SAN FRANCISCO — RSA CONFERENCE 2013 — The relevance of identifying the human or actor behind a targeted attack (a.k.a. attribution) has been hotly debated. But knowing and confirming your attacker could be a key element of ultimately making cyberespionage more costly for nation-states like China, some security experts say.
Dmitri Alperovitch, co-founder and CTO of CrowdStrike, says it’s “mindboggling” to him when people say attribution of the attacker doesn’t matter. “It’s fundamentally critical who your enemy is,” Alperovitch said here in an interview last week. “Don’t you want to know if it’s a murderer that’s inside your house or a guy who stole your TV? You have to know what to protect.”
The industry has evolved over the past year or so from focusing only on blocking attackers from getting in to a more pragmatic acceptance that these determined and well-funded attackers can’t really be stopped and are likely already inside your network. The focus now is on how to stop them from stealing and exfiltrating sensitive information. Alperovitch said that requires a good understanding of who the people and groups are behind the attacks, so you can make it more expensive and risky for them to attack.
And the ultimate solution would be to go after the actual beneficiaries of the stolen information, such as some Chinese businesses. “It’s helpful to know exactly which building, unit, affiliation, and … yes, their faces,” Alperovitch said. “But it’s also helpful to understand the trade craft of that group. The strategic level of attribution is useful … [they are] passing it to local and state-owned companies. Understanding who these companies are is important.”
Many Chinese businesses also are trying to branch out globally and do business outside China, he said. “If [Chinese companies] are using stolen information, you can bring that leverage … for trade sanctions. It may not be against China or the PLA [People’s Liberation Army], but you could take criminal action against [the companies’] executives,” for instance, he said.
The Obama administration’s newly announced strategy on fighting the theft of intellectual property could help here. “We’re going in that direction with the strategy the administration is trying to lay out with trade sanctions that are not specific to cyber. We need to expand that to cyber,” Alperovitch said.
Alperovitch said raising the cost of doing business for Chinese firms capitalizing on stolen U.S. intellectual property is key. And “naming and shaming” firms under suspicion of spying or being agents of the Chinese government, as with the case of Chinese telecommunications company Huawei, can help, he said.
Take Huawei, which, along with Chinese company ZTE, was called out by Congress recently as risky to do business with here in the U.S. A congressional intelligence committee warned of potential security risks to U.S. infrastructure with the Chinese companies as suppliers. The fallout has made an impact on Huawei’s business aspirations in the U.S., he said. “It has made an impact on their business,” Alperovitch says. “There’s no question that naming and shaming can be very effective.”
But what about the U.S.’s own use of cyberespionage? James Lewis, director and senior fellow of the technology and public policy program at the Center for Strategic and International Studies, in a paper published today explains the differences in how the U.S. and China each employ cyberespionage.
“The US government does not engage in economic espionage and intellectual property laws are more strongly enforced in the United States than in many other countries, including China. Nor are American political ‘hacktivists’ encouraged by the US government. The US approach to cyber conflict treats cyber techniques as traditional tool of statecraft, providing advantage in military and political intelligence, and as a new weapon to strike opponents,” Lewis wrote.
“The US uses cyber techniques to monitor and assess Chinese capabilities and intentions, and to gain battlefield advantage in the event of conflict. US cyber actions, unlike Chinese cyber actions, are focused on their competitor’s official government activities and not on economic espionage. US laws effectively preclude economic espionage by government agencies and punish private individuals who breach intellectual property laws,” Lewis writes.