A View from Tom Simonite
America's Vulnerable Digital Border
The chief technology officer of RSA discusses the fallout from this year’s cyberattack on his company.
Bret Hartman’s life changed after he got hacked in March this year—and so did the perception of America’s vulnerability to cyberattacks in the minds of many experts. As chief technology officer of computer security company RSA, Hartman was used to working with companies that learned the hard way that they were unprepared for a cyberattack. But in March, RSA become such a victim. Hartman learned that attackers had infiltrated the company’s network to steal data that could be used to in turn attack clients relying on RSA security software. There are unconfirmed reports that defense companies Lockheed Martin and L-3 Communications were attacked as a result.
Hartman told me at the Techonomy conference in Tucson, Arizona, yesterday that RSA—and the customers that rely on it—got off lightly. “As a result, it was a pretty positive thing,” he said, explaining that investigating the attack on RSA has taught him that cyberwar and espionage is a more serious threat than anyone realized. He’s come to conclude that the attackers are currently on top.
“The biggest misunderstanding is that the targets are a relatively small group of organizations, like military. It’s important to understand that all organizations are targets and that the attackers are much more organized and capable than the defenders,” said Hartman.
Despite security being RSA’s business, it was pure luck that the attack was discovered. A system administrator happened to noticed that a user had been doing things that didn’t fit with what the admin knew about that person. “No alarms were tripped,” said Hartman. “It was exactly like an attack from the inside because the actions were taken by the account of one of our employees.”
The attack on RSA was an example of what Hartman calls an “advanced persistent threat.” It began with a targeted spoof e-mail, sent to only a handful of RSA employees with a fake planning spreadsheet attached. It’s an approach known as spear phishing. “Targeting people like that is made easier by the easy access of personal data on Facebook or LinkedIn,” said Hartman. “I can target someone with an e-mail I know they’ll open, for example a free gift from a golf magazine.”
One RSA employee retrieved the message from their spam folder and opened the malicious payload. It exploited a previously unknown vulnerability in Adobe’s Flash player to stealthily take control of their computer. The real work of the attackers could begin, and they explored RSA’s internal network to find the valuable data they wanted.
Hartman won’t provide exact details of what he knows about the attack, but it’s striking how little that he could know. It’s unknown how long or how extensively the attackers explored inside RSA; it’s also hard to know exactly what was taken in such attacks. Attackers don’t get stolen files out by sending them attached to e-mails, rather they are bundled up and encrypted before being trickled out over the Internet in many small chunks. Hartman will only say that he learned enough to be sure that the attackers’ intention was to infiltrate companies that used RSA’s SecureID keyfobs to protect user accounts, a product seen as the highest level in account protection.
The whole experience has led Hartman to conclude that the U.S.—and other countries—are at severe risk of attacks that could be described as cyberwar. “The government of course has been dealing with [such attacks] for a long time,” says Hartman, and as a result have systems much more sophisticated than those in use by businesses. Unfortunately, that leaves a lot of the nation’s most important infrastructure vulnerable. Government, power grids, the Internet and pretty much everything else rely heavily on private sector corporations—they effectively form the nation’s digital border. As RSA’s experience shows, that border is far from secure.
Hartman says that the attackers assailing that border are a mixture of nation states—“China and Iran among others”—as well as anarchist and terrorist groups. Those different types of actor even work together when it’s expedient.
That’s something those defending against attacks can’t or won’t do, says Hartman. “The problem today is that attackers are more effectively sharing information than the defense,” he said. Companies that are victim to or successfully resist an attack rarely share their experiences with authorities or anyone else. Worries about the effect on a company’s public profile are just part of the reason why. Antitrust regulation, privacy laws and liability fears all limit sharing of much information about attacks.
Changing that is one of the two prongs of Hartman’s strategy to rebalance the odds in favor of the defenders. He’s working with authorities, legislators and other companies to try and hash out protections and protocol that encourage sharing of information about attacks, defenses and attackers. He’s also having technologists in RSA’s labs create tools that automatically defend against or report on attacks and that could automatically package up data that could help others.
Software that automatically collects data from across a company’s network and flags suspicious activity to relevant experts is one major priority. RSA now has a product that copies every data packet that leaves a company, making it possible to reconstruct anything that was sent out at a later date (although it can’t help much if the data sent out was encrypted). Hartman’s researchers are also testing ideas like having vulnerable systems be virtual rather than installed conventionally on a computer, running in a kind of Matrix provided by a large server. Those virtualized systems can be frequently reset and recreated to prevent an attacker from gaining a foothold.
Talking with Hartman, though, I got the clear impression that it is the more political prong of his strategy to level the playing field that most troubles him. Whether you consider them cybercriminals, soldiers or mercenaries, the attackers have a healthy, almost collegial ecosystem that’s producing innovation in the science of hacking that outstrips the rate of new defense techniques. “We’re not sharing what we know and until we fix that basic asymmetry we will be stuck in the same rut and we’re vulnerable,” said Hartman.