Frequently, I am asked about the most egregious vulnerabilities in our nation’s critical cyber infrastructure. It’s not surprising, as I have spent the last 20 years focused on different aspects of information security within governments, NATO militaries, and the Fortune 100. I’ve been fortunate to have made my way from a third-tier helpdesk technician to a specialized Cloud Identity Architect, just as identity has become the control plane for information security. Along the way, I spent five years defending one of the most attacked address spaces on the Internet, and I am all too aware of the numerous vulnerabilities presented by phishing in its many forms, social manipulation, poor software development practices, inadequate background checks, gaps and delays in account management, and lackadaisical vulnerability patching.
When I am asked what keeps me up at night, I don’t picture an anarchist hacker with “mad skilz.” The systems that are key to our nation’s critical infrastructure are mostly not connected to the Internet. They are, instead, “air-gapped,” which simply means that there is no network connection between those systems and the Internet and, in principle, no device that connects to both at different times. (That principle is only as good as its enforcement: removable media carried across the gap was Stuxnet’s path to the Iranian centrifuges.)
Instead, what worries me is a series of threats that, to most people, sound mind-blowing: malware embedded in hardware, backdoor access routines in firmware and drivers, and other, more insidious methods of gaining access and, ultimately, delivering success to our enemies.
There is a worse one. The greatest concern is an individual who is exactly what they appear to be: a person who obtained their job without subterfuge and holds permissions granting them legitimate access to critical systems. When hired, they would have been a perfect fit for the job, with exceptional skills, significant experience and strong references.
They would also have close family in China, or in a country adjacent to it. That is where our scenario for this article begins.
The Chinese government is not like ours; it openly does unspeakable things to its citizens to accomplish its goals, secure in the knowledge that meaningful resistance is beyond the reach of the population it controls. Welding citizens infected with the CCP Virus into their apartments to die, forced abortion, execution of dissenters (and billing the family for the round used to kill them), systematic rape, forced starvation and more are its modus operandi. These methods are standard and even expected in China. Its depravity, in pursuit of the accumulation and retention of power, is boundless.
Let’s call the person at the center of this article “Shénme.” Shénme holds a Master’s degree in Computer Science and specializes in integrating systems. She has significant experience and excellent references from employers in the United States and in China. She is highly intelligent and physically attractive. She even worked for a software company that devised some of the critical integration software used by the organization she will target. Shénme is, herself, also a perfect target.
Shénme was happy in her job. She had several friends among her coworkers with whom she spent her off time, and her manager appreciated her skills and relatively low salary. She lived the dream in SoCal and had even begun dating another developer with whom she could foresee a happy future, hopefully as a citizen of the United States.
Shénme was also a diligent daughter. She spoke to her father every Tuesday night. She knew her father enjoyed their conversations and looked forward to them. He was often alone on his nights away from the factory, since Shénme’s mother had died giving birth to Shénme’s sister.
Her parents had always wanted more children but had worried that they would be unable to provide for them. This changed in 2003, when Shénme’s father joined the Party and was able to get a job at a new factory 200 miles away. They lived in a rural area of China and, because their first child had been a daughter, were permitted to have a second.
One Tuesday night, Shénme called her father, and she could tell from the way he spoke that something was terribly wrong. He cut short her attempt at small talk and abruptly told her that someone else needed to speak with her, then put the other person on the line.
The new person gave his name as Mr. Lau. He did not say who he represented but told Shénme that he had a job for her. Shénme replied that she was happy in the job she was currently working and was not seeking another. Mr. Lau abruptly ended the call.
A few minutes later, Shénme’s phone rang with the ringtone that announced an incoming video call from her father’s phone. Shénme answered and gasped when the video stream appeared. In the jerky stream, she could see the main room of her family’s home in China. Her father, restrained in a chair and bleeding from an apparent beating, struggled against his restraints as Shénme’s younger sister, who at 16 still lived with him, was roughly and disrespectfully handled by four Chinese People’s Liberation Army soldiers.
The video shifted to show a man whose voice Shénme recognized as Mr. Lau’s, dressed in a red shirt that identified him as a mid-level member of the local Chinese Communist Party (CCP).
“If you do not do as we wish, we will return every night to beat your father and rape your sister until they die from the misfortune of having such a stubborn daughter and sister,” said Mr. Lau.
Shénme, shocked to her core by what she was seeing, quickly said, “Mr. Lau, I am sorry. I did not understand. Please don’t hurt them. I will do as you say.”
Mr. Lau spoke roughly to the soldiers, and they immediately stood back from Shénme’s sister. She scuttled over to Shénme’s father and hugged his leg as she cried softly.
“You will apply for a job at Acme Energy as an integration architect,” said Mr. Lau. “When you have accomplished this, you will tell your father on your normal Tuesday call. He will notify me.”
“It will take some time for me to prepare,” said Shénme. “I have many projects I will have to hand over at my current job.”
