Here a Hack, There a Hack, Everywhere a Cyber Attack
Who hasn’t come under some kind of cyber attack or another in recent days? It’s quickly becoming clear — and the recent batch of attacks has only reinforced it — that pretty much every company under the sun is at risk.
The latest victim of digital miscreants is the U.S. Department of Energy, in an attack, the New York Times says, that resulted in the compromising of personal data on “several hundred employees.” It is, of course, hard to know whether this incident is connected to the high-profile attacks upon that newspaper’s computers along with those of The Wall Street Journal (which, like this Web site, is owned by News Corp.), the Washington Post and Bloomberg News.
The apparent targets were journalists who cover China. One can easily imagine a scenario where attackers acting in the pay of Chinese political leaders were tasked with learning as much as possible about “sources and methods,” which — in the intelligence business as well as in journalism — are the twin crown jewels of the trade: Who provides information that shows up in stories, and how that information is shared.
The source of another attack, this one on Twitter, is as yet unknown, and may not be connected to the China-sourced attacks on the media organizations. When one rash of attacks comes to public light, it sort of behooves other companies to disclose attacks that may be wholly unconnected in order to soften the blow to a corporate reputation. When computer security disclosures take place in groups, it’s easy to conflate them and make them all seem like one big story, even if each disclosed incident may be unconnected.
And these are only the companies that have admitted to being targeted in the latest round of incidents. It’s easy to imagine that there are probably more that decided it was not in their best interest to go public with the information, or that haven’t done so yet. In prior incidents, companies like Intel and Google have conceded that they, too, have been attacked by parties working in China.
Disclosure may soon become the rule rather than the exception. According to new rules expected to be proposed Thursday before the European Union parliament, search engines, banks and utilities will be required to disclose attacks against them.
The timing of the disclosures comes as the Obama administration is said to be working on a classified set of guidelines on the conduct and use of cyber weapons. While Twitter or news media organizations aren’t exactly considered critical infrastructure that if attacked would trigger a retaliation, the sheer volume and effectiveness of attacks suggest a time is coming when attacks against systems crucial to the flow of daily life, like power utilities and the banking system, will become more routine.
Last month, government sources disclosed that Iran was thought to be behind a series of denial-of-service attacks against several U.S. banks. Those attacks might have been retaliation against the U.S. for its role, never officially acknowledged, in the Stuxnet attacks against the Iranian nuclear research program.
Effective as the Stuxnet attacks may have been — they are said to have caused some Iranian nuclear centrifuges to explode — they showed the world what is possible, and in time that learning will stick. The ease of Stuxnet-like attacks against industrial systems in particular has already been demonstrated by security researchers, and has long been on a list of things Western policymakers have to worry about when it comes to cyber security.
Consider this just a hunch, but there’s going to be a lot more news like this throughout the year.