A Year In Review

I'm going to take a stab at a 2011 review and 2012 predictions of all things cyber.  I wanted to have both done by the New Year, but seeing as how I nursed ginger-ales for most of today, it just didn't happen.  I'll be aiming to roll out the prediction thread tomorrow.  I linked all of the biggest stories of the year at the bottom of this post.  Note that these links only extend to August 2011, so mostly it's a half year in review.  Also, the linked stories don't give a comprehensive view of everything that happened; I'd check the categories feature on the sidebar for more.  Nevertheless, they do represent the biggest stories of the past few months.

That leaves us with the review post.  I started writing for this blog in August, and needless to say, this has been a hell of a year for cyber-related news.  2011 was dubbed the year of the hack, and it certainly lived up to that reputation.  Consequently, I wonder if 2012 will be dubbed the year of more hacking.  Whatever the case, there was a media deluge of cyber-related news, and I often had trouble keeping up with it all.

That leads me to my first point: everybody is a lot more aware of cyber-related issues.  At least they should be.  The media was quick to cover any story related to cyber-attacks, hacking, or cyber-espionage.  I mention this because a few years ago, cyber-related issues just didn't get the same amount of focus.  Now we have massive media responses to a water pump burning out in Illinois.  It's certainly a change, and I believe overall it's a positive one.  The only drawback is that this new attention may hype threats.  I love writing about cyberattacks that could bring down the US power grid; that stuff is exciting is read.  It's also very unlikely to happen.  For all this new-found attention, we must be careful to separate the spectacular cyberattacks that could happen (i.e. an attack on the US power grid) from the more mundane cyberattacks that are happening (like systematic Chinese cyber-espionage). 

As for the Chinese, they dominated the year in cyber-news.  I realize that China doesn't get much love on this blog, and I may focus on their hacking efforts (as opposed to other countries) too much, but damn they make it easy.  It seemed that every other day there would be a new report about Chinese cyber-espionage.  Moreover, the pervasiveness of their cyber-espionage just blew me away.  I'm not going to get into every cyberattack, but Chinese hackers broke into almost every industry on a world-wide scale.  Moreover, anger began to grow over Chinese cyber-espionage.  Over the past few months, I've noticed an increase in rhetoric that called for a strong response to Chinese cyber-espionage.  I'm thinking of the various op-eds, US lawmaker's comments, the ONCIX report naming China as one of the world's greatest cyber-thieves, the London Conference all but naming China as one of the world's greatest cyber-thieves, and articles considering whether the US and China are headed towards cyberwar.  In essence, 2011 was the year that we learned of the full extent of Chinese cyber-espionage.

2011 also saw US cyber policy come under review.  Unfortunately, that policy is still unclear.  We had some clarification on offensive cyber operations, but nothing specific.  We didn't get rules of engagement for cyber-operations.  We also didn't get a definition of when the US would engage in offensive cyber operations (all we know is that the DOD can respond to "hostile" acts).  This lead many commentators to question the deterrent value of our offensive cyber-capabilities.  More importantly, it looks like the US is worried about establishing a strong cyber policy.  The Obama adminisration decided against using cyberattacks in Libya for fear of establishing a precedent that would allow for attacks against US systems.  In essence, 2011 showed that the US cyber policy needs work.

2011 brought us new cybersecurity legislation.  The two major peices of legislation were the PrECISE Act and CISPA.  Both acts seek to increase threat-sharing on cyber threats between the US government and US corporations.  However, the bills place cybersecurity authority in different hands.  The PrECISE Act places cybersecurity authority in the hands of DHS, while CISPA places that authority with the NSA.  Needless to say, a few were worried about the privacy implications of the NSA having broad cybersecurity power within the US.  

2011 also brought us a renewed concern about the vulnerability of critical infrastructure.  Remember the supposed cyber-attack on the Illinois water plant?  Ok, that wasn't a cyberattack, but that entire story still had huge implications.  Even though it wasn't a cyberattack, it seems like the threat of a cyberattack on critical infrastructure finally became real to people.  We've heard for years that critical infrastructure was at risk, but it really took a water pump burning out to drive the message home.  I still believe that the threat is an unlikely one.  However, the entire episode drove a review of critical infrastructure protection, made SCADA systems famous, and proved that this sort of cyberattack can actually happen.

