If you had asked me a few years ago, I might have predicted that the rise of large scale hacking and network-based Advanced Persistent Threats (APTs) would spell the end of old-school espionage (poison-tipped umbrellas, office break-ins, dangles and the like). Those of us who fancy ourselves logical, savvy cyber security specialists can be forgiven for thinking such analog antics wouldn’t persist in a digital world.
And yet, human espionage remains a nagging issue. A Russian spy ring was disrupted in New York in January. New stories about employees stealing trade secrets from their employers regularly make headlines, such as this one in May. More than one article alleges that Vienna and Lausanne (home to recent Iranian nuclear negotiations) are swarming with spies from Tehran. And these are just the stories that get reported.
There is no question that spycraft is changing with the times. Recent, damaging breaches of US government employee information—amply documented elsewhere—provide some interesting hints as to how:
- Re-prioritized: In some cases, information is accessed via a contractor, sometimes a foreign national. This is nothing new; spies have walked through the front door with contractor badges before. But now, what they want is not stored inside a locked file cabinet, inside a locked office. It’s in a marked folder. It’s easy to find. It fits in a pocket.
- Spies and criminals work within budgets too, so they go after ‘bang for the buck’. Traditionally, classified government systems were the big prize, but the value of corporate data and trade secrets is rising. It may actually be cheaper to recruit an employee with access at a targeted company (or its partner) than to breach firewalls remotely.
- Hybrid: For spies (as opposed to criminals), personal information may not be valuable in and of itself. It is a means to an end. Admittedly, the blackmail value of personal information of cleared government employees may be overstated, but combined with frequent flyer or health information, it could give intelligence services valuable ammunition for social engineering. Comparatively un-glamorous bureaucracies may get less attention and protection than fully classified government networks—until they are ransacked and their collateral value becomes the topic of Congressional hearings.
- The point here is that APTs almost always involve multiple steps: some digital, and some time-honored espionage tradecraft. Malware is combined with social engineering to compromise digital certificates, for example. If your information is valuable, someone will find a way to get around your defenses. It may start with HR files.
- Opportunist: Spies have always been opportunists. In the old days, that meant an unlocked door or a propped-open emergency exit. What’s different now is what the ‘bad guy’ finds when he walks through the door, and the ease with which he can walk out with it literally in his pocket.
- We should not be surprised when we hear that stolen data was either stored or transmitted in the clear. Failure to encrypt is not a laziness problem. Security software is notoriously difficult to use. If information security experts are to enforce encryption and security requirements, it needs to be easier to use. There are no networks that are 100% secure, but having reliable, easy-to-use systems would go along way toward increasing adoption and implementation.
With old-school espionage alive and thriving in the digital world, security specialists may want to keep these old tricks in mind.