Corporate Toolbox: Cyber Security
Updated: Aug 7
Recent increases in cyberattacks have raised alarming questions over corporate network security.
In February 2010 the Kneber botnet virus infected more than 70,000 computers globally, including some at US government agencies. The attack was also believed to have compromised tens of thousands of corporate login details, which could potentially be used for "cyberespionage" or "cyberterrorism" purposes. Then in July last year the so-called Stuxnet computer worm was discovered to have infected tens of thousands of computer systems worldwide, with a particular focus on those used to control critical infrastructures.
As each new threat emerges, cybersecurity experts ask themselves, "Is this the cyberequivalent of Pearl Harbor" or a call to arms to those supporting and maintaining critical infrastructures and governments globally? "I don't know if we have gotten there yet," says J.R. Reagan, the head of consultant Deloitte and Touche's Center for Federal Innovation and leader of the firm's cyberpractice. He adds, though, that some may consider the Stuxnet worm to be a "Pearl Harbor of sorts."
Udo Helmbrecht, executive director of the European Union's Network and Information Security Agency, is one of them. "Stuxnet is really a paradigm shift, as Stuxnet is a new class and dimension of malware," he says. Its complexity and sophistication put it in a class of its own, he adds, "for example, by the combination of exploiting four different vulnerabilities in Windows, and by using two stolen certificates, and from there attacking complex Siemens SCADA systems [which control national critical infrastructure]. The fact that perpetrators activated such an attack tool can be considered as the 'first strike,' one of the first organized, well-prepared attacks against major industrial resources," Helmbrecht asserts.
With the rapid growth of Internet use, computer systems and the applications they run are increasingly vulnerable to a whole host of threats, including viruses, worms or denial-of-service attacks whereby a target URL is overloaded with requests, rendering a website inaccessible. All of these tools can be used by criminal gangs or individuals to commit cybercrime or for more insidious purposes, such as cyberespionage, where company, individual or government information is obtained secretly for personal, economic, political or military gain. David Blackwell, head of cybersecurity at data consultancy Detica, says many of the large UK manufacturing companies it works with are concerned about intellectual property being stolen, which could have ramifications for the UK economy as a whole. "In a UK knowledge economy, intellectual assets are key to our success as a country," he says. "So the wider-scale targeting of UK intellectual property could have a serious impact on the economy."
While cybercrime is potentially upsetting and costly for victims, as William Beer, director of OneSecurity, PwC, points out, cyberterrorism (which is more politically motivated and could result in violence or cause widespread panic and uncertainty) is even more damaging. "If you have significant numbers of organized criminals attacking the financial system or banks' ATM networks, that could erode confidence in the banking system." Beer says an attack of this nature could be more effective than traditional forms of warfare, as a country's economy relies heavily on a well-functioning banking system.
Although cyberterrorism remains more of a threat than a reality, Beer points to real-world examples, such as the distributed denial-of-service attacks on Estonian government websites in 2007 and the more recent attacks on Burmese Internet sites ahead of the November 2010 elections. Reagan also points to the rise of "hacktivism" where politics and the use of technology coincide. "We are seeing a lot of hacktivism in Southeast Asia," he says, "against countries like Pakistan and India." Hacktivists also mounted a volley of successful attacks on several corporate and political websites after Wikileaks founder Julian Assange was arrested in early December.
The key question for the business world is whether cyberattacks targeting specific countries or organizations will become