Whether it’s carried out by Chinese agents, Russian hackers, or even rival American companies, cyber espionage is believed to occur nonstop around the world, hurting the bottom lines of major corporations and keeping them on the defensive.
Underscoring the seriousness of the threat, a Senate report released earlier this week revealed that last April China briefly rerouted through its servers 15% of the entire world’s Internet traffic, including commercial sites such as those of Yahoo! (NASDAQ:YHOO) and Microsoft (NASDAQ:MSFT).
“It’s not a matter of if or when. It’s continuous,” said Jeff Bardin, a former code-breaker at the National Security Agency and currently the chief security strategist at XA Systems.
So what exactly is cyber espionage? It can loosely be defined as using secretive means to infiltrate a network and steal information to gain a competitive advantage. The spying could be aimed at acquiring a technology, such as blueprints for a new type of microprocessor, or at learning strategic plans, such as a potential acquisition, or confidential data from a lawsuit.
“Even knowing what someone is not going to do can give you an advantage,” said Jim Rickards, a threat finance consultant at Omnis who has worked with the Department of Defense and NSA.
While many cyber hacking events go unreported by red-faced companies, there are a number of high-profile examples from the past few years alone.
The Chinese incident disclosed by the Senate panel is believed to be one of the largest diversions of Internet traffic ever. While the investigators weren’t able to say whether or not it was intentional, the incident still demonstrates China’s growing cyber capabilities.
In 2008, the FBI discovered that valuable data about oil discoveries were stolen from energy companies ExxonMobil (NYSE:XOM), ConocoPhillips (NYSE:COP) and Marathon Oil (NYSE:MRO). Some evidence pointed to China’s hand in the incident.
Last year the Air Force’s $323 billion F-35 fighter jet program, which is run by Lockheed and is believed to be the most expensive defense program ever, was infiltrated by hackers. Later in 2009 Google (NASDAQ:GOOG) and 33 other companies, including banks and defense contractors, were hacked into in an effort to gain access to source code.
NetWitness earlier this year reported that more than 75,000 computer systems and 2,500 companies in the U.S. and around the world were hacked by cyber criminals.
Despite greater awareness in the business community and new defenses, the cyber threat does appear to be growing.
The DOD said the number of reported malicious cyber activities on its systems jumped by 31% last year to 71,661 events. The agency said more than 100 countries are currently trying to break into U.S. networks and NATO has said its headquarters are attacked at least 100 times a day.
The Senate report concluded that today’s cyber espionage has become increasingly sophisticated and more focused on social media like Facebook, and has developed a nexus with criminal software and techniques.
“It’s kind of like an arms race,” said Rickards. “Security has certainly improved but vulnerability is certainly greater and sophistication is greater.”
Cyber Warfare vs. Cyber Espionage
Even though cyber espionage is happening continuously, cyber warfare, which is still in its infancy, tends to get all of the press.
“Cyber warfare is still an immature science out there. We’re still building those capabilities,” said Bardin.
To be sure, there is a history of cyber warfare, but it mostly occurs on a large scale during actual military conflicts, such as during the first Gulf War and the intervention in Bosnia.
On a smaller scale, many denial-of-service attacks have been carried out, such as a 2009 attack launched by North Korea that impacted government agencies and commercial sites, including those of the New York Stock Exchange (NYSE:NYX), Nasdaq (NASDAQ:NDAQ), Amazon.com (NASDAQ:AMZN) and Washington Post Co. (NYSE:WPO).
But given how interconnected the global economy is, it wouldn’t be in most nations’ interests to carry out an attack that would take down the world’s greatest economic power.
“Only an irrational state or terrorist group would conduct an attack that would result in its own demise,” Jeffrey Carr, a cyber intelligence expert, wrote in an article about cyber warfare.
Security experts say China and Russia are running neck and neck for the title of worst offender of cyber espionage.
China is said to have a coherent, centralized effort that benefits its military and intelligence communities, but also its commercial interests.
It’s easy to see how major American companies like Boeing (NYSE:BA), Chevron (NYSE:CVX), Intel (NASDAQ:INTC) and Merck (NYSE:MRK) could be targets as Carr said China’s main priorities include high-end microprocessors, next generation mobile devices, large-scale oil, gas and coal mining, advanced aircraft design and pharmaceuticals.
The ensuing seizure of data has provided China’s engineers and scientists with a way to “accelerate its technological growth beyond anything that we've seen before,” Carr wrote, noting that China’s patent filings over the past five years have increased fivefold compared with the previous five-year period.
On the other hand, Russia’s espionage efforts are often more amorphous, carried out by agents of the government as well as elements of the Russian underworld like hackers and gangsters. Carr said Russia focuses on its strategic objectives in nanoelectronics, robotics, cloud services, information and communications technology, semiconductors and photonics.
Mounting a Cyber Defense
So are American businesses ready to protect themselves from these cyber spies? It appears some industries are more prepared to deal with the threat than others.
While banks are still losing money to cyber crime, they have been defending themselves from hackers for years. Less prepared sectors include health-care companies, law firms, retailers that already deal with razor-thin profit margins and utility companies operating critical infrastructure like electric grids.
Security experts urge major companies to go beyond simply installing a firewall that is a mainstay in most homes now. Companies need to also consider other options, such as encryption software, server scrubbing, intrusion protection devices, anomaly detection software that looks for changes in network traffic and deep-packet inspection services.
Underscoring the growing demand for security services, Intel scooped up computer security stalwart McAfee (NYSE:MFE) in August for $7.68 billion.
To defend against the cyber threat, companies also need skilled technicians to operate the systems and sound processes to respond to incidents.
Rickards also advises companies to use some good old-fashioned tradecraft: make sure sensitive information is kept in tight circles. For example, if working on an acquisition, keep the team small, use code names, deal out special BlackBerries and meet in secret.
Should the U.S. Go on Offense?
Some argue the U.S. needs to take off the gloves and follow the sports motto that the best defense is a good offense.
Rickards said it would be “nice” if the White House was less reluctant to unleash some of America’s offensive capabilities, adding, “If you can run up your score on your opponent, the damage they can do to you is reduced.”
However, others say the cautious approach is smart because it’s not clear what the implications of a cyber counterattack would be.
“In the Internet there is no 12-mile boundary [around our territorial waters]. There is no airspace. If you do a cyber attack, do you risk a physical response?” said Bardin.