Coming on the heels of recent cyberespionage news, the Wall Street Journal reported today on Pentagon plans to create a new military command focused on cyberwarfare. The new command will coordinate both offensive and defensive cyberwarfare efforts, focusing, in the latter case, on assisting the National Security Agency (NSA) and the Department of Homeland Security’s National Cyber Security Division (NCSD), the lead agency for domestic cybersecurity efforts.
This development is not surprising, given that cyberespionage is a rapidly growing and serious threat. Earlier this month, the Wall Street Journal published a story on cyberespionage attacks originating from China against the U.S. power distribution grid (reported earlier in this blog). And yesterday the Journal reported that computers holding data concerning both the developmental F-35/Joint Strike Fighter (JSF) and the United States Air Force’s air-traffic-control system had been breached. In the case of the Joint Strike Fighter breach, it appears that hackers were able to copy several terabytes of design information on the aircraft, potentially including information relating to its electronics system. Lockheed Martin, the lead contractor in the Joint Strike Fighter program, disputes the article’s representation of successful attacks, claiming that “there has never been any classified information breach.”
Further evidence of the extent of cyberespionage activities and capabilities was recently uncovered by researchers at The SecDev Group, a Canadian think tank, and the Munk Center for International Studies at the University of Toronto, who published a 52-page study in March on their efforts to track and uncover GhostNet, a malware-based cyberespionage network. GhostNet, which appears to have originated primarily in China, consists of at least 1295 infected computers in 103 countries. It was initially detected by the researchers while they were engaged to investigate reports that the computer systems of the Office of the Dalai Lama, the Tibetan Government in Exile, and several Tibetan NGOs had been penetrated. However, in tracking the source and nature of the penetration, the researchers discovered that it was connected to a much larger cyberespionage network. In fact, the Canadian researchers eventually learned that GhostNet had compromised computers in the ministries of foreign affairs, embassies, and offices of at least 21 different nations and international organizations, even including an unclassified NATO computer. Through GhostNet and its malware infections, operators are capable of taking full control of infected computers, including searching and downloading specific files, and attacking attached devices.
The Defense Department’s recent Annual Report to Congress on Chinese military capabilities, released in March, notes China’s focus on the development of “Non-Contact” Warfare capabilities, including both offensive and defensive Computer Network Operations (CNO). These capabilities might be used both to enable China’s access to sensitive and highly-controlled dual-use technologies, and to enhance its development of offensive asymmetric/cyberwarfare capabilities against military and civilian networks – especially communications and logistics nodes. It should be noted that China has repeatedly denied involvement in cyberespionage attacks and has called the Defense Department’s report “severely distorted facts, and was absolutely groundless.”
Intelligence collection, including through espionage, against logistical, infrastructure, and non-military targets is nothing new. And China is not unique in its efforts to develop cyberwarfare capabilities. Indeed, computer network attack and defense are basic building blocks of United States Information Warfare Doctrine. But the large volume of information concerning national infrastructure and even military logistics that remains in unclassified networks connected to the Internet is cause for stepped-up cybersecurity efforts. The GhostNet example demonstrates that a cyberespionage effort can quickly compromise and exploit a tremendous amount of data, including dual-use (both military and civilian application) technologies and political information. Corporations and other organizations should be concerned about cyberespionage threats even if they are not handling classified information. While Lockheed Martin may be correct, in the case of the JSF attacks, that classified information was not compromised, that does not mean the cyberespionage attacks were benign.