The Defense Security Service (DSS) Counterintelligence Office recently reported, in the 2006 edition of its annual report entitled Technology Collection Trends in the U.S. Defense Industry, that the number of suspicious contact reports, or possible incidents of espionage, has increased 43 percent over the past year.
Unreported suspicious Internet activity
Unfortunately, it is likely that the DSS figures understate the scope of the problem. According to the DSS, the most frequent methods of operation used by hostile actors intent on committing espionage are direct requests for information, direct acquisition of controlled technology, and solicitation of marketing services. Combined, these three methods of operation account for 76 percent of the reported incidents. Surprisingly, suspicious Internet activity represented only 5.3 percent of all reported incidents.
Given the recent media attention to a number of high-profile cyber intrusions on computer networks at the State Department, Department of Energy, Commerce Department, and Naval War College, this number seems surprisingly low. It is very likely that many additional cyber intrusions against government agencies and defense contractors are undetected or go unreported, and therefore the percentage of suspicious Internet activity reported by the DSS is artificially low.
Methods of Attack
To understand how many cyber intrusions may go undetected or unreported, it is useful to study the techniques, tactics, and tools used by attackers in previous cyber intrusions. In many previous cyber intrusions, the attacker has used a 0-day exploit, an exploit for a software vulnerability that the vendor has not yet patched (and often does not yet know about), to gain access to the targeted computer network. Typically, these 0-day exploits are delivered to selected members of the targeted organization via an email attachment such as a Microsoft Office document; because no patch or signature exists yet, the attachment passes the defenses that would catch a known exploit. In some cases, the attacker has then installed a rootkit, a piece of software designed to hide its own presence and that of the attacker's other tools, to avoid detection. Given these techniques, it is unlikely that every cyber intrusion is detected.
Moreover, even if an intrusion is detected, it may go unreported. According to Alan Paller, the director of the SANS Institute, "the American strategy in the last couple of years has been to keep it secret." Paller added, "the problem is thousands of times bigger than what you hear." Many companies, defense contractors included, do not want to suffer the public embarrassment or loss of investor confidence associated with a damaging cyber intrusion. Therefore, many companies choose not to report these incidents. As Paller stated, "the depth of the penetration is more than anybody is even admitting. People are trying to hide this because they're embarrassed."
Future Trends
Although the scope of the problem will likely remain underreported, future DSS reports will probably show a marked increase in suspicious Internet activity as a method of espionage. The current DSS report rightly observed, "the potential gain from even one computer intrusion makes it an attractive, relatively low risk, option for any country seeking access to sensitive information stored on U.S. computer networks. The risk to sensitive information on U.S. computer systems will increase as more countries develop capabilities to exploit these systems." Simply stated, the risk-to-reward ratio for cyber intrusions is tilted heavily in favor of the attacker. Therefore, cyber intrusions will continue to increase in the future. As these intrusions increase, the number of reported intrusions, and their share of all reported incidents, will likely increase in parallel, even if the underlying underreporting persists.