Two reports released Tuesday highlight the important role private actors are playing in cybersecurity defense. Cybersecurity company FireEye released a report on espionage activities by “APT28,” a group FireEye alleges is “sponsored by the Russian government.” In a second report, a coalition of security companies, led by Novetta, identified a sophisticated group dubbed “Axiom” that has directed cyber-espionage against companies, governments, journalists, and pro-democracy groups for the past six years. The report alleges Axiom is “part of the Chinese Intelligence Apparatus” and explains that the Novetta-led coalition performed “the first ever-private sponsored interdiction against a sophisticated state sponsored advanced threat group.” These reports, coupled with ongoing discussion about “hacking back” by victims of cyber intrusions, show the extent to which private actors are increasingly playing government-like roles in the cybersecurity arena.
My recent post on software bug bounties and zero-day vulnerabilities showcased governments acting like private actors by participating as customers in vulnerability markets, but these new reports show the flip side: private parties acting like governments.
First, FireEye’s APT28 report is private intelligence-gathering. FireEye bases its allegation that APT28 is Russian-government sponsored on multiple factors, including: use of Russian in APT28 malware, the alignment between malware “compile times” and the business day in Moscow and St. Petersburg, and the nature of its targets—a list that includes Georgian, Polish, and Hungarian government departments, NATO, and the Organization for Security and Cooperation in Europe.
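The compile-time indicator above is a simple analytic that can be reproduced. The following is an added illustration, not code from FireEye's report: it takes a set of constructed UTC compile timestamps (the kind a PE header's TimeDateStamp carries), converts them into candidate time zones, and scores each zone by the share of samples that fall within a local Monday-to-Friday 09:00-18:00 working day. The UTC+4 offset for Moscow reflects the offset in force for most of 2014 and is an assumption of this example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of UTC compile timestamps (not real APT28 samples).
SAMPLE_COMPILE_TIMES_UTC = [
    "2014-03-03 05:12:44", "2014-03-03 07:40:01", "2014-03-04 10:05:30",
    "2014-03-05 12:58:10", "2014-03-06 06:30:00", "2014-03-07 13:15:22",
    "2014-03-10 08:02:09", "2014-03-11 09:45:37",
    "2014-03-08 10:00:00",  # a Saturday: outside any business week
    "2014-03-12 22:30:00",  # late UTC evening: working hours only in the Americas
]

# Candidate zones as fixed UTC offsets (assumed; Moscow was UTC+4 in early 2014).
CANDIDATE_OFFSETS = {
    "UTC-5 (US East)": -5,
    "UTC+1 (Central Europe)": 1,
    "UTC+4 (Moscow, 2014)": 4,
    "UTC+8 (China)": 8,
}


def parse_utc(stamp: str) -> datetime:
    """Parse 'YYYY-MM-DD HH:MM:SS' as an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def business_hour_fraction(stamps, utc_offset_hours: int) -> float:
    """Share of timestamps landing Mon-Fri, 09:00-17:59 in the given offset."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    hits = 0
    for stamp in stamps:
        local = parse_utc(stamp).astimezone(tz)
        if local.weekday() < 5 and 9 <= local.hour < 18:
            hits += 1
    return hits / len(stamps) if stamps else 0.0


def rank_offsets(stamps, candidates=CANDIDATE_OFFSETS):
    """Rank candidate zones by fit; best first. Timestamps can be forged,
    so a high score is one corroborating signal, never proof on its own."""
    scored = [(name, business_hour_fraction(stamps, off)) for name, off in candidates.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for name, score in rank_offsets(SAMPLE_COMPILE_TIMES_UTC):
        print(f"{name:24s} {score:.0%} of samples inside local business hours")
```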
This isn’t the first time a private report has called out a government. In February 2013, Mandiant (a Virginia-based cybersecurity firm acquired by FireEye earlier this year) made headlines for a report calling out Chinese army unit 61398 for hacking hundreds of companies around the world. More recently, cybersecurity firm CrowdStrike published a report in June 2014 identifying another Chinese army entity, Unit 61486, as responsible for hacks of companies worldwide, particularly the satellite, aerospace, and telecommunications industries.
The main difference from government intelligence reports, of course, is that the companies made their reports public.
Second, the Axiom report is a combination of private intelligence-gathering and victim-assistance or counterespionage. Like the FireEye report, the Axiom report analyzes the nature of the compromises and identifies a nation-state—China—as the responsible party. The report alleges that the particular industries Axiom targets “fit in particularly well with China’s strategic interests and with their most recent Five Year Plans,” and notes that Axiom has also “gather[ed] information on domestic Chinese targets.”
The most striking aspect of the report is what the coalition of companies did about the compromises. The report explains that Novetta and Microsoft initially collaborated to counter one malware family Axiom deploys, but ultimately expanded the collaboration to include additional industry partners that could assist in addressing the full scope of Axiom malware. The group then distributed “the corpus of samples, analysis, and knowledge” via Microsoft’s Virus Information Alliance to “64 trusted industry partners in 22 separate countries for their own use, and to protect their customers.” The upshot is that, according to the report, “over 43,000 separate installations of Axiom-related tools have been removed from machines protected by” the partner companies. (The actions against Axiom do not appear to involve “hacking back”; rather, the report suggests that companies involved in the report, like Cisco and FireEye, purged the Axiom malware from machines pursuant to, for example, contractual agreements with their customers.) The Washington Post quotes Stephen Ward, a senior director of coalition member iSight Partners, explaining: “This is the beginning of what will hopefully be a long line of industry-coordinated efforts to expose these threat groups, and to do so without having to use law enforcement.”
Finally, even further along the government action spectrum is private “hacking back.” The terms “hacking back” or “active defense” are used to describe a variety of actions, ranging from planting fake data, to “beaconing” proprietary data so that it can be tracked if it is taken off a corporate network, to entering a server that stores stolen data in order to destroy it. Depending on where on the spectrum a “hacking back” action is, the private entity’s actions could look a lot like counterespionage, law enforcement, or even military action. Although U.S. laws, including the Computer Fraud and Abuse Act, prohibit unauthorized access to computer systems (among other things), The Washington Post recently reported that companies are increasingly discussing taking action and quoted sources suggesting that the U.S. government may be softening its prior opposition. According to the Post, “Former federal officials said they knew of cases when companies have reached beyond their own computer networks to find the source of an intrusion or to delete stolen data” and “they have also noticed a quiet acceptance on the part of federal agents.”
Although I’ve focused here on how private parties increasingly act like governments with respect to cybersecurity, the reverse remains true as well: As FireEye released its report on APT28, news broke that the White House’s unclassified computer network had been breached by “[h]ackers thought to be working for the Russian government.”