Mandiant’s Summers: Companies Mostly Ill-Prepared for Inevitable State-Sponsored Cyber Attacks

Reprinted with permission from HB Litigation.

Fire alarms sounded at the waterfront luxury hotel in Southern California, bringing an early end to the speaker’s presentation.  He was addressing a 200-person audience assembled to learn about avoiding, mitigating and insuring the risks of cyber attacks.  The hotel sirens turned out to be a false alarm, but the message he delivered was not. 

Mandiant Vice President Grady Summers, who delivered the keynote address at the NetDiligence Cyber Risk & Privacy Liability Forum, a twice-annual event produced by HB Litigation Conferences, said it is getting pretty bad in cyberspace when nations are able to take out power grids and water supplies from the other side of the world.   The Mandiant executive, part of the company’s team of highly-sophisticated incident responders who handle many of the higher profile breaches we hear about, said only a small percentage of companies are truly prepared for a cross-functional, cross-departmental response to data breaches — which is exactly what is required. 

Many do not even know who is interested in hacking their systems or how they will do it, he said.  With increasing interest in data from U.S. companies by state-sponsored hackers, and ever-improving levels of sophistication, you do not want to be one of those companies.

Motivation

What motivates a cyber attacker is important to understand because their end-game will determine the seriousness of the threats they present.  Preferring the phrase “threat actors” over characterizations such as “the bad guys,” Summers took the audience through five categories of attacks, from the merely irritating to the terribly damaging variety. 

1.  Nuisance attacks.  These are largely automated attacks executed by people with low skills.  After sustaining such an attack, an organization is typically up and running in no time.

2. Data theft.  These attackers are often state-sponsored, advanced persistent threats, or APTs.  These folks want intellectual property to save their R&D teams from troubling themselves with coming up with inventions of their own.  It has been estimated, Summers said, that attacks on U.S. companies from China have netted its government and companies $250 billion’s worth of U.S. intellectual property. 

3.  Cyber crime.  These hackers are motivated to steal money, and they are getting better at it, Summers said.  Gone are the good old days when mere “SQL injection” was employed.  Now they are stealing with the help of advanced persistent threat concepts, meaning companies are discovering malicious software that has been kicking around in their systems for years.  “We found instances where emails from executives had been forwarded outside the company for four years,” Summers said.  “What used to be ‘smash and grab’ attacks have evolved into complex schemes against payment card processors.  These guys are there for six months and can take $10 million dollars a day.”

Cyber crime — and the business of fighting it — is going to continue to grow, and grow rapidly, Summers said.  This is not something you would know if you only relied on corporate reports to the Securities & Exchange Commission.  Last year a mere 27 companies disclosed the occurrence of cyber events to the SEC.  Mandiant gets thousands of calls about cyber events, the vast majority of which, obviously, are not being reported.  “As events become more visible things will be more public and therefore there will be more reporting,” Summers said.  “As for public companies that don’t choose to report — they are going to have to eventually.”

4.  Hacktivists.  Organizations such as Anonymous and LulzSec claim they hack to support various social causes.  Summers said this category of hacks continues to some extent, but the hackers are not always as sophisticated as they want us to believe.  For example, Anonymous took credit for hacking the Rural Sheriffs Association, ostensibly to protest the association’s alleged mistreatment of immigrants.  But, Summers explained, the group merely grabbed whatever data they could, then crafted a cause to match the data.  They effectively use social media for this purpose, however, Summers said.

5.  Cyber War. “This completely changes things,” Summers said.  Unlike crime and theft — where it is not in the best interest of the hackers to damage the network housing the very data they want to steal — "state-sponsored cyber war combines the desire to destroy with high-levels of technical sophistication," he said.

Five Nations’ Cyber Armies

Nation states are very active in cyber attacks, Summers said.  Whereas a government simply looks away when cyber crime is taking place, he said five countries lead the pack in actually sanctioning and supporting cyber attacks.

