The Cyberspace Explosion: Five Tips for Survival

The new digital world of easy communications and social networking is so surprisingly open that many no longer see the problem as one of Big Brother watching us. It’s more a matter of us being obsessed with watching each other. And sharing, too. As The New York Times put it in September, “Your parents probably told you that sharing was simply the right thing to do. But on the Web, inducing people to share links has become big business, all about driving traffic back to a site and increasing revenue.”1 This is music to the ears of cyber-crooks and hackers.

The notion of being open and passing everything on is bolstered by stories like the following, which suggest that because everyone’s participating in one way or another, we can easily sit back and enjoy the freedoms that come with this ‘global electronic community’.

Until recently, the wife of the new head of the British Secret Intelligence Service – the country’s external spy agency, commonly known as MI6 – had a Facebook page. It had no privacy protection so details of the family’s London home, daily transport arrangements, vacations and friendships with other senior British officials were freely available to some 200 million users around the globe. The page was speedily removed when its contents were published in the media, raising more than a few eyebrows in the intelligence world in London and beyond. You see, Sir John Sawers, who was Britain’s ambassador to the United Nations when his appointment was announced in mid-2009, was once an MI6 officer himself and should have been aware of the implications of his family’s networking profile well before his new job was broached. After all, he had worked in places like Yemen, Syria, Egypt and Iraq, and also been closely involved at the policy level with Iran, Iraq and Afghanistan.

James Bond would have smiled wryly at that one, especially at the unflattering image of Sawers at the beach in his Speedos. “How could the Chief himself be party to the trivialisation of something so inherently dangerous?” he might have quipped.

The impression that openness is the name of the game in social networking is reinforced when we read about the activities of someone like Barney Jopson, who is the US ambassador to Kenya. Though he’s a diplomat, he has made himself a thorn in the side of the coalition government in Nairobi because of his constant use of Twitter to hector political leaders over the need to quicken the pace of political and economic reform. Posting under the name of USAMB4REFORM, he comments regularly on events that strengthen his message, greatly annoying his hosts.

It’s logical that many people ask why, if an ambassador can enjoy the freedom of cyberspace in this way, should they not also liberally indulge. The short answer is they can, so long as they remember two things. One is that freedom comes with obligations – such as guarding the knowledge you acquire through your work – and the other is that while the world of cyberspace is good fun for most of us, it’s not all cosy and benign. It can often be highly destructive. The byways of cyberspace are devoid of traffic lights, zebra crossings, patrol cars and road rules. Cyber sharks with razor-sharp teeth and sometimes hunting in packs lurk where you least suspect them, and only those observers highly skilled in detecting malicious intent can forestall an attack.

An illustration of this came in the US in October when the FBI thwarted an international terror plot, codenamed the Mickey Mouse Project, to kill the cultural editor of the Danish newspaper that had published the cartoons of the Prophet Mohammed back in 2005. Court papers show that the Chicago-based plot, supported by a Pakistani terror group, was hatched last year by a US citizen, David Headley, 29, who had changed his name a few years ago from Daood Gilani. He had posted a message about the cartoons with an Internet discussion group, stating that, “I feel disposed toward violence for the offending parties.” The FBI and other related authorities picked this up quickly and acted.

For a would-be terrorist like Headley to boast of his disposition in this way was naïve, as was the Sawers family Facebook page. The fact is that most terrorists and cyber criminals don’t make such mistakes. They’re usually deadly accurate in what they do, which is why governments around the world devote enormous amounts of money, manpower and technology to staying ahead in this fast-moving game. The intelligence apparatus of democratic nations is therefore increasingly focused – collaboratively – on thwarting those who seek to exploit the vulnerabilities of cyberspace. The irony is that the governments of other states use that same intelligence prowess for their own political, economic and technological gain, often in a disruptive and destructive manner.

