The New York Times’ publication of sensational charges by security contractor Mandiant about Chinese cyberattacks directed by a unit of the People’s Liberation Army led experts to note that the threat of cyberattacks is growing worldwide.
Besides the New York Times Co. (NYSE:NYT), other companies, including the Washington Post Co. (NYSE:WPO) and News Corp.’s (NASDAQ:NWS) Wall Street Journal have acknowledged break-ins. Technology giants including Apple Inc. (NASDAQ:AAPL), Facebook (NASDAQ:FB) and Twitter have said they’ve been hacked, too.
Last week, President Barack Obama signed the first executive order specifically written to improve “critical infrastructure security” by bolstering national defenses against computerized attacks against networks, power grids, transportation hubs and telecommunications companies.
White House Press Secretary Jay Carney said Tuesday, “We have repeatedly raised our concerns at the highest levels about cybertheft with senior Chinese officials, including in the military, and will continue to do so. This is a very important challenge.”
Carney declined to say if any retaliation is planned. On Wednesday, he said there could be possible trade restrictions imposed on China.
But experts say the documented attacks from China are far from isolated. While not unusual for a government like China to use technology to acquire secrets and break into the networks of foreign enterprises, most documented cyberattacks have been linked to Eastern Europe, with the remainder linked to the U.S. and only a handful to China.
“There are too many people right now saying, ‘the sky is falling,’ without proposing cost-effective solutions, which is causing a lot of confusion,” said James Hendler, professor of computer science at Rensselaer Polytechnic Institute in Troy, N.Y.
New thinking is required for “a layered approach” to security, Hendler said. Just because one company was hacked doesn’t mean all are or that they need the same protection, he said. “My house doesn’t need the same security as a bank or a military base.”
Indeed, while experts say the threat from China may actually be understated because it now has sophisticated computer networks and thousands of trained engineers, many with Western educations, the threat from other “sovereign” attackers may not be as high.
Iran and North Korea, which are thought to be users of state-directed cyberwarfare, “probably don’t have the skills sets” of the Chinese, said Derek Manky, senior security strategist for Fortinet Inc. (NASDAQ:FTNT) in Sunnyvale, Calif. While they may seek to disrupt U.S. or other defenses, most likely they would hire “third-party actors” who have the skills.
A few years ago, for example, the so-called Russian Business Network (RBN) organized dozens of attacks against banks and financial institutions that hadn’t adequately protected themselves. Russia and China have been where some of these cyberattackers originated.
The U.S. has been the home of several notorious cyberattackers, including McColo, in San Jose, Calif. That company was a Web hosting service provider that was found to be generating so much malicious software, or malware, and botnets that it was closed down. Its mastermind turned out to be a young Russian hacker.
With enterprise networks, the Internet and now mobile networks that allow access to enterprise computer networks, a new threat has come into play because the leading networks are now worldwide, providing access from China and virtually everywhere else in the cloud.
Experts like Rensselaer’s Hendler acknowledge that but say “key technologies are under export control,” so not everything is available abroad. Also, most of the open software systems, like Linux, “have the best resistance to attack,” which means they’re “the best to ensure early detection and fixing security holes.”
Many of the most advanced cloud services are being designed on Linux servers, such as those from International Business Machines Corp. (NYSE:IBM). Linux development pioneer Red Hat Inc. (NYSE:RHT) said Wednesday it will roll out all its software for future cloud development this year, so that all developers can benefit.
The experts also say nothing can prevent all cyberattacks, because there will be insiders willing to accept cash for providing access. Other employees, who may be improperly educated about email and passwords, can open so-called Phishing emails that can then unleash viruses throughout a company.
Even large companies often use lax passwords for entire systems.
“How many companies have we found that use ‘Password 1’?” said Phil Dunkelberger, CEO of security start-up Nok Nok Labs in Palo Alto, Calif., which has devised new authentication techniques. The company is working with the PayPal unit of eBay Inc. (NASDAQ:EBAY), German chip giant Infineon Technologies (FRA:IFXA) and China’s Lenovo Group (PINK:LNVGY) on secure software that can be embedded in new phones and PCs.
That approach may be one method by which enterprises will try to protect themselves from the so-called “bring-your-own-device” (BYOD) phenomenon.
Security software providers including IBM, Citrix Systems Inc. (NASDAQ:CTXS) and LANDesk Software have devised secure methods of allowing employee access. Usually, they allow for “wiping clean” a device like a stolen laptop or phone and don’t allow further access into a network.
Similarly, there are more sophisticated tools available now to beef up security, said Fortinet’s Manky. Rather than use one password for every PayPal transaction, that service now can authorize new ones for subsequent transactions, reducing the risk of being compromised.
Companies that are actively monitoring cyberattacks will work more closely with their main security providers, experts say. The industry has a network of security operations centers that work well together, especially when they are aware of deliberate attacks. They can also be marshaled against theft of services.
One part of Obama’s directive, though, still raises challenges: how the government will obtain data from electric, transportation and water companies whose data are mainly held in the private sector. “I don’t see how this is going to work,” said C. Warren Axelrod, a veteran security expert and author of the new “Engineering Safe and Secure Software Systems.”
Not requiring the private sector to share its data with the Department of Homeland Security and other departments charged under the new order is a “mistake,” Axelrod said. Obama’s order stipulates a “voluntary” information sharing program that might also allow utility executives to work for the government for a short period.
Fortinet’s Manky, though, worries that data sharing could pose a huge problem. “Private networks like that are a completely different ballgame because there’s a custom solution for each one,” he said.