1. China is most active, he said, pointing to APT1, which Mandiant says is a state-sponsored and prolific cyber espionage group that has been in operation since at least 2006, stealing more than 100 terabytes of compressed data — millions of documents — from 141 companies.  They are a cyber espionage factory, with more than 700 servers from which they control their activity, Summers said.  “We tied them back to an army unit and proved actual state involvement,” he said.  For example, when APT1 needed a better internet connection, a communist government official made it happen.  The 76-page Mandiant report can be downloaded at intelreport.mandiant.com.

2. Syria is a more recent entrant, featuring the Syrian Electronic Army (SEA).  The SEA breaks into media outlets, like the Associated Press Twitter account, the Washington Post, and the New York Times.  Syria is getting more serious attention, but primarily it hacks with the intention of spreading propaganda as it did when it hacked the U.S. Marine Corps website.  They say they are 10,000 strong but in fact they are a very small group.  Despite their small numbers, they are “getting a big return with headlines.”

3. Russia harbors the Russian Business Network, Summers said, characterizing it as an “extensive operation” that is enabling Russia to put cyber operations together in support of conventional military operations. He noted Russia’s attack on Estonia in 2007 during which it took the smaller nation off the Internet so it could not conduct business or financial transactions.  In its attack on Georgia, Russia knocked out news outlets and then sent in tanks, again coupling cyber war techniques with kinetic war tactics.   “Russia is demonstrating the model for what cyber warfare will look like going forward.” 

4. Iran is new to cyber hacking, Summers said, and their intrusions so far have been very quiet.  Iran is emulating China, he said, “but they still have their training wheels on.”  He said Mandiant responded to an attack on a U.S. government agency that had all the fingerprints of an attack from China.  It turned out that it was an attack from Iran, which spent days looking for U.S. defense information.  The Iranian hackers downloaded data, but instead of U.S. defense secrets they captured a treasure trove of data on mounting a legal defense for indigent immigrants in the U.S.  “We might laugh at them now,” he said, “but we shouldn’t for long since they surely will have a more destructive intent.”

5. United States, unfortunately, has to be included in discussion of cyber warfare, he said. The government likes to say what the U.S. does is very different from what China or Russia does, that is, "we hack for democracy."  But when the curtains were pulled back on Stuxnet, the U.S./Israel cyber worm created to attack Iran’s nuclear facilities, “that sort of blew the doors off” how our activities differ, or do not, from that of other nations.  Summers said people and nations soon will have a tough time seeing the distinctions between U.S. cyber activity and that of other nations.

When discussing the revelations of the National Security Administration’s (NSA) “prying eyes,” he tells companies to move on and pay attention to other threats.  If you want to guard your data from agencies like the NSA, then encrypt your data and don’t use a public cloud.  If you want to fight with the NSA you need a lawyer, not a data security company, he said. 

As far as fighting back against cyber attacks, Summers came out against retaliation.  Some clients want to launch counter-attacks or plant the equivalent of cyber grenades in data that is being stolen.  “Any retaliation is foolish because we have an attribution problem in cyberspace.  It was only after seven years we knew APT1 was hacking.  The opportunity for collateral damage is too great," he said.  The APT1 building, for example, was attached to a day care center.  You could launch a cyber attack against an organization and kill a life support device, he said.  Some non-U.S. companies will do this kind of thing for you, but Summers opposes the activity which, among other things, is illegal. 

Summers predicts that, as with actual war, the solution will be a diplomatic one, not a technical one.  “We have to develop norms like we do for human espionage where, for example, spies are not permitted to kill government officials."

Policies for Companies

Summers advocates that companies adopt the FUD approach — one of Fear, Uncertainty and Doubt.   "Organizations are being targeted more broadly than ever.  Compromise is inevitable.  If Syria, Iran or China want your data, they are going to get in.  The logical conclusion is that detection and response are critical.  And it is a smart practice to assess your risk posture."  Are your systems patched? Are your people trained? How many times have you been compromised? How long did it take you to respond?  Are you examining empirical data that is more output based? Do you have a response team or detection system in place?  Do you possess "situational awareness"? What threats would target your company?  Spear phishing?  Do you have a cross-functional incident response team, including expertise from IT to legal?  "Because that is what you will actually do in the event of a breach," Summers said.