2011 brought us a new look at our old pal Stuxnet.  Mostly we learned of Duqu, and how it was the son of Stuxnet.  However, two significant stories came out.  The first explored how Stuxnet, Duqu, and Conficker may have been coordinated to work together.  Remember that Conficker was dubbed the worm that could destroy the internet; it currently has millions of computers under its control.  To think that Stuxnet, one of the most advanced computer viruses ever seen, was somehow interacting with Duqu and Conficker just blows my mind.  Then comes the second story: Duqu and Stuxnet were reportedly created on the same software platform.  Moreover, the two viruses communicate with each other, and there may be three other computer viruses built off of the same code as Stuxnet.  I find this fascinating.  We know Duqu is traipsing about the world, peeking into industrial control centers and causing all sorts of mischief.  We know Stuxnet is still around.  Conficker is just hanging out, controlling millions of computers.  Something is going on.  And there has to be a nation-state behind it.  I believe (and hope) that the US is behind Stuxnet, and that the US has a far more advanced offensive cyber-capability than previously thought.  Whatever the case, 2011 showed us that there is more to the Stuxnet story, and there is certainly more to come.

Finally, 2011 also brought new attention to this blog.  We've got a pretty diverse audience from all over the world.  I'm not going to release specific numbers, but we have seen an increase in traffic.  For that, we thank you.  Thank you for coming to the blog, and thank you for reading it.  We also rolled out a new Twitter account, and would very much appreciate it if you could follow us @cyberlawblog  

Below you will find links to the biggest stories of the past few months. 

***

 

 

Cyberattacks

• We learned that Anonymous offshoot Anti-Sec hacked into security company Stratfor and leaked customer info.

• We found out that China-based hackers broke into the US Chamber of Commerce's networks.

• We discovered that the Iranians may or may not have spoofed/taken control of a US RQ-170 stealth drone.

• Chinese hackers broke into the networks of over 760 companies and stole "everything not bolted down."

• Computer viruses Stuxnet, Duqu, and Conficker may have all been coordinated with each other to delay the Iranian nuclear program.

• Chinese hackers broke into the networks of a Canadian law firm to learn more about a potash deal.

• A water pump in Illinois was, then wasn't, the victim of a cyberattack, sparking a huge worry about the vulnerability of SCADA systems controlling critical infrastructure.

• A hacker claimed that he broke into a Houston water plant; this one was never confirmed, or denied.

• We were introduced to Duqu, a cousin of Stuxnet, and followed its travels across the globe.

• We learned that the Chinese were involved in cyberattacks on US chemical and defense firms.

• The Chinese hacked the networks of Japan's parliament.

• Hackers broke into NASDAQ and spied on company directors.

• Authenticator RSA was hacked with the intention of further hacking US defense contractors.  Along the same lines, hackers broke into security certificate issuer DigiNotar.  Hundreds of fake security certificates were then issued, and DigiNotar ended up going bankrupt.

• We learned that the USAF's Reaper fleet dealt with a malware infection.

• A cyberwar broke out in Syria between pro-government Syrian hackers and protesters.

• Hackers broke into the networks of Japanese defense contractors, some who manufactured US military equipment.

• We learned about Operation Shady RAT, an APT that targeted over 70 public and private organizations for more than 5 years.

 

China

• We found out that China-based hackers broke into the US Chamber of Commerce's networks.

• The Washington Post spoke out against China's pervasive cyber-espionage and called for a stronger response from the Obama administration.

• Several writers considered whether the US and China are headed for a cyberwar.

• Chinese hackers broke into the networks of over 760 companies and stole "everything not bolted down."

• We discovered that the NSA has successfully tracked cyberattacks back to several Chinese hacking groups, and was able to even identify individual members within the groups.  Attribution solved?

• The Chinese hacked the networks of Japan's parliament.

• We learned that the Chinese were involved in cyberattacks on US chemical and defense firms in Operation Nitro.

