With not even half of the year gone, 2011 is becoming perhaps the ugliest year on record for major attacks, breaches and incidents. Lockheed Martin, one of the larger suppliers of technology and weapons systems to the federal government, has become the latest high-profile target of a serious attack, and while such incidents are bad news indeed for the victims, they may serve a vital purpose in forcing companies to disclose more data about breaches and attacks.
News of the Lockheed Martin attack surfaced late last week as most of the country was readying itself for the long Memorial Day weekend. Reports said that attackers had made their way into the company’s internal networks by compromising the remote-access system that the contractor has in place for employees. The focus then shifted quickly to the fact that Lockheed has a large deployment of RSA’s SecurID tokens, which were the target of the attack on RSA earlier this year.
Experts speculated that if the attackers who penetrated RSA’s network were able to get enough of the right kind of data, they could have spoofed one or more SecurID tokens belonging to Lockheed, giving them an open door to the network. Lockheed has said nothing publicly about whether compromised SecurID tokens were part of the attack, nor is it likely to ever do so. The company has said only that it detected a “significant and tenacious attack” on its network on May 21, and that “our systems remain secure; no customer, program or employee personal data has been compromised.”
In this case, however, it’s not Lockheed’s response to the attack that really matters; it’s the earlier response by RSA that’s most significant. The SecurID tokens are used in some of the more vital companies and organizations in the country, including financial services companies, utilities, government agencies, and, of course, defense contractors. RSA said it has been communicating with customers since it discovered the breach, informing them of what threats might result from the attack.
But if that’s so, either RSA isn’t giving customers enough information to protect themselves or the companies are not paying attention, which seems unlikely given the stakes. The continued fallout from the RSA breach underscores just how little information is available about such attacks and highlights again the disadvantage at which this puts all of the other companies that are trying to defend against similar attacks.
As Steve Bellovin points out, there is little face to be saved by RSA or any other compromised company once the word is out. The damage is done, but being open about the details of the attack and what they mean for customers and other defenders could help prevent future incidents.
“I confess that it isn’t clear to me just what RSA is protecting by not revealing details of the danger. Its own reputation? That suffered a big hit in March. Its product sales? They might drop very sharply now, since it seems that even a sophisticated customer couldn’t protect itself following the breach. What attack was enabled by the stolen data? If the RSA penetration really was an ‘advanced persistent threat’, as they claimed at the time, the attackers certainly had the skills to discover that on their own even if they hadn’t known it already,” Bellovin, a professor at Columbia University, wrote.
In the wake of public attacks like the ones on RSA, Google, Epsilon, Lockheed and others, the default reaction is to turn inward, fix the problem that led to the compromise and keep your head down until the media firestorm passes. But these companies could learn a valuable lesson from organizations such as the Apache Software Foundation and others that, after being attacked, released as much detail as they could gather about the methods, the sources and the results of the attacks in the interest of helping others in the community improve their own defenses.
In his recent International Strategy for Cyberspace, President Obama appealed to private industry and the security community to work together and with the federal government to help improve the country’s collective electronic defenses. He also has sent a proposed national data breach law to Congress as part of a larger cybersecurity legislative package. Good steps, but it might be even more effective if Obama and his administration put a little pressure on corporate America to be more open about these attacks so that the millions of other companies could benefit from that received wisdom.
At a time when U.S. companies and government agencies are being attacked left, right and center by a variety of attackers–sophisticated and otherwise–the time for falling back on old excuses about proprietary information and not disclosing data that might help hackers is gone. The attackers have shown they don’t need any help. It’s the rest of us who do.