There was a simple dream: the rapidity and scope of communication would break down barriers between societies and individuals and provide transparency of such magnitude that the age-old dream of a human community would come into being.
The opposite happened: networked transparency and the absence of privacy have propelled us into a world without limits or order, forcing us to careen through crises without comprehending them.
Some background
This week U.S. law enforcement officials charged three Chinese hackers who they said had infiltrated law firms over a period of about 18 months by hacking into networks and servers. Once inside, the gang targeted the email accounts of senior partners who worked on mergers and acquisitions. They then bought stock in at least five publicly traded companies which were the target of deals, netting profits of about $4m once the transactions were announced.
Reports of the probe earlier this year had prompted law firms to try to plug gaps, efforts that are likely to be stepped up after this disclosure. And as various legal media pundits have noted, some of the biggest law firms on Wall Street are now scrambling even more to shore up their defenses against cyber attacks.
Note: some law firms are moving vital data networks offline, building systems independent of the Internet. This will not offer airtight security, but it will probably make those firms harder to hack.
There is the usual wringing of hands. New York’s Department of Financial Services tried to “add urgency” this week by updating a proposed rule on cyber security regulation, which is due to come into force in March 2017. The rule, the first in the U.S., requires banks and insurers to make certain that their systems, and the systems of third-party vendors such as law firms, can handle the risks associated with cyber threats.
The media are having a field day, coining a new phrase: “outsider trading”. But as noted this month at a cyber security workshop in NYC, both IT experts and government regulators see this “as an increasingly serious threat to securities markets and the horse may very well have left the barn”.
My regular readers know that none of this is new. Earlier this year, Chinese hackers got into dozens of workstations and servers at the Federal Deposit Insurance Corp. And over the summer U.S. authorities discovered a gang of Ukrainian hackers had made $30m in illegal profits by trading on stolen information from 150,000 press releases before they were made public. As Flashpoint (a cyber intelligence company we consult) noted in a report, Ukraine-based and Russian-based hackers have been testing the defenses of big U.S. law firms for well over a year. In March 2016 they put out an alert on so-called “spear phishing” in which hackers use highly targeted emails based on sophisticated profiles they build on users to trick those users into inadvertently downloading software which then attacks their machines. Similar techniques were used in the China attack disclosed this week.
And as numerous cyber experts will tell you, U.S. law firms are soft targets because they have a perceived lack of “proper security hygiene”. As one cyber expert (who works with U.S. law firms) told me:
Digitally classifying data and tracking its movement, employing network monitoring and building rule sets that send alerts when classified data leaves the network, and blocking file sharing websites that are not specifically approved by the law firm are some of the many ways to help deal with the challenge of both an insider threat and an outside threat. Yet very, very few of these methods are employed at law firms.
And virtually none of these methods are used on e-discovery document reviews, another suspected source for law firm infiltration. As we noted in my referenced “long read” above, an e-discovery document review in the D.C. Metro area this past summer was under investigation as data was being pulled off the document review platform on an unauthorized basis. Such extraction should not be possible in any such review tool, but it was discovered that the security and audit controls around the e-discovery services process were defective and easily compromised. Maybe that explains the influx of Chinese and Russian attendees in the exhibit halls of LegalTech every year.
Granted, the most expensive part of e-discovery is the document search and review process. The review costs arise primarily from two legal activities: (1) search for and identification of the likely responsive or relevant documents, and (2) the study of the documents identified as likely relevant to determine which must be withheld, logged, redacted, and/or labeled. This process constitutes between 60% and 80% of the total cost. Unpredictable, high e-discovery costs were a core problem in civil litigation and accelerated the development of artificial-intelligence-enhanced software.
But artificial-intelligence-enhanced software is not good enough, yet, to be relied on exclusively, so teams of temporary document review attorneys are still required, usually outsourced to legal-vendor-controlled document review centers to reduce costs. But law firms … and in-house legal departments … need to look beyond cost savings and focus on security and employ the suggestions noted above: tracking the movement of data, employing network monitoring and building rule sets that send alerts when classified data leaves the network, and blocking file sharing websites. And question such practices as “remote review” (touted as a cost saving device) wherein staffing agencies employ off-site document review attorneys. Several law firms have complained to me that often these candidates are unvetted. Just do your homework.
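To make the three suggestions above concrete (classify data, alert when classified data leaves the network, block unapproved file-sharing sites), here is a small egress-alerting script. It is an added illustration, not code from the original post or from any vendor mentioned in it. It assumes a hypothetical document registry keyed by SHA-256 of content, a hypothetical proxy log format that records the hash of each request body, and a hypothetical firm policy (internal domain suffix, known and approved file-sharing hosts); all sample log lines are constructed.

```python
import hashlib
import re

# Constructed sample "document registry": SHA-256 of content -> classification label.
# In practice the label would come from the firm's data-classification tooling (assumption).
_DOCS = {
    b"Project Falcon: tender offer for ACME Corp at $42/share": "PRIVILEGED",
    b"Tuesday cafeteria menu: tacos": "PUBLIC",
}
REGISTRY = {hashlib.sha256(body).hexdigest(): label for body, label in _DOCS.items()}
PRIV_SHA, PUB_SHA = (hashlib.sha256(body).hexdigest() for body in _DOCS)
EMPTY_SHA = hashlib.sha256(b"").hexdigest()  # hash of an empty request body (e.g. a GET)

# Hypothetical firm policy: what counts as internal, which file-sharing hosts are known,
# and the subset of those that the firm has explicitly approved.
INTERNAL_SUFFIX = ".examplefirm.test"
KNOWN_SHARING_HOSTS = {"share.examplefirm.test", "drop.example.net", "files.example.org"}
APPROVED_SHARING_HOSTS = {"share.examplefirm.test"}

# Assumed proxy log format: <timestamp> <user> <method> <url> <sha256 of request body>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"https?://(?P<host>[^/\s:]+)\S*\s+(?P<sha>[0-9a-f]{64})$"
)


def evaluate(line):
    """Findings for one log line as a list of (severity, reason); None if the line does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    host = m["host"].lower()
    is_upload = m["method"] in ("POST", "PUT")
    label = REGISTRY.get(m["sha"], "UNKNOWN")
    findings = []
    # Rule 1: labelled (non-public) content is being uploaded to a host outside the firm.
    if is_upload and not host.endswith(INTERNAL_SUFFIX) and label not in ("PUBLIC", "UNKNOWN"):
        findings.append(("HIGH", f"{label} document leaving network to {host}"))
    # Rule 2: any upload to a file-sharing site that is not on the approved list.
    if is_upload and host in KNOWN_SHARING_HOSTS and host not in APPROVED_SHARING_HOSTS:
        findings.append(("BLOCK", f"upload to unapproved file-sharing site {host}"))
    return findings


def scan(lines):
    """Run every line through evaluate() and return alerts as (ts, user, severity, reason)."""
    alerts = []
    for line in lines:
        findings = evaluate(line)
        if not findings:
            continue
        m = LOG_RE.match(line)
        for severity, reason in findings:
            alerts.append((m["ts"], m["user"], severity, reason))
    return alerts


# Constructed sample log: an approved internal upload, a read of a public site, an attempt
# to push a privileged document to an unapproved sharing site, a public document sent out
# by e-mail, and a malformed line that the parser must tolerate.
SAMPLE_LOG = [
    f"2016-12-28T09:12:01Z jdoe POST https://share.examplefirm.test/upload {PRIV_SHA}",
    f"2016-12-28T09:15:44Z jdoe GET https://www.example.com/news {EMPTY_SHA}",
    f"2016-12-28T09:20:10Z rroe POST https://drop.example.net/api/upload {PRIV_SHA}",
    f"2016-12-28T09:22:05Z rroe PUT https://mail.example.org/attach {PUB_SHA}",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(*alert)
```

Running it raises two alerts, both for the third line: a HIGH alert because a PRIVILEGED document is leaving the firm, and a BLOCK because the destination is a file-sharing host the firm never approved. The approved internal upload and the public document generate nothing, which is the point: the rules only fire on the combination of label and destination, so reviewers can keep working without drowning the SOC in noise.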
Cyber technology, cyber warfare and law firms
In “World Order”, Henry Kissinger notes:
For most of history, technological change unfolded over decades and centuries of incremental advances that refined and combined existing technologies. Even radical innovations could over time be fitted within previous tactical and strategic doctrines: tanks were considered in terms of precedents drawn from centuries of cavalry; airplanes could be conceptualized as another form of artillery, battleships as mobile forts, and aircraft carriers as airstrips. For all their magnification of destructive power, even nuclear weapons are in some respects an extrapolation from previous experience.
What is new in the present era is the rate of change of computing power and the expansion of information technology into every sphere of existence. Cyberspace — a word coined only in the 1980s — has colonized physical space and, at least in major urban centers, is beginning to merge with it. Communication across it, and between its exponentially proliferating nodes, is near instantaneous. As tasks that were primarily manual or paper based a generation ago — reading, shopping, education, friendship, industrial and scientific research, political campaigns, finance, government record keeping, surveillance, military strategy — are filtered through the computing realm, human activity becomes increasingly “datafied” and part of a single “quantifiable, analyzable” system.
I want to focus on a few issues discussed this month at a cyber war forum, noting attacks on law firms and corporations.
“Defense is futile”
One overriding theme at the forum was that all the complexity is compounded by the fact that it is easier to mount cyber attacks than to defend against them, and that has encouraged an offensive bias in the construction of new capabilities: “Defense is futile”. Says “Zak L.” (my “black hat” friend and frequent conference companion):
There are ways to communicate securely, of course. You could use, for example, an encrypted chat program such as Cryptocat, ChatSecure or PQ Chat. But that approach isn’t the solution, because the same app has to be on both ends of the conversation. As a result, those chat programs will never be as universal as e-mail.
And there are “unhackable” services, too. Techcrunch recently ran an article and noted names like Tutanota and Posteo. But there’s a charge to use them, so once again, they’ll never become universal.
One wag noted:
The harness-and-amplify characteristic of cyberattack as a destructive instrument
The U.S. law enforcement report that opened this post noted that China has been focused externally on information dominance and espionage, with law firms considered a treasure trove. Earlier this year Trend Micro and Cylance (a cool company that offers advanced threat prevention using some advanced artificial intelligence programs) issued reports on Chinese cybercrime underground activity and Russian cybercrime underground activity. We noted several points in our “long read” referenced above.
One of the more interesting points was that barriers to launching cybercrime have decreased. Toolkits are becoming more available and cheaper; some are even offered free of charge. Prices are lower and features are richer. Underground forums are thriving worldwide, particularly in Russia and China. Cybercriminals are also making use of the Deep Web to sell products and services outside the indexed or searchable World Wide Web, making their online “shops” harder for law enforcement to find and take down.
And their destructive capability is growing. In September 1996 an internet service provider in New York was taken down by a flood of traffic. Computers elsewhere on the internet, controlled by hackers, were sending it up to 150 connection requests every second, far more than it could handle. It was the internet’s first major distributed denial-of-service, or DDoS, attack. Peter Neumann of SRI International, quoted in the New York Times, said:
“In principle, most of the denial-of-service attacks we see have no solution. The generic problem is basically unsolvable. And it can only get worse.”
Twenty years on, he is right on both points. DDoS attacks have increased exponentially in size, and vast swathes of the internet remain vulnerable. Experts say the proliferation of new but vulnerable connected devices, such as thermostats and security cameras, as well as the architecture of the internet itself, mean DDoS attacks will be with us for the foreseeable future. And rather than a mere annoyance that takes your favorite websites offline, they are starting to become a serious threat.
Arbor Networks is an internet monitoring company that also sells DDoS protection, and at a cyber war forum this month a representative noted that the volume of global DDoS attacks grew by more than 30 times between 2011 and 2014. The attacks are also getting more intense. A string of them in September and October, which set records in terms of the volume of traffic (in gigabits per second, or Gbps) in each attack, proved that DDoS can overwhelm the internet’s best defenses. Among those they took down or threatened were a hosting service, a domain-name service provider (whose clients, including Twitter and Spotify, thus became inaccessible across entire regions of the US), a major content-delivery network, and the internet’s best-known blogger on security matters, Brian Krebs.
(Chart: the most powerful DDoS attack recorded each year, by Arbor Networks’ count.)
The September 2016 and October 2016 attacks are thought to have been carried out using Mirai, a piece of malware that allows hackers to hijack internet-connected devices such as security cameras. These are often sold with weak default passwords that their users don’t bother (or know how) to change. Mirai tracks them down, takes them over, and incorporates them into a “botnet” that launches DDoS attacks as well as finding and infecting other devices.
I note that because the U.S. law enforcement report on Chinese hacks mentioned Mirai. Correct, botnets aren’t new, but Mirai takes them to a new level. A paper I read over the holidays from the Institute of Critical Infrastructure Technology (now available online) noted that Mirai was a “development platform” for hackers to customize: the code was made public on a hacker forum, and people are free to innovate and build on it.
In the past couple of months it’s thought to have been used to cripple the heating systems of two residential buildings in Finland and the online services of several Russian banks, plus an attack on a law firm. The researchers speculate that hackers could tailor Mirai to do far bigger damage, such as bringing down a power grid. In September, security expert Bruce Schneier pointed to evidence that a large state actor – China or Russia, most likely – has been testing for weak points in companies that run critical parts of American internet infrastructure. It’s not outlandish to imagine that in the future, DDoS attacks powered by something like Mirai, harnessing the vast quantity of weakly secured internet-connected gadgets, could become part of a new kind of warfare.
At the moment, the main defense against a DDoS attack is sheer brute force. This is what hosting companies offer. If a client suffers a DDoS attack, the hosting provider simply assigns more servers to soak up the flood of traffic. But as the latest attacks have shown, the power of botnets is simply growing too fast for even the biggest providers to defend against.
Robbie Palmer from Crowdstrike:
There is a fix that would prevent a common type of DDoS attack – a “reflection” attack. This is where a hacker sends messages out to a botnet that seem to come from the target’s IP address (like sending an email with a fake reply-to address), causing the botnet to attack that target. The proposed fix, a security standard known as BCP38, which would make such fake return addressing impossible, has been available for 16 years. If all the ISPs on the internet implemented BCP38 on their routers, the most powerful DDoS attacks would be far more difficult to launch.
But the sheer number of networks and ISPs on the internet makes this idea wishful thinking. Steve Uhlig (of London’s Queen Mary University, who specializes in the internet’s routing protocols):
“Remember that the internet is made of more than 50,000 networks. If the most important and influential networks implement the fix, but the countless smaller operators don’t, DDoS attacks can continue to exploit spoofing. Larger networks in the internet core can and do filter. But they reduce the attacks by only a limited amount.”
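To show why the fix discussed above only works at the network where spoofed packets originate, here is a small simulation of BCP38 ingress filtering against a reflection attack. It is an added example, not code from the original post, from Crowdstrike, or from Queen Mary University. The reflector is modelled as an open server (an open DNS resolver) that answers whatever source address a packet carries; the port-to-prefix table, the addresses (all from the RFC 5737 documentation ranges) and the amplification factor are hypothetical, and the packets are constructed in the script.

```python
import ipaddress

# Hypothetical ISP edge router: each customer-facing port and the prefixes legitimately
# assigned to the customer behind it. This is the table a BCP38 (RFC 2827) ingress
# filter is built from.
PORT_PREFIXES = {
    "ge-0/0/1": [ipaddress.ip_network("203.0.113.0/24")],     # customer A (attacker lives here)
    "ge-0/0/2": [ipaddress.ip_network("198.51.100.128/25")],  # customer B
}


def make_packet(src, dst, dport, size):
    """A minimal packet record; only the fields the simulation needs."""
    return {"src": src, "dst": dst, "dport": dport, "size": size}


def bcp38_permits(port, packet):
    """Ingress filter: a packet entering on a customer port is forwarded only if its
    source address belongs to one of that customer's own prefixes."""
    src = ipaddress.ip_address(packet["src"])
    return any(src in prefix for prefix in PORT_PREFIXES[port])


def reflect(packet, amplification):
    """Model an open reflector: it replies to the packet's *source* address with a
    response `amplification` times larger than the request. A spoofed source therefore
    redirects the (amplified) reply to the victim."""
    return make_packet(packet["dst"], packet["src"], 0, packet["size"] * amplification)


def run_scenario(ingress_filtering, queries=10, query_bytes=64, amplification=50):
    """Attacker on customer A's port sends `queries` DNS requests to an open reflector with
    the victim's address as source, plus one genuine query from its own address.
    Returns counts of forwarded/dropped packets and bytes the victim ends up receiving."""
    attacker_port = "ge-0/0/1"
    attacker, victim, reflector = "203.0.113.7", "192.0.2.10", "198.51.100.53"
    spoofed = [make_packet(victim, reflector, 53, query_bytes) for _ in range(queries)]
    genuine = make_packet(attacker, reflector, 53, query_bytes)

    stats = {"forwarded": 0, "dropped": 0, "victim_bytes": 0}
    for pkt in spoofed + [genuine]:
        # The ISP edge is the only place that knows which sources customer A may use.
        if ingress_filtering and not bcp38_permits(attacker_port, pkt):
            stats["dropped"] += 1
            continue
        stats["forwarded"] += 1
        reply = reflect(pkt, amplification)
        if reply["dst"] == victim:
            stats["victim_bytes"] += reply["size"]
    return stats


if __name__ == "__main__":
    print("without BCP38:", run_scenario(ingress_filtering=False))
    print("with BCP38:   ", run_scenario(ingress_filtering=True))
```

Without filtering, ten 64-byte spoofed queries turn into 32,000 bytes delivered to the victim, who never sent anything; with filtering, the spoofed packets are dropped at the attacker's own ISP while the genuine query still goes through. Note where the check lives: only the edge router holding the port-to-prefix table can tell that 192.0.2.10 does not belong on customer A's port. By the time the packets reach a core network, the reflector or the victim, the spoofed source looks like any other address, which is exactly Uhlig's point about the limits of filtering in the core.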
Some perspective
I implore you … if you have the time and budget … to attend Black Hat and/or DEF CON, although the best of those hacker presentations are a click away on YouTube.
It really comes down to the foundational basics of cybersecurity: a strong identity and access management program that includes securing and protecting user names, passwords, keys, certificates and the domain name service (DNS). It also has to include an accurate hardware and software asset inventory and a program that keeps those assets securely configured. None of this is new or sexy, but it’s more important now than ever.
What this all means is that you have to make sure you are not only doing the right things, but doing the right things in a way that really improves your security posture.
Coming in Part 2 …
Of course, the above isn’t the only example of the harness-and-amplify characteristic of cyberattack as a destructive instrument. Fresh in our consciousness is the recent Russian hack on the U.S. election infrastructure. In this hack, the actual cyberattacks were pretty trivial – purloined emails. But the selective leaking of these emails to legal (if shady) distribution channels such as Wikileaks had enormous impact on the election, and the leaking was inspired by a deep understanding that in today’s “fact-free” political environment, such channels would amplify the noise and confusion already surrounding the election campaign. A trivial technical hack, but an enormously significant political hack.
Until now, the Internet has mainly created new avenues for old behaviors. Roughly nine of 10 computer breaches involve theft or business espionage. For individuals, these can be devastating. For companies, they represent unfair competition that, for some firms, may be fatal. Still, in an imperfect world, these are familiar evils.