• Chinese hackers broke into the networks of a Canadian law firm to learn more about a potash deal.  The deal would have had economic implications for China.

• Jack Goldsmith, of Lawfare fame, wrote a great op-ed in the Washington Post where he noted that Chinese cyber-espionage is the most persistent threat that the US faces, and that the new US offensive cyber capability does not deter Chinese cyber-espionage.

• We learned (or just reaffirmed) that computer chips produced in China are built with hidden back doors that have plagued US missile defense.

• A nice article about China's pervasive level of cyber-espionage and the legal problems with responding to cyber-espionage.

• We found out that Chinese hackers actually put a UK firm out of business.

• US lawmakers, on both sides of the aisle, publicly decried China's cyber-espionage, calling it "intolerable."

• In a humorous turn, the Chinese accidentally put up a video on state television demonstrating their cyber-attack capability.

• The ONCIX report that pegged China and Russia as the world's greatest cyber-thieves.  This report stated that the US lost billions of dollars of intellectual property to foreign cyber-espionage.

 

Critical infrastructure

• An interesting MIT report that proposes that DHS should control the US electric grid.

• A water pump in Illinois was, then wasn't, the victim of a cyberattack, sparking a huge worry about the vulnerability of SCADA systems controlling critical infrastructure.

• A hacker claimed that he broke into a Houston water plant; this one was never confirmed, or denied.

 

Legislation

• A great article from the Economist on SOPA and PIPA's pros and cons.

• SOPA's negative effects on US cybersecurity.
  

• In a suprising show of force, users on the social site Reddit organized a boycott of SOPA-supporter GoDaddy.  GoDaddy dropped their support of SOPA a few hours (and thousands of lost domains) later.

• We've got the PrECISE Act floating around Congress: it would give DHS cybersecurity responsibility, and establish a national cyber clearinghouse.

• We've got CISPA floating around Congress: it would give the NSA cybersecurity responsibility.

• An interesting opinion piece that for whatever cybersecurity legislation Congress passes, it must provide for flexibility.  A rigid, regulatory approach to cybersecurity legislation is a mistake in the fast-paced world of cybersecurity exploits. 

 

The Internet

• An article concerning calls for international regulation of the internet.  China approves of the idea, the US does not.

• Does anyone control the internet?  DNS handled ICANN comes the closest, but that's not saying much.  No one governs the internet.

• Two great articles from the Economist over the debate behind internet governance, and how a lil' chaos ain't all that bad.

 

Reports

• The Department of Energy's 2011 cyber road map.

• The ONCIX report that pegged China and Russia as the world's greatest cyber-thieves.  This report stated that the US lost billions of dollars of intellectual property to foreign cyber-espionage.

• DHS cyber road map.

 

Viruses

• We were introduced to Duqu, a cousin of Stuxnet, and followed its travels across the globe. 

• Computer malware Stuxnet, Duqu, and Conficker may all be related and coordinated with each other to delay the Iranian nuclear program.  Moreover, we just learned that Stuxnet and Duqu were created off of the same software platform by the same team.  There are apparently three other strains of malware similar to Stuxnet that remain undiscovered.

• We met Conficker, the worm that could bring down the internet.

• We considered whether the US is the leading force behind Stuxnet.

 

Policy

• Congress authorized the Pentagon to wage offensive cyber-war.

• A fantastic article from the Washington Post explaining how a cyberattack sparked a huge federal response that has basically created Cyber Command.  This article succinctly highlights the legal challenges behind crafting a comprehensive cyber policy and explores how each US federal agency has some say in the matter.  If you read one article, read this one.

• DOD clarified its policy on offensive cyber-operations by saying it would launch offensive cyber operations, at the direction of the president, in response to hostile acts.  That's a clarification?

• A great post from Prof. Snyder on cyber strategies from around the world.

• A great article on US cyber policy and effective deterrence.

• We learned that the Obama administration considered, but ultimately decided against using cyberattacks against Libya.  Why didn't the US use cyberattack?  It feared setting a precedent for other nations.

• Again, calls for clarity in US cyber policy.

• A review of the Pentagon's cyber-strategy, one year later.