World War E

Cyber attacks can disable power grids, wreak havoc with financial systems and take down communications networks. Are we ready for this new battlefield?

In early 2013, US security firm Mandiant released what The New York Times described as an unusually detailed 60-page report on the apparent activities of a cyberwar cell in China’s People’s Liberation Army. “Unit 61398,” according to the study, was suspected of operating out of a nondescript mid-rise on the outskirts of Shanghai, and appeared to be implicated in scores of attacks on governments and corporations, especially those involved with “critical” infrastructure. The group was also known as “Comment Crew” for its practice of dropping hidden comments on the websites of target firms.

One of the companies alleged to be on Unit 61398’s hit list was Telvent Canada, the Calgary-based division of a firm that creates software allowing oil and gas pipeline companies to remotely control valves and gauges on its networks. The company, now owned by a French electrical equipment giant, had access to digital files containing details about much of North America’s energy pipeline grid. According to the Times — which itself was the victim of hacker assaults in the summer of 2013 by the Syrian Electronic Army — the theft of Telvent’s strategically crucial information was one of Unit 61398’s “most troubling attacks.” The company, according to a CBC investigation, advised its clients of the security breach in September 2012.

It was hardly the only serious and apparently orchestrated cyber attack on vital Canadian targets. In 2010, for example, the Saskatchewan resource giant Potash Corp., then the subject of a $38-billion takeover bid by Australia’s BHP Billiton, found itself on the receiving end of a hacker attack. In an interview with the CBC, which broke the story, Daniel Tobok, a Toronto security forensic and cyber expert hired by the firm, described the incursion as “very sophisticated and highly targeted.” The goal: internal information relevant to the takeover bid, which was ultimately blocked by the federal government, itself the target of Chinese hackers in a high-profile attack on three department websites in 2011. (China denied being responsible for the attack.)

In the case of Nortel Networks, hackers had systematically infiltrated the firm for about a decade before anyone noticed the incursion, observes Salim Hasham, national lead for the cyber resilience practice for PricewaterhouseCoopers Canada. All the while, he notes, the company “was being reduced to rubble” as other technology firms were emerging elsewhere, possibly armed with insights gleaned from Nortel’s internal documents.

There’s little dispute that cyber conflict and information warfare have become a fixture of geopolitics in recent years. WikiLeaks founder Julian Assange and the fugitive former intelligence contractor Edward Snowden unleashed reams of highly sensitive documents into the online world. Among the revelations: that a top-secret US agency is monitoring email traffic both domestically and internationally, irritating traditional allies such as Germany in its attempts to track terrorists. Even Canada has gotten into the act, facing accusations that a secretive Ottawa intelligence agency was carrying out cyber espionage against Brazil’s mining ministry.

Perhaps none of this should come as a surprise. For years, public and private sector organizations spent untold billions to secure their perimeters against viruses and other cyber weapons travelling through digital networks. But in the age of cloud computing, social media, USB keys and mobile communications, the organizational perimeter has become profoundly porous, with attackers using a host of other entry points and techniques. Assaults on websites have become old hat as cyber crime syndicates, shadowy government-linked hacker armies and all the shadings in between grow ever more sophisticated, patient and business-minded. “The attack vectors,” warns Nick Galletto, leader of Deloitte Canada’s information technology risk group, “continue to evolve at a rapid pace.”

In fact, over the past half-decade, according to security experts and government officials, there’s been a sharp escalation in the sophistication of new forms of electronic conflict perpetrated both by highly organized hacker mafias and state-sponsored groups like Unit 61398. And the goal isn’t just swiping credit card numbers.

Some observers fear these groups could launch crippling attacks on highly visible political and economic targets, such as government institutions, power plants and stock markets. As a 2011 assessment by the RCMP predicted, “Cyberspace will become as much a theatre of war as the battlefield. Governments will have to guard against such attacks by protecting their critical infrastructures against hackers.”

