Category Archives: Cyber

Incentivizing Responsible Cybersecurity in the Private Sector


By Joshua McGee, Center for Technology and National Security Policy

“Businesses care more about protecting their public image during an intrusive cyber incident than avoiding the loss of the intellectual property itself.” This was the comment by a panelist at a July 18th Bipartisan Policy Center event. His experience with companies in Silicon Valley was that they seemed more concerned with headline-grabbing cyber incidents by hacktivists than with the discreet loss of intellectual property[1] that is said to cost the U.S. economy billions of dollars every year.[2]

Why might a private company have these priorities? One would imagine that the loss of intellectual property is something that a company would take seriously, just as seriously as protecting its public image. Recent publicized cyber intrusions show that many companies have lax security protecting vital intellectual property and consumer data.[3] It seems as if current free market forces are not directing companies to implement up-to-date cybersecurity strategies. Instead, these forces may simply be directing companies to create public relations contingency plans to reassure the public and shareholders after the fact. Ultimately, intellectual property is important to national security and to the resiliency of the United States’ high-tech, information and services-based economy. The following is a thought experiment intended to explore a few of the conundrums and issues that surround the loss of intellectual property in the private sector via cyber intrusions, the incentives for companies to prevent and react to these cyber intrusions, and how the government may play a role in preventing the loss of vital intellectual information held by the private sector.

For the most part, detected private sector[4] cyber intrusions can be placed in two categories:  cyber intrusions that are publicly known, and those that are not. [5]  In each of these situations, there are different company assets at stake:

  • Publicly Known Breach – Loss of intellectual property (content) and bad PR (thus tarnishing the corporate brand and consumer confidence).
  • Undisclosed Breach – Loss of intellectual property (content)

In both situations, content is being stolen, but the difference is that the corporate brand of the company is severely jeopardized by a “headline-grabbing event.” Recent studies show that corporate executives are extremely protective of their corporate brands, and that many times, a corporate brand may be more important than the intellectual property that they produce.[6] For this reason, there is a lot at stake when a company is a victim of a cyber intrusion conducted by groups like Anonymous or LulzSec, who purposely publicize such intrusions.[7] This fear of a tarnished brand could thus lead companies to prioritize public relations campaigns and not necessarily focus on the cause of these intrusions (both public and undisclosed): poor security. It is also difficult for companies to quantify losses associated with the disclosure of intellectual property and consumer data. This further complicates a company’s cost-benefit analysis of whether it should invest in increased security or public damage control.

While a tarnished brand could greatly affect the company’s profits, the theft of intellectual property and consumer data is not only a concern for the company, but also for national security, particularly when it involves government contractors. Such loss of intellectual property also affects the overall resiliency of the U.S. economy (which is largely based on innovation in high-technology, information and services). As discussed above, it seems as if companies may not be properly incentivized to protect themselves from cyber intrusions, but are more prone to address the public relations fallout that arises from the small number of intrusions that become publicly known.

Should the government create the incentives for companies to make it their first priority to secure networks rather than engage in public relations campaigns?  There is much at stake for the (security and economic) well-being of the U.S.  Such legislation may include cybersecurity requirements for industries critical to national security or create a safe space for the private sector and government to collaborate on information sharing and best practices for cybersecurity.  Many companies are also hesitant to fully disclose their cybersecurity intrusions because they are unsure whether or not they will be held legally and financially liable for lost information.  Regardless, it is important to understand this problem as an issue of incentives that current government legislation and the free market provide to private companies.  Through such a lens, stakeholders can better discuss the issues at hand.


[1] Bipartisan Policy Center, “Improving Cybersecurity Information Sharing,” Washington DC, July 18, 2012.

[4] For the purposes of this article, “private sector” excludes owners of critical infrastructure, whose situation is unique compared to other businesses.

[5] Private disclosure to the government is another possibility, but the legal ramifications of a private company admitting to a security breach are unclear, and there are currently no known legal benefits for private companies to voluntarily disclose such information to the government.

[6] http://www.iwu.edu/economics/PPE17/lewis.pdf – “The Coca-Cola Brand is far more valuable than the ingredients that go into a can of Coca-Cola” (p. 47)


Geomagnetic Storms and National Security Policy


By Mr. James Burchill and Ms. Meghann Murphy

On June 7, 2012, the Center for Technology and National Security Policy (CTNSP) hosted an event on the Hill for the United States House Subcommittee for the Department of Homeland Security (DHS) on Cyber-security, Infrastructure Protection, and Security Technologies on severe solar storms and national critical infrastructure.