The United States, because of its size and global interests, tracks developments in this field very closely. An October 2009 report2 in the US made the following observation, which sums up the situation for many of us:

Foreign intelligence services have discovered that unclassified US government and private sector information, once unreachable or requiring years of expensive technological or human asset preparation to obtain, can now be accessed, inventoried, and stolen with comparative ease using computer network operations tools. The return on present investment for targeting sensitive US information in this way (the intelligence gain) can be extraordinarily high while the barriers to entry (the skills and technologies required to implement an operation) are comparatively low. Many countries are in the process of developing capabilities to either respond defensively to this threat or build their own offensive network operations programs, however, China is most frequently cited as the primary actor behind much of the activity noted in media reporting, and US officials are increasingly willing to publicly acknowledge that China’s network exploitation and intelligence collection activities are one of this country’s most consuming counterintelligence challenges.

Wherever a Chinese footprint appears, a Russian one usually isn’t far behind. In a much more limited way, North Korea is sometimes accused of cyber attacks, as it was recently on the United States, Japan and South Korea.

The abovementioned report comes to important conclusions that resonate well beyond America’s shores. It finds that a review of the scale, focus and complexity of the overall campaign directed against the US and, increasingly, a host of other countries around the world strongly suggests that these operations are state-sponsored or supported. Moreover, such operations are succeeding in part because current industry and government information security paradigms are largely based on reactive controls such as traditional signature-based anti-virus vendor models, common host and network defensive measures that are often inadequate against advanced attackers. Attackers exploit this reactive defence model and have the resources necessary to develop and exploit previously unknown vulnerabilities that are often missed by signature-based IDS/IPS and endpoint protection software.

Crucially, the report concludes that the overall effort involved in such attacks likely consists of multiple groups and skilled individuals operating against different targets given the high operational tempo and diversity of targeting observed to date. Analysis of forensic data associated with penetrations attributed to sophisticated state-sponsored operators suggests that in some operations multiple individuals are possibly involved, responsible for specific tasks such as gaining and establishing network access, surveying portions of the targeted network to identify information of value, and organising data exfiltration. These attackers have also demonstrated a high degree of awareness of a targeted organization’s information security measures according to forensic analysis of attacker activity, and appear able to alter their operations to avoid detection, reflecting the meticulous reconnaissance that they – or others on their behalf – conduct.

This activity can lead to unprecedented warnings from government, such as that from Jonathan Evans, the director-general of MI5 – Britain’s domestic security agency – in 2007, alerting 300 British businesses to the fact that they were under cyber attack.

The Washington Times highlighted in an article early this year, “The Silent Cyberwar”, how such attacks are carried out on a massive scale the world over.3 Even ostensibly friendly nations, it claimed, zap each other’s electronic nerve cells frequently, and with reckless abandon. On a single day in 2008, would-be intruders hit the Pentagon 6 million times in a 24-hour period. Before September 11, 2001, the highest annual figure for cyber attacks against that establishment was 250,000. But the US is keeping well ahead of potential adversaries in cyberspace. Last year, an American military computer reached the astronomical processing power of more than 1 quadrillion calculations per second. That’s 1,000 trillion. If 6 billion people used calculators 24 hours a day, seven days a week, it would take them 46 years to do what that computer, known as Roadrunner, does in a day. And that’s before you consider the massive electronic eavesdropping and analytical capacity of the National Security Agency – a much larger organization than the CIA.

Add to that the combined electronic and intelligence analysis capacity of countries like Britain, France, Germany, Japan, Canada and Australia and you have some idea of the energy being focused on cyber threats.

The big mistake that many of us make in all this is to assume that because what our humble company or organization is involved in isn’t so “sexy”, we won’t be targeted – whether by large-scale or small-fry attackers. The prize for the latter may be a mere missing link in a chain, a link that we regard as inconsequential. Then again, they may aim to steal a company’s entire manufacturing process, all of its data and its R&D results as well. The nub is that any or all of this can be accessed from numerous vantage points in today’s ever-expanding electronic world. A missing link or the crux of a firm’s negotiating position are just as likely to be gleaned from indiscreet banter on a social networking site or via email as they are from hacking into the organization’s computer system.

