Most cyber security experts attribute the massive data breaches at Equifax and Home Depot to criminals, but Ontario’s security advisor sides with those who think nation-states were behind them, warning CISOs they are in a new era of cyber war.
“I suggest it [Equifax] is a nation state play,” Ray Boisvert told a workshop for CISOs Thursday in Toronto sponsored by the Information Technology Association of Canada (ITAC). “This was not an organized criminal play.
“There’s lots of occasions where there’s a convergence of interests, where organized criminal groups can operate with impunity in certain countries,” he said. “Then you’ve got an opportunity where the best in malware, best in advanced persistent threats are shared [by governments] with criminal groups. So they move from nation states to criminal groups because there’s money to be made by everybody.
“Moreover, I think the Home Depot [breach] is a good example of that.” He suggested the thinking went: “We can use you [criminal group] to further our national interests because we’re going to get you to communicate a message to that foreign government. In the case of Home Depot it was about Western sanctions against Russia over Ukraine. We’re going to get you to hurt one of those U.S. businesses to communicate a very soft, subtle, somewhat unattributable message.”
The possibility that a country was behind the huge breach at credit reporting giant Equifax, in which personal data on 143 million people in the U.S., Britain and Canada was stolen, was raised by Bloomberg News in a Sept. 29 article quoting unnamed sources familiar with the investigation who believed the hack was sophisticated enough that it had to be the work of a nation-state. Others involved in the investigation, the article added, aren’t so sure.
In an interview, Boisvert, a former assistant director of intelligence at the Canadian Security Intelligence Service (CSIS), said pointing the finger at countries for these breaches “would seem to be pretty solid opinion in a few areas of cyber security research. Like all these things, there’s no 100 per cent certainty, but there seems to be a preponderance of attributable information from reliable researchers that would indicate the motive in Home Depot, for example, could have been criminal in the sense it’s about profit [from selling stolen data], but it’s also in the interest of Russian nationalists, is the argument.”
In his keynote address Boisvert warned CISOs that today there are 100 countries that can “deliver APTs (advanced persistent threats) and live on your network and do anything they wish.” There are many “areas of the world where there is collusion between crime and national interest.”
“We have to accept we’re up against a set of increasingly skilled threat actors.”
One of the problems, he said, is the lack of international governance on cyber norms. “It’s at the root of everything. Unless we deal with that we’ll continue dealing with symptoms.”
In July a United Nations Group of Governmental Experts failed to reach consensus that certain principles of existing international law apply in cyberspace. The group, whose membership has expanded over time, has been meeting since 2004 to agree on how the laws and rules limiting conventional war, such as the definition of an “armed attack” and the right to self-defence, apply in the cyber domain.
That lack of agreement was also referenced by another workshop speaker, John Hewie, Microsoft Canada’s national security officer. Earlier this year Microsoft president Brad Smith called for a “digital Geneva Convention that will call on the world’s governments to pledge that they will not engage in cyber attacks on the private sector, that they will not target civilian infrastructure, whether electrical, economic or political variety.”
NOTE: Microsoft’s proposal will be discussed at a panel at next week’s annual meeting of the United Nations Internet Governance Forum in Geneva.
“Our biggest concern is we have nation states that are weaponizing our products and other commercial products,” said Hewie, “and using that to attack other commercial infrastructure and commercial organizations, who are also our customers.”
It is a challenge to get countries to agree on international cyber norms, he said, in part because the holes in digital infrastructure give every country an offensive advantage it is reluctant to give up. “We work with intelligence communities around the world and they reserve the right to hold onto vulnerabilities they believe are in their national interests.” The number of nations with offensive cyber capabilities is growing, he added.
In addition to countries having enforceable cyber crime legislation, Microsoft would like to see binding international agreements modelled loosely on the nuclear and chemical non-proliferation treaties, with 10 proposed commitments (for example, signatory countries would promise not to act against the security and safety of private citizens, intellectual property, journalists, the electoral process or systems key to the global economy, and not to tamper with mass-market commercial technology products; any cyber weapons would have to be as targeted as possible).
There would also be a tech sector accord (for example, no support for offensive cyber operations, coordinated disclosure of discovered vulnerabilities, a promise to assist customers anywhere and not to hold back patches) that would include the creation of an independent, peer-reviewed organization, with government participation, to attribute cyber attacks.
Hewie also had dark news for CISOs: cyber attacks like NotPetya will increasingly be rapid, automated and disruptive. NotPetya was not merely disruptive, he made clear, it was also destructive: one company had 66,000 PCs infected in 60 minutes, he said, and all of them had to be rebuilt because of the damage done to their hard drives.
What is most worrisome about NotPetya is the professional way it was packaged, he added, bundling a number of exploits. (NotPetya combined the EternalBlue SMB exploit with harvested credentials and legitimate Windows administration tools to move laterally, so patching the SMB flaw alone did not stop it.)
Other trends he mentioned are what he called the “weaponization of Office documents left on a file share” with a catchy file name staff are likely to open, thus spreading malware; the growing market for stolen corporate access credentials; lazy software developers who cut and paste open source code without verifying where it came from; and the compromise of software companies’ code or update mechanisms to spread malware, which is how NotPetya got started (its initial infections came through a poisoned update of the Ukrainian accounting software M.E.Doc).
“This is an industrialized attack industry,” Hewie said.
As for what CISOs can do, Boisvert said there are lessons from his years at CSIS:
– Have situational awareness. “If you don’t understand the situation you’re in, how are you going to defend yourself?”
– “There should be no barriers to information sharing.”
– Have a plan A, a plan B and a plan C. “You always have to think about the worst that can happen.” The organization should regularly conduct tabletop exercises on what to do in the event of a cyber attack, and remember to apply the lessons from those exercises.
“Complacency will kill you,” he warned infosec pros.