The event was organized by Dr. Alenka Brown, Mr. James Burchill, and Ms. Meghann Murphy, from the National Defense University, Institute for National Strategic Studies, Center for Technology and National Security Policy.
Panel participants included: Mr. Scott Pugh of Department of Homeland Security (DHS), Mr. Bill Murtagh of National Oceanic and Atmospheric Administration (NOAA), Colonel Daniel Edwards of the United States Air Force (USAF), and Dr. Alenka Brown of NDU.

Congressman Dan Lungren, Chairman of the Subcommittee, wanted his subcommittee members to become educated in two areas: 1) solar storms and the impact of these storms on US critical infrastructures, and 2) the difference between a severe geomagnetic storm and an electromagnetic pulse. The request to CTNSP was based on two October exercises that CTNSP/NWC conducted between Oct. 3 and 5, 2012. These exercises were conducted to address the possibility of a severe solar storm, similar to the Carrington Event of 1859 (one of the largest solar storms to be recorded in US history), and the possible effects of such a solar storm on the US national grid.

We know that geomagnetic storms are caused by fluctuations in the Sun’s magnetic field, and these often occur in growing frequency within an eleven-year cycle known as the solar maximum. We are currently approaching its zenith. This is of concern, as sufficiently large geomagnetic storms can cause numerous issues for critical infrastructure. Satellite operations and communications can be disrupted throughout the storm, which can last many hours. Potentially longer-term effects can be seen in the disruption of the electrical grid, e.g., high-voltage transformers, which are critical to the operation of our long-distance transmission lines and large power plants.

The panelists were to educate the subcommittee members and senior professional staffers on the basics of geomagnetic storms and the effects on US critical infrastructures. The audience consisted of Congresswoman Richardson, and senior professional and junior staffers.  Chairman Lungren apologized for his absence and those of his other colleagues due to an unexpected classified briefing.

The panelists began with a discussion of the underlying science concerning solar storms, given by Mr. William Murtagh, NOAA. Mr. Scott Pugh, DHS, followed with an explanation of the difference between a severe solar storm and an electromagnetic pulse. He walked the audience through a severe geomagnetic storm exercise, describing possible consequences to our critical infrastructure based on a severe outage of the national electrical grid. Dr. Alenka Brown, NDU, spoke on cascading effects should a solar storm occur, with emphasis on the population, the financial sector, and cyber. Colonel Daniel Edwards, United States Air Force, Space Weather Group, gave a brief on how the military might engage during a solar storm event.

The outcome was a proposed follow-up event that would provide the subcommittee members with a more in-depth analysis of severe geomagnetic storms in relation to US critical infrastructures. It was proposed that the National Defense University, in collaboration with the Department of Homeland Defense, would host the event. In addition, a one-pager has been written and will be sent to the key panelist and Congressman Dan Lungren’s office.


Lords of Dharamraja: A New Vector for Disinformation and a Call for an Organizational Response

By Fletcher Schoen, Research Assistant
Edited by Dr. Christopher Lamb, Distinguished Research Fellow

In January 2012, a ‘hacktivist’ group called “The Lords of Dharamraja” released information obtained by penetrating the secure servers at the Indian embassy in Paris.[1] One document was a memo detailing a purported deal between the Indian government and the international telecom firms Apple, Nokia, and Research in Motion. The companies allegedly provided Indian intelligence agencies with a technical backdoor into their mobile devices, like the ubiquitous Blackberry or iPhone, in return for greater access to the Indian telecom market. Indian Military Intelligence utilized this backdoor to read the emails of the U.S.-China Economic and Security Review Commission (USCC), a bipartisan panel that reports to Congress on the security and economic relationship between the United States and the People’s Republic of China.[2] The USCC has not denied that it was the victim of a cyber attack, and it has asked the FBI, the lead agency on cybercrime inside the United States, to begin an investigation. The investigation, however, is not concentrating on Indian intelligence, despite the memo. The origins of the attack are not what they seem.

At first glance, the memo seems genuine. It has an official layout, some redacted text, and is consistent with Indian bureaucratic language.[3] But according to the Times of India, which interviewed a number of Indian military and intelligence sources, the memo is replete with inaccuracies. The most glaring is the wrong agency logo at the top of the page.[4] The letterhead and signature block were lifted from authentic documents, but the signatories do not work for the organization that produced the document. Other sources familiar with Indian Intelligence said text is never redacted in internal documents.[5] Finally, the Directorate General of Military Intelligence (Foreign Division) deals with defense attachés and foreign military cooperation, not signals intelligence.[6] The Times of India’s conclusions are backed by investigations undertaken by The Guardian and Reuters. All three investigative reports agree the memo is most certainly a forgery.

