Good afternoon. Thank you for the invitation to speak to you today.
Given the recent news about Target and other retailers, I doubt there is much more I could say to drive home awareness of cyber issues.
There is no greater threat to Corporate America than the cyber intrusion. I have said in many forums it is a 21st Century threat that requires a 21st Century solution. The stakes are high; our future is at risk; and we must work together to protect our people, our economic system, our companies and our way of life.
The cyber threat is ubiquitous. It is constantly changing and it comes from without and within, from external hackers and criminal insiders. No less than the former Secretary of Defense and the former FBI Director have said that we hope we don’t have to face a cyber Pearl Harbor or a Cyber 9-11 before we get smart about what we need to do to protect ourselves. Attorney General Eric Holder has noted, “from criminal syndicates, to terrorist organizations, to foreign intelligence groups, to disgruntled employees and other malicious intruders, the range of entities that stand ready to execute and exploit cyber attacks has never been greater.”
The cyber threat goes to our core – our financial institutions are at risk, our power grid is at risk, our water supply is at risk and our air traffic control system is at risk – just to mention a few. And so it is a grave threat that requires an all hands; all tools approach.
Here in Pittsburgh, we have been the target of many of these cyber intrusions. You may recall the bomb threats at the University of Pittsburgh which were cyber based. PNC was a target of the D-DOS attacks against the banking system. There have been several others. The good news is our region is fortunate to have some of the nation’s best resources, including CERT, the Computer Emergency Response Team, a public-private partnership over at CMU, and the National Cyber Forensics Training Alliance (NCFTA) on Technology Drive, which is a public-private partnership that has launched hundreds of criminal investigations into cybercriminals worldwide.
What are the Threats?
The Internet is a system built on the trust that users, data, and applications on the network know and trust each other. However, the Internet, much like the post office, delivers data without prejudice…whether or not it is legitimate or the electronic equivalent of letter bombs. Users trust that email is secure, confidential and reliable. Users trust that public websites are safe, and they trust that applications are developed from a trusted vendor. Circumventing these methods of trust are the primary vectors for all cyber intrusions.
The Threat has many forms. A decade ago, individual hackers were writing viruses like “I love you” or “Melissa.” With advancements in technology has come sophistication in the risk. Today we face four primary challenges in the cyber world: hacktivists; organized cybercriminals; cyber espionage and terrorist groups.
We face hacktivists who use computers and computer networks to promote political ends, mainly free speech, human rights and information ethics. It is carried out under the premise that proper use of technology can produce results similar to those of conventional acts of protest, activism and civil disobedience. This includes Anonymous, an online group that initiates acts of civil disobedience without revealing user identities.
We also confront off shoot groups like LulzSec (r Lulz Security) and AntiSec (Anti Security Movement). LulzSec members are comprised of computer experts who hack systems and damage computers in response to their political causes. AntiSec is a movement opposed to the computer security industry.
We face cybercriminals. We are very active here and brought one of the first large cases in the country involving the theft of what was then a record $82 million dollars by a cyber thief known as the “Iceman.” You may have read about prosecutions by some of my U.S. Attorney colleagues around the country who have taken down organized criminal enterprises like Rove Digital, a company founded by a ring of Estonian and Russian hackers that gained fame as a producer of copious amounts of spam, and as a major distributor of trojans to commit a massive Internet fraud. Operation Cardshop was set up to investigate the practice known as "carding", where hackers steal credit card, bank and other financial information on the web. And Operation ACHing Mules was a scheme which involved the use of a sophisticated banking trojan program and numerous “money mules” to steal from dozens of U.S. business accounts.
Cyber espionage is yet another challenge. We see state-sponsored or corporate spying or use of spies to obtain secret information about another government or a business competitor.
And we face terrorists who use violence and threats to intimidate or coerce, especially for political purposes. Terrorists would like nothing better than to digitally sabotage our critical infrastructure systems.
There are three levels of intrusion:
Threat Level 1 - This is an inexperienced hacker with limited funding. These individuals engage in opportunistic behavior, targeting known vulnerabilities. They use viruses, worms, rudimentary Trojans, and bots. These threats and intrusions are easily detected.
Threat Level 2 – These hackers have higher order skills. They are well-financed and target known vulnerabilities. They also use viruses, worms, Trojans, and bots, but also do so to introduce more sophisticated tools. These criminals target and exploit valuable data. They are detectable, but are often hard to attribute.
Threat Level 3 – They are sophisticated individuals using sophisticated tradecraft. Often, they are associated with Foreign Intelligence Agencies. They are well financed. They target technology, Intellectual Property, as well as general commercial information. Often, they establish covert presence on sensitive networks. To date they have presented detection challenges.
How are they attacking us?
They are attacking us by exploiting our trust.
They exploit the trusted incoming email by adding an attachment with malicious code which the recipient is likely to open.
The email is made to appear to be sent from a trusted source – in some cases the actual mail server of a legitimate client. Sometimes, documents (.doc, .xls, .mdb, etc.) in email have a secretly embedded malicious code.
