Cyber-espionage and cyber-warfare pose the greatest threat to our society today. No longer are massive militarized forces with the most advanced weaponry the force to fear. The forces to be feared now are computer geeks. A single person or just a few cyber-savvy individuals working together as a team now possess the power to bring down entire military forces, governments and companies with gentle keystrokes. The pen is no longer mightier than the sword; the keyboard is.
On a national scale, cyber-espionage and cyber-warfare give the nations sponsoring the attacks a leg up in diplomacy and, in the event a conflict arises, in warfare. There are many examples available, and no doubt many more that are unpublished, probably because we are not aware that the compromise has occurred or because revealing the successful breach creates its own publicity challenges. Some notable published events follow. In September 2007, Israeli fighter aircraft launched an offensive across the Syrian border and bombed a nuclear reactor construction site. Syrian radar screens showed nothing but peaceful skies. The Israelis had hacked into the Syrian air defense computer network and seized control of the software system. Another example would be our very own Government. In August 2010, the Pentagon acknowledged that the secret American SIPRNet defense network was hacked two years earlier by a foreign intelligence service using the Internet.
On a corporate scale, cyber-espionage presents a business competition advantage to be taken. Why invest years and capital in research and development efforts when you can simply pluck the fruit from your competitor’s tree instead? The recent wave of cyber-attacks against companies should be a wake-up call for corporations everywhere. For all the improvements that the government needs to make, the private sector lags further behind. Corporations must bolster their information security, but it is apparent that companies are still reluctant to spend on competent security professionals and technology. I believe that without significant duress, change only occurs at the procrastinator’s pace. Unfortunately, it seems that governments and companies alike will continue to be reactive rather than proactive. While I don’t wish for or condone cyber-threats, I do value the change potential these events bring with them. It takes an occasional poster child to make the other kids safer, doesn’t it?
If this bit of news does not induce a call to cyber-arms, I don’t know what would, except most assuredly a shutdown of electrical grids: news of a massive, long-term series of breaches has been revealed this month. The campaign, known as Operation Shady RAT, did not appear to be aimed at financial gain or usernames and passwords, but at competitive intelligence that could be used by a government, most likely China. The attacks, which in several instances went on for more than two years without the victim’s knowledge, were orchestrated by a single hacker or group of hackers. They penetrated multiple U.S. government agencies and the United Nations; foreign governments in India, South Korea, and Taiwan were targeted, as were many technology companies, including defense contractors. One high-profile target was the International Olympic Committee.
These attacks were primarily orchestrated through spear-phishing, a targeted social attack on an employee or employees that allowed the attackers to take control of the recipient’s machine and then move through the network. The phish contained malware that, when downloaded, would connect to the command-and-control server; others in the group would then attack via the infected machine, moving elsewhere through the network and establishing new virtual bases of operations. The scariest part of the whole scheme wasn’t that it impacted so many organizations around the world, but that it has been going on, undetected, for the past five years.
This technological threat is not going to subside or disappear. On the contrary, it will only increase. These technology terrorists are becoming bolder and more skilled, better funded and better protected. Our computer geeks are no less technologically savvy or intelligent. Information is the new currency. Intellectual property, business processes, schematics and topology diagrams, among countless other digital items, are the prizes up for grabs. Governments and corporations cannot secure our valuable information assets on a lowest-bidder budget or with buzzwords. One of the biggest challenges the world faces is that unqualified people make information security decisions. Part of this conundrum is a result of inadequately trained and skilled security practitioners, while another part of the problem is technically incompetent leaders who see security as a cost center rather than a competitive advantage. A business person would not approve a project or initiative that does not produce a return on investment, right? Avoiding risks satisfies this requirement from an opposing point of view. In simple terms, no data, no business. The CFO can say goodbye to the balance sheet if the company dies a catastrophic death due to the complete loss of intellectual property. A company makes money from competitive advantage.
The challenge is the same for government and corporations alike, which makes the solution universal and simple to grasp. When making security decisions, enlist the advice of qualified professionals. Consider not only depreciation and capital expenses but also business continuity or disaster recovery expenses. These are fundamental risk management principles that every security professional, business leader and government representative should be knowledgeable in.
One statement that I make on occasion when asked why I love my work as an information security professional and executive is that I can never get ahead of the challenge and there is always someone better out there. This stokes the inner fire to be better, to up the game, increase my skills and take down my opponents with surgical precision. The keyboard is my weapon of choice and yes, the geek shall inherit the universe.