It was at about that point that the fire alarm sounded and Summers wrapped up his address.

This article was written by Tom Hagy, Managing Director of HB Litigation Conferences, co-producer of the conference referenced in the article. Hagy is a former Vice President at LexisNexis and former publisher of Mealey’s Litigation Reports.

Emerging Security Risks in Healthcare Exchanges: Meshing Public Entities & Private Sector

A Q&A with Lynn Sessions of Baker Hostetler LLP
Now that the Affordable Care Act (aka Obamacare) is law, states potentially now have cyber public entity liability exposure, due to their role in managing PHI in connection with the healthcare exchanges, the data hubs that will centralize and route private information through government agencies and related businesses. This new model has already led to privacy data breach incidents, well before the act went into effect this past October. To sort through the complications the ACA poses to public entities, I spoke with Lynn Sessions, counsel at Baker Hostetler LLP.

Can you explain the emerging healthcare exchange system and what type of private data will be in the care, custody and control of state officials?
The most immediate answer is that it’s unclear at this point exactly how personal information will be protected. Will state officials have to comply with HIPAA in protecting this data? The answer is probably yes, but how they will essentially take care of this information and who is responsible for it legally are the kinds of questions we’re now asking. Healthcare organizations have been asked to streamline their functions into what are called Accountable Care Organizations, which allow for opportunities for organizations to receive payments from the government, if they meet certain quality and efficiency milestones, but it’s unclear how partnering entities that are regularly exchanging information will handle it. We know that most of these entities are already covered and subject to HIPAA—hospitals, physician groups, and health plans—but in the case of a data breach it’s unclear as to who would be held responsible. As we see healthcare evolving over the next several years, I think we’ll see new privacy concerns arising and patients who become more concerned over their information. We know the Office of Civil Rights will be scrutinizing these organizations to make sure they are in compliance with HIPAA. It will continue to be a challenge for organizations to ensure that the information stays safe as they move into the new model of care.

What civil and regulatory liabilities can you foresee?
As I mentioned, HIPAA/HITECH likely applies. One thing to consider is that the health information exchanges were created when the data world was already dealing with the component of the American Recovery Act of 2008 that helps healthcare providers implement electronic health records. You also have these organizations holding on to the data for meaningful use in communications with providers. Seamless communication is all well and good, but if it butts up against HIPAA it exposes the organization to regulatory and legal liability. We have found early on if there are a lot of controls in place, the information may not flow freely and easily among providers. From a liability standpoint, the hardest thing is again figuring out whose data is whose and who is responsible for a breach.

Are there any areas of known concern that might lead to future breach events?
Encryption continues to be an issue in stolen and lost laptops and other mobile devices. Healthcare organizations are not encrypting at all or not encrypting sufficiently and we’ve seen how large data breaches can occur from this oversight. The Office for Civil Rights (OCR) is really focused on making organizations explain why they’re choosing not to encrypt. If you can’t or won’t encrypt for some operational reason, such as a medical device that can’t function with encrypted data, then it’s up to the covered entity to prove how you’re otherwise safeguarding the PHI. Another concern is that we have seen incidents caused by business associates in the past few months. Sometimes the healthcare provider doesn’t have control over the business partner’s employees accessing the medical records. Sometimes a vendor has PHI on an unencrypted laptop. We continue to see this tension with business associates, whether it’s negotiations for a contract—how to delineate the responsibilities for a covered entity—or issues after a breach occurred. What remains to be seen is how the OCR will handle jurisdiction over business associates involved in breaches.

Are there any immunities for public entities?
Yes, but it depends on the state or particular municipality. For instance, the Texas and Federal Tort Claims Acts say that you “can’t sue the king”—the state has sovereign immunity—but in some local districts a local suit can be brought against a public hospital or hospital district, but it depends on the Tort Claims Act in the specific state. The amount of damages you can recover from a state entity might also vary. Ultimately, there is usually some limitation to liability protection afforded public entities.

