Information Warfare Countermeasures
Note: This article was originally published by the author on November 26, 2018.
The Critical Infrastructure and Key Resources (CIKR) of the United States continue to be the target of cyberattacks by both foreign and domestic adversaries, some of which are more serious threats than others. As a world superpower and leader of innovative technologies, it is not surprising that the U.S. is among the most targeted nations for cyber espionage and theft of intellectual property as well as sensitive government and proprietary information. What is surprising, however, is the fact that the U.S. has repeatedly failed to counteract this threat due to weak federal policy and regulations on private industry.
At the pinnacle of dangerous Internet-based threats are what are known as Advanced Persistent Threat (APT) groups, which possess formidable information warfare skills and resources. These APT groups are characterized by their sophistication of skill, patience, organization, customized hacking exploit tools, and funding resources, which they use to penetrate, extract, and process information stolen from protected networks (Arntz, 2016). APT groups are regionally based in practically all developed nations but operate covertly and are very skillful in covering their digital footprints. They are not concerned with abiding by the computer crime laws of whichever country they are launching operations against; they are only concerned with collecting strategically valuable information by whatever electronic means are possible.
Over time, the U.S. has spent a mind-numbing amount of money and invested a huge amount of effort into building the IT infrastructure that forms the communications backbone of the U.S. government and military. Much of this backbone is connected to the Internet, and despite the massive amount of spending and effort expended, the number of data breaches and successful network compromises has continued to increase year after year. More and more APT groups have emerged, and nations have figured out that they can influence politics and save billions by conducting cyber espionage campaigns against the information systems of allied and adversarial nations alike.
Using advanced Web-based vulnerability search tools like Shodan, it is quite alarming to find that there are still U.S. CIKR information systems that remain connected to the Web even in 2017. Meanwhile, cyber-attacks continue to occur at a furious and unending rate, casting doubt on the ability of the government to adequately protect its most sensitive and classified information. This paper will attempt to explore whether it is, in fact, feasible to disconnect U.S. critical infrastructure from the Internet, a process colloquially referred to as “air-gapping,” in order to mitigate the risk posed by APTs.
Federal Initiatives to Protect CIKR
Contained within the 2013 National Infrastructure Protection Plan (DHS), the U.S. government has established critical infrastructure sectors that serve to organize the nation’s critical infrastructure. The 16 sectors are Chemical; Commercial Facilities; Communications; Critical Manufacturing; Dams; Emergency Services; Information Technology; Nuclear Reactors, Materials & Waste; Food and Agriculture; Defense Industrial Base; Energy; Healthcare & Public Health; Financial Services; Water and Wastewater Systems; Government Facilities; and Transportation Systems (DHS, 2013, p. 11).
National Cybersecurity and Communications Integration Center
The National Cybersecurity and Communications Integration Center (NCCIC) serves as the cybersecurity hub for the federal government, the Intelligence Community (IC), and law enforcement agencies, and it is fully staffed and maintained 24 hours a day, 7 days a week. The NCCIC is meant to provide a big-picture status on the current cyber situation as it pertains to cyber attacks, vulnerabilities, and incident response actions (DHS, 2016). Under the NCCIC are the US-Cyber Emergency Response Team (US-CERT) and the Industrial Control System Cyber Emergency Response Team (ICS-CERT), both of which respond to cyber incidents and provide cybersecurity information and services to the public and private sector organizations that maintain critical infrastructure and ICS (DHS, 2016).
The Critical Infrastructure Cyber Community Volunteer Program (C3VP) was established to help private-sector owners of critical infrastructure improve their cybersecurity posture and resilience (DHS, 2016). Additionally, the Department of Homeland Security (DHS) holds a biennial cybersecurity exercise called “Cyber Storm” that brings together federal and state governments and private industry organizations from various sectors to engage in simulated cyber-attacks and learn how to better protect critical infrastructure in the event of an actual cyber attack (DHS, 2016). Joint collaborative training exercises such as this help both the government and the private sector to better understand how to work together and avoid the perils of inadequately protected critical infrastructure.
Cybersecurity Information Sharing Act
Congress passed the Cybersecurity Information Sharing Act (CISA) in 2015, which leverages technology to automate the sharing of threat indicators amongst federal and private sector organizations (DHS, 2016). CISA established the NCCIC as the central cyber hub for the U.S., and the NCCIC in turn developed the Automated Indicator Sharing (AIS) system. AIS serves as a mechanism by which cyber threat information is exchanged bi-directionally and assigned a credibility rating score before it is disseminated to participating organizations (DHS, 2015). This sharing of cyber threat intelligence and indicators helps improve the overall cybersecurity of critical infrastructure, provided that the responsible organizations actually assimilate the shared information into their cybersecurity posture.
Advantages of Connecting CIKR to the Web
The advantages of connecting information systems to the Internet are that networks can communicate with one another, share information, be remotely administered, and receive software update patches in a timely and automatic manner. However, with the convenience of Internet-connected critical infrastructure devices come many risks, such as viruses, malware, hackers, denial-of-service attacks, and APTs, and the list goes on. The reality of the situation is that Internet-connected information systems are extremely vulnerable to all manner of external threats, and what is worse is that some organizations probably do not even realize that their devices are reachable from the Web (King, 2014). In a research report published in 2012, Infracritical Inc. found that the U.S. had over 600,000 critical infrastructure devices connected to the Internet, which was the most of any nation at the time (King, 2014).
Perhaps the most disturbing part of this information is that critical infrastructure devices are often ICS or Supervisory Control and Data Acquisition (SCADA) systems that are used to control things like waterways, dams, natural gas, mining operations, emergency operator phone systems, power grids, nuclear power plants, traffic lights, transportation systems, railroads, and healthcare systems, to name but a few (King, 2014). Imagine the havoc that a well-crafted cyberattack could wreak upon any one of those types of critical information systems, let alone a combination of multiple systems such as the U.S. might face in a well-coordinated cyber-attack perpetrated by a nation-state.
Organizations are advised to disable Web interfaces, Simple Network Management Protocol (SNMP), Telnet, and remote configuration interfaces, as well as to use firewalls and virtual private networks (VPN) to further protect traffic and systems that must remain connected to the Web (King, 2014). Still, critical infrastructure devices seem to remain connected to the Internet, in most cases simply for convenience, so that the people administering the systems do not have to travel to remote locations, and for other similar reasons. This habit demonstrates how the human element continues to be the biggest threat to security, and to information system security in particular: people take shortcuts or skip security best practices for the sake of convenience. This flawed mentality continues to pervade and persist in every organization and reflects ignorance of the threats at hand. A change of mentality concerning information system security is desperately needed for the sake of protecting U.S. CIKR.
Aging Information Technology Infrastructure
Another valid concern standing in the way of progress is the aging Information Technology (IT) network infrastructure of the federal government and military. It is very costly to upgrade IT equipment, especially on a national scale across the entire federal government, military, state governments, and even the private industry that manages much of the U.S. critical infrastructure. Understandably, equipment upgrades are performed only infrequently, simply because of the cost and the hassle of reconfiguring the network. However, whatever the cost amounts to, it is necessary, and the technology must be refreshed on a consistent basis, preferably every three to five years, if the government and military expect to keep up with the demands of modern technology, which, as Moore’s Law states, expand exponentially. Information is arguably America’s most important commodity and warrants spending whatever costs are associated with its protection.
The Advanced Persistent Threat
APTs employ a variety of cyberattack methods, including scripting sophisticated custom malware that exploits zero-day vulnerabilities in software code in order to penetrate networks and exfiltrate sensitive information that is of strategic value to their national or criminal interests. While all APT groups are persistent and are threats to any information system, they are not necessarily advanced in their methods of attack. The manner of delivery for these APT malware exploits is often simply a well-crafted phishing or whaling email, or a malware-infected website link (i.e., a watering hole attack) (Huwieler, 2015). APTs must also have the financial support and resources to be able to interpret massive amounts of information written in foreign languages, which is where the tie back to the Intelligence Community (IC) comes into play. During the interpretation and analysis phase for the exfiltrated data, if it is discovered that valuable information exists, it is sent on to the foreign adversary’s intelligence organizations for further analysis.
APTs, as one might suspect, are normally very careful about cleaning up and covering their digital tracks after network intrusions, but trained and skilled network forensics specialists are sometimes able to correctly attribute APT group cyber activity by studying evidence such as metadata recording the times and dates at which changes were made to a system, which might indicate the time zone from which the actions against target systems were carried out. These types of evidentiary details are often recorded in the system or network security event logs, and if those logs were not altered, or were backed up externally before the cyber intruders could alter them, the audit logs can be a goldmine of information for digital forensics investigators (Stone, 2016). Additionally, it is often possible to positively attribute cyber espionage and/or attacks to a particular nation-state sponsored APT by process of elimination, with respect to which nation stands to gain the most from the pilfered data and which APTs are known to possess the technical acumen to successfully perpetrate such an attack (Stone, 2016).
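The two forensic checks described above, as an added example that is not part of the original article: inferring an operator’s likely time zone from the timestamps of their actions, and detecting log alteration by comparing the host copy against an externally archived copy. All timestamps, log lines and addresses are constructed sample data.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed sample: UTC timestamps of attacker-generated events recovered from
# file metadata and security event logs (assumed already normalised to UTC).
SAMPLE_EVENTS_UTC = [
    "2017-03-06T01:12:00Z", "2017-03-06T02:40:00Z", "2017-03-06T05:05:00Z",
    "2017-03-06T07:30:00Z", "2017-03-07T00:55:00Z", "2017-03-07T03:20:00Z",
    "2017-03-07T06:48:00Z", "2017-03-08T01:30:00Z", "2017-03-08T04:10:00Z",
    "2017-03-08T08:15:00Z", "2017-03-09T02:02:00Z", "2017-03-09T09:40:00Z",
    "2017-03-09T09:10:00Z",
]

# Constructed sample: an audit log as shipped to an external collector at the
# time of writing, and the copy still sitting on the compromised host.
ARCHIVED_LOG = [
    "2017-03-06T01:12:00Z sshd: Accepted publickey for svc_backup from 203.0.113.7",
    "2017-03-06T01:13:05Z sudo: svc_backup : COMMAND=/bin/tar -czf /tmp/.cache.tgz /srv/eng",
    "2017-03-06T02:40:00Z scp: outbound transfer of /tmp/.cache.tgz to 198.51.100.9",
]
LOCAL_LOG = ARCHIVED_LOG[:2]  # the outbound-transfer record has been deleted on the host

def parse_utc(stamps):
    """Parse ISO-8601 'Z' timestamps into timezone-aware UTC datetimes."""
    return [datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            for s in stamps]

def infer_utc_offset(events, work_start=9, work_end=18):
    """Return (offset_hours, share): the whole-hour UTC offset that places the
    largest share of the actor's activity inside a local working day. This is a
    heuristic, not proof; it assumes a human operator keeping office hours and is
    only one attribution input alongside tooling, infrastructure and victimology."""
    best_offset, best_hits = None, -1
    for offset in range(-12, 15):
        local_hours = [(e + timedelta(hours=offset)).hour for e in events]
        hits = sum(work_start <= h < work_end for h in local_hours)
        if hits > best_hits:
            best_offset, best_hits = offset, hits
    return best_offset, best_hits / len(events)

def sha256_lines(lines):
    """Hash a log as a sequence of newline-terminated lines."""
    digest = hashlib.sha256()
    for line in lines:
        digest.update(line.encode("utf-8") + b"\n")
    return digest.hexdigest()

def find_tampering(local_log, archived_log):
    """Compare the log still on the host with the copy shipped to an external
    collector before the intruder could touch it. Returns the 1-based line numbers
    (relative to the archive) that are altered or missing on the host; an empty
    list means the host copy is consistent with the archive. Lines appended on the
    host after the archive was taken are not flagged."""
    if sha256_lines(local_log) == sha256_lines(archived_log):
        return []
    diffs = []
    for i, archived_line in enumerate(archived_log, 1):
        local_line = local_log[i - 1] if i <= len(local_log) else None
        if local_line != archived_line:
            diffs.append(i)
    return diffs

if __name__ == "__main__":
    offset, share = infer_utc_offset(parse_utc(SAMPLE_EVENTS_UTC))
    print(f"activity most consistent with UTC{offset:+d} ({share:.0%} of events in office hours)")
    print("archive lines altered or missing on host:", find_tampering(LOCAL_LOG, ARCHIVED_LOG))
```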
APT Stages of Operation
APTs operate in stages to achieve their targeted objectives. Rob Joyce served as the head of the National Security Agency’s (NSA) elite hacking unit known as the Tailored Access Organization (TAO), which is arguably one of the most sophisticated APT groups in the world and is alleged to have been at least partly responsible for the ultra-complex Stuxnet malware code that crippled Iran’s nuclear enrichment facility at Natanz in 2008 (Zetter, 2014). To provide a sense of how APTs operate, Joyce stated that TAO adheres to a six-step process for hacking targets after a target selection is made. First, reconnaissance of the target is conducted, then initial exploitation, persistently repeated attempts, custom exploit tool installation, and lateral movement across systems, all of which culminates in the collection and exfiltration of sensitive data from the target system (Ferran, 2016). APTs are relentless and extremely persistent; these groups will continue to poke until they find a way into a network. They are even sometimes able to custom-craft a zero-day exploit unique to an operating system or application to penetrate a network (Ferran, 2016).
Certain industries are more valuable as targets of cyber espionage than others. For the most part, these targeted industries can be categorized as national critical infrastructures such as Aerospace, Aviation, Energy, Healthcare, Pharmaceutical, Technology, Defense, Government Officials, NATO, Embassies, Research Facilities, and large enterprise companies, all of which have at one time or another been victims of cyberespionage attacks conducted by APTs (Martin, 2016). The Angler-EK APT group is believed to be Russian-based, and its Angler Exploit Kit (EK) has been hugely prevalent in recent years, having been implanted on several notable websites (e.g., Lenovo’s customer portal and The Guardian) where unsuspecting visitors click on links and inadvertently download malware, including TeslaCrypt (a.k.a. Cryptolocker) ransomware and even more advanced cyber-espionage hacking exploit tools (Martin, 2016).
Of recent notoriety are the Russian APT groups Fancy Bear and Cozy Bear. Both groups are believed to be Russian intelligence agency-affiliated and were discovered to be involved in the 2016 U.S. Presidential campaign and election hacks that continue to be the source of political controversy (Stone, 2016). The Fancy Bear APT group is also referred to as APT 28, and the Cozy Bear APT group is also referred to as APT 29 (Stone, 2016). The Cozy Bear APT group has conducted cyber attacks against the White House and U.S. State Department while the Fancy Bear APT group is more hacktivist in nature and is focused on information warfare (Stone, 2016).
The Butterfly APT group is thought to be Chinese-based but is composed of native English speakers operating from the Eastern U.S., and it is characterized by its use of zero-day exploits and custom-crafted malware, which has been used to target Twitter, Facebook, Apple, and Microsoft in cyber espionage information collection efforts (Martin, 2016). If an APT group is able to steal research and development (R&D) information from a company like Apple and then distribute that information to a similar company in its own country, the receiving company could use that information to create a similar technology without having to invest the time and money it took Apple to develop it. The same holds especially true for the defense contractor industry with respect to space and weapons systems technologies.
Another group, known as APT 1, is attributed to the People’s Liberation Army (PLA) Unit 61398 of China and is the subject of a massive report published by a computer security firm known as Mandiant, which was later bought by FireEye (Mandiant, 2004). The report details how Unit 61398 has been involved in hundreds if not thousands of cyber espionage campaigns, which exfiltrated hundreds of terabytes of data from targeted networks around the world. The report also details APT1’s connection to the Chinese government, for which the group stole the information. Active since at least 2006, this particular APT group is thought to be quite large, upwards of a thousand people in fact, judging by the physical footprint of its buildings and by its attack infrastructure, which includes over 1,000 servers from which it launched attacks (Mandiant, 2004, p. 3).
APT 1 had special fiber optic cabling installed for its networks by China Telecom and uses “hop point” systems from which they launch attacks to further obfuscate the group’s true identity (Mandiant, 2004, p. 39). The group’s members are required to be bilingual in both Mandarin and English and trained in computer network security (Mandiant, 2004, p. 3). The APT 1 report demonstrates how an APT group can be tracked and monitored over time by the exploit tools it employs against targeted systems.
As if to confirm that cyber espionage is the new norm in the Digital Age, former Director of National Intelligence (DNI) James Clapper acknowledged in a statement that the U.S. has also been involved in cyber espionage campaigns (Stone, 2016). This admission was not a surprise, but it lends credence to the claim by Kaspersky Lab’s Global Research and Analysis Team (GReAT) that the ultra-sophisticated APT group dubbed the Equation Group, named for its use of strong encryption in all of its exploits, is tied to the National Security Agency (NSA), whose hacking exploit kit was itself hacked and stolen in 2016 by another hacking group known as the ShadowBrokers (Kaspersky, 2016).
These exploits, some of which contain zero-days, have since been made freely available online and, as such, are completely irrelevant to the NSA or whoever created them. Software vendors will quickly create patches to remedy the discovered vulnerabilities, which will render the exploits obsolete so long as everyone updates their software. Therein lies the window of opportunity for malware infection: APT groups know that a substantial number of organizations will not patch immediately, perhaps not for years, if ever.
Air-Gapping Critical Infrastructure and other Hardening Techniques
Air-gapping a computer is a security control that involves disconnecting a computer from the Internet and from other computers, making it a standalone system. Air-gapped systems are everywhere, but the practice is most often employed for classified military networks, financial transaction systems, and the ICS that control CIKR information systems (Zetter, 2014). The U.S. military has adopted the principle of air-gapping for its Secret Internet Protocol Routing Network (SIPRNET) and the Joint Worldwide Intelligence Communication System (JWICS) (Kramer, Starr, and Wentz, 2011, p. 54).
As there is no such thing as a perfectly secure system, air-gapped systems are vulnerable to malware infection from Sneakernet data transfers performed by persons using external storage devices such as CD/DVDs, USB drives, or external hard drives (Zetter, 2014). Additionally, the Israelis demonstrated that it is possible to exfiltrate data from air-gapped computers through radio frequency (RF) signals emitted by a computer’s video card, the component responsible for rendering graphics from the computer’s central processing unit (CPU) to the monitor (Zetter, 2014).
Despite the fact that there are ways to hack an air-gapped computer, it is somewhat of a risky proposition because it relies on gaining physical access to the machine, either through Sneakernet media infection or by actually getting within close physical proximity to the computer, which may not be possible depending on the level of security in place at the facility. Also, many classified military networks have banned the use of external media such as USB drives for this same security reason.
Other security controls that can be implemented to harden CIKR information systems are to encrypt data-at-rest and data-in-transit using strong encryption protocols. Compartmentalizing information using drive partitions and folders that are restricted to only those individuals granted access by the information owner is a type of access control known as Discretionary Access Control (DAC). Every computer should have anti-virus/anti-malware software that is updated frequently with virus definitions, because even the most sophisticated malware-enabled exploits have a shelf life: once they are discovered, their digital fingerprints are added to anti-virus signature databases around the globe, making the code irrelevant (Huwieler, 2015).
Firewalls on local machines should be configured to deny all traffic except that which is necessary for the machine to perform its functions. Services that are not needed on a system or server should be disabled by default so that they do not pose additional security risks. These are just a few security controls that can be implemented to harden critical information systems, but there are many more options available. Care must be taken not to make a system too secure, however, because then security will have become an impediment to progress. A functional balance must be achieved for every system, but air-gapping a CIKR information system is a major step towards improving its security.
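As an added example that is not part of the original article, the following audits a device’s listening services against the guidance above (disable Web interfaces, SNMP, Telnet and remote configuration interfaces) and emits a host firewall ruleset in the deny-all-except-necessary posture just described. The listener inventory, subnet and allow-list are constructed assumptions for one hypothetical SCADA gateway; the generated ruleset uses nftables syntax.

```python
# Management services the article advises disabling on Internet-reachable CIKR
# devices, keyed by their conventional port numbers.
RISKY_MGMT_PORTS = {
    23: "telnet", 161: "snmp", 80: "http-admin", 443: "https-admin", 8080: "http-admin-alt",
}

# Constructed sample: listener inventory of a hypothetical SCADA gateway, as
# (protocol, port, process) tuples.
SAMPLE_LISTENERS = [
    ("tcp", 22, "sshd"), ("tcp", 23, "telnetd"), ("udp", 161, "snmpd"),
    ("tcp", 80, "lighttpd"), ("tcp", 502, "modbus-gw"), ("tcp", 5900, "vncserver"),
]

# Assumed allow-list: what this gateway genuinely needs, reachable only from the
# engineering workstation subnet (an assumed, documentation-range address block).
ALLOWED = {("tcp", 22): "ssh from engineering subnet", ("tcp", 502): "modbus from engineering subnet"}
ENG_SUBNET = "10.20.30.0/24"

def audit_listeners(listeners, allowed=ALLOWED, risky=RISKY_MGMT_PORTS):
    """Return one finding per listener that is not on the allow-list, as
    (proto, port, process, reason). Listeners on ports the article names as
    risky are tagged with that service name; anything else is flagged simply
    because it is not required, matching the 'disable by default' guidance."""
    findings = []
    for proto, port, proc in listeners:
        if (proto, port) in allowed:
            continue
        findings.append((proto, port, proc, risky.get(port, "not in allow-list")))
    return findings

def nftables_ruleset(allowed=ALLOWED, source=ENG_SUBNET):
    """Render a default-deny input chain that accepts loopback, established
    traffic, and only the allow-listed (proto, port) pairs from the engineering
    subnet. Everything else is logged and dropped, so a Telnet or SNMP daemon
    that is later re-enabled by mistake is still unreachable from the network."""
    lines = [
        "table inet cikr_host {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",
        "    ct state invalid drop",
    ]
    for (proto, port), why in sorted(allowed.items()):
        lines.append(f"    ip saddr {source} {proto} dport {port} accept  # {why}")
    lines += ['    log prefix "cikr-drop: " drop', "  }", "}"]
    return "\n".join(lines)

if __name__ == "__main__":
    for proto, port, proc, reason in audit_listeners(SAMPLE_LISTENERS):
        print(f"FINDING: {proto}/{port} ({proc}) listening: {reason}")
    print(nftables_ruleset())
```

The ruleset is a host-local control; the article’s point that such devices should ideally not be reachable from the Internet at all still stands.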
There are many threats to U.S. CIKR information systems in cyberspace, not the least of which are APT groups. The threat is no longer the single hacker behind a keyboard, although that threat cannot be ignored either. The U.S. needs to establish a robust cyber policy that affords it the ability to counterstrike using cyber warfare when it is attacked. Given the numerous cyber threats facing U.S. critical infrastructure, it is worth the academic discussion as to the feasibility of air-gapping all of the information systems that are categorized as CIKR, to prevent a successful cyberattack from crippling America’s critical infrastructure systems, regardless of the difficulty of perpetrating such an attack. Security must never be allowed to be an afterthought.
In order for it to work, it has to be woven into the initial design concept. It cannot be added on afterward like a band-aid once the system is already operational and is bleeding from attacks. Whatever cost air-gapping CIKR information systems would incur, it is less than the potentially economy-crippling after-effects of a sustained cyberattack that shuts down a major metropolitan area’s electrical grid for a week or longer. Air-gapping is certainly not the be-all, end-all cybersecurity solution.
However, its implementation on all U.S. CIKR information systems would be a gigantic, positive step towards making Americans, and the everyday services they rely on, more secure. To go even further would require the U.S. to retaliate offensively using cyber warfare against nations that employ APTs against U.S. systems and so deter future attacks.
Arntz, P. (2016, July 26). Explained: Advanced persistent threat (APT). Retrieved from https://blog.malwarebytes.com/cybercrime/malware/2016/07/explained-advanced-persistent-threat-apt/
Department of Homeland Security. (2013). National infrastructure protection plan. Retrieved from https://www.dhs.gov/national-infrastructure-protection-plan
Department of Homeland Security. (2016, January 19). Protecting critical infrastructure. Retrieved from https://www.dhs.gov/topic/protecting-critical-infrastructure
Ferran, L. (2016, January 28). Head of NSA’s elite hacking unit: How we hack. Retrieved from http://abcnews.go.com/International/head-nsas-elite-hacking-unit-hack/story?id=36573676
Huwieler, J.B. (2015, November 25). Cyber warfare: Combat evolved, or combat at all? Retrieved from https://huwieler.net/2015/11/25/would-you-recognize-an-act-of-war-if-you-saw-it/
Kaspersky, E. (2016, August 16). Rare implementation of RC5/RC6 in ‘ShadowBrokers’ dump connects them to Equation malware. Retrieved from https://securelist.com/blog/incidents/75812/the-equation-giveaway/
King, R. (2014, October 8). Researcher: U.S. tops the world in critical infrastructure devices connected to the Internet. Retrieved from https://blogs.wsj.com/cio/2014/10/08/researcher-u-s-tops-the-world-in-critical-infrastructure-devices-connected-to-the-internet/
Kramer, F.D., Starr, S.H., and Wentz, L.K. (2011). Cyberpower and National Security. Washington, D.C.: National Defense University Press.
Mandiant. (2004, October 25). APT1: Exposing one of China’s cyber espionage units. Retrieved from https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf
Martin, S. (2016, April 16). 8 active APT groups to watch. Retrieved from http://www.darkreading.com/endpoint/8-active-apt-groups-to-watch/d/d-id/1325161
Stone, J. (2016, June 15). Meet Fancy Bear and Cozy Bear, Russian groups blamed for DNC hack. Retrieved from http://www.csmonitor.com/World/Passcode/2016/0615/Meet-Fancy-Bear-and-Cozy-Bear-Russian-groups-blamed-for-DNC-hack
Zetter, K. (2014, December 8). Hacker lexicon: What is an air gap? Retrieved from https://www.wired.com/2014/12/hacker-lexicon-air-gap/