Cyber Espionage: What the five Chinese officials did and how to protect your organization

by Mike Bailey

Attorney General Eric Holder's announced the indictment of five Chinese officials for computer crimes against corporations including Alcoa, U.S. Steel, Westinghouse, Allegheny Technologies, United Steelworkers International Union, and SolarWorld sent shock waves through the world. Previously there have been numerous allegations of Chinese hackers attacking U.S. corporations, including the New York Times, Google, and many others. But this is the first time that the United States has taken such a bold stance against China's hackers. Beyond political implications, the issue of cyber espionage is just one on the growing list of cyber threats faced by corporations every day.

What does cyber espionage look like?

Cyber espionage is much simpler than the name would imply. It doesn't necessarily include a collection of screens spewing green numbers. It typically involves techniques that are well-known and documented.

According to an article by the Pittsburgh Business Times the attack on U.S. Steel, part of the indictments of the five Chinese officials, originated in a specific type of email phishing attack.:

"That's exactly the situation faced by about 20 U.S. Steel Corp. employees who received an email in early 2010 from the then-CEO John Surma. But that email wasn't from Surma at all. It was instead the vanguard of a sophisticated cyber attack by a group of tech-savvy Chinese military officers bent on gaining access to U.S. Steel's computer systems, according to a federal indictment released Monday.

At least one, and possibly several, U.S. Steel (NYSE: X) employees fell for the trap, allowing the hackers to install malware that helped them gain access to the steelmaker's system.

That's a technique called spearphishing, where specific people — usually at a company — are targeted in an attempt to gain access to a computer system."

Cyber espionage in this case is nothing more than a Nigerian prince with some targeting from social networks and a new identity. Yet companies worldwide keep suffering these types of attacks by not training their end users of the warning signals and safe behaviors to protect themselves and their employer.

What are the economic costs of cyber threats?

According to a report released by the Center for Strategic and International Studies, United States corporations lose $100 billion every year due to cyber-espionage. This doesn't include the loss of intellectual property and data breaches, which is estimated to have a $1 trillion effect on the global economy. The U.S. Cyber Command says there are 6 million attacks a day just on government networks.

Beyond the direct economic costs mentioned above, firms need to consider the indirect costs of having a competitive advantage over their competitors. The allegations by the Attorney General is that these cyber breaches by Chinese hackers are for the benefit of Chinese state-owned companies, and there appears to be truth behind that statement. According to an article from the Pittsburgh Post-Gazette about the indictment:

"In 2007, Westinghouse signed contracts with a Chinese government-owned company for the construction and operation of four nuclear reactors, according to the indictment. Unit 61398 then stole specifications that would allow the Chinese to build similar plants without any of the research costs incurred by Westinghouse, prosecutors allege. "In total, between in or about 2010 and in or about 2012, members of the conspiracy stole at least 1.4 gigabytes of data, the equivalent of roughly 700,000 pages of email messages and attachments, from Westinghouse's computers," the indictment said. In 2010, the defendants accessed U.S. Steel's computers while the Downtown-based steelmaker was engaged in anti-dumping litigation involving seamless steel pipes that Chinese firms were selling to the U.S. at unfair prices, investigators alleged."

The direct and indirect economic costs are terrifying in and of themselves, and they are not going away. In fact, they're increasing- quite dramatically. According to a report by the World Economic Forum in conjunction with McKinsey, the cyber security threats could cost the global economy $3 trillion by 2020, an estimated 200% increase in under 6 years.

We are the weakest link: Stop sitting on the sidelines

Many organizations, analyst and experts consider humans to be the weakest link in cyber security. And yet day after day we hear about new breaches and don't do enough to prevent breaches from happening in the first place. An article just released by Bloomberg confirms the opinions held by so many in information security. Trained end users can be your best front line of defense in detecting intrusions and dealing with breaches quickly.

End users must first be aware of the threats, but also trained effectively in identifying and reporting suspicious links, attachments, text messages, applications and other forms of communication. This organizational change in most cases doesn't happen overnight, even if you equip yourself with training and start building an education program immediately.

So how do you get started? First, if end user security awareness and training is something that is not a priority at your organization, you need to build a business case. We have a great resource that shows you how to do just that, a replay of a webinar we recently conducted on the same topic.

Doing the training- right

Beyond awareness and building a culture, you need training. Before you look in the direction of consultants or a company that can provide manual training, consider this: Is the solution scalable?

If it isn't, the solution will likely cost so much money that your business case for training will fall apart. In-person instruction and training is not only expensive, but severely hampers productivity, requires dedicated classroom space, and cannot be implemented quickly due to the logistics.

The second question you need to consider is: Will the solution work?

Applications that engage users are the future of learning and retaining information. They're more effective than traditional in-person instruction, videos, or presentations. Additionally, users want to be engaged. Apple recently released their most popular app categories, and #1 was the games category, while #2 was the education category. The opportunity to engage and train your end users is out there and available.

It really comes down to this: Do you need a security and awareness training platform given all the facts and recent stories about cyber threats? We're leaving that up to you to decide.