Hacking, Espionage, and Surveillance

The subject of this lecture is the surveillance of American citizens by a foreign government through cyber means. In this lecture, you’ll learn about three aspects of this issue. First, you’ll consider why foreign surveillance might be more common today in cyberspace. What is it about the domain that enables surveillance? Second, you’ll learn about how cyber intrusions and surveillance happen. Third, you’ll consider what this all means in terms of the surveillance of Americans.
Foreign Surveillance
● Only a few years ago, the topic of foreign surveillance on American soil would have been a subject of little concern. Such spycraft, when it occurred, would have been limited to instances of physical or electronic surveillance that were few and far between. This was mostly because virtually all personal surveillance required a physical presence in the United States as a condition of successful action.
● Today, that paradigm has changed. The Internet telescopes time and space. It allows almost instantaneous action at a distance. That’s a sea change in our conception of surveillance.
● The history of human interaction is, essentially, one of the increasing distance at which our interactions occur. Over time, the necessity for close proximity has weakened.
● Cyberspace is a quantum leap in that direction. Action in the cyber domain occurs at the speed of light and crosses immense distances almost instantaneously.
● Whether the object is warfare, terrorism, espionage, or crime, it is no longer necessary for the malevolent actor to be anywhere near his or her objective. As a consequence, America today is more vulnerable to foreign surveillance and espionage than ever before.
How Cyber Intrusions and Surveillance Happen
● How does a foreign government get into your computer? Typically, the attack arrives through an email message, or some other innocent form of communication, often from someone in your address book (and you’re in the sender’s address book, as well). Often, the message consists of just a website address—a hyperlink for you to click on. Such links will take you to web pages where embedded malware lives. And that could be the start of your computer being compromised.
● More than 200 billion emails are sent every day, some of which are the source for roughly 150 million different phishing attacks (in which the bad link is the bait and you are the fish). Even if only a tiny fraction of a percentage of these attacks succeeds, it still means that a massive number of people are affected by these types of attacks.
● Still, that kind of simplistic attack is not what a moderately cautious, sophisticated user should be afraid of. A more subtle type of attack is a malicious intrusion called a Trojan horse (or, simply, a Trojan). They are called Trojans because, typically, the malware is hidden inside a program that looks like an innocent piece of information—just like the famous Trojan horse that had Greeks soldiers hidden inside.
● Usually, an attack begins with the simple Trojan communication. Often, it is just an email to someone. This is often called a spear-phishing email, because it targets a specific individual or recipient, much like a spear used to catch a particular fish.
● Instead of a generic message that fits almost anyone, it will have a message designed specifically for you (or a narrower target group). These spear-phishing emails are designed to appear as though they have come from an innocent source, but they will have a malicious program hidden within—either in the email itself or possibly in an attachment.
● When the unsuspecting recipient clicks on the attachment, the malware begins the automated download of a controller program. This program then opens up a backdoor communications channel, allowing outside individuals to access the programs that control the target’s system.
● When the communications open up, the attackers flood the system, much like a tank brigade moving through the breach in a defensive line. Some of the attackers create new breaches; others use their position to promote themselves within the system and give themselves authority to access all of the data available. If it is a quick hit-and-run attack, they begin removing information from the target system, such as your login codes or financial data.
● The intrusion doesn’t have to be a quick hit-and-run. There is another class of attacks that are called, generically, advanced persistent threats (APTs), which are intrusions that are developed over time, using sophisticated attack methodologies that are directed at specific targets. Once inside a system, the APT might stay resident in the target for a long period of time and, in effect, make the target computer vulnerable to continuous monitoring from the outside.
● These types of intrusions are common forms of surveillance operated by foreign governments (and doubtless by our own government overseas).
● An example of a successful spear-phishing expedition was the Chinese attack on the U.S. Office of Personnel and Management (OPM). Sadly for the U.S. government, OPM manages the security clearance process for federal employees. As a result, it’s thought highly likely that every file associated with the OPM-managed security clearance process since 2000 was exposed.
● That’s data on roughly 22.1 million people who work in America’s security community, and it includes 1.1 million sets of fingerprints, as well as the detailed financial and health records of all these employees and their spouses. It is the greatest espionage surveillance coup of all time.

● With the data from this intrusion, China now knows the names of almost everyone in America who has a security clearance. That means two things: First, it makes it much more difficult for the United States to stage covert operations when the identity of many of its spies is already known to the Chinese. Second, it means that the Chinese now have information about those who work in our intelligence and lawenforcement communities that they can use to extort cooperation from them upon threat of public disclosure.
The Surveillance of Americans
● The espionage and surveillance of average Americans is usually just a tactic aimed at a larger strategic objective. Chinese attacks on OPM, for example, are stepping-stones to bigger and better things. It is a source of both traditional national security intelligence and, in the end, a means of stealing intellectual property and advancing the Chinese economy.
● The American security companies Mandiant (now owned by FireEye) and Crowdstrike have identified two arms of the People’s Liberation Army—known by their Military Unit Cover Designators as Units 61398 and 61486—as special operations aimed at hacking foreign economies.
● It appears that these units are tasked with the object of attacking and intruding into the system and database of business enterprises and research institutions in order to steal trade secrets, technical talents, and any useful data from and through the Internet.
● In Unit 61398 alone, several hundred operators worked for more than 5 years, penetrated more than 140 known corporate and government systems, and stole more than 6.5 terabytes of data, according to FireEye. Nearly 90 percent of the victims were in English-speaking countries, and nearly 98 percent of the attacks were based on systems using a simplified Chinese language input. The Chinese government denied everything.
● The FBI warned U.S. health-care companies specifically that malicious threat actors were targeting them in an attempt to steal intellectual property and personally identifiable information. However, FireEye revealed that a Chinese hacker group also had systematically stolen data and information of the U.S. medical device manufacturers and pharmaceutical companies.
● How should we assess these Chinese activities? Are they significant threats? Should we credit the routine denials that China makes, disclaiming responsibility?
● First, there is little basis for accepting Chinese denials of awareness and responsibility. Nobody who seriously studies the issue doubts that the attacks on American systems are part of a systematic campaign that could not really occur without Chinese state approval.
● Second, we should think about how one should respond to this sort of activity, if at all. The response, if any, must come from the U.S. government. The American private sector has virtually no leverage to use to modify Chinese behavior.
● To date, we’ve seen at least two different types of U.S. government action in an effort to restrain Chinese surveillance and espionage. The first is the deployment of the American criminal system.
● For example, in one well-publicized instance, the Department of Justice indicted five Chinese military hackers who were believed to be part of Unit 61398. They were charged with computer hacking, economic espionage, and other offenses directed at six victims in the U.S. nuclear power, metals, and solar products industries. This was the first time that charges were brought for cyber offenses against individuals presumed to be acting on behalf of a nation-state. China did not agree to extradite the five individuals, and there seemed to be no real prospect that they would be brought to trial.
● So, the U.S. government turned to a broader tool: economic sanctions. President Obama issued an executive order: “Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities.” Under this directive, the Treasury Department was authorized to freeze the assets of any individual or entity found to “be responsible for or complicit in … cyber-enabled activities … that are reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States.”
● In announcing this policy, the White House said that hackers and their sponsors from China, Russia, and Iran are the targets of the sanctions. However, at least initially, no sanctions were actually imposed; it seems that the White House hopes that the mere threat of sanctions will cause a change in behavior.
Questions to Consider

1. Typically, we fear surveillance by our own government more than by a foreign government. Why?
2. What do you do to protect yourself against a cyber intrusion?