What might a public entity do to mitigate their liability exposure?
I think it’s all about the basics: You need to have a good security program with appropriate controls in place to begin with, and a good privacy program that allows you to address any complaints you might get or respond to customers if an incident arises. If you do these things well, you lower your chances of exposure and litigation. I’ve had several public entity clients in the healthcare space purchase insurance because they know they need to be prepared with a good product as well as advice from experts. We continue to see the OCR being very active and interested in healthcare data breaches and it always comes back to the basics: doing a risk assessment of the entire enterprise, and if you have a breach, getting to the root cause of it, responding appropriately and preventing it from occurring again.

In summary…
In addition to what Ms. Sessions has outlined we feel another vital initial task for organizations is to inventory and map sensitive data and network relays to ensure reasonable safeguard practices are in place (easier said than done). For example, it’s important to understand the type of data an organization is collecting, storing, sharing and transmitting, and how it flows to external connections.

Understanding New Findings from the Ponemon Institute

A Q&A with Ozzie Fonseca of Experian® Data Breach Resolution
Organizations are increasingly addressing cyber risk, and Ponemon Institute’s new study titled “Managing Cyber Security as a Business Risk: Cyber Insurance in the Digital Age” explores the current attitudes business leaders have toward managing security threats and the steps they are taking to minimize them. I spoke with Ozzie Fonseca, senior director, Experian Data Breach Resolution, about what the survey uncovered.

What were some of the most surprising findings of the Ponemon survey?
To me, the most surprising finding was the fact that most companies are now viewing cyber risk as an equal or greater threat than natural disasters, business interruption and fires. For the longest time, cyber insurance was around but it was not accepted as a need. Recently, over the last couple of years, that has really changed. While the study itself doesn’t go into the reasons why, I think we can assume this is happening because companies are:

  1. Witnessing the very pervasive nature of data breaches—they are happening all of the time.
  2. Realizing the significant financial burden that these incidents pose on an organization.
  3. Understanding that they have to be ready and arm themselves with all of the tools out there and cyber insurance policies are an important tool.

What do companies most need to know about cyber risk insurance policies? What is the current perception out there?
I think it’s important for an organization to make sure that they thoroughly read and understand what’s covered and what’s not and how their policy works. In our study we found that 70 percent of companies that have been affected by data breaches are now looking to get a policy. For these organizations, the costs are no longer hypotheticals—there are real numbers at play. And 62 percent of companies we spoke to feel that cyber insurance premiums are quite reasonable. A few are still skeptical as to whether these policies are useful or not but of the people surveyed 70 percent either have or are actively looking for insurance while only 30 percent have no interest in purchasing a policy at this time. Several years ago it was the other way around, so that’s a big difference.

The study shows that 62 percent of companies felt their security “posture” improved when they purchased insurance. What are the reasons for this?
In a nutshell, insured companies are more confident and prepared to deal with the threat of cyber breaches. When you have a policy the insurer will ask you tough questions you’ve never asked yourself and in answering them you will learn much more about the risks out there and how to mitigate them. Moreover, often the insurer will ask the client to undergo a NetDiligence® cyber risk assessment to reaffirm reasonable safeguard practices and suggest improvements for any weak spots. You will also grasp the policies and services that need to be in place, such as notification support and credit monitoring.

What are the ramifications of this study, for companies and for insurers?
For everyone, the main takeaway is that having a policy will better prepare you to deal with a data breach. At the same time, cyber risk insurance is getting to the point of mass adoption so insurers can spend less time educating the market about cyber insurance—they can concentrate on fielding requests because they will continue to see growth in this area in the future.

In summary…
This research reinforces a positive trend, that risk managers are becoming more knowledgeable about their cyber risk (including their significant legal liabilities should they suffer a breach caused by anemic security practices), and the many cyber liability insurance solutions available to help them cede this risk exposure. Our own NetDiligence 2013 Cyber Liability & Data Breach Insurance Claims study (see the eRisk Hub) shows that even a modest data breach in a small organization can still result in sizeable dollar amounts being paid out to remediate and respond to the event. As such, cyber breach insurance coverage is no longer a luxury.