The US Department of Defense went even further in its 2013 annual appraisal of China’s military “capabilities,” which included an analysis of the country’s capacity for “electronic warfare” (EW) as a means of offsetting America’s superiority in conventional military weapons. For years, China has conducted aggressive cyber espionage and stealth web attacks against Western targets, including companies in vital sectors. The country is also in the process of building a firewall around itself to block politically inconvenient information from getting inside. But the Pentagon was looking ahead to new and more terrifying applications. “Effective EW,” the report observed, “is seen as a decisive aid during military operations and consequently the key to determining the outcome of war.”

While global security experts had been bracing for some years for the so-called militarization of cyberspace, the first bona fide military-style cyber skirmish occurred only in 2007, after the Estonian government announced plans to relocate a war memorial. Hacktivists in Estonia and allegedly Russia responded by orchestrating a massive “distributed denial-of-service” (DDoS) attack on the country’s ministries, banks and other institutions, causing chaos that lasted for three weeks. The attacks were thought to trace back to Russia, and raised questions about whether the DDoS amounted to military aggression.

“If you have a missile attack against, let’s say, an airport, it is an act of war,” an Estonian official told The New York Times. “If the same result is caused by computers, then how else do you describe that kind of attack?”

No airports were destroyed during the attack, however. “While the cyber-terror attacks on Estonia shocked the international community, they could have been significantly more devastating,” noted military analyst Stephen Herzog in a 2011 essay in the Journal of Strategic Security. “In future assaults, hackers may target a state’s traffic lights, water supply, power grids, air traffic controls, or even its military weapon systems.”

Since then, embattled or authoritarian governments have certainly made more aggressive use of cyber surveillance and Internet censorship to crack down on dissident groups. During Iran’s so-called Green Revolution and then amidst the Arab Spring protests in Cairo’s Tahrir Square in 2011, authorities moved to limit the use of social media, filter access to political websites and even shut down domestic access to the Internet in a bid to contain anti-government uprisings, according to research conducted by The Citizen Lab, an Internet surveillance watchdog group at the University of Toronto’s Munk School of Global Affairs.

Then, three years after the Estonian DDoS incident, intelligence agencies in the US and Israel allegedly moved to sharply raise the ante on cyberwar by dispatching a worm, known as Stuxnet, into the Iranian computer systems that control top-secret centrifuges capable of creating weapons-grade uranium. The worm accelerated the speed of the centrifuges, ultimately destroying them and thus setting back Iran’s deeply controversial nuclear energy program. Previous attacks on nuclear facilities in Iraq and Syria came in the form of air strikes from Israeli fighter jets.

Despite the notoriety of such incidents, what’s become increasingly clear is that the era of global cyberwar will include specific economic and corporate targets, as well as tech firms supplying sophisticated software to hostile governments.

Two years ago, for example, Citizen Lab analysts discovered that several Syrian and Hezbollah government and media organizations were leasing server space from Canadian web-hosting firms. The group’s researchers also identified a handful of North American web security companies that were supplying “filtering” technologies to repressive regimes in Burma, Yemen and Syria, allowing government agencies to block traffic to politically sensitive websites. One, a California firm called Blue Coat Systems, is partially owned by the Ontario Teachers’ Pension Plan.

“Filtering technologies produced by companies, some Fortune 500, in the US and Canada are currently being repurposed for state-sanctioned censorship,” noted a 2011 report by OpenNet Initiative. “This is not simply a case of a general purpose, neutral tool being used for an end not contemplated by its maker. The filtering products of today engage in regular communications with their makers, updating lists of millions of websites to block across dozens of content categories, including political opposition and human rights.”

While repressive regimes use these technologies against their own citizens, other groups — many of them well-financed, meticulous and state-supported — are focusing attacks on key economic players, says Rafael Etges, Ernst & Young’s leader of information security. Unlike relatively unsophisticated web-based incursions by basement hackers or thefts of credit card lists perpetrated by organized crime groups, these attacks are often focused on specific executives with access to highly privileged information. Etges says attackers will typically spend weeks or months tracking the company and making connections with their victims through social media and fake emails, which become the conduit for viruses programmed to retrieve documents with highly sensitive technical data or internal information about acquisitions.