Often, the attack is through the publicly available trusted web site of appropriate business interest or the download of trusted code from a trusted and authorized vendor; or the trusted protocols for data transfer; or the trusted external client server; or the inherent trust of the internal corporate network.
So you can see, there are many points of entry.
We also deal with an advanced persistent threat represented by a sophisticated and organized cyber attack to access and steal information from compromised computers.
The usual targets are the Defense industry, financial industry, manufacturing and research industry.
The difference between a criminal hacker and an advanced persistent threat is the persistence of the threat and the resources available to the hacker.
These high level hackers use tools that are “less noisy” and can circumvent anti-virus. These threats can last several years without detection.
What can we do to combat the threat?
We need attribution. We need proactive investigations and intelligence gathering operations to attribute the origin of these threats.
We need disruption. Once we identify the attacker, we need to expose and prosecute them.
What can you do?
To reduce the risk of cyber intrusions and trade secret theft you must protect your network.
Best practices include the following types of security measures:
- network surveillance;
- encrypting and physically securing sensitive information;
- using redundant firewalls;
- conducting internal trade secrets audits;
- restricting access areas, passwords, and clearance levels;
- limiting employees’ access to information on a “need to know” basis;
- identifying and labeling confidential information with appropriate classification markings;
- requiring employees to enter into written confidentiality and non-compete agreements; mandating clearance requirements for visitors; issuing employee handbooks that detail provisions regarding protecting trade secrets;
- conducting background checks on employees; and,
- scheduling entry, exit, and additional meetings with employees to inform them of their continuing confidentiality obligations.
When an attack happens, follow your emergency plan and start protecting your data. Your response must begin within hours not days to be effective. Contact Law Enforcement and report cyber attacks promptly so that we can preserve evidence and identify and increase the potential to prosecute.
Your Cyber response must preserve original media as evidence.
- Conduct analysis from a copy (if possible);
- Review all logs (DNS, Firewall, Proxy, System Event Logs);
- Contact ISP for additional logs and possible filtering; and
- Begin damage assessment (including damage valuation).
We recognize the importance of collaboration to fight cybercrime. Information sharing and partnerships between the private sector and law enforcement will be critical to win the battles we face in cyberspace. The FBI can and will help you.
What can Directors do?
I know I was invited here to specifically address the question of what Corporate Directors can do.
Let me begin with a couple of caveats. This is a serious matter involving your legal obligations. You should trust your lawyers and follow their advice; I am not your lawyer – for this! But, as we are in this together and we are partners in the effort to build an effective cyber defense network, I offer the following observations:
The SEC offered guidance in a 2011 Directive on disclosures. This issue is still fluid but Directors must press management to take steps to prevent cyber intrusions, discover cyber hacking and work with management to assess materially for disclosure obligations.
Cyber security legislation is again before the Congress. We stay out of legislative debates and there is much debate. I suggest you engage; the stakes are too high.
President Obama has signed an Executive Order in February of 2013 to ease the anxiety and increase the comfort level of the private sector to report incidents and cooperate with the government to address cyber intrusions. The Executive Order allows private companies to get security clearances to better understand and share details about cyber attacks and tasks the National Institute of Standards and Technology to come up with sector specific standards for cyber security and then requires companies to engage with their regulators to decide upon how those standards will be implemented until then.
Directors need to ensure that companies are aware of and adequately addressing the growing threat of cybersecurity.
Directors need to determine if there are procedures and policies in place to address the threat and how they are being followed.
You should request that management report regularly to the board on what the company is doing to mitigate cyber threats and whether the company is appropriately addressing those risks.
You need to communicate the need to address cybersecurity issues and create a culture that views cybersecurity as a corporate social responsibility.
Don’t wait until an intrusion happens to build relationships with federal, state and local authorities who handle cyber cases. Know their names; have them on speed dial. Brief them on your company and its lines of business, types of threats you are seeing—before anything happens, so they are prepared to respond when it does.
Compare notes with others in your industry about common threats. Don’t be a lone defender in your sector.
Notify law enforcement as soon as a significant breach occurs. When you wait for days and weeks, you really make our job difficult on many levels.
Do not assume that we will take your network infrastructure and display it on a large screen at trial. We work with victims all the time to protect sensitive aspects of their systems so they are no re-victimized in the trial.
Do not give up if the trail goes overseas. We are telling ourselves the same thing, and DOJ’s track record of making overseas arrests is quite strong. We have worked hard to build relationships all over the world, so let us use them to help find who committed the attack and to arrest and extradite them.
Don’t forget that insiders are an enormous threat—perhaps the biggest threat. Make sure that you have strong internal policies and levels of access.
Make sure you have banners allowing your review of computers connected to your systems. Make sure when someone leaves—particularly someone with administrative access—that you take appropriate measures.
Be merciful with your own network administrators when an intrusion occurs. It is impossible to prevent everything.
In summary, the Administration in general—and the Department of Justice in particular—have been busy working on this issue. Our goal is to promote an ongoing dialogue within the private sector to encourage sharing ideas to prevent data breaches and trade secret and other commercial data theft. Today’s discussion is an important step in reaching that goal.