The news that the attack on Google in 2009 also compromised a database holding warrants for lawful intercept surveillance on users has raised fears about the security of national security data on private networks. Cyberespionage operations pose a serious threat to national security, and these attacks are increasing. Dennis Fisher spoke with Anup Ghosh of Invincea about the nature of the threat and what can be done to address it.
Threatpost: We knew about the original attack on Google several years ago, but now with the new details about the attackers going after the surveillance database, it’s changed things. That seems like a pretty brilliant move by the attackers.
Ghosh: From a counterintelligence operations point of view, trying to find out if your agents are burned is a great offensive strategy. What we don’t know is whether that [database] was the target of the breach. Google said they lost source code originally and it turned out that the Aurora attack was a massive campaign. The goal appeared to be the intellectual property theft against these companies. Now it comes out years later that they also got this database of warrants served by the FISA [Foreign Intelligence Surveillance Act] court. I don’t know whether it was a targeted operation for counterintelligence purposes and the IP theft was a red herring, or was it that they incidentally came upon [the database].
Threatpost: Do you have a guess one way or the other?
Ghosh: We may never know. What we do know is that really important national security assets are stored on private sector networks. It was a spear phishing attack. Once you get that beachhead, you’re looking for assets. The Chinese now have incredible intelligence, and even if they’re not using it themselves, they still have a treasure trove. This was unknown before this week. This was a major loss. Those records aren’t limited to the Chinese. It’s the whole thing. Everybody that they’re able to get a warrant for under FISA is considered a national security risk. It goes to the point that so much of our national security apparatus lives in the private sector.
Threatpost: That’s probably not something that many people realize. Government officials have been talking about how a lot of the critical infrastructure is owned by the private sector, but this isn’t what they’re talking about.
Ghosh: No, they mean utilities and energy networks and those things. A lot of people think of the military as living at the Pentagon, but a lot of this lives in the private sector. So the security of these networks is a matter of national security. The Chinese are not going to stop. Neither are the other groups. This is a treasure trove to be mined by anyone. At what point are we going to say, hey, we need to take this threat seriously and we need to innovate our way out of this problem? We can’t count on every user making the right decision on every email.
Threatpost: A lot of these attacks do hinge on users, it seems.
Ghosh: The Google attack came down to a single user clicking on a link that resulted in the loss of all that intelligence. At what point do we say, gosh, I didn’t realize I was depending on the user to make the right decision. We’ve punted security problems to the user? At some point we need to stop kidding ourselves.
Threatpost: One possibility I see is that the government could use an incident like this as a way to grab some more control of private networks they see as critical.
Ghosh: The government should be a leader rather than a mandate-driven organization. If they can prove that they can address spear phishing threats, then they can lead. We discovered that watering hole attack on the Department of Labor site, and it was a zero day against IE 8, no patch or signature available. We only determined it after visiting the site on a tip and it immediately compromised the virtual container we were using. The fact that they compromised another site to get to the Department of Energy and the nuclear secrets is almost making a mockery of our federal security. The old paradigm doesn’t work against the current threats. We need to at least jump up to where the current threats are.