Last fall at the ICS Cyber Security Conference, I spoke personally with Thomas Quilty, international president for the High Technology Crime Investigation Association (HTCIA) and chief executive officer at BD Consulting & Investigations Inc.
The HTCIA is an international non-profit member organization open to law enforcement, corporate high-technology crime investigators, academia, and software or hardware vendors who provide products focusing on high-tech crime investigation. BD Consulting & Investigations provides software analysis tools and processes, supported by investigative consulting to help their clients protect their intellectual property. This protection includes patents, trademarks, copyrights and trade secrets.
With the recent information released from Mandiant Intelligence Center Report, APT1: Exposing One of China's Cyber Espionage Units, I thought Quilty's opinion on this validated cyber espionage would be of great interest. Following is a recent interview I had with him.
The Mandiant report on APT1 is very detailed and informative. What is important is their analysis of the threat information which potentially identifies the source and intentions.
Mandiant is a business entity that provides software and services to help protect information. InfraGard is affiliated with the Federal Bureau of Investigation (FBI) and was created to share information regarding threats to U.S. infrastructure and terrorism. InfraGard is an excellent organization. Much, not all, of the information from InfraGard is shared upwards instead of going to the entire organization. The HTCIA is a global organization for sharing information and providing high-tech crime investigation training to our members. Most of our training is free to members. Members can pose and respond to questions or requests for information posted on HTCIA’s listserv or in one of our website forums. Each member who has information to share makes their own determination as to what information is shared.
The FBI, federal and state law enforcement agencies normally have strict policies on the release of information. There are good reasons for these policies. The consequences of misidentifying an innocent person as a suspect, compromising informants or undercover agents, and danger to the public can result from premature release of information. When a case is closed (normally by a completed prosecution of those involved) and the information does not present a risk to the victim(s), an agency may decide to release information related to the case. Again, the release is subject to many restrictions. Law enforcement’s ability to share ongoing investigative information or even the fact that they have an investigation in progress limits their effectiveness as a source of information.
Mandiant's decision to release the information and techniques, though informative and beneficial to the public, is ultimately a business decision on their part. The information released may positively or negatively affect their business. As a business entity, they will either benefit or pay the price for release of the information. Personally, I applaud the release of their research as a wakeup call. The HTCIA is not a business, but a non-profit, and currently does not fund research into these activities. If the HTCIA had sponsored research, it would be available for the use of our members and with approval the public in general. The HTCIA does sponsor a cybercrime survey, but the information gathered is open source and gathered from practitioners in the field.
How a company should protect its information is the subject of many books, articles and studies. I don’t know of any company that would want to see their company name in the press identifying them as a victim of information theft. Each company has to determine its risks, likelihood of risk occurrence, and what resources are used to manage the risks. This is a very simplified overview. How a company balances protection of its information versus usability is always a battle within a company. Many times, ease of use wins over protection of information. Add in the increased costs, infrastructure, personnel and access time for additional protective measures, and a company has to again balance the costs versus risks along with likelihood of occurrence.
For many companies, especially those here in Silicon Valley, protecting their intellectual property (trade secrets, patents, trademarks, copyrights, etc.) is very important. The first step in protecting any IP is an understanding of what needs to be protected and assessing the risks. This is followed by threat identification, likelihood of occurrence (prioritization), infrastructure and many other factors. Note: I have shortened a very complicated process into two sentences, which doesn't do it justice. Once the risks and all related factors are understood, a company has to make a decision on how to protect itself using available resources. This includes staff, hardware or software such as Mandiant’s, or a combination of all these resources. In my opinion, a company may take all of these steps and more, and still be victimized. There is no single 100 percent solution to protecting a company’s IP, which is why companies deploy multiple overlapping solutions.
In Silicon Valley, intellectual property theft -- especially of trade secrets -- has been occurring for many years. Mandiant’s report highlights the theft of data from commercial organizations. The stolen data will most likely be used to provide a competitive advantage in the commercial market. China is most likely not the only country attempting to gain access to critical commercial information. My response to your question regarding whether further attacks are imminent is that every organization, commercial and government, maintains information that may be useful to one or more countries. The gathering of intelligence from U.S. companies and entities has occurred for many years and will most likely continue in the future. Whether to call this an attack or normal intelligence operations is a decision for our government. With the exception of industrial control systems, the technologies to stop most, [but] not all, security vulnerabilities are available. One of the links above speaks of a company taking steps to stop most vulnerabilities. Many companies do only that which is thought minimally necessary.
We are on a recruiting drive to bring in more members from law enforcement, biotech and the industrial control system world who can benefit from the relationship with HTCIA and share their experiences. Many law enforcement and commercial organizations are reluctant to join the HTCIA for fear they may accidentally release information. The value of the HTCIA is the ability to find contacts or information which assist in the investigation of high-tech crimes. Several of our chapters and the International Conference will have training in the investigation of industrial control systems (ICS). As an organization, we constantly have to look beyond the here and now to the future of high-tech crime investigation. Our relationships with the Information Systems Security Association, ISACA [previously known as the Information Systems Audit and Control Association] and other groups are being strengthened to help close any gaps between the traditional IT groups and IT Security, ICS and Investigations.
Larry Karisny is the director of Project Safety.org, a cyber security expert, consultant, writer and industry speaker focusing on security solutions for the smart grid and critical infrastructure.