Danger Everywhere: All About Advanced Persistent Threats  (APTs)

In 2007, a U.S. Air Force colonel working on cybersecurity had urgent, actionable intelligence — but no easy way to turn his classified information into a warning the defense industry could act on. The Chinese government was conducting a deliberate, focused campaign of cyber espionage that threatened the entire defense industry. 

This was different from opportunistic hacking; it was a strategic, long-term effort to attack targets, regardless of how strong their defenses appeared to be. 

To make his point and rally a defense industry response, the Air Force officer, Col. Greg Rattray, coined the term “advanced persistent threat,” or APT. The name stuck. “There was a concerted effort from that point forward to partner with industry,” Rattray explained in a CyberWire podcast interview. “‘Advanced persistent threat’ was an Air Force term which turned into a DoD-wide effort to partner with the defense industrial base.”  

Over time the specifics of what constitutes an advanced persistent threat have changed. Attacks by foreign state actors are more sophisticated and potentially more damaging. But the dangers posed by advanced persistent threats remain clear: The defense industry must practice constant vigilance because some adversaries will never give up. 

In this interview, Michael Tanji, director of cybersecurity for MxD, the National Center for Cybersecurity in Manufacturing as designated by the U.S. Department of Defense, discusses what APTs mean for manufacturers and how suppliers can realistically defend against them.

Define the term “advanced persistent threat” as members of the Defense Industrial Base (DIB) should understand it.  

Michael Tanji: The origins of the term “advanced persistent threat” or APT go back to the mid-2000s. It was a way for people who were working on very specific classified cyber threats from a particular part of the world to be able to reference the problem with people who didn’t have security clearance, but still needed to be aware of what was going on in order to combat the threats. As the name implies, these actors are not run-of-the-mill hackers. They have the ability to develop and deploy capabilities above and beyond what ordinary hackers might be able to muster (“advanced”). More to the point, they have the ability to hide, adapt, and linger (“persistence”) in systems despite defensive measures that would stop most attackers.

Why are advanced persistent threats so serious?

M.T.: Outside of the largest prime contractors, most manufacturers and suppliers are not resourced to deal with APTs head-on. They simply don’t invest in the people or technology required to mount a credible defense. This doesn’t make them negligent or uncaring; it’s just a reflection of the fact that the vast majority of the sector is inadvertently being forced to fight in a much heavier weight class, with predictable results.

APTs are instruments of state power, operating in support of national strategic objectives. For the most part, but not exclusively, they’re not in it for the money or to prove how good they are; they’re trying to gain access to information or resources they don’t have in order to steal it (denial) or impede our ability to use it (disruption). Intellectual property theft was a goal for a long time, but today APT activity from certain regions is less about stealing data and more about assessing — and potentially degrading — our ability to manufacture, scale, and sustain capability.

Why is operational technology (OT) a major target area for APTs? 

M.T.: If you can disrupt or destroy OT, you can directly impact production — one of the core objectives of America’s adversaries. APTs are staffed with very smart people. Because of their connections to states, they have access to information and resources that allow them to develop capabilities beyond commodity IT (the domain of ordinary hackers) and into the OT domain.

The challenge with OT is that it was never designed with cybersecurity as a primary requirement. It’s designed to be installed and operated for years, and because it is hard if not impossible to update or upgrade (depending on the nature of the device), this makes APT activities in the OT domain particularly risky.

All digital manufacturing is vulnerable to APTs because of interconnectedness within manufacturers and supply chains. What’s the proper cybersecurity mindset?

M.T.: A connected supply chain reaps all of the benefits a connected company derives, at scale. So too do the risks expand up and down a supply chain. The smaller and further down the supply chain a company sits, the more attractive it becomes as an entry point, and the more likely its trust relationships will be exploited. 

Having subs or partners agree to contractual terms that specify that they will meet certain security requirements can be a powerful tool, albeit after the fact. Falsely attesting that you meet a standard can be grounds for a suit. It can also signal to the market that security is something to be taken seriously; you are not going to work with us unless you level up your cybersecurity game.

What are the first steps to take in defending against APTs? 

M.T.: Unless you’re a large prime with a highly capable cybersecurity team, you can stand up to an APT, but you should not expect to defeat one outright. What you need to do is make that loss as costly and time-consuming as possible, and you want to communicate and coordinate your actions afterward.

Strong, unique passwords, two-factor authentication, anti-malware defenses, a firewall: all the fundamentals are critical. They will be overcome in one way or another, but every hour and every dollar more you can impose in cost on them, the better.

When your response is complete and you’re back up and running, communicate up and down the supply chain to make sure people know what happened and what you did in response. There is no shame in letting people know you’ve been compromised; it happens to everyone. The more people know that someone they deal with has been targeted, the more attention the entire chain will pay to anomalies and suspicious events (is it a benign accident or an attack approach you haven’t seen before?).

You also need to notify the government. The more data points and evidence they have of APT activity, the more malice they can attribute to adversaries, the more consequences they can impose via political, economic, or other means.