In essence, governments are now deeply involved in fighting the cyber threat, whether it’s from a powerful state-sponsored attack, cyber-criminals seeking credit card numbers and bank account details, or from someone engaging in industrial espionage. The sophisticated systems and technology emerging from this process would do James Bond proud, though you’re unlikely to see them featured in a movie any time soon.

It is a complex, churning, dog-eat-dog world. Here then, are a few tips you might find useful in your quest to safeguard your organization’s operations:

1. Examine Your Internal Security.

From a protective point of view, one of the most prominent features of today’s “electronic community” is the lack of security consciousness among users. It is a world in which friends, not editors, shape Internet habits. Many users are blissfully unaware of the dangers involved, despite a wealth of publicity, and believe that somewhere mechanisms are in place to shield them from cyber threats. The reality is that the traditional watchdogs and gatekeepers have been taken away. As an Australian security journal put it recently, “Participants in digital communities need to look after themselves and each other … in time, most people will come to realise that self-management plays a key role in Web 2.0 security. Until then, many need encouragement and protection.”4

The onus is on management to ensure that staff are briefed and regularly updated on the threats involved, not just within the broader community but also specifically in terms of your business or organization.

2. Hire the Right Cyber Expertise.

Make sure you call in a professional team of experts with a proven track record, both domestically and overseas. They’ll be able to carry out a forensic audit of your organization, of your computer system and of your electronic exposure as a whole. They can highlight your vulnerabilities and detect penetration that may already have occurred. They can also brief your staff, and in more explicit terms, your senior management team.

Of equal importance is the fact that the best professional experts are generally in contact with your country’s intelligence apparatus, sometimes advising and working alongside them. They can brief you on the sort of assistance your government offers to private organizations being targeted, or likely to be.

3. Review Your Method of Employing Staff.

Make sure that the employment agency and executive recruitment firm you’re using are on top of this game. Don’t just accept their assurance that they are. Check out for yourself how they go about it.

4. Disseminate Information.

Start circulating information inside your organization on the threats involved. Useful articles appear in newspapers and journals regularly, some specifically relating to your industry. Don’t assume that your staff will hear about the most relevant cases on the TV news and digest their significance. Bring in an occasional outside presenter to keep the subject fresh in the minds of your staff. A Japanese corporation recently brought in a speaker to address the question of how technological innovation in modern history has, per se, basically not provided competitive advantage. Rather, it’s the clever and resourceful harnessing of technology that does the trick. Reference to vulnerabilities and the role of human foibles was included in this talk as a sideline.

5. Acknowledge Changing Realities.

If your business operates in one or more multi-cultural societies – like the US, Canada, Australia, France and the Netherlands – you will need to make your staff aware of the fact that a threat might come from within. This is obviously a delicate matter, as is the issue of privacy, and must be handled with care. Questions of age and demographics arise as well. As The Financial Times noted in September, “Unlike previous generations of Web users, today’s digital natives don’t just go to the Web to find information. They go to be entertained and to network with their peers.”5 A recent survey by Nielsen Online in Australia showed that that country’s Facebook habit soaks up around a quarter of all time spent on the Internet. Older managers are often flummoxed by the short attention spans that many young people have.

These sorts of things have to be taken into account when you consider your organization’s security. Don’t hesitate to call in experts who can articulate them properly.

1 Brad Stone, “On the Web, sharing is about turning a profit”, The New York Times, Global Edition, September 28, 2009.
2 “Capability of the People’s Republic of China to Conduct Cyber Warfare and Computer Network Exploitation”, prepared for The US-China Economic and Security Review Commission, October 2009.
3 Arnaud de Borchgrave, “The silent cyberwar”, Washington Times, February 19, 2009.
4 Bruce Arnold, “Security Two Point Oh? Security, Sharing and Web 2.0 – Who is Watching You?”, Security Solutions, No. 62, November/December 2009.
5 Jessica Twentyman, “Technology shows what’s on a customer’s mind”, The Financial Times, September 17, 2009.