Tobok, whose security consulting firm was acquired last year by Telus, notes that in the past two or three years there’s been a surge in such “spear phishing” and “spoofing” attacks. The perpetrators, who draw on information available online or through social networks such as Facebook, send high-level executives authentic-sounding emails that appear to be from colleagues, and may include links or attachments that contain viruses. Indeed, security experts urge senior corporate and government officials to be highly cautious about their social network presence and the people who appear to be part of their networks. “Every day I get phishing attempts through LinkedIn,” Tobok says. “I just hit delete.”

“People are still your weakest link,” adds Robert Steadman, vice-president of security and compliance at The Herjavec Group. He cites cases where hackers have left USB keys or CDs lying in the parking lot outside a corporate building. Out of curiosity, an employee may retrieve these memory devices and insert them into the drives of a company computer terminal, thus unwittingly admitting a virus programmed to retrieve documents or knock out certain IT systems.

Sophisticated attacker organizations, Etges adds, may well be perpetrating broader cyberwar campaigns targeting several companies in key sectors. When Potash Corp. became the target of a cyber attack during the takeover bid by BHP, several Bay Street law firms also discovered they’d been hacked, with intruders looking for documents pertaining to the deal.

In that case, the law firms and Potash executives discovered that the attackers had multiple targets. But security experts say many companies tend to keep such discoveries to themselves for fear of incurring what Etges describes as “reputational risk.” Of course, as he points out, when companies keep this kind of information under wraps, they play into the hands of sophisticated hacker groups.

In other instances, senior executives don’t fully recognize the broader impact of an attack if the theft doesn’t involve financial assets, such as credit card data. Illustrating this “disconnect,” PwC’s Hasham recalls dealing recently with executives at a company that was hacked by a foreign entity. Documents that were copied and removed outlined internal processes for dealing with certain operational problems. “The company said the data that was taken wasn’t that important,” he recalls. “But states are very patient and strategic.” The theft, Hasham adds, appeared to be a tactical move in a broader effort on the part of some external entity to understand the workings of the energy sector.

Kevin Lo, managing director of digital forensics and e-discovery at Froese Forensic Partners in Toronto, points out that executives are unlikely to report such thefts to law enforcement officials because there’s no obvious monetary loss that the police could help recover. He adds that the attackers may actually be after internal corporate documents that reveal strategically useful information about the company’s suppliers.

Lo and Hasham also point out that senior managers in many corporations still don’t quite understand the security threat environment. Consequently, they view internal security systems as costly line-items and “push this too far down in the organization,” says Hasham. In his view, understanding the role of security belongs in the C-suite, and may be well suited to the portfolio of the chief financial officer, who is ultimately responsible for risk management.

According to EY’s Global Information Security Survey 2013, however, only about 10% of the companies surveyed require their security executives to report directly to the CEO. Etges says corporate IT security experts within vulnerable sectors are now making more effort to share information about attacks among themselves in order to determine if detected intrusions are part of something bigger. “I want to know if the company across the street is being targeted.”

There may come a day when regulators — and law enforcement or intelligence agencies — will demand that companies hand over this kind of information. In the US and the European Union, securities regulators are developing voluntary disclosure rules about “significant” or “material” breaches that result from cyber attacks. “It’s a sign of things to come,” says Hasham. (The Canadian government, which has come under criticism from the auditor general about failing to bolster its own cyber defences, remains on the sidelines in this discussion.) Despite some lingering resistance from C-suite executives who haven’t paid sufficient attention to cyber security issues at the corporate, sectoral and national levels, there’s little doubt that media coverage of the US National Security Agency leaks has shone a blinding spotlight on the gritty mechanics of information leakage. “Security,” says Steadman, “has become more top of mind for a lot of people.”

But to turn that awareness into better defence, Tobok says organizations need to move beyond the assumption that large investments in technology will bring an end to security breaches. Rather, ongoing employee education, security policies such as background checks, and careful governance of internal procedures are necessary to complete the puzzle. “The institutions that do security governance well are well protected,” he says.

