Photo by Kathy Mackey/Wikimedia Commons
By Jason Rivera |
The United States desperately needs a strategy to deter intellectual property thieves from exploiting the U.S. defense industrial base – and it needs it sooner rather than later.
A recent illustration of the threat is the cyber espionage attempts against the U.S. F-35 development project. From 2006 onward, the U.S. military has heavily invested in the capabilities of the Lockheed Martin F-35 Joint Strike Fighter Program. The F-35 represents the future of joint U.S. air operations and is slated to be a primary instrument of U.S. air power for years to come. The alleged series of Chinese computer network operations that compromised the F-35 program have cost the U.S. government an estimated $285 billion. Not only do these intrusions make U.S. systems more vulnerable to the development of military countermeasures, but they also enable duplication, shifting the strategic balance of power toward U.S. competitors.
Companies such as Lockheed Martin, Boeing, Northrop Grumman, and others are part of America’s defense industrial base, a critical component of the U.S. economy responsible for the development of weapons, the provision of critical intelligence assets, and the logistical support of U.S. military operations around the world. The defense industrial base is under constant threat from computer network exploitation, or “cyber-espionage,” a practice that in 2012 cost U.S. corporations $338 billion as a result of down time, intellectual property theft, and cumbersome cybersecurity measures.
In order to meet this challenge, the Department of Defense (DoD) must work with the nation’s largest and most critical corporations to facilitate an active cyber defense framework designed to proactively engage non-physical threats within the virtual domain and change the cost-benefit calculation of the potential cyber intruder.
U.S. government entities must work with the private sector to create deterrent mechanisms. There are four key factors in the cybercriminal’s decision making apparatus: level of expected effort, value of cybercrime, risk of cybercrime, and net reward. The level of expected effort includes the initial capital investment for computing tools and intrusion applications and the continuous level of operational investment. The overall value of committing a cybercrime is most easily understood in terms of composite financial gain. A cybercriminal’s risk calculus, on the other hand, is a function of three factors: effectiveness of preventative measures, quality of detection capabilities, and the harshness of judicial policies for prosecuting cybercrime. The level of net reward equals the level of expected value minus the levels of risk and expected effort. Over the last decade, the expected returns from intellectual property theft, direct financial theft, online banking vulnerabilities, and network-based market manipulations have increased substantially because of the world’s increased reliance on the Internet.
Figure 1 graphically illustrates the cybercrime decision making apparatus.
For the defense industrial base, the most important computer network resource is intellectual property related to defense technology. Given the critical national security value of these corporate secrets, the U.S. government must do more to create public-private partnerships that will help to increase the security of the networks at critical defense corporations.
First, the U.S. government should extend coverage of the DoD’s Non-Classified Internet Protocol Router Network (NIPRNet) to include corporate projects related to the development of sensitive defense technologies. NIPRNet is one of the most secure networks in the world and is defended by an ever-evolving security architecture under the management of the Defense Information Systems Agency (DISA). The extension of NIPRNet to the U.S. defense industrial base would be technically challenging and could face resistance due to corporate concerns regarding cost and government concerns about liability. The U.S. government could help alleviate corporate concerns by offering to shoulder the costs of NIPRNet coverage. In the finally tally, the amount saved by securing the nation’s intellectual property would far outweigh the technical costs of the program’s installation.
Applying the NIPRNet defense apparatus to sensitive development projects will increase the level of effort required by cybercriminals to conduct malicious acts. This would shift the critical mass crossover point to the right, which in turn would lower the total reward of cybercrime (see Figure 2).
Second, the U.S. government should employ honeynets to sabotage cybercrime efforts. A honeynet can best be understood as a network of non-critical resources, or honeypots, that are designed to be compromised. Honeynets give cyber defenders information about host-system vulnerabilities and attacker methodologies and reveal attacker intent. Employing honeynets was once quite costly, but today this cost is lessened by virtual software and servers that create virtual network environments designed to emulate real operating systems. While honeynets are most commonly used for defensive purposes, there are possibilities for active defense applications as well.
