
Using Intelligence Against Companies That Benefit From Cyberespionage

'Naming and shaming' the ultimate beneficiaries of stolen trade secrets can work

SAN FRANCISCO -- RSA CONFERENCE 2013 -- Whether identifying the human or actor behind a targeted attack -- a.k.a. attribution -- is even relevant has been hotly debated. But knowing and confirming who your attacker is could be a key element of ultimately making cyberespionage more costly for nation-states like China, some security experts say.

Dmitri Alperovitch, co-founder and CTO of CrowdStrike, says it's "mindboggling" to him when people say attribution of the attacker doesn't matter. "It's fundamentally critical who your enemy is," Alperovitch said here in an interview last week. "Don't you want to know if it's a murderer that's inside your house or a guy who stole your TV? You have to know what to protect."


The industry has evolved over the past year or so from focusing only on blocking attackers from getting in to a more pragmatic acceptance that these determined and well-funded attackers can't really be stopped and are likely already inside your network. The focus now is on how to stop them from stealing and exfiltrating sensitive information. Alperovitch said that requires a good understanding of who the people and groups are behind the attacks, so you can make it more expensive and risky for them to attack.

And the ultimate solution would be to go after the actual beneficiaries of the stolen information, such as some Chinese businesses. "It's helpful to know exactly which building, unit, affiliation, and ... yes, their faces," Alperovitch said. "But it's also helpful to understand the trade craft of that group. The strategic level of attribution is useful ... [they are] passing it to local and state-owned companies. Understanding who these companies are is important."

Many Chinese businesses also are trying to branch out globally and do business outside China, he said. "If [Chinese companies] are using stolen information, you can bring that leverage ... for trade sanctions. It may not be against China or the PLA [People's Liberation Army], but you could take criminal action against [the companies'] executives," for instance, he said.

The Obama administration's newly announced strategy on fighting the theft of intellectual property could help here. "We're going in that direction with the strategy the administration is trying to lay out with trade sanctions that are not specific to cyber. We need to expand that to cyber," Alperovitch said.

[The U.S. government will be slow to act against aggressors who attack through the Internet, predict policy and China experts at RSA. See China's Cyberespionage Will Continue Unabated, Say Experts.]

Alperovitch said raising the cost of doing business for Chinese firms capitalizing on stolen U.S. intellectual property is key. And "naming and shaming" firms under suspicion of spying or being agents of the Chinese government, as with the case of Chinese telecommunications company Huawei, can help, he said.

Take Huawei, which, along with Chinese company ZTE, was called out by Congress recently as risky to do business with here in the U.S. A congressional intelligence committee warned of potential security risks to U.S. infrastructure if the Chinese companies were used as suppliers. The fallout has affected Huawei's business aspirations in the U.S., Alperovitch said. "It has made an impact on their business," he said. "There's no question that naming and shaming can be very effective."

But what about the U.S.'s own use of cyberespionage? James Lewis, director and senior fellow of the technology and public policy program at the Center for Strategic and International Studies, in a paper published today explains the differences in how the U.S. and China each employ cyberespionage.

"The US government does not engage in economic espionage and intellectual property laws are more strongly enforced in the United States than in many other countries, including China. Nor are American political 'hacktivists' encouraged by the US government. The US approach to cyber conflict treats cyber techniques as a traditional tool of statecraft, providing advantage in military and political intelligence, and as a new weapon to strike opponents," Lewis wrote.

"The US uses cyber techniques to monitor and assess Chinese capabilities and intentions, and to gain battlefield advantage in the event of conflict. US cyber actions, unlike Chinese cyber actions, are focused on their competitor’s official government activities and not on economic espionage. US laws effectively preclude economic espionage by government agencies and punish private individuals who breach intellectual property laws," Lewis writes.


Kelly Jackson Higgins is Senior Editor at Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ...