Recent reports about the ongoing FBI investigation further undermine the memo’s authenticity. American sources say the e-mails were stolen as part of the first stages of a “blended attack” on the USCC rather than through the alleged Indian signals interception of USCC communications.[7] Blended attacks involve finding email servers that regularly communicate with the main target but have relatively lax cyber security. Hacking them can eventually provide access to the harder-to-infiltrate main networks. Most of the stolen emails came not from the more secure USCC servers but from the personal email account of a former USCC Chairman, William Reinsch, who now heads the pro-trade organization, The National Foreign Trade Commission. American officials with knowledge of the investigation point out that it is much more likely that hackers associated with Chinese rather than Indian interests would know who Reinsch was and would bother taking the time to track him down. In any case, the intrusion into Reinsch’s email suggests some third party unconnected with Indian Intelligence committed this cyber attack against the USCC.

Hackers have always taken great care to hide the electronic and national origins of their attacks, but this forged memo demonstrates that defensive misdirects can become offensive information warfare tools. Cyber attacks and the subsequent revealing of stolen data can act as a means for disseminating disinformation in a manner that compounds the damage done by the release of sensitive information. The size of a massive electronic data theft would make it difficult to sort out what was real and what wasn’t, and the sensitivity of the real documents would make commenting on the fakes a delicate undertaking for the U.S. government. The effects of this kind of attack can be extrapolated from this recent incident. The forged Indian memo was just one document, and yet it managed to morph a relatively routine cyber attack into an uncomfortable supposition of espionage between allies that will only be sorted out through careful investigation. All the while, the real perpetrators can continue their work.

Dealing with this kind of sophisticated attack in the future will require a coherent interagency approach that combines cyber security with counter-disinformation and strategic communications. Unfortunately, the response to this cyber attack and forgery has been anything but coherent. The lack of comment by the FBI about its ongoing investigation is understandable only because revealing details of the attack gives free damage assessment to its adversaries. However, the lack of any government response to the forgery is troubling. An information vacuum allows the forgery to have its intended effect. Forgeries like this one are relatively easy to expose and may seem relatively unimportant, but if ignored, over time such disinformation will erode and seriously damage U.S. political relationships.

Sources inside the U.S. government have told me that the United States has a counter-disinformation capability, but I have yet to see an official denunciation of this forgery and it is unclear if the alleged capability is working with the FBI on countering the new cyber vector for disinformation. This should change, and quickly. After all, this is not the first time the United States has confronted state-sponsored disinformation on a large scale. During the last decade of the Cold War, the State Department led an interagency working group that became adept at dealing with the Soviet Union’s frequent use of forged U.S. government documents. Despite spending nearly $300 million on their disinformation apparatus, Soviet forgeries never withstood official American scrutiny and denunciation. Eventually an exasperated Soviet leadership forswore the use of disinformation.

As China increases its cyber attacks on the United States, it would be safe to assume the use of disinformation to support these attacks will increase as well. China’s political system gives it monolithic control over information management, but the United States and its open society retain the supreme advantage in information warfare. Open expression of ideas will always triumph over manufactured information, eventually. In the meantime, we need to energize the organizations that can convert this advantage into a concrete response.

Fletcher Schoen is a research assistant with INSS and co-author of “Deception, Disinformation and Strategic Communications: How One Interagency Group made a Major Difference,” a forthcoming study on the Active Measures Working Group to be published by NDU Press. 


[1] Yatish Yadev, “Hackers Invade Server of Indian Embassy in Paris,”  December 17, 2011. http://indiatoday.intoday.in/story/servers-of-indian-embassy-in-paris-hacked/1/164664.html

[2] The USCC also provides “recommendations, where appropriate, to Congress for legislative and administrative action.” http://www.uscc.gov/

[3] Frank Jack Daniel, “Fake Memo but real code? Indian-U.S. Hacking Mystery Deepens,” January 12, 2012.

[4] Charles Arthur and Agencies, “US Accuses China of Hacking emails,” The Guardian, January 20, 2012.

[5] Mark Hosenball, “US probes Commission Hack,” Reuters, January 10, 2012.

[6] Josey Joseph, “Fake Letter Blows lid off Hacker’s Espionage Claim,” The Times of India, January 12, 2012.

[7] Charles Arthur and Agencies, “US Accuses China of Hacking emails,” The Guardian, January 20, 2012.
