
Thursday, 14 January 2010

Alleged China attacks could test U.S. cybersecurity policy…

The attacks on Google and more than 30 other Silicon Valley companies by agents allegedly working for China are focusing renewed attention on the issue of state-sponsored cyber attacks and how the U.S. government should respond to them.

The U.S. has no formal policy for dealing with foreign government-led threats against U.S. interests in cyberspace. With efforts already under way to develop such a policy, the recent attacks could do a lot to shape the policy and fuel its passage through Congress.

In a revelation that was surprising for its boldness, Google on Tuesday said that agents possibly working on behalf of the Chinese government had hacked into its computers -- and those of more than 30 other multi-national companies. Also hit: Adobe.

This is not the first time Beijing has been accused of state-sponsored espionage. Over the past five years, China has been implicated in dozens of attacks involving U.S. commercial, government and military targets. The most sensational of these involved a Chinese hacking group called Titan Rain, which in the early 2000s is believed to have stolen U.S. military and nuclear information.

For the most part, the official U.S. response to the attacks amounted to little more than expressions of outrage and protest by lawmakers. On Tuesday, Secretary of State Hillary Clinton released a statement asking the Chinese government for an explanation for the attacks, which raised "very serious concerns and questions." On Wednesday, Sen. Joseph Lieberman (I-Conn.), the chairman of the Senate Homeland Security and Governmental Affairs Committee, said that attacks like the one against Google must be confronted "aggressively and with all available means."

"The official response will be, 'We are highly upset about this and we demand you stop it,'" said Ira Winkler, president of the Internet Security Advisors Group. (Winkler is also the author of Spies Among Us and a Computerworld columnist.) "The reality of the situation is we are screwed. The political reality is that China, in large part, is funding the U.S. deficit. We have no leverage.

"We just can't cut China off," he said.

Articulating a response to government-led cyber attacks isn't easy.

"We have to keep one thing in mind -- it is extremely difficult to attribute a cyber attack to a foreign government," said Greg Nojeim, senior counsel at the Center for Democracy and Technology (CDT), a Washington-based think tank. "There is often a lack of certainty in that regard that makes it really difficult to decide what kind of response to make."

And even if the evidence is there, it's futile to launch any kind of cyber-retaliation, he said. "That's something that should be off the table. You don't want to have a cyberwar where you fight fire with fire. That could burn the whole house down."

Instead, what's needed is a measured diplomatic response, where the issue is raised with China when it wants U.S. cooperation on other matters, he said. "The State Department has to make it clear that these attacks are so serious they warrant a diplomatic response. I am not sure that level of commitment has been demonstrated yet," Nojeim said.

Any victories gained from cyber-retaliation are likely to be temporary, at best, Winkler said. "If you can identify the systems that are attacking us and make sure you are attacking the right systems, theoretically, that might work" to head off another attack, he said. "But that's like throwing sand in the eyes of somebody who is beating you up." It can be effective -- but only for a while, he said.

That doesn't mean nothing can be done. U.S. organizations that are targets of attacks from China first need to bolster their defenses, said Amit Yoran, former director of the U.S. Department of Homeland Security's National Cyber Security Division. The continuing success Chinese agents have in penetrating U.S. networks points to ineffective security -- and sophisticated attackers, Yoran said.

"Companies such as Google have very, very sharp security teams, but the technologies they rely on are inadequate," said Yoran, who is currently CEO of security vendor NetWitness Corp. "We have developed a technology base in modern computing that is indefensible against modern threats."

What's needed is a security approach that focuses on continuous monitoring of networks and data, not one based solely on prevention.

"Whining about this won't stop it," said Alan Paller, director of research for the SANS Institute, a Bethesda, Md.-based security institute. "Cyber-based military espionage and economic espionage are radically effective programs for the Chinese government," and it's unlikely that policy statements are going to do any good, he said. "There are simply too many attackers with too many motives to think that a policy of deterrence would be more than minimally effective."

At the federal government level, at least, "it is [security] skills with good tools that allow organizations to defend themselves," Paller said. "Sadly, these skills are in radically short supply."

The U.S. government has fewer than 1,000 people with the advanced skills needed to fight in cyber space at "world-class levels," he said. What's needed are between 20,000 and 30,000 cybersecurity warriors. "Our competitors have even more."

