

"Cyber Espionage As An Emerging Threat" (2012, July 31) Retrieved April 19, 2024, from
https://www.paperdue.com/essay/cyber-espionage-as-an-emerging-threat-74979
