NEW YORK–The long list of high-profile cyberespionage and cybercrime attacks that have surfaced in the last couple of years has led to broad discussions in the security community, government circles and elsewhere about the scope of the problem. Those discussions now are just starting to reach into the boardroom, and security experts say that any CEO who isn’t concerned about this problem is living in the past.
Attackers have been targeting large corporations and government agencies for decades, pilfering data, product plans, military schemes and whatever else was available to them. The game itself is nothing new. What’s changed are the tactics, tools and methods that the attackers–and defenders–are using and how difficult it is to identify and stop them. The rise of the Internet has tilted the playing field heavily in favor of the attackers, especially those with considerable financial and organizational resources.
In other words, government attackers and their affiliates. These are the groups responsible for attacks such as Flame, Stuxnet and Red October, and while those attacks sometimes are conflated with run-of-the-mill cybercrime operations designed to steal credit card numbers, that’s a mistake that corporations can’t afford to make, experts say, as underestimating their adversaries will not end well.
“Everything gets lumped together in the government sometimes. I like to put them in separate boxes. There’s cybercrime and then there’s the spy versus spy things, which will always take place,” Howard Schmidt, the former White House cybersecurity coordinator, said during the Kaspersky Lab Cyber-Security Summit here Wednesday. “We have to understand that the theft of intellectual property is different from trying to turn the lights off or kill people [with a cyberattack].
“There has to be some recognition that these things are different but the fundamental vulnerabilities that exist are the same across all of the sectors. They just get exploited by different groups.”
Schmidt, who is now retired, spent time advising both Presidents Barack Obama and George W. Bush on information security, and also worked for a long time in law enforcement and as the CSO of Microsoft. During a discussion at the event with Eugene Kaspersky, CEO of Kaspersky Lab, Schmidt agreed with Kaspersky’s assertion that there are few, if any, companies or industries that can consider themselves to be off the target list for cyberespionage attacks.
“I’m afraid that every industry can be a victim of a high-profile attack,” Kaspersky said. “All of them are vulnerable. Communications, transportation, military. Can the military be a victim of such an attack? Yes, of course.”
Executives in some industries–especially technology, defense and manufacturing–have had to learn the hard way how successful such attackers can be with simple tools such as spear-phishing emails and commodity Trojans. The attacks don’t necessarily need to include tools such as Flame to get the job done. But getting that message across to top executives can be difficult.
“There are some executives that are now very aware of it. If they’ve been a victim, I guarantee it’s on the agenda at the next board meeting,” Schmidt said. “But usually that security message is filtered by the time it gets to the CEO. We are now having meetings with top-level CEOs, sitting down and saying, here’s what’s going on out there, whether it’s theft of intellectual property or disruption of activity. Those meetings are on the increase, but not nearly where they should be.”
In addition to educating CEOs and other officials about the scope of the problem, Kaspersky said that there’s a dire need for more security personnel at every level.
“Companies don’t have enough expertise,” he said. “There are not enough IT security experts. I don’t know any country that has enough security resources.”