We are in a cyber war with China, and your college or university may be ground zero. That is according to a report by The Epoch Times describing a Chinese military propaganda documentary that inadvertently revealed cyber attack software developed at a Chinese military university. During the demonstration, the software was used to launch a cyber attack against a Falun Gong website using an IP address belonging to the University of Alabama in Birmingham (UAB).
The Epoch Times article includes a translation of the screen and of the video around the still shot shown above, and offers the following details:
The screenshots show the name of the software and the Chinese university that built it, the Electrical Engineering University of China’s People’s Liberation Army—direct evidence that the PLA is involved in coding cyber-attack software directed against a Chinese dissident group.
The software window says “Choose Attack Target.” The computer operator selects an IP address from a list—it happens to be 220.127.116.11—and then selects a target. Encoded in the software are the words “Falun Gong website list,” showing that attacking Falun Gong websites was built into the software.
A drop-down list of dozens of Falun Gong websites appears. The computer operator chooses Minghui.org, the main website of the Falun Gong spiritual practice.
The IP address 18.104.22.168 belongs to the University of Alabama in Birmingham (UAB), according to an online trace.
The shots then show a big “Attack” button on the bottom left being pushed, before the camera cuts away.
Cyber War Security
Very few college or university CIOs concern themselves with cyber war, let alone with the security requirements needed to safeguard institutional assets and reputation. We certainly do have a number of universities engaged in research or other activities covered by export controls. But ITAR and EAR are just not quite up to the challenge: they focus on the activities governed by export controls and are therefore not all-encompassing. It is possible that one or two universities are covered by the requirements of the National Infrastructure Protection Plan, but as with export controls, it is not all-encompassing.
No, the vast majority of campus CIOs have enough of a challenge with FERPA, HEOA, HIPAA, Red Flags, GLBA, PCI, and a few others. My own experience was filled with challenges getting anyone to take cyber threats seriously enough to go beyond the bare minimum; the thinking was “who is going to attack us?” and, if they did, “who would sue a public college?” That is the “we don’t need to be world class” mindset that is unfortunately all too common, until someone’s email account gets compromised through human error and then we drop everything.
Cyber War is Escalating
Many argue that the recent news stories of cyber attacks and hacks are just the beginning, as private and foreign interests execute their attacks as a dress rehearsal for the big one yet to come. Many CIOs and college executives might catch a story from time to time, but the target is always someone else, which contributes to CIOs becoming desensitized to the growing threat level.
I don’t subscribe to using FUD to promote security, so let me illustrate with some recent events.
- Aug 20th: a cyber attack hits 350,000 Epson Korea customers. Phone numbers, email addresses, names and coded data were compromised.
- Aug 3rd: a massive cyber attack targets UN and US sites in what is considered one of the largest espionage attacks to date.
Many of these cyber war attacks were likely carried out in the same manner as the method shown in the documentary: an operator opens a utility, selects the target and a third party to vector the attack through, clicks, and it’s done. Just in case you are not convinced, here is the full documentary, which begins with the cyber attack demonstration.
Cyber War Threat Mitigation
CIOs for institutions of all sizes need to consider more robust models for mitigating the threat from cyber war. Again, this isn’t about protecting your own assets and high-value targets for compliance; it is about ensuring that your assets are not compromised and converted for use as threat vectors in the war.
At a minimum, a review of FIPS and FISMA is a great place to start for federal programs, as are NIST and ISO. But this is where it gets tricky. Many of the organizations compromised recently would presumably have had to comply with one or more of these standards. So is this just another form of security theater? Perhaps, but if you do not exercise due care you are more likely than ever before to be found negligent and liable should there be an incident.
In the end it all begins with a reasonable top-down approach that is risk-based. A risk assessment is essential, and it is already required by several compliance programs that higher education must comply with. IT controls need to be documented and regularly tested, both by management and by independent third parties. There must be formal (that means documented) IT governance in place, complete with policies, procedures and standards.
But that is just the mechanics of threat mitigation. Real cyber war security comes through culture, which starts with leadership. That is the only pathway to defense in depth and to reducing your threat profile enough that you minimize the likelihood of being compromised.