Galletto adds that companies and large organizations also need a clear framework and proactive approach for monitoring and managing cyber risks, which means assessing and understanding the threat landscape. That landscape, he notes, must include a company’s supply chain and the access third-party contractors have to the firm’s databases and computer networks. Finally, the framework should include clearly defined incident response protocols. “Many organizations today typically scramble when something happens,” he says.

In at least one highly visible case, there’s been a concerted effort to take a much more proactive stance in a sector that sits at the very epicentre of the global economy: the US securities industry. Last summer, Deloitte & Touche LLP and the Securities Industry and Financial Markets Association (SIFMA), which includes the largest players in the US equity markets, carried out an exercise called “Quantum Dawn 2,” a simulated cyber attack on the financial markets perpetrated by highly organized hackers. The US Department of Treasury, the FBI and other federal agencies also participated. (Not coincidentally, the hacker group Anonymous tweeted news of the exercise to its followers.)

During the stress test, The Wall Street Journal reported, hackers with stolen passwords triggered an automatic sell-off and then bombed the system with misleading information. The goal, according to an after-the-fact analysis prepared by Deloitte, was to test crisis management procedures and examine what would happen if the attack knocked out critical infrastructure in the financial services industry, requiring regulators to close the markets. During the exercise, the hired hackers succeeded in carrying out the attack, revealing that existing protections weren’t adequate. The simulation was also meant to examine what would be required to re-open the markets in the aftermath.

“The exercise scenario,” Deloitte and SIFMA’s assessment explained, “included multiple attack vectors originating from both external sources and malicious insiders. Motives for the attacks included the desire to steal large amounts of money, disrupt the equities market, and degrade a firm’s post-trade processing capability.” The stress test, which simulated a two-day attack compressed into six hours, included the introduction of counterfeit telecommunications equipment and phony press releases. In some ways, the exercise appeared to mimic the cyber equivalent of the 9/11 attacks on the World Trade Center.

Following the Quantum Dawn attack, SIFMA and Deloitte recommended a range of improvements geared at enhancing the coordination among a range of players, including exchanges, securities dealers and government agencies. Not wanting to tip off genuine attackers, the organizers have declined to provide a detailed account of how the response procedures failed, or how they’ll improve the system’s defences.

It’s not clear whether Canada’s securities industry and the banking sector have undertaken similar sector-spanning exercises to prepare for a concerted attack. A spokesperson for the TMX, which owns the Toronto Stock Exchange, declined to discuss its own security preparedness, except to say that the firm makes significant investments in security systems. Tobok says the banking industry has been proactive in fortifying itself. But Avner Levin, director of Ryerson University’s Privacy and Cyber Crime Institute, says Canada’s banking sector has shown no interest in disclosing information about the sorts of security threats its members face. His researchers have also identified the potential for security gaps in some third-party mobile banking apps used by consumers. According to Levin, the banks are indicating they won’t cover hacker-related financial losses that occur due to the use of these kinds of external apps, suggesting that such platforms may be vulnerable to hackers.

Such anecdotes raise tough questions about whether Canada is, in fact, ready to defend itself against highly orchestrated cyberspace attacks on the infrastructure that keeps the country’s economy afloat and its citizens safe. In a report to Parliament in 2013, federal auditor general Michael Ferguson pointed to a disturbing finding. In 2005, Ottawa established the Canadian Cyber Incident Response Centre to not only provide continual monitoring of international cyber threats but to also coordinate emergency response among provincial governments and private sector organizations operating in strategically significant sectors.

Almost a decade on, Ferguson said, the coordination efforts remain spotty at best. “We also found that the Cyber Incident Response Centre did not always have a full picture of the national and international cyber threat environment because it was not always given timely or complete information. Without complete awareness of the cyber threat environment, the centre’s ability to analyze and provide advice on threats is limited.”

As if to punctuate the point, Ferguson added this chilling detail about the centre, which was supposed to monitor and analyze cyber threats around the clock: “It has never operated on a 24/7 basis as planned, nor are there plans to do so.”