Modern field guide to security and privacy

Opinion: What cybersecurity pros can learn from 'Ocean's Eleven'

In the movie 'Ocean's Eleven,' cunning crooks outwitted an elaborate defense system. The same dynamic plays out on the digital front. That's why cybersecurity requires strong threat deterrence and not just stronger locks and taller fences.

Photo: Warner Bros. Pictures. (L to r) George Clooney as Danny Ocean, Brad Pitt as Rusty Ryan, Matt Damon as Linus Caldwell, Elliott Gould as Ruben Tishkoff, and Don Cheadle as Basher Tarr in Warner Bros. Pictures and Village Roadshow Pictures' "Ocean's Eleven," also starring Andy Garcia and Julia Roberts, distributed by Warner Bros. Pictures. Handout, December 7, 2001.

Remember "Ocean's Eleven," where George Clooney's character Danny Ocean masterminds an elaborate heist of the posh Bellagio casino in Las Vegas?

Mr. Ocean and his accomplices used social engineering, technical smarts, and strategically placed insiders to penetrate the Bellagio’s comprehensive, state-of-the-art security system and abscond with $160 million. In "Ocean’s Eleven" even the best defenses could not immunize the organization against penetration by concerted adversaries.

It is in this regard that "Ocean's Eleven" should serve as a cautionary tale to cybersecurity policymakers.

For more than a decade, US cybersecurity policy has focused on defense – using stronger locks and taller fences to protect government and corporate crown jewels from cyberintruders. A great deal of time and money has been spent beefing up cyberdefenses to prevent network intrusions. And there's reason to believe that certain defensive actions significantly enhance network security. 

Consider, for example, the so-called "Australian Top 4." Those are the four defensive measures the Australian Signals Directorate says could prevent at least 85 percent of the targeted cyberintrusions to which it responds. The Top 4 requires, among other things, patching high-risk vulnerabilities within 48 hours and minimizing administrative privileges. Sure, defensive measures can prevent some cyberintrusions.

But even the best cyberdefenses are no match for certain intruders – nation-states such as China, Russia, Iran, and North Korea – and other concerted adversaries willing to go to almost any expense to penetrate specific networks of value to them.

Imagine, for example, that a group of Chinese government-backed hackers is targeting a specific US defense contractor's data. The hackers will not give up and move on to a different target simply because the defense contractor hardens its networks. More than a decade has passed since the discovery of Operation Moonlight Maze (1998), Byzantine Hades (2002), Operation Titan Rain (2003), and other cyberespionage operations allegedly orchestrated by China. Yet, despite ever-increasing government and private sector investments in network defenses, we don't appear to have made much headway on the nation-state-sponsored cyberespionage problem.

Recent media reports allege that a number of foreign hacking groups – Dragonfly, Newscaster, Axiom, and Unit 61398 to name just a few – are engaged in sophisticated, multiyear cyberespionage campaigns against a variety of US military and commercial targets.

Reports from US cybersecurity firms have offered a rare glimpse into the activity of these hacking groups. We have learned, for example, that Dragonfly (a.k.a. Energetic Bear) is a well-resourced, likely Russian government-backed, group of hackers engaged in a multiyear cyberespionage campaign that targeted defense and aviation firms before turning its attention to the energy sector in 2013.

Newscaster, a cyberespionage campaign that US researchers recently linked to Iran, has stealthily targeted US military contractors as well as senior US military and diplomatic personnel since 2011. Axiom is a group of highly skilled hackers allegedly backed by the Chinese government. The group is believed to have victimized Fortune 500 companies, governments, and other targets worldwide for at least six years.

People’s Liberation Army (PLA) Unit 61398 is allegedly a Chinese military hacker unit whose existence was exposed by US cybersecurity firm Mandiant in February 2013. Five members of Unit 61398 were indicted in the US this past May on charges of hacking and economic espionage against US industrial giants including Alcoa (the largest aluminum company in the US), US Steel (the largest steel company in the US), and Westinghouse Electric.

In July 2013, McAfee Labs issued a report exposing a massive cyberespionage operation – dubbed Operation Troy – designed to steal sensitive South Korean military and government data. While McAfee's report did not publicly name North Korea as the culprit, the evidence provided pointed to North Korea, and experts generally agree that the operation was attributable to North Korean state-sponsored hackers.

Now, in the wake of the recent Sony Pictures hack, there's renewed interest in Unit 121 of the North Korean People's Army, an alleged military hacking unit of which the US has been aware for more than a half dozen years. Unit 121 is tasked, among other things, with military cyberespionage.

Despite efforts to strengthen our cyberdefenses, cyberespionage continues. In some cases, our adversaries defeat our improved defenses; in other cases, they simply avoid them. For example, adversaries frequently rely on social engineering – tricking people into disclosing information they should not, so that the adversary can gain the targets' trust and compromise their networks. This is a tactic against which it can be quite difficult to defend, as it requires, among other things, extensive employee education and awareness.

Our adversaries’ continued success with cyberespionage suggests that, by themselves, stronger locks and taller fences are not enough to stop targeted attacks by determined adversaries; threat deterrence is essential. The goal of threat deterrence is to make cyberespionage so costly that it no longer pays. Cyberespionage can be made more costly through improved detection, attribution, and punishment of cyberintruders.

First, improved detection of cyberintruders is important because a high probability of being discovered can serve as an effective deterrent to would-be intruders.

Second, while effective threat deterrence does not require perfect attribution, we must identify cyberintruders with enough confidence to pursue sanctions, civil litigation, criminal prosecution, and other actions that will make cyberespionage more costly to our adversaries. 

Lastly, we must penalize cyberintruders, whether through criminal prosecutions, trade sanctions, or civil litigation designed to recoup damages from foreign industry recipients of stolen intellectual property.

Shifting from a defense-dominated cybersecurity strategy to one that embraces threat deterrence will not be without challenges, but it is essential if we are to secure cyberspace for the future.

Melanie Teplinsky teaches information privacy law at the American University Washington College of Law as an adjunct professor. She started her career in cybersecurity in 1991 as an analyst at the National Security Agency.

https://www.csmonitor.com/World/Passcode/Passcode-Voices/2015/0225/Opinion-What-cybersecurity-pros-can-learn-from-Ocean-s-Eleven