With yesterday's announcement that the U.S. has indicted five Chinese military hackers for economic espionage and other offenses directed at U.S. industries, the comments of General Michael Hayden, former CIA and NSA Director, to executives attending last week's MAPI Executive Summit resonates.
— MAPI - Manufacturing (@MAPI_Mfg_Info) May 15, 2014
Indeed, the indictment, the first-ever prosecution of state actors over cyber-espionage, might come as a surprise to attendees. General Hayden noted the tightrope on which the U.S. government balances as it attempts to deal with cybersecurity, especially with China--and especially following Snowden leaks alleging that the U.S. hacked Tsinghua University in Beijing.
Initial response to the charges support Hayden's assessment:
"The U.S. wants to send a message to Beijing that industrial espionage is not fair game -- that's the real point behind criminal charges against five Chinese hackers, analysts say," asserts a report on cnbc.com.
"I would be surprised if this goes all that much further. I think that Washington is trying to send a message that says 'hey we're onto you guys,'" Alexander Kliment, director at the Eurasia Group, told CNBC.
"It would be very difficult for the U.S. to substantially change Chinese behavior in this area without a massive escalation in these charges or a broadening of those charges that could really start to affect the economic interests of the U.S.," he added.
Three Steps to a Secure Network
To combat the threat, Hayden advises companies to protect themselves at three levels:
1. Defend at the wire: The widely applied defense, says Hayden, is to practice good cyber-hygiene. This includes strong system administration, firewalls, virus software, and strong passwords.
This approach, he says, would--"if you do it perfectly, and you won't--wipe out the less capable 80% of all the attacks you would face."
2. Counter breaches: The next level of protection is to "ensure resilience upon attack, to keep going even if you've been attacked," Hayden says. This level, assumes the "presumption of a breach." He adds, "If you're a lucrative target, and if a really talented adversary wants to, they're penetrating your network."
Hayden notes that with this approach you "wrap your most precious data more tightly and be aware of when they are getting in." It employs intimate knowledge of how your network works, and often deploys big data to continuously monitor your network, checking for anomalies that suggest a breech, and then countering it.
3. Identify Future Threats: A higher level of protection is to conduct cyber-threat intelligence, which, instead of defending against the abstract, defends against the specific. By conducting cyber-threat intelligence, you go out and get the intelligence... it's these specific people, coming after you in this specific way, and they're coming for this, Hayden asserts.
With this approach, companies use tools like web crawling, port scanning, infiltrating chat rooms, and other intelligence gathering methods. "It's not intelligence-like or intelligence-lite," declares Hayden. "It's no-fooling intelligence."
A fourth level, cyber-insurance, is not quite fully defined, says Hayden. With cyber-insurance, the idea is to share the cyber-threat risk with others. "What's the model for cyber-insurance?" asks Hayden. Among other ideas, it is "insuring you against the loss of your data, the loss of your network and your losing everyone else's data (the class action)."