Operation Buckshot Yankee: The Primary Point of Weakness
By Jeffrey Higa
Operation Buckshot Yankee was a damaging incident that became a turning point in cyber security for the U.S. government. It established cyberspace as the dominant new war-fighting domain and made the need for stronger cyber security unmistakable. This paper describes the event known as Operation Buckshot Yankee, how and why it happened, a solution that could have prevented it, and similar events. It identifies what I consider the main point of weakness in the situation and proposes how that weakness can be strengthened through proper people management and training. I provide explanations and examples to give a clear view of how the incident could have been prevented, statistical data to support my findings, and a personal example of a real situation that recently occurred in my career. Estimating the monetary and reputational cost of such incidents shows how valuable data can be and what a simple mistake, such as using an unknown flash drive, can cost. In conclusion, I offer a possible solution to the problem and my personal view of how it applies not only to this event but to our everyday work in IT and IT security.
Operation Buckshot Yankee is based on a cyber security incident that took place in the Middle East in 2008. The event was a turning point in the history of U.S. cyber defense: malicious code gained a foothold inside classified networks from which data could be transferred out. Operation Buckshot Yankee was the name of the operation to stop the malicious code, which was carried on a flash drive found in the Middle East. The flash drive was inserted into a laptop connected to U.S. Central Command networks, and the code spread through both classified and unclassified military networks, giving the adversary a path to steal the information on those systems.
According to Lynn (2010), U.S. government systems are probed and scanned by adversaries millions of times every day, but this attack was an example of a probe that succeeded. Lynn also notes that, across intrusions of this kind, adversaries have acquired thousands of files from U.S. networks and those of allies and industry partners, including weapons blueprints, operational plans, and surveillance data. After this incident the government recognized the need for stronger cyber security and for building defenses in cooperation with allies. In response to the attack, the Department of Defense formally recognized cyberspace as a domain of warfare and began work on rules for operating in it.
As of 2008, the intrusion behind Operation Buckshot Yankee was described as the most significant breach of U.S. military computers to date (Nakashima, 2010). Lynn (2010) presents it as the introduction of a new kind of warfare in a new domain, cyberspace, where traditional laws of war do not map cleanly. Cyberspace has become a primary avenue of attack because such attacks are relatively inexpensive: they require trained people and computers rather than large, costly equipment such as tanks and jets.
According to another article by Nakashima (2011), the NSA was alerted by a signal from inside a U.S. system attempting to communicate back to the code's creator. The NSA then found a program that had infected the classified network and was attempting to send data out. Investigators traced the code to the thumb drive mentioned above and found that it searched for documents of interest and copied itself to any other thumb drive connected to an infected machine. The malicious program, called Agent.btz, infected the host computer and spread over the network to other computers; every flash drive plugged into an infected computer was infected in turn and carried the worm further. The article also notes that the code had been circulating on the public Internet for months before the incident but had not reached government systems, which were isolated from public networks. That isolation, however, meant defenders had no opportunity to observe the code until it arrived on the classified network. The situation highlights the danger of insider threats, whether intentional or accidental. In the case of Buckshot Yankee, the carelessness of one individual created an insider threat that compromised a system otherwise isolated from outside attackers.
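The propagation mechanism described above, a worm that copies itself to every removable drive it meets, depends on the drive launching something when it is inserted. Public malware analyses of Agent.btz (not this essay) report that it did this with a Windows autorun.inf file placed on each infected drive, and that is the assumption behind the following scanner. It is an added example, not code from the original essay or from any official investigation: it inspects a mounted drive for an autorun.inf, extracts only the directives that can launch a program (`open`, `shellexecute`, and `shell\<verb>\command`), lists the executables and DLLs those directives reference, and checks which of them are actually present on the drive. The sample autorun.inf and the mount layout are constructed for the demonstration.

```python
"""Flag launch-capable autorun.inf directives on removable media.

Added example (not from the original essay). Assumes the removable-drive
worm spreads through a Windows autorun.inf, as public analyses of Agent.btz
report. All file contents and paths below are constructed for illustration.
"""
import os
import tempfile
from dataclasses import dataclass, field

# [autorun] keys that make older Windows versions run a program on insertion.
LAUNCH_KEYS = ("open", "shellexecute")
# Extensions worth reporting when they appear in a launch directive.
EXECUTABLE_EXT = (".exe", ".dll", ".com", ".scr", ".bat", ".cmd", ".vbs", ".js")


@dataclass
class AutorunFinding:
    path: str                                   # the autorun.inf that was parsed
    directives: dict = field(default_factory=dict)   # key -> raw launch value
    referenced: list = field(default_factory=list)   # executables named in directives
    present: list = field(default_factory=list)      # those that exist on the drive


def parse_autorun(text):
    """Return {key: value} for launch-capable directives in an autorun.inf body.

    A hand-written parser is used instead of configparser because worm-written
    files often contain junk lines that would make a strict INI parser bail out.
    """
    directives = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")      # tolerate a UTF-8 BOM
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        launches = key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))
        if launches and value:
            directives[key] = value
    return directives


def _tokens(value):
    """Split a command line on whitespace, keeping double-quoted paths intact."""
    toks, cur, quoted = [], "", False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                toks.append(cur)
                cur = ""
        else:
            cur += ch
    if cur:
        toks.append(cur)
    return toks


def referenced_files(value):
    """Executables/DLLs named in a launch value, including rundll32 'x.dll,Entry' args."""
    files = []
    for tok in _tokens(value):
        candidate = tok.split(",", 1)[0]         # strip a rundll32 entry-point suffix
        if candidate.lower().endswith(EXECUTABLE_EXT):
            files.append(candidate)
    return files


def scan_mount(mount):
    """Return an AutorunFinding for a drive root, or None if nothing can launch."""
    inf = next((os.path.join(mount, n) for n in os.listdir(mount) if n.lower() == "autorun.inf"), None)
    if inf is None:
        return None
    with open(inf, encoding="utf-8", errors="replace") as fh:
        directives = parse_autorun(fh.read())
    if not directives:
        return None                              # icon/label-only file: harmless
    finding = AutorunFinding(path=inf, directives=directives)
    for value in directives.values():
        for ref in referenced_files(value):
            finding.referenced.append(ref)
            rel = ref.replace("\\", os.sep)
            if rel.startswith("%") or rel[1:2] == ":" or os.path.isabs(rel):
                continue                         # system path, not on the drive itself
            if os.path.exists(os.path.join(mount, rel)):
                finding.present.append(ref)
    return finding


# Constructed sample in the style of a worm-written autorun.inf (not a real capture).
SAMPLE_AUTORUN = (
    "[autorun]\r\n"
    "open=\r\n"
    "icon=%SystemRoot%\\system32\\shell32.dll,4\r\n"
    "shell\\open=Open\r\n"
    "shell\\open\\command=rundll32.exe .\\RECYCLER\\update.dll,Start\r\n"
)


def demo():
    """Build a fake drive in a temp directory and scan it."""
    mount = tempfile.mkdtemp(prefix="usb_")
    os.makedirs(os.path.join(mount, "RECYCLER"))
    with open(os.path.join(mount, "RECYCLER", "update.dll"), "wb") as fh:
        fh.write(b"MZ")                          # placeholder payload, not real code
    with open(os.path.join(mount, "autorun.inf"), "w") as fh:
        fh.write(SAMPLE_AUTORUN)
    return scan_mount(mount)


if __name__ == "__main__":
    f = demo()
    print("launch directives:", f.directives)
    print("referenced:", f.referenced, "present on drive:", f.present)
```

The scanner deliberately ignores `icon=` and `label=` entries, which legitimate USB sticks use, so a hit means the drive is configured to run something, exactly the behaviour a policy of never plugging in unknown media is meant to stop. On a modern Windows host AutoRun from removable media is disabled by default, so this is a triage tool for found media and older images, not a substitute for the media ban discussed later in the essay.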
Operation Buckshot Yankee was the government's planned operation to shut down Agent.btz and stop the theft of government data. Analysts studied the code and saw that it was beaconing out for instructions on what to do next. The NSA's Tailored Access Operations team devised a plan to make the code deactivate itself by answering it with instructions to shut down. After testing, the instructions were sent across the network and the malicious code was neutralized. Although the operation succeeded in halting the incident, the adversary had by then had months of access to the compromised networks.
This incident led to a ban on thumb drives on Department of Defense systems to prevent a similar incident from happening again. The flash drive was found in the Middle East, and according to Goodin (2010) the code was believed to originate from Russia, but there is no solid evidence proving this. Goodin also describes how government systems are under constant threat of cyber attack, and how a dozen computer hackers could drastically cripple U.S. government networks if they found a network vulnerability. This shows how drastically times have changed: cyberspace is the new arena in which attacks are launched. A dozen people at computers could, in principle, do grave harm to a country in an extremely cost- and labor-efficient manner. Loss of life on the attacker's side would be minimal compared to a kinetic attack, and the damage could take the form of disrupted services or stolen data, as in Buckshot Yankee. A good example of disrupted services is the 2007 attack on Estonia described by Richards (2009). Distributed denial-of-service attacks were launched against Estonia in protest at the relocation of a politically charged statue. The attacks lasted three weeks and deliberately targeted banks and other essential services to cripple the country's technological systems. Shutting down essential services can cause chaos and leave a country vulnerable if an adversary chooses to take advantage of the situation. Taken together, the damage from cyber warfare and cyber attacks could be worse than kinetic war, or could lead to additional kinetic war.
Operation Buckshot Yankee is a clear example of how conflicts are likely to be fought in this era and in the future. Cyber attacks are an extremely inexpensive and efficient way to cause significant damage with minimal effort. Because of the nature of cyberspace, attacks are also very difficult to attribute and regulate. Traditional laws do not apply cleanly, since cyberspace has no clear boundaries. As Maj. Gen. Charles J. Dunlap, USAF (2009) describes, the definition of cyberspace itself is still unclear and unsettled, and without a proper definition it is difficult to write accurate laws for this new war-fighting domain. The only real protection mentioned in that article is for nations to take responsibility for their own actions and those of their citizens. In the case of Operation Buckshot Yankee, the cause was the unintentional irresponsibility of a single U.S. individual. Because threats are hard to trace and cyberspace has no borders, it is almost impossible to assign blame to a particular country or individual, especially one located abroad. In Buckshot Yankee, although the infection began in the Middle East, the code is believed to have come from Russia, and there is no way to prove it conclusively.
This brings me to my central point: the primary point of weakness in any cyber security system is human error. I believe people cause the most problems in any technology environment, regardless of the situation; computers are controlled by people, and it is the people who cause the problems. Another comparable example is the recent theft of credit card information from Target. According to Riley, Elgin, and Matlack (2014), malware had been installed on Target's point-of-sale systems to steal card data as cards were swiped. Target had deployed a FireEye malware detection system before the breach, and it raised alerts to the company's security staff and management, but the alerts were not acted upon. About 40 million card numbers and 70 million other pieces of personal information were stolen before the situation was addressed. This is another prime example of a system working properly but being held back by people. Had the first alert been acted upon immediately, many people's valuable information would have been protected and the company would have avoided expenses it did not need to incur.
As Harris and Kumar (2013) describe, the most important element of cyber security is people. Operation Buckshot Yankee is a perfect example of how human error can cause catastrophic damage. Whether through improper training or carelessness, the event started with the actions of a single person and became a widespread incident with serious consequences. With proper training and the exercise of due diligence, it could have been avoided. Most people would consider a random flash drive found in a hostile region suspicious and would not plug it into any computer, let alone a secure government system, yet user errors of exactly this kind are the primary cause of technology incidents.
Wilshusen (2013) presents statistics reported by federal agencies showing that 20% of cyber incidents are due to improper usage, second only to incidents still unexplained or under investigation. This data is a clear indicator that people are the primary cause of problems even in federal government agencies. Because the figures are drawn from real reports from fiscal year 2012, they are strong evidence that people are the primary cause for concern, and they underline the need for continuous training and testing of knowledge. By keeping people properly trained, and by reducing the number of uninformed individuals with access to network resources beyond their level of knowledge, these numbers could be greatly reduced.
A good personal example comes from my place of employment. I work for a government-sponsored healthcare company that handles patient data regulated by HIPAA on a daily basis. There are a few older employees (50-60) who are relatively unfamiliar with computers regardless of the training given. A prime example is one employee in particular who is in upper management. I cannot think of a more perfect example of a target for any type of cyber attack, from social engineering to spam emails; she has fallen victim to them all and constantly does to this day. Sitting at her computer, you can find all her usernames and passwords on sticky notes on her desk or under her keyboard. She also opens every email and attachment regardless of what it says or who it is from. We recently had a couple of simultaneous incidents with her in the past few weeks. The first sign was her email account being locked by our service provider. We called, and they said her email was being used to send thousands of spam emails from a session logged in from China. After fixing this and changing her passwords, we scanned her computer, only to find more than 17,000 pieces of malware installed on it. We constantly inform her about how to properly inspect email, about not giving out personal information, and about not opening every attachment. Even with antispam programs on our server, some emails will always slip through, and she will always open them. I find this a prime example of the human error and carelessness that explain how an incident such as Buckshot Yankee can occur.
A survey reported by the Ponemon Institute (2012) found that the average cost to a company of a successful cyber attack is about $214,000. This shows that the damages can be significant and that data is extremely valuable. In the case of Buckshot Yankee, the weapons plans, confidential operational data, and surveillance data that such intrusions expose are of enormous value, and their loss could result in catastrophic damage to the U.S. in both cost and, possibly, lives. In the wrong hands, this data could be used maliciously and the damage could be limitless. At my workplace, losing patient data would also be a significant loss, leading to possible lawsuits and the compromise of patients' personal information. In the case of Target, had the alerts been handled properly and the security system been used as intended, the large-scale leak of data could have been prevented. According to Espenchied (2012) of Microsoft, cleaning up after Operation Buckshot Yankee took almost 14 months across Department of Defense and Pentagon networks. In all of these situations the damage is not only monetary but also reputational for the data holder. For Target, responding to the breach has cost an estimated $61 million and brought 9 lawsuits according to Riley, Elgin, and Matlack (2014). Had the company acted quickly, these costs, and the damage to its reputation, could have been minimized.
In conclusion, I would like to stress the importance of continued training for employees in any computer-related job, because proper use of computer systems is the best way to prevent such events. Although training can be expensive, it ends up saving money as well as the reputation of the organization, as the examples in each situation above show. Though the U.S. government has a highly sophisticated and expensive cyber security apparatus, it was compromised by a simple mistake. Due diligence and due care are directly relevant to Operation Buckshot Yankee: had the person who first inserted the drive been properly informed, they would have treated the mysterious flash drive as a threat and would not have compromised the system by carelessly using it.
Because it is so difficult to identify and hold any party responsible in cyberspace, the best preventive measure is to make sure your systems are not exposed to internal threats. Most outside threats can be filtered with hardware and software, but inside threats are the larger problem. As Wilshusen (2013) reports, improper usage is the leading known cause of cyber incidents in federal agencies at 20%, followed by malicious code at 18%, much of which also stems from user carelessness; direct threats such as unauthorized access and scans or probes come last at 17% and 7% respectively. The personal example from my place of employment is another case of an insider compromising the network through misuse and carelessness.
The only way to keep U.S. cyberspace safe is to ensure that all hardware and software systems are kept current against present threats and properly maintained, and that system users are informed. By regulating who has access to data resources, and making sure they are trained to the necessary level of knowledge, we can prevent these mistakes from recurring and minimize the damage from data loss. These concepts apply not only in a government setting but also at work and even on our personal computers at home. Keeping cyberspace safe is the responsibility of every computer user, and is of the utmost importance in an era when we depend so heavily on computers.
Beidleman, S. W. (2009). Defining and deterring cyber war, 1-40.
Espenchied, J. A. (2012). A discussion of threat behavior: Attackers & patterns. Microsoft.
Goodin, D. (2010, August 25). Pentagon confirms attack breached classified network. The Register. Retrieved from http://www.theregister.co.uk/2010/08/25/military_networks_breached/
Harris, S., & Kumar, P. V. (2013). CISSP all-in-one exam guide (6th ed.). New York: McGraw-Hill.
Lynn, W. J. (2010, October). Defending a new domain. Foreign Affairs. Retrieved from http://www.foreignaffairs.com/articles/66552/william-j-lynn-iii/defending-a-new-domain
Nakashima, E. (2011, December 8). Cyber-intruder sparks response, debate. The Washington Post. Retrieved from http://www.washingtonpost.com/national/national-security/cyber-intruder-sparks-response-debate/2011/12/06/gIQAxLuFgO_story.html
Nakashima, E. (2010, August 24). Defense official discloses cyberattack. The Washington Post. Retrieved from http://www.washingtonpost.com/wp-dyn/content/article/2010/08/24/AR2010082406495.html
Ponemon Institute (2012, May 24). Cybercrime costs companies an average of $214,000 per attack. Infosecurity Magazine. Retrieved from http://www.infosecurity-magazine.com/view/25966/cybercrime-costs-companies-an-average-of-214000-per-attack/
Richards, J. (2009). Denial-of-service: The Estonian cyberwar and its implications for U.S. national security. International Affairs Review. Retrieved from http://www.iar-gwu.org/node/65
Riley, M., Elgin, B., & Matlack, C. (2014, March 13). Target missed warnings in epic hack of credit card data. Bloomberg Businessweek. Retrieved from http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data
Wilshusen, G. C. (2013). Cybersecurity: A better defined and implemented national strategy is needed to address persistent challenges (GAO testimony), 36.