Defense industrial base network defenders should collaborate with U.S. government application developers to employ honeynets filled with false information and malicious malware designed to corrupt the intruder’s computer operating system. Deploying such techniques would increase both the level of effort required to conduct unauthorized access of information within defense industrial base networks and the risk to cybercriminals, by increasing the probability that the cybercriminal exfiltrate irrelevant and/or harmful data. The overall impact would be a reduction of the expected reward of committing a cybercrime (see Figure 3).
Third, the U.S. government should increase prosecution and public shaming of cybercriminals. In early February 2013, Mandiant, a cybersecurity incident response company, exposed specific actors and methodologies of a well-hidden cyber organization known as Unit 61398. In May 2013, the New York Times reported that this Chinese unit had, according to computer industry security experts and American officials, significantly lowered its intrusion-related activities for three months after it was exposed. (However, it did return to its former rate of cyber-espionage thereafter.) If one report by Mandiant could decrease the cyber-espionage activities of a major Chinese cyber unit for three months, the benefits of public identification of cybercriminals by U.S. government cyber professionals could be enormous.
DoD systems absorb approximately 360,000,000 probes, scans, and intrusion attempts per day; this equates to millions of opportunities to identify and publicly expose malicious cyber actors and put pressure on host-governments to prosecute them. A brighter spotlight would force force cybercriminals exert more effort concealing their attacks and assume higher levels of risk, pushing the threshold for committing a cybercrime to the right and reducing the expected reward (see Figure 4).
By increasing the required effort and risk of committing a cybercrime, the U.S. government can reduce the number of cyber-espionage attempts against its defense technology projects. Collaborative efforts between DoD and the defense industrial base may help mitigate the compromise of critical defense-related intellectual property and preserve the U.S. strategic military advantage over its adversaries.
Jason Rivera is an MA candidate in Georgetown’s Security Studies Program and an active duty U.S. Army Officer. All views and information expressed originated solely with the author and do not represent the official positions or opinions of U.S. Cyber Command or the U.S. Department of Defense.
 Lockheed Martin, “History: F-35 Program Timeline,” Lockheed Martin, 2013, https://www.f35.com/about/history (accessed 1 Mar. 2014).
 Nicholas Burns, Securing Cyberspace: A New Domain for National Security, (Washington DC: The Aspen Institute, 2012), 131.
 Department of Homeland Security, Defense Industrial Base: Critical Infrastructure and Key Resources Sector-Specific Plan as input to the National Infrastructure Protection Plan, (Washington: GPO, 2007), 5.
 Josh Rogin, “NSA Chief: Cybercrime Constitutes the ‘Greatest Transfer of Wealth in History’,” Foreign Policy: The Cable, 9 July 2012, http://thecable.foreignpolicy.com/posts/2012/07/09/nsa_chief_cybercrime_constitutes_the_greatest_transfer_of_wealth_in_history (accessed 1 Sep. 2013).
 David Icove, et al., Computer Crime: A Crimefighter’s Handbook, (California: O’Reilly & Associates, Inc., 1995), 25.
 McAfee: An Intel Company, “The Economic Impact of Cybercrime and Cyber Espionage,” Center for Strategic and International Studies, July 2013, 6.
 Greg Slabodkin, “Defending DOD networks with a single security architecture,” Defense Systems: Knowledge Technologies and Net-Enabled Warfare, 19 July 2013, http://defensesystems.com/articles/2013/07/19/dod-single-security-architecture.aspx (accessed 2 Sep. 2013)
 John G. Levine, “The Use of Honeynets to Increase Computer Network Security and User Awareness,” Journal of Security Education, vol. 1, no. 2/3, 3.
 VMWare Website, “Virtualization,” http://www.vmware.com/virtualization.html (accessed 2 Sep. 2013).
 Why We Are Exposing APT1, “APT1: Exposing One of China’s Cyber Espionage Units,” Mandiant, (2013), 6.
 David E. Sanger and Nicole Perlroth, “Hackers From China Resume Attacks on U.S. Targets,” New York Times, 19 May 2013, http://www.nytimes.com/2013/05/20/world/asia/chinese-hackers-resume-attacks-on-us-targets.html?pagewanted=all&_r=0 (accessed 2 Sep. 2013).
 Louis Borek and Robert Phillips, Introduction to Cyberthreat Analysis Course: Student Guide – UNCLASSIFIED (Washington DC: Defense Intelligence Agency, 2013), 2-10.