Cybersecurity: Stuck Between Advanced Hackers, Government Regulators, and Liability

Thu, Dec 5, 2013

Cyber attacks occur every second of every day, and their frequency and sophistication continue to rise. With the increased sophistication and the proliferation of corporate espionage and nation-state actors, the days of curious teen hackers trying to prove their worth are behind us. Now the threat is bigger and better financed, the stakes are higher, and government intervention changes the landscape. Cybersecurity is now a top priority for businesses and government.

We start with a brief summary of some of the recent major cyber attacks. This list is purposely kept short so as to show only the more “elite” type of attacks that are shaping the new cyber landscape. Given their level of sophistication, these attacks frequently require in-depth analysis by computer forensics experts. Here, we are focusing on the legal aspects only.

Timeline of Advanced Cyber Attacks

Advanced Cyber Attacks of 2010: One Word: STUXNET

Stuxnet makes clear that cyber attacks have escalated to new heights. The Stuxnet worm damaged Iranian uranium enrichment centrifuges, temporarily knocking out some of the centrifuges at Iran’s Natanz nuclear facility and delaying Iran’s uranium enrichment program. The attack was very effective and stealthy, giving birth to a new era of cyber warfare.

Advanced Attacks of 2011

China: Its “Comment Group” penetrated the Diablo Canyon nuclear plant operated by Pacific Gas & Electric Co. The breach was reportedly facilitated through a breach of a senior nuclear planner’s computer. There is no indication of intent to damage the target.  Reconnaissance is the name of the game, no need to break it if you can own it.

Canada: The Canadian government reported a major cyber attack against its agencies, including Defence Research and Development Canada, a research agency for Canada’s Department of National Defence.  This particular attack forced the Finance Department and Treasury Board, Canada’s main economic agencies, to disconnect from the Internet.

US Department of Defense, July 2011: In a speech unveiling the Department of Defense’s cyber strategy, the US Deputy Secretary of Defense mentioned that a defense contractor was hacked and 24,000 files from the Department of Defense were stolen.

The Nitro Attacks: Through trickery and social engineering, attackers tricked users into downloading Poison Ivy, an off-the-shelf Trojan. This was a targeted attack directed at companies involved in the research, development and manufacture of chemicals and advanced materials. After the compromise, the attackers issued instructions to the compromised computers, searching for passwords and exfiltrating data.

Duqu Trojan: Industrial Control Systems (ICS) are compromised by the Duqu remote access Trojan (RAT).  Its purpose was to steal data. However, RATs can also be used to control the systems. If you don’t believe that this is a serious threat, think of nuclear power plants and imagine what could happen.

Advanced Attacks of 2012

Saudi Aramco: A destructive Trojan horse (the kind that steals data and then wipes files), Shamoon, was allegedly used in an attack that disabled thousands of computers at Saudi Aramco, the national oil company of Saudi Arabia. The attack wiped the hard drives of 55,000 computers, or 75% of Aramco’s corporate computers.

Flame: Another Iran-related malware, and a very sophisticated one. Flame is believed to have caused data loss incidents at Iran’s oil ministry. The alleged use of the malware was to collect intelligence about Iran’s computer networks that would facilitate future cyber attacks on computers used in Iran’s nuclear fuel enrichment program.

U.S. Natural Gas Pipelines: The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), U.S. Department of Homeland Security, issued an alert warning of ongoing cyber attacks against networks of U.S. natural gas pipeline companies. The alert stated that the campaign involved narrowly focused spear-phishing scams targeting employees of the pipeline companies. The alert urged utilities to monitor Internet-facing control systems for activity by hackers attempting to gain remote access through brute force authentication attacks.

U.S. Banks: Distributed Denial of Service (DDoS) attacks were launched against U.S. banks, including Citigroup, Wells Fargo, Bank of America, and U.S. Bank. The U.S. accused Iran of staging these attacks, and Defense Secretary Leon Panetta warned of the potential for a “cyber Pearl Harbor” against critical infrastructure. Panetta also called for new protection standards.

Red October Returns: Kaspersky discovered a worldwide Red October attack. Red October had been around since at least 2007. Attackers gathered information through vulnerabilities in Microsoft Word and Excel. The malware collected information from government embassies, research firms, military installations, energy providers, nuclear facilities and other critical infrastructure.

Early 2013 Cyber Attacks: 2013 Is The Year The Government Gets Serious

South Korea: South Korean financial institutions as well as the Korean broadcaster YTN had their networks infected in an incident said to resemble past cyber efforts by North Korea.

The list goes on and on. As should be obvious by now, cyber attacks, particularly those by sophisticated attackers and nation-states, can be very dangerous to business and society. While money is a motivator, the exfiltration of valuable data has become a major issue. There is also the potential threat to life and business. With that in mind, the government is in the process of drafting and enacting sweeping cybersecurity laws and regulations.

Congress failed to reach a consensus on cybersecurity legislation. Following that, in early 2013, President Obama issued a cybersecurity Executive Order 13636 to enhance the security of the critical infrastructure of the United States.

A very rough outline of Executive Order 13636 is as follows:

What? (Purpose): Help owners and operators “identify, assess and manage cyber risks”
Who?: NIST will coordinate development of the “Cybersecurity Framework”
End Result: “Voluntary consensus-based standards and industry best practices”
But? (Caveats): Participation is voluntary, but the Framework will most likely be used to judge a company’s cybersecurity practices. For example, Sec. 7(b) states that it “shall include guidance for measuring the performance of an entity in implementing” the Framework.

The Executive Order requires federal agencies to share information about cyber threats and to work with the private sector to develop a cybersecurity framework to protect the critical infrastructure. For now, participation is voluntary, and the Executive Order requires federal agencies to develop incentives for private sector adoption of the framework. Our guess is that some of the recommendations included in the developed framework will eventually be seen by the courts as the exercise of due care when determining liability for cybersecurity breaches.

Cyber Intel Notices: The Executive Order provides for the issuance of Catastrophic Target Notices. These notices identify “where a cybersecurity incident could reasonably result in catastrophic regional or national effects.” It is unclear how the notices may affect a business in the determination of due diligence. You can foresee a case where a Court would decide that DHS put the company on notice of a cybersecurity vulnerability and that the company had the obligation to act in accordance with this notice. A party may have a difficult time challenging the validity of the notice, given that the information may have been derived from classified sources. Whether the Cyber Intel notices will become a source of notice for due care determination remains to be seen. However, we are getting guidance on how the Courts are leaning regarding cybersecurity due care issues.

An example is the case of Patco Construction Co. v. People’s United Bank, 684 F.3d 197 (1st Cir. 2012). The events occurred in 2009. During a one-week period, a bank in Maine authorized fraudulent electronic withdrawals from Patco Construction’s account. The bank’s cybersecurity system had flagged the transactions as high-risk. However, the attackers were able to answer the account security questions, and the transactions were allowed. Patco Construction filed suit against the bank, alleging that the bank’s cybersecurity practices were not “commercially reasonable” under Article 4A of the UCC.

The bank was successful in obtaining Summary Judgment. In December 2012, the United States Court of Appeals for the First Circuit reversed, holding that the authentication scheme, which required the security questions for every transaction, exposed the bank’s customers to increased risk. The Court recognized that malware often logs keystrokes. The bank had a duty to monitor the suspicious transactions that had been flagged by its cybersecurity engine or to provide notice to Patco Construction. In other words, the Court of Appeals decided that the bank’s cybersecurity practices were not “commercially reasonable.”

Not unexpectedly, the FTC has already filed a case against HTC, a manufacturer of smartphones and other devices. The case is In the Matter of HTC America Inc., FTC File No. 122 3049. The case stems from multiple flaws and vulnerabilities in mobile devices that HTC created or failed to remediate.

Some of the faults identified include:

  1. Permission re-delegation vulnerabilities in its preinstalled applications. According to the FTC, HTC’s custom voice recorder could be exploited to allow third-party access to the device’s microphone without the user’s consent. This flaw could allow an attacker to record conversations, track a user’s location, or perpetrate other fraud.
  2. Carrier IQ implementation: According to the FTC, in order to assist carriers in their implementation of the Carrier IQ diagnostic software, HTC developed a “CIQ Interface” that would pass the necessary information to the Carrier IQ software. HTC used an insecure communications mechanism which allowed third-party applications on the user’s device to communicate with the CIQ Interface.
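
To make the first item concrete, here is an added illustration (not HTC’s code, and not drawn from the FTC complaint) of a hypothetical Android service that holds the RECORD_AUDIO permission and is exported to other apps. The permission check inside the Binder call is what prevents an app without that permission from borrowing the service’s microphone access; omitting it is the permission re-delegation pattern the FTC described.

```java
import android.Manifest;
import android.app.Service;
import android.content.Intent;
import android.media.MediaRecorder;
import android.os.Binder;
import android.os.IBinder;
import android.os.Parcel;
import android.os.RemoteException;

import java.io.IOException;

// Hypothetical exported service (illustration only) whose package declares
// RECORD_AUDIO. Because it is reachable from other apps, it acts on their
// behalf and must not lend them a permission they do not hold themselves.
public class VoiceNoteService extends Service {
    static final int START_RECORDING = IBinder.FIRST_CALL_TRANSACTION;

    private final Binder binder = new Binder() {
        @Override
        protected boolean onTransact(int code, Parcel data, Parcel reply, int flags)
                throws RemoteException {
            if (code != START_RECORDING) {
                return super.onTransact(code, data, reply, flags);
            }
            // Vulnerable form: calling record() here with no check lets any app
            // start the microphone through this service (confused deputy).
            // Hardened form: inside a Binder transaction the caller's identity is
            // available, so require the caller to hold RECORD_AUDIO itself.
            // enforceCallingPermission() throws SecurityException otherwise.
            enforceCallingPermission(Manifest.permission.RECORD_AUDIO,
                    "caller must hold RECORD_AUDIO to record through VoiceNoteService");
            record(data.readString());
            return true;
        }
    };

    @Override
    public IBinder onBind(Intent intent) { return binder; }

    // Defense in depth belongs in the manifest as well: android:exported="false"
    // if no other app needs this service, or android:permission="...RECORD_AUDIO".
    private void record(String outputPath) {
        MediaRecorder r = new MediaRecorder();
        r.setAudioSource(MediaRecorder.AudioSource.MIC);
        r.setOutputFormat(MediaRecorder.OutputFormat.THREE_GPP);
        r.setAudioEncoder(MediaRecorder.AudioEncoder.AMR_NB);
        r.setOutputFile(outputPath);
        try { r.prepare(); r.start(); } catch (IOException e) { r.release(); }
    }
}
```

Note that the check must sit inside the Binder transaction: in a lifecycle callback such as onStartCommand() the calling identity has already been cleared, so a permission check there would test the service’s own process and pass.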

The FTC and HTC entered into a settlement. Under the terms of the settlement, HTC must patch the vulnerabilities and establish a comprehensive security program. HTC must also undergo independent security assessments every other year for the next 20 years and is prohibited from making false or misleading statements about the security and privacy of consumers’ data on its devices.

We will continue to keep you informed of the latest issues arising from cyber security, cyber threats, government regulation of cyberspace as well as what it all means to your business.