The consequences of cyber-spying

Aug 03, 2011

Countries spying on each other is nothing new, but the way they are spying is. James Lewis will answer questions about the evolution of spying, cyber-spying, and the consequences of cyber-spying in this 30 minute chat.

Related:

Report on ?Operation Shady RAT? identifies widespread cyber-spying
Reports of cyberattacks that likely originated in China (Photo Gallery)
NSA is looking for a few good hackers

The usual rules in espionage are not to get caught and not to be seen.  The McAfee report is interesting because  they were able to get somebody's log - a record of all that they've been up to. It's a new window into a usually secret world.   It's an interesitng topic and an issues that's a growing probelm for the US. 

"If it is on the Internet, it has to be true." While that is an old joke, what about what one finds in the world of cyberspying? If someone knows they are going to be spied on, wouldn't there be an advantage to change the information so that bad information is stolen? On the other side, what happens when hackers change the information? Might the world of cyber-spying become one of great mistrust in what information is found?

Harder to do than it sounds, and in many cases people don't know they are being spied on until after it happens.

When can we expect a significant degree of disinformation designed to provide false information to snoops?

Probably never.  It's like asking why don't banks stock counterfeit money to hand to robbers.  It's nto a bad idea, but it is hard to pull it off.

What is it that keeps banking, CIA, etc. computers more secure than the typical business computers? How much would it cost a business to upgrade to more secure levels?

What we've seen is that it migh be a wash - that if companies took what they spend now and used it a bit more effectively, they could be more secure.  Companies need three things, and there is were some agencies have an advantage: trained people, good rules for "hygiene" and the right technologies to see what is going on in their network.

 

We can work in a Harry Potter reference by saying the real secret is "constant vigilance."

How long has cyberspying been happening?

First example I know of is 1982, with the Russians hiring German hackers to break into DOD networks.  There'sa book on this from the 80s - "Cuckoo's Egg" that's still in print - that says something about the duration of the probem.

There have also been major incidents in the late 1990s, int eh ealry 2000s and we'v put up a list of major incidetns since 2006.  It's not always clear who is responsiblme, even thought hte Chinese often get the blame, but several countries have the necessary skills: Russia, the US, the UK, Israel,  and China, and there are a few others coming up rapidly - my favorites to  watch are north korea and iran

(From a Post staffer): One commenter on today's story on "Operation Shady RAT" says "the USA should be able to give as good as it gets in the arena of" cyber-spying. Do you agree? 

We are pretty good at this, and have done some amazing things in politicla and military espionage, but we don't engage in economic espionage - the US govenrment doesn't take technology form foreign companeis (not everyone beleives that but I think it is still true). that puts us at a disadvantage.  On shooting back, the problem is that spying isn't a act of war under international law.  We might not want to change that since we do some spying ourselves. 

(From a Post staffer): China's government is often mentioned as a candidate when we suspect cyber-spying. What other countries have shown the interest and capability to carry out these sorts of efforts against the U.S.?

the National  Counter Intelligence Executive (NCIX, part of the DNI) puts out a long list - about 120 coutnries.  That's probably too many.  It' smore liley that there are 30 or so countries that routinely use hacking and five or six at the top of the list - we're one, China is another.  What's interesting to watch is that more countries are looking into developing their own hacking capablities - it's a growth field for military and intelligence action.   

Do you think this is somebody trying to prepare for some sort of attack, because this is the second time that I have heard about people going after our defense networks.  Or do they just want information so that they can sell/ develop their own technolgies through our ideas?

Right now, it is information, but we know that a few countries have probed US networks to find weakneses they can use for an attack, if they ever need to- the eletrical grid is a popular target.  i usually think of it as just another weapons system: its there, and it could be launched, but no country will start a cyber war on a whim.  Once "non-state actors" can launch cyber  attacks, it may be a differetn story, but so far that is not the case.

If you are hacked, are you better off with a password or a smart card? Thanks.

Passwords don't work at all, especially against a sophisticated opponent.  That's been true for years.  The people who do this kind of stuff for governemtns include people who can do a really hard corssword puzzle in ink in five minutes - they're just really good at getting the right answer from a few clues.  Plus, there are all sorts fo technologies for fidning or guessing passwords. They just don't work.

Seems like the US carries a big stick (i.e., military capabilities, China holding about 9% of US Treasury debt, China benefitting from no US tax on Chinese imports) but is very reluctant to back-off China though we very well could impose mass economic consequences. What is your opinion on why the government is so passive in their response to this type of international negative behavior?

Some of it is that a few companies that are afraid that China might  retaliate by denying market access.  Some of it is unwillingness to admit to the scope of the damage, and some of it is that we haven't thought about how to deal with what's become (as you note) a much larger trade issue.  I expect this will change in the next couple of  years, but right now, it's a problem that we don't compalin enough when something bad happens.   

How much of the blame rests on the hackees for poor defense? Do heads in the US gov't ever roll over security lapses? Are personnel, especially senior and higher-ranking personnel, evaluated on security practices as part of their performance reviews?

It's poor defenses and not enough international engagment on the issue.  We need our side to do better and we need to engage with the other side to reduce the activity.

If you're interested, check out other cyber espionage incidents like Ghostnet or Aurora.  There is  a pattern of activity that suggests that a few countries have long running programs to collect against the US.   The White House put out an "International Strategy" in May that is worth looking at, but we're just starting to get our hands around this probem.  Thanks for chatting.

In This Chat
James Lewis
James Andrew Lewis is a senior fellow and director of the Technology and Public Policy Program at Center for Strategic and International Studies where he focuses on technology, national security, and the international economy. Before joining CSIS, he worked in the federal government as a foreign service officer and as a member of the senior executive service. His assignments involved Asian regional security, military intervention and insurgency, conventional arms negotiations, technology transfer, sanctions, Internet policy, and military space programs.

Follow James on Twitter.
Recent Chats
  • Next: