US cyber officials worry 'milware' will target infrastructure

It’s no secret cyber threats are becoming more widespread and advanced. Just look no further than Ukraine’s power grid that was knocked out in a first-of-its-kind coordinated cyber attack.

Current terminology and lexicon appear to be outdated to describe how sophisticated threats today are. “We all know what malware is, right? We’re starting to use the term milware,” Philip Quade, special assistant to the director for cyber for the NSA’s Cyber Task Force said. “It’s not a scientific term but what it represents is the sophistication of attacks, whether it’s the targeted attack, for example it might be a defense target or other systems of national importance, it’s often a type of malware that’s been customized by government. Sometimes it starts with plain old malware available elsewhere and [then is] customized, but more and more importantly, it often is a planted attack – some parts of it might be physical, some parts might be otherwise. The Ukrainian malicious activity has many of these attributes.”

Quade, in an address at an event hosted by AFCEA’s Bethesda chapter April 19, delved into the types of threats facing the U.S. and their characteristics. Russia, which remains the top cyber threat, tends to focus on intelligence, influence operations and preparing for future contingencies, Quade said. He warned that, often, front companies working either on behalf of the Russian government or in Russia’s interests can mask their intent. He urged the audience to “think about the services that you might be getting from companies” because some companies that provide network services might “have a back office back in Russia and sometimes there’s back offices in Russia that have affiliations with the Russian government.”

China on the other hand, is more interested in using cyberspace for economic advantage and the reverse engineering of products already on the shelves. Quade, Director of National Intelligence James Clapper and Commander of the U.S. Cyber Command Adm. Michael Rogers have all noted recently that the jury is still out in terms of Chinese compliance with an agreement, minted in September, not to engage in cyber activity for the purpose of economic advantage. The Intelligence Community is continuing to assess China’s compliance, although “[China’s] activity level is somewhat lower than prior to September 2015,” Rogers told lawmakers on the Senate Armed Services Committee earlier this month.

China does “continue to show an interest in critical infrastructures and key resources – their intent’s not well known there – but it is, Director Clapper acknowledges, their persistent interest in learning more about our critical infrastructures,” Quade added.

Rogers has told lawmakers that Russia – and to some measure China – has the capability to inflict serious harm on U.S. infrastructure. “We continue to see [China] engage in activity directed against U.S. companies,” he said. “The questions I think that we still need to ask is, is that activity then in turn shared with the Chinese private industry? We certainly acknowledge that states engage in the use of cyber as a tool to gain access and knowledge. The question or issue we’ve always had with the Chinese is, while we understand we do that for nations to generate insight, using that then to generate economic advantage is not something that’s acceptable to the U.S.”

The United States has also turned to indicting hackers and those that use cyberspace for malicious purposes as a means of demonstrating attribution capabilities and attempting to deter future actions. Many have called the first of these indictments – in 2014 against members of the Chinese People’s Liberation Army – a watershed moment.  Although those indicted are still within China, David Hickton, U.S. Attorney in the Western District of Pennsylvania, refuted common criticisms that the U.S. will never be able to get a hold of these individuals, noting that the same was said of Columbian drug lords 20 years ago.

In terms of the U.S. potentially going as far as bringing disputes against the Chinese to the World Trade Organization, leading to the possibility of large fines or even expulsion, he said at the AFCEA event, “I believe that we are headed that way.” 

Quade was less specific when it came to the other two nation-states typically included among the top cyber threats – Iran and North Korea. “Iran is hot and cold in terms of malicious cyber activity,” he said noting recent malicious activity against the U.S. Navy, financial sector and critical infrastructure. Rogers, in his Senate testimony, noted that Iran is improving its capabilities in cyberspace, but could be focusing its activity elsewhere. “We have not seen the same level of activity from them that we have seen historically in the past. I have seen some of that same activity directed at other nations and other groups around the world,” he told the Senate panel.

“North Korea is a nation of big words but it’s also looking to back up those big words by big actions,” he said, only adding that, aside from the Sony hack, it’s important to note that when a nation is backed into a corner, they generally have no choice but respond. 

Quade also briefly mentioned non-state actors such as ISIS but offered no details on U.S. actions against these groups or their capabilities. Currently, non-state groups such as ISIS have proven adept at coopting cyberspace to disseminate propaganda and incite violence but have not demonstrated a capability to inflict direct harm using cyber means. However, these groups are trying to develop these capabilities and the eventual “weaponization” of cyberspace by them is something that Rogers says keeps him up at night.