Q & A on APTs

Last Friday, Matthew Gregory, a reporter for the Georgetown University newspaper The Hoya, got in touch with me to ask a few questions about Internet security, and Advanced Persistent Threats in particular.  Given that this blog has been pressing that issue, I thought that the format of answering his questions might be more useful than another essay on the subject.  It is terrific that students are a part of this conversation and in some institutions may even help to “coach up” the message to senior administration.

Q: Have you noticed an upsurge of cyber attacks in recent years? Have particular types of attacks increased in prevalence, such as phishing, viruses, or attempts to disrupt university infrastructure?

Internet security has and remains a significant challenge.  The technical protocols upon which the Internet was built were purposefully designed to be open.  That openness creates obvious vulnerabilities for those who choose to act criminally.  Criminality in cyberspace exists as it does in physical space.   

Given that the Internet is now the foundational, world-historical backbone to global commerce, communications and culture, those vulnerabilities become the means for technical exploitation that gains access to the real “gold,” information.  In a global information or knowledge economy, access to information is a means of access to power, money and strategic advantage in any number of sectors: military, industrial and even academia.

There are essentially three types of security threats: common criminal (for money, for example: breaking into banking systems to steal money; identity theft; industrial espionage); hacktavists, a broad category that includes everyone from adolescent vandals to purposeful political activists (Aaron Schwartz for example); and what are now called "advanced persistent threats" or "APTs," intentional security intrusions that are either sanctioned or implicitly supported by governments that seek information from designated targets such as other governments military, or national utility grids, industry or higher education. 

Q: Are the sources of the attacks that you have encountered primarily domestic hackers, or are the majority of attempts to penetrate university systems originating from countries like China? Have they increased in frequency in recent years, and have you succeeded in repulsing these attacks?

To the best of my knowledge, APTs always derive from outside the United States, although with the ability to “bounce” attacks from different servers, or use proxy servers as a medium, it is certainly possible to make these threats appear as if they were coming from a domestic server. 

Please allow me a digression about Internet governance.  Security attacks within the U.S. are subject to U.S. law that prohibits them according to the Computer Fraud and Abuse Act of 1986.  There is no international Internet governance, and so it is the proverbial "wild west" in terms of crime and law enforcement global.  To the degree that international law exists, it is largely set out in treaties and trade agreements. 

Those instruments are very primitive means to deal with the nature and purpose of these attacks.  No treaty expressly on the subject of Internet security addresses this subject.  Internet governance, such as it is, derives from U.S. control of the root domain name servers; the Internet Corporation for Assigned Names and Numbers is its administrative arm.   Within its limited charter, that “corporation” – which is an extension of the United States Commerce Department – has neither the scope nor the representation internationally to address these issues.

Two organizations, the United Nations and the International Telecommunications Union, have challenged United States control over the Internet.  While raising critical questions of governance, but unfortunately prompted less by altruist desire for objectivity and more from competitive nation-state sectors that desire greater influence and control themselves (Russia, for example), neither of these venues has been successful at altering the current governance model.

From a political science perspective, one might note a similarity of these nation-state attacks to terrorist attacks.  No match for superior military strength of the United States, competing states or groups within those states resort to a politically motivated form of resistance to law and actual intrusion and/or compromise of the systems and data to which they are able to achieve technical access.  In the case of APTs, the added motivation of gaining information to leap frog into the twenty-first century militarily, industrially and intellectually without having to agree to conditions or pay for the information is too tempting a path not to take, especially given technical access and an international landscape lacking requisite law.

[The subject of my last blog addresses the U.S. perspective on this matter, U.S. persistent electronic surveillance, which exists at least in some part also as the result of an absence of international Internet governance and law.]

PRC has been identified as a significant source of APTs but probably no more so than would be proportional to their population, size have the country, available resources, and stage of development as a dominant nation-state in the twenty-first century.

Q: Are there particular policies and tactics that Cornell has employed to prevent these cyber attacks from succeeding? Do you know how your methods compare to those of other major American universities?

Cornell, like all research universities, is maximizing its administrative, technical and physical security measures to meet the challenge of these threats.  It is my opinion that the greatest challenge for higher education in general is not the technical aspect of information security, but the administrative aspects.  A divide between administrative and research data lies at the core of this challenge.  IT policy for administrative data has become quite robust in the last decade.  In many research universities, those polices either do not extend to research data or are not monitored or enforced adequately. 

In earlier years of policy development there was a rational for this divide: rather than address pushback from faculty reluctant to adhere to centrally administered rules over their research, the divide allowed policy development to occur more or less commensurately with the implementation of large, central administrative systems. In light of these external threats, that divide now appears not only to be anachronistic but harmful to the security of the research data and the integrity of institutional intellectual property. 

The very nature of research as deeply individualized, introspection protected by the mystical bonds of the Ivy Tower continues to create significant obstacles to getting the message of this new, advanced and targeted threat across to individual faculty members, as well as to deans and provosts and presidents, who come from faculty ranks and who share that culture and its traditions.   Moreover, the belief within academic culture that "information should be free" compounds this problem because it fails to recognize the underlying assumptions that support this belief.  In short, while those ideas may have worked in twentieth century practice, they must now be reviewed in light of an altered technological and global nation state competitive landscape of the twenty-first century.  The goal is not to throw the proverbial baby – intellectual autonomy and shared research – out with the bathwater of our current network security challenges, but that faculty must accept a greater degree of administrative and technical control over their data as a means to preserve and protect its integrity.  For that reason, presidents, provosts and deans would do well to prioritize this issue.

Q: Are universities specifically targeted by domestic and international hackers? Do you know what particular information they are seeking to obtain?

Originally APTs were directed to military information; then industry, and most recently higher education.  The purpose of these attacks is to obtain as much data from academic libraries, scholarly journals, research and institutional intellectual property as is possible.  Often it is simply to have the information available in the event that it might be useful rather than always a finely tailored search for a discrete data set or patent.  I can put it more plainly.  Do you know the famous joke about Willy Sutton, the bank robber?  When asked why he robbed banks, he replied, “That is where the money is.”  The same could be said analogously about intellectual capital in higher education.   Research universities are a target because that’s where the information is. 

Q: Could you comment specifically about phishing at Cornell? It has become common at Georgetown as of late, so perhaps you could describe how your university is encouraging students to protect themselves from this threat.

Because the sophistication of the attacks is forever on the increase, and touches the weakest link in the chain of technical security -- human error -- there can almost never be too much communication about phishing.  Real time alerts to specific attempts are particularly helpful.  Phishing has proven to be a very effective method of launching an APT, so all the more reason to be sure that our campus communities educate, educate and educate.