“Take whatever time you need to avoid undue attention,” said Mr. Lau, “but you must move without pause, or I will begin to believe that you are not adequately motivated to do what we require.”
“I understand,” Shénme replied, and the video call ended.
The next day, Shénme made a list of her projects and spoke with her manager, telling her that she felt the need for a change. Her manager was surprised but wanted to be supportive of Shénme’s ambitions. She tried to arrange an offer of promotion and a raise, but, in the end, Shénme left.
Shénme ended the relationship with her boyfriend and became distant from her coworkers. She had decided she would have to do whatever it took to keep her father and sister safe. She had developed a love for America and its freedoms, but her family…
The narrative above is only one of many possible combinations. The compromised individual doesn’t have to be Chinese. I have seen evidence that this can also happen to citizens of other countries neighboring China. Chinese intelligence services have no fear of crossing borders and kidnapping people, and neither do North Korea’s and others. The international news often covers such occurrences. Shénme, in our story above, is a Chinese national in the United States on a work visa. It could just as easily be a “Frank” who grew up in the American Midwest and subsequently fell in love with and married a “Shénme” whom he met in college. Her family could be leveraged in exactly the same manner.
Even the strictest commercial background check will not identify threats like our theoretical Shénme; there is nothing in her history to find. American companies and their management are so naïve that all they see is the low salary and high expertise, and they rush to acquire it. Coerced, deep-cover assets like Shénme may remain in place for years, never doing anything suspicious, until they are either moved by their handler or activated, all the while becoming more and more trusted by the organizations they are there to betray.
If they are activated, it may simply be to steal information to which they have legitimate access or, in other scenarios, to completely disrupt their company’s information systems at a key moment.
They have no choice in what they do. If they are discovered, they go to prison and their families are punished by the CCP. If they are not, the impact on their lives is still disastrous, as the stress of a double life builds up.
That is what keeps me up at night. No hacking cell can do the long-term, undetected damage one of these assets can do. This is one of the greatest threats we face today in information security. American-based corporations spend, by some estimates, hundreds of billions of dollars per year on solutions to keep their companies secure, but every Chief Information Security Officer’s nightmare is a trusted insider turned against them.
It is often estimated that only around 20% of security breaches originate with outside hackers, with the other 80% attributable to the actions of employees; the exact split varies with the study and with how a “breach” is defined. To be fair, most of those employee actions are as simple as losing a laptop with company data or handing credentials to an attacker in response to spear phishing; very few are complex scenarios such as the one above.
In Shénme’s case, she was directed to join Acme Energy, a fictional electrical utility that, in our scenario, controls the power grid for much of the Northeastern United States. That company then placed Shénme in a critical role integrating the systems of merged and acquired companies, which gave her access to the systems that control the grid. Even after being warned about the potential for “irregularities,” the company is persuaded to trust her by her references, expertise, dutiful demeanor, beauty and subtly shared dislike for her home country’s government. That is why she was chosen, after all.
The real concern, of course, is that it wouldn’t be just one Shénme. The larger concern stems from the expectation of multiple layers of Shénmes, spread across every company and governmental entity that our enemy’s plans call for disabling. Imagine the impact of the grid going down, governmental disaster communications going offline, and the financial systems of the largest banks and supporting government infrastructure dropping simultaneously, then “hiccupping” or flagging erratically. All would take varying times to bring back online and stabilize, but some, because of the people running them, might be unrecoverable for some time (sabotaged backups or recovery plans, for instance). The hit to markets would be severe, and serious stability issues would more than likely emerge within our society.
The worst part about this vulnerability is that American organizations are now addicted to these cheap resources and will fight tooth and nail to retain access to them. More than 430,000 Chinese nationals have traveled to the United States since January of this year (and there was a ban on travel for a portion of that time). They hold positions of importance in our corporations, our government, our universities and consulting companies. Their advanced degrees are coveted by government contractors because of the degree requirements written into our government’s procurement processes. The normalcy bias afflicting our civilian institutions is so strong that they are blind to the malevolent potential, even when presented with these scenarios by government authorities. Their pursuit of profit and rising stock prices blinds them.
The FBI, which is responsible for our nation’s counterintelligence efforts, would probably never identify Shénme. Her communications are entirely with her father, and, since she has been in the US for some time, this pattern would not raise any eyebrows. The infrequency of instructions and reports back would further reduce the likelihood of detection. Her first trip home would bring a fast crash course in spycraft.
It is only recently that deep-cover threats like Shénme have been acknowledged in information security. Nobody likes to talk about it, because there is no reliable way to identify who may pose such a threat, and discussion of this nature immediately opens one up to charges of xenophobia.
What each of us can do is keep our eyes open for suspicious behavior. If you work in a critical, targeted industry, you may find that a Shénme sits next to you and goes out to lunch with you every day.
The best lie is, after all, always a truth with omissions.