December 12, 2017
This article was written by TRAPWIRE President Dan Botsch and Director Michael Maness. Dan and Mike were senior officers and managers with the Central Intelligence Agency, covering issues ranging from counterterrorism to foreign intelligence operations. Their real-world experience, like others working at TrapWire, brings a unique perspective to our counterterror and counterintelligence services.
At its core, espionage is social engineering. Despite the Hollywood film and spy thriller depictions, being a good spy relies much more on understanding and manipulating people than on sophisticated technological gadgets. In an ideal situation, this social engineering occurs without the target ever being aware of the subterfuge. Hacking and other cyber operations work under the same principles: If I can learn your behaviors, motivators and triggers, I can often get you to do my bidding.
The following articles are great examples of this type of operational approach: German spy agency warns of Chinese LinkedIn espionage; Iranian Hackers Have Been Infiltrating Critical Infrastructure Companies.
Whether it is Chinese efforts to develop business intelligence sources via fake LinkedIn accounts, or (suspected) Iranian operations targeting critical infrastructure, in both instances social engineering came into play. In the latter example, the alleged Iranian hackers infiltrated an employee’s email account and then created legitimate-looking correspondence based on the employee’s email history. Contrary to some public perceptions, these “cyber-attacks” are not solely technical operations. Their ultimate goal is to contact and subvert a human being, thereby obtaining access and influence: exactly what real spies have done since time immemorial. The targets of these operations cannot simply rely on firewalls and other technology solutions; they must educate themselves and their workforce to recognize and report contact with suspicious actors.
The greatest vulnerability of any espionage operation is detection, and detection is most often achieved through information sharing. Catching a spy usually requires several organizations to share what each has seen in order to detect a pattern of activity. The same applies to cyber threats. The sheer volume of hacking and phishing attempts that occur every day makes it nearly impossible for law enforcement to run effective countermeasures; however, a common reporting database where both the private and public sector can analyze and share cyber threats could help all involved detect common trends and patterns, and significantly narrow the target list for investigations. The motivation for the private sector is clear: IP theft by various nefarious actors, including hostile foreign intelligence services, is a growing problem that costs US corporations hundreds of billions each year.
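The point above, that a single organization sees only an isolated event while a shared reporting database exposes the pattern, can be shown in a few lines. The following is an added illustration, not code from the article or from TrapWire: four hypothetical organizations submit reports of suspicious contact (phishing emails and unsolicited social-network approaches), each report carrying indicators the reporter extracted. The organization names, domains and profile strings are all constructed. On its own, no organization sees any indicator twice; the aggregated view finds indicators shared across organizations and then links co-occurring indicators into a single campaign cluster, tying the fake recruiter profile to the phishing infrastructure.

```python
"""Cross-organization correlation of suspicious-contact reports.

Added example (not from the original article or TrapWire). Models the
"common reporting database" idea: each participating organization submits
reports of suspicious contact; aggregating them exposes indicators that
recur across organizations and links them into campaigns. All report data
below is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ContactReport:
    org: str          # reporting organization (constructed name)
    channel: str      # "email" or "social"
    indicators: tuple # (indicator_type, value) pairs extracted by the reporter


# Constructed sample reports from four hypothetical organizations.
SAMPLE_REPORTS = [
    ContactReport("org-a", "email", (("sender_domain", "secure-invoice-portal.example"),
                                     ("link_host", "docs-login.example"))),
    ContactReport("org-a", "email", (("sender_domain", "newsletter.example"),)),
    ContactReport("org-b", "email", (("sender_domain", "secure-invoice-portal.example"),
                                     ("link_host", "docs-login.example"))),
    ContactReport("org-c", "social", (("profile", "linkedin:/in/jane-consultant-example"),
                                      ("link_host", "docs-login.example"))),
    ContactReport("org-d", "social", (("profile", "linkedin:/in/jane-consultant-example"),)),
    ContactReport("org-d", "email", (("sender_domain", "hr-benefits.example"),)),
]


def index_by_indicator(reports):
    """Map each (type, value) indicator to the set of organizations reporting it."""
    seen = defaultdict(set)
    for r in reports:
        for ind in r.indicators:
            seen[ind].add(r.org)
    return seen


def cross_org_indicators(reports, min_orgs=2):
    """Indicators reported by at least `min_orgs` distinct organizations,
    most widely recurring first; each entry is (indicator, sorted org list)."""
    seen = index_by_indicator(reports)
    hits = [(ind, sorted(orgs)) for ind, orgs in seen.items() if len(orgs) >= min_orgs]
    hits.sort(key=lambda h: (-len(h[1]), h[0]))
    return hits


def single_org_view(reports, org, min_orgs=2):
    """What one organization can conclude from its own reports alone."""
    own = [r for r in reports if r.org == org]
    return cross_org_indicators(own, min_orgs)


def campaign_clusters(reports, min_orgs=2):
    """Group recurring indicators that co-occur in the same report into
    clusters (union-find): one organization's phishing domain and another
    organization's suspicious recruiter profile may belong to one campaign."""
    recurring = {ind for ind, _ in cross_org_indicators(reports, min_orgs)}
    parent = {ind: ind for ind in recurring}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for r in reports:
        inds = [i for i in r.indicators if i in recurring]
        for a, b in zip(inds, inds[1:]):
            parent[find(a)] = find(b)

    clusters = defaultdict(set)
    for ind in recurring:
        clusters[find(ind)].add(ind)
    return sorted((sorted(c) for c in clusters.values()), key=lambda c: (-len(c), c))


if __name__ == "__main__":
    print("org-a alone sees:", single_org_view(SAMPLE_REPORTS, "org-a"))
    for ind, orgs in cross_org_indicators(SAMPLE_REPORTS):
        print(f"{ind[0]}={ind[1]} reported by {', '.join(orgs)}")
    for cluster in campaign_clusters(SAMPLE_REPORTS):
        print("campaign cluster:", cluster)
```

Raising `min_orgs` trades recall for precision: a higher threshold surfaces only infrastructure reused against many members, which is the narrowed target list for investigation the paragraph describes. The clustering step is what turns separate email and social-network reports into one pattern of activity.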