Now, China's denying any involvement in this, of course, and making a show of hurt feelings while they offer to step up their cooperation with other governments on facing down cybercrime.
While I doubt it, given the noises China's making about how the US is a big finger-pointing bully, it may even be true that China was uninvolved. Who knows? That's the difficulty of cyberwarfare and cyberterrorism: anybody with the know-how and some decent equipment can get in on this action. As I mentioned before, nations can even hire freelance cybercriminals to do this stuff, allowing governments plausible deniability with effectively no ability to prove their involvement.
But as David Vellante says over on Internet Evolution, there's another element to all this. Namely: Google was hacked. There are a couple of alarming things about this.
1: Google is the bannerman of cloud computing. Now, I love my cloud. Oh boy, do I. But my stance is that cloud computing is going to enjoy its day in the sun before it crashes and burns over the issue of security (I expect it'll have a slow and ultimately successful climb back to the top after that minus the initial starry-eyed wonder). It's one thing to be able to access your grocery list from any computer you want, but as the cloud integrates more deeply in daily life, we start to see increasingly sensitive information being put out there. And here's the thing about cloud computing: if you can access your information from any computer in the world, then so can other people.
2: The most significant force standing between cyber-threats and the bloodflow of the world's information maintained by companies like Google, Microsoft, Yahoo!, Facebook, and Twitter is...the companies themselves.
The magical thing about the internet is that nobody tells it what to do. It's a giant morass of largely unregulated private endeavor, but in some ways that's also a weakness. While they have access to the technological and law enforcement resources of multiple nations, the gatekeepers of the internet are not official authorities.
I'm fundamentally okay with that. These corporations are right in there on the cybersecurity issue and possess an agility in response and evolution that surpasses almost any government. But. They don't own the internet either (even if it feels like Google does, sometimes), and there's nothing stopping anybody--a government, another company, a private individual--who has the knowhow and equipment (not too hard to come by these days) from chopping their way in and availing themselves of that dataflow. Sure, there are laws and international groups that'll try to do something about it after the fact, but as usual society evolves faster than the rules can change to keep up with it.
I'm not attempting to fear-monger here. There are things that can be done. George Kurtz points out in McAfee's Security Insights blog that the attack penetrated through a vulnerability in Internet Explorer (incidentally, you can see here an example of the kind of communal interaction I alluded to above, with multiple tech companies involved as well as government). And once again, it comes down to the people involved.
As with most targeted attacks, the intruders gained access to an organization by sending a tailored attack to one or a few targeted individuals.
As usual, the best thing that can be done is make sure the people on the "front lines"--the users--are as educated and aware as possible. But it can be difficult. a high-level operation like Aurora may involve some extremely well-planned methods of infiltration.
All told, I think this is maybe the third salvo in a new war, after the infrastructure attack on Georgia during Russia's invasion and the success of Twitter as a coordinating technology during Iran's student uprising. Mr. Kurtz sums up my thoughts pretty well in his post, so I'll leave you with his final words.
All I can say is wow. The world has changed. Everyone’s threat model now needs to be adapted to the new reality of these advanced persistent threats. In addition to worrying about Eastern European cybercriminals trying to siphon off credit card databases, you have to focus on protecting all of your core intellectual property, private nonfinancial customer information and anything else of intangible value.
No comments:
Post a Comment