On Monday, the U.S. Department of Justice charged five Chinese military officers with cyber espionage against U.S. organizations in the metals and energy industries. While the media have focused their news coverage on the spy vs. spy nature of the story and the tension the indictment adds to already tense international relationships, there’s a more compelling angle to this story.
The specific U.S. organizations that were targeted have surprised many cyber professionals. They weren’t defense contractors, critical infrastructure operators or other typical high-value geopolitical targets. They were traditional manufacturing companies such as Alcoa Inc., United States Steel Corp, and Westinghouse Electric Co. One of the targets was a trade union!
Presumably these targets were chosen to obtain economic advantage, as opposed to military or political advantage. These targets are not only valuable themselves, but also as critical launching points to other participants in their industries and important supply chain elements of other industries. This clearly demonstrates that, in today’s highly connected digital world, no company can assume that it isn’t a worthwhile target any longer.
This clearly demonstrates that, in today’s highly connected digital world, no company can assume that it isn’t a worthwhile target any longer.
While many of you reading this blog already know this, for the majority of companies, this is either news or hasn’t spurred them to significant action yet. The era of set-it-and-forget-it security controls such as firewalls, anti-virus, and intrusion prevention as well as the era of focusing solely on compliance objectives are at a close. Either mindset seems negligent in today’s threat environment.
Attacks already, and with increasing regularity, come in forms never seen before. It is futile to rely on defenses that require a prior knowledge of the attack methodology. This is not to say that firewalls and anti-virus aren’t important – just that they are not nearly sufficient to protect companies today. Companies need to move from prevention-focused strategies to one focused on detection and response. As everyone is aware by now, breaches are inevitable, no matter how strong your defenses.
It is equally dangerous for security monitoring programs to rely on security information and event management (SIEM) solutions that get their visibility into an environment through the antiquated controls mentioned above, and are largely designed to ensure compliance objectives are met. All you have to do is look at all of the PCI-compliant retailers whose breaches have been exposed over the past six months to see the incompleteness of that strategy. Your security program’s goal needs to be the security of your networks and data. If you do that well, compliance takes care of itself as an automated, natural output.
Another angle in this story – one to which we would be wise to pay attention – is the complex set of motives and objectives in international cyber policies. As evidenced by the news coverage over the past year, it is likely that just about every government on the planet who has the capabilities to do so is actively engaged in cyber operations of various forms and fashions. This should be no surprise to anyone, as intelligence gathering has been standard operating procedure as long as nations have existed.
What is different today is that cyber espionage offers a lower cost of operation, ease of mounting a successful attack, difficulty in providing great defenses, tremendous troves of valuable information on computer systems, difficulty in attribution, limited international cooperation in law enforcement, plausible deniability, poorly understood international norms of behavior, the ability to influence public opinion, and asymmetric advantage in cyber activities. The list can go on and not surprisingly mirrors what we see in the world of cyber crime. The complexity of motives and actors on the world stage tells us that companies should rely on only one actor to protect their interests – themselves – and that they should take the time to understand their risks and invest in the modern security capabilities needed to protect those interests.