Companies outsourcing work to China, or doing business there or in other developing nations such as India, also need to be aware of the heightened risks to their intellectual property, Winkler said. "Companies need to look at things much more strategically," he said. While it may be cheaper to outsource manufacturing to countries such as China and India, the long-term costs could be high if they're not careful.

"Many are not looking at the strategic risks of a rival stealing their technology and selling counterfeit goods," he said.

As for official government cyber policies, just because the U.S. doesn't have an official policy for handling attacks doesn't mean it's sitting on its hands, said one analyst who asked not to be named. "One reason why the U.S. might not have come up with any rules of the road is because the NSA and other intelligence agencies are involved in the same kind of activity," he said.

Security experts say Google cyber-attack was routine



The cyber-attack that made Google consider pulling out of China was run of the mill, say security experts.

Google revealed its move following attempts to hack Gmail accounts of human rights activists.

The search giant said analysis showed that the series of attacks originated from inside China.

"This wasn't in my opinion ground-breaking as an attack. We see this fairly regularly," said Mikko Hypponen, of security firm F-Secure.

"Most companies just never go public," he added.

"Human-rights activists are the biggest target," said Mr Hypponen. "Everyone from Freedom for Tibet to Falun Gong supporters and those involved in Liberation of Taiwan are hit."

F-Secure has been monitoring such attacks against Chinese human-rights activists since 2005.

Google has operated in China since 2006 and has now said it was no longer willing to censor results on its Chinese search engine as the government required.

China has responded to Google and said that foreign firms were welcome to trade in the nation "according to the law". The spokesman added that the net was "open" in China.

Other victims

Of the attacks, Google said only two Gmail accounts were accessed and that hackers got very limited information. This included when the account was set up and the subject line rather than content of e-mail messages.

The company said that the accounts of dozens of US, China and Europe-based users who are advocates of human rights in China had been routinely accessed by third parties.

The cyber-criminals broke in using a tactic known as "phishing", where a legitimate-looking e-mail is sent claiming to come from someone the user knows and trusts.

Typically these e-mail messages have a booby-trapped attachment that, once opened, places malware on a computer.

Once an e-mail account is compromised, attackers can piggyback on it to get access to confidential files and systems throughout an organisation.

"The attacker really did their homework finding out first who to attack, who the key people were in the organisation and how to attack them," said Mr Hypponen.

Google has said publicly that another 20 companies were hit. Adobe is the only other company to go public with this information.

But many security experts say the figure is much higher.


"We know of at least 40 companies that were attacked. For the most part they were in the US," said Chris Day, chief security architect of IT services firm Terremark.

"This goes on all the time. Of the Fortune 100 companies, all 100 are under some sort of attack all the time."

Mr Day told the BBC a host of those targeted were technology and software companies based in Silicon Valley.

Google has revealed that finance, chemical and media firms were hit.

Blame game

Questions are now being asked about who orchestrated the attacks.

"We are not saying one way or another these attacks were state sponsored or done with the approval of the state," said David Drummond, Google's chief legal officer.

"We do know they were highly organised and we believe the attacker came from China."

The inference being drawn across the security community is that the Google attack and those on other US companies were sanctioned by government.

"Sources indicate that they believe the attack is the work of actors operating on behalf of or in the direct employ of official intelligence entities of the People's Republic of China," said iDefense Labs in an e-mail to the BBC.

iDefense also revealed that this incident resembles one that took place in July 2009 against nearly 100 IT-focused companies.

"A nation state getting into the business of hacking companies is a really big shift," said Dan Kaminsky, director of penetration at security firm IOActive.

"The question now is are we going to see a significant increase or decrease in these kinds of attacks?"

Safe and secure

Google has stressed that users have nothing to fear about the security of the information it holds.

"The fact that they have come out and are transparent about what has happened is good for user trust," said Terremark's Mr Day.


"I have seen far worse things happen and I think larger organisations, and even individuals, should take this as an object lesson that no-one is immune to these attacks."

General security advice for all users is to have a strong password that is changed regularly and includes letters, numbers and symbols.

All security patches should be up-to-date and users should never open attachments unless they know the sender and are expecting them.