BY MARTIN DAKS, CONTRIBUTING EDITOR
NEWARK, NEW JERSEY-BASED Assistant Special Agent in Charge (SAC) Christopher K. Stangl has been with the FBI for more than a decade, investigating criminal computer intrusions, Internet fraud and other issues. The Newark office helped to crack a case involving two Iranian men who were charged in November with deploying SamSam ransomware, which crippled the operations of more than 230 hospitals, municipalities, public institutions and other critical networks in the United States and Canada.
More than $6 million in ransom payments were extorted, and the affected public and private institutions suffered an estimated $30 billion in damages. COMMERCE spoke with SAC Stangl about where the biggest threats to national security are originating, the kinds of cyber-risks companies face and some best practices to guard against hackers.
COMMERCE: Are any businesses at particular risk of a cyberattack?
CHRISTOPHER K. STANGL: Many kinds of companies and other organizations, across the spectrum, are affected. The businesses themselves, their employees, their customers and national security are all targeted. Even agricultural companies can be targeted, with attackers seeking their formulas and processes. Competitors want to find out how we engineer and harvest seeds.
Q. Who’s behind these attacks?
A. The No. 1 threat today is the government of China. But the United States is also under attack by Russia—which tried to influence the 2016 election—and Iran. They’re using malware and other means to try to get our intellectual property, and sensitive trade and military information. They’re also targeting the U.S.’s pharmaceutical industry.
Also, when U.S. companies want to do business in China, they often have to first enter into a joint venture with a China-based firm. This provides the U.S. company with access to the China market, but it also opens the door for the China business to steal U.S. secrets. We spend money on R&D, and China spends time and money on reverse engineering our secrets.
Consider the January indictment of Huawei Device Co., Ltd. and Huawei Device Co. USA with theft of trade secrets conspiracy, attempted theft of trade secrets, seven counts of wire fraud and one count of obstruction of justice. The indictment detailed Huawei’s efforts to steal trade secrets from T-Mobile USA and noted an internal Huawei announcement that the company was offering bonuses to employees who succeeded in stealing confidential information from other companies.
Q. When does the FBI get involved, as opposed to a local police department?
A. That’s usually based on federal statutes and international partnerships. We can’t investigate everything.
Q. What can companies do to try to protect data?
A. Assess what information you own—including IP, customer data, blueprints and other sensitive information—and then protect it. Be on guard against cyberattacks, but also remember that companies and foreign intelligence services may send individuals or academics to penetrate a company here and access sensitive data. We support cultural and other exchanges, but we have to guard against subversive attempts.
Q. What are some best practices to secure sensitive data?
A. There are four basic steps. Protection, which involves safeguarding your data and systems. Detection, which involves identifying security events and incidents. Response, which focuses on what you’ll do if you do have an incident. And Recovery, or how you’ll come back from an attack or other incident. Securing your network architecture—including segmenting the network instead of linking everything by a central access point—can help to limit cyber incidents. Also, consider maintaining your most sensitive information on a private network that’s not connected to the Internet.
User access should be restricted on an “as needed” basis. For example, an employee in accounting shouldn’t be able to access the payroll system. Multifactor authentication—typically a password and something else, like a dongle [a small adapter that plugs into a computer and enables the use of certain software]—should be utilized, and companies should also require employees to use a strong password. On an ongoing basis, employees should be educated about security policies, and the policies and systems should periodically be tested.
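The "as needed" access rule and the multifactor requirement in the answer above can be expressed as a deny-by-default authorization check. The following is an added example written for this article, not code from the FBI or from any system the interview describes; the roles, systems, user directory and the `authorize` / `users_with_access` functions are all constructed for illustration.

```python
"""Least-privilege access check: deny by default, grant by role, and require
multifactor authentication on the most sensitive systems.
Added example; all names below are hypothetical."""
from dataclasses import dataclass

# Hypothetical role -> {(system, action)} grants. Anything not listed is denied,
# so an accounting employee gets no path to payroll at all.
ROLE_GRANTS = {
    "accounting": {("general_ledger", "read"), ("general_ledger", "write"),
                   ("expense_reports", "read")},
    "hr": {("payroll", "read"), ("payroll", "write"), ("hr_records", "read")},
    "it_support": {("ticketing", "read"), ("ticketing", "write")},
}

# Systems holding the most sensitive data: a password alone is not enough.
MFA_REQUIRED = {"payroll", "hr_records"}

# Constructed user directory used for the audit helper and the demo below.
USER_ROLES = {
    "alice": {"accounting"},
    "bob": {"hr"},
    "carol": {"it_support"},
}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: frozenset          # roles the user actually holds
    system: str
    action: str
    mfa_verified: bool = False  # True only after a second factor was checked


@dataclass
class Decision:
    allowed: bool
    reason: str


def authorize(req: AccessRequest) -> Decision:
    """Deny unless some held role grants (system, action); then enforce MFA."""
    granted = set()
    for role in req.roles:
        granted |= ROLE_GRANTS.get(role, set())
    if (req.system, req.action) not in granted:
        return Decision(False, f"no role of {req.user} grants {req.action} on {req.system}")
    if req.system in MFA_REQUIRED and not req.mfa_verified:
        return Decision(False, f"{req.system} requires multifactor authentication")
    return Decision(True, "granted by role")


def users_with_access(user_roles: dict, system: str) -> list:
    """Audit helper: which users can reach a system through any role/action.
    Periodically reviewing this list is one way to test the policy."""
    result = []
    for user, roles in user_roles.items():
        reachable = any(sys_ == system
                        for role in roles
                        for sys_, _ in ROLE_GRANTS.get(role, set()))
        if reachable:
            result.append(user)
    return sorted(result)


if __name__ == "__main__":
    demo = [
        AccessRequest("alice", frozenset({"accounting"}), "payroll", "read"),
        AccessRequest("bob", frozenset({"hr"}), "payroll", "read"),
        AccessRequest("bob", frozenset({"hr"}), "payroll", "read", mfa_verified=True),
    ]
    for req in demo:
        d = authorize(req)
        print(f"{req.user} -> {req.action} {req.system}: {'ALLOW' if d.allowed else 'DENY'} ({d.reason})")
    print("users who can reach payroll:", users_with_access(USER_ROLES, "payroll"))
```

The two checks are deliberately ordered: the role grant is evaluated first so that an MFA prompt is never shown to someone who should not reach the system at all, and the audit helper gives the periodic review the answer calls for a concrete starting point.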
Q. What are some other cybersecurity defenses?
A. Encrypt sensitive data [so even if a hacker gets it, the information may not be usable], and maintain your system’s firewalls. Monitor inbound and outbound traffic as a way to detect intruders and compromised systems—for example, is your payroll computer suddenly sending out customer information? Establish a baseline of “normal” computer activity, like the applications that are typically running at certain times of the day, and then monitor the systems and be aware of abnormal activity.
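The baseline-then-watch-for-deviation approach in the answer above, applied to outbound traffic, is shown below as an added example written for this article; it is not code from the FBI or from any product. The log format, host names, addresses and byte counts are constructed, and the `build_baseline` / `find_anomalies` functions and the three-standard-deviation threshold are illustrative choices, not a stated FBI method.

```python
"""Build a per-host baseline of normal outbound traffic, then flag records
that deviate from it (new destination, or volume far above the usual).
Added example; the log lines below are constructed."""
import statistics
from collections import defaultdict

# Constructed hourly outbound summaries: timestamp, source host, destination, bytes sent.
BASELINE_LOG = """\
2019-03-04T09:00 payroll-01 10.0.5.20 12000
2019-03-04T10:00 payroll-01 10.0.5.20 15000
2019-03-04T11:00 payroll-01 10.0.5.20 11000
2019-03-05T09:00 payroll-01 10.0.5.20 13000
2019-03-05T10:00 payroll-01 10.0.5.20 14000
2019-03-05T11:00 payroll-01 10.0.5.20 12500
2019-03-04T09:00 web-01 203.0.113.9 500000
2019-03-04T10:00 web-01 203.0.113.9 480000
2019-03-05T09:00 web-01 203.0.113.9 510000
2019-03-05T10:00 web-01 203.0.113.9 495000
"""

# Constructed "today" records: the payroll host suddenly pushes a large
# volume to an address it has never talked to before.
TODAY_LOG = """\
2019-03-06T09:00 payroll-01 10.0.5.20 12800
2019-03-06T10:00 payroll-01 198.51.100.77 48000000
2019-03-06T11:00 payroll-01 10.0.5.20 11900
2019-03-06T09:00 web-01 203.0.113.9 505000
2019-03-06T10:00 web-01 203.0.113.9 490000
"""


def parse(log: str) -> list:
    """Split whitespace-separated records into (ts, host, dst, bytes) tuples."""
    records = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, host, dst, nbytes = line.split()
        records.append((ts, host, dst, int(nbytes)))
    return records


def build_baseline(records: list) -> dict:
    """Per host: the set of destinations seen, and mean/stdev of hourly bytes out."""
    dests = defaultdict(set)
    volumes = defaultdict(list)
    for _, host, dst, nbytes in records:
        dests[host].add(dst)
        volumes[host].append(nbytes)
    return {
        host: {
            "dests": dests[host],
            "mean": statistics.mean(vols),
            "stdev": statistics.pstdev(vols),
        }
        for host, vols in volumes.items()
    }


def find_anomalies(baseline: dict, records: list, sigma: float = 3.0) -> list:
    """Return (ts, host, reason) for each record that deviates from the baseline."""
    findings = []
    for ts, host, dst, nbytes in records:
        profile = baseline.get(host)
        if profile is None:
            findings.append((ts, host, "host never seen in baseline"))
            continue
        if dst not in profile["dests"]:
            findings.append((ts, host, f"new destination {dst}"))
        threshold = profile["mean"] + sigma * profile["stdev"]
        if nbytes > threshold:
            findings.append((ts, host, f"outbound volume {nbytes} exceeds baseline {threshold:.0f}"))
    return findings


if __name__ == "__main__":
    baseline = build_baseline(parse(BASELINE_LOG))
    for ts, host, reason in find_anomalies(baseline, parse(TODAY_LOG)):
        print(f"{ts} {host}: {reason}")
```

Both signals fire on the same record here, which is the pattern the answer describes: a system that normally talks only to an internal address is suddenly sending far more than usual somewhere new. In practice the baseline window, the threshold and the list of "known" destinations would be tuned per environment, and a new destination on its own is often only worth a lower-priority alert.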
Q. Do you think we’ll ever be totally secure online?
A. That’s a complex question. We deal with constant change and an evolving landscape of hardware and software. We need continuing joint efforts involving developers and private individuals and government resources. We’re getting better, but there’s a lot left to do. Once an attacker acquires your IP or other information, we can investigate the attack and perhaps initiate a legal response—but we can’t undo the damage.