This article can also be found in the Premium Editorial Download "Information Security magazine: Filling the data protection gap."
Download it now to read this article plus other related content.
For years, we've heard expert types tell us about targeted attacks against business units or even specific individuals inside an organization. We hear about reconnaisance done against these targets with hackers scouring messageboards, discussion forums, LinkedIn, Facebook and other places where people dump all the minutae about their lives. The experts' anecdotes are rich in speculation about the profiles organized attackers build against companies in order to craft their malicious messages and lure targets into their traps.
But despite all this cloak-and-dagger color from the experts, there had yet to be a high-profile example of such an attack made public until Google decided to share details about its intimate experiences with the Chinese.
It's no secret that China, whether through a state-sponsored operation or run by a criminal element there, has been stealing U.S. corporate, government and military secrets for a long time. Hacking is a cultural pastime in China and they've been passing time going through fighter jet plans, critical infrastructure networks and poking around information systems at some of the biggest companies in our country. This time, one of the victims decided to talk.
Google, which has been struggling against China's Baidu for search engine supremacy, opened up in January about an infiltration against the Gmail accounts of suspected Chinese human rights activists. Google also said the
Since the attacks, we've been inundated with details about how the attackers exploited a zero-day vulnerability in Internet Explorer 6 to gain access to Google's infrastructure. Malicious PDFs were used as well to launch attacks on more than 30 other IT and large American corporations, including big financial firms and defense contractors. There have been whispers that the Chinese have people on the inside at Google who helped facilitate the attacks. There have also been whispers that this is an act of cyberterrorism or cyberwar, but it's not. It's plain ol' espionage and theft. Companies and countries have been doing it for years; surely the U.S. isn't an innocent victim here.
What is signifcant however is that the parties are talking. And they're talking to be heard. The stuff about zero-days and infected PDFs is great inside baseball stuff for security geeks, and important problems to be solved. But lawmakers and decision makers don't think on those levels. They need big-picture, high-profile incidents in order to react. They need a multibillion dollar entity such as Google to start pounding its shoe on the table demanding action.
All last summer we heard cries for President Obama to name a cybersecurity coordinator. Paul Kurtz, Jim Lewis, Melissa Hathaway et al spent their time on the speaking and interview circuit talking about exactly this problem and how the United States needs a coordinated response in cyberspace. They talked about the threat to our economy that state-sponsored hackers pose. They talked about the danger to our financial well-being posed by organized criminals running a profitable black market chock full of malware, credit card numbers and personal and corporate data, all to be had for a price.
Now those cybersecurity advocates have a face for their cause. Granted, Google's motives in China likely have more to do with business than cybersecurity, but that's no reason not to leverage what happened for the greater good.
The new cybersecurity coordinator Howard Schmidt has an opportunity here to evangelize. Leverage Google's disclosures to the hilt as an illustration of the problem to Capitol Hill. Show the suits in the Senate and the House that, yes, we have a problem and here's how it can affect us all; here's how it's affecting big business right now and right under our noses. This is a great opportunity for Schmidt to put a strong foot forward and make a solid first impression. Seven months was too long to wait for a cybersecurity coordinator; don't make us wait for action.
Michael S. Mimoso is Editorial Director of the Security Media Group at TechTarget. Send comments on this column to firstname.lastname@example.org.
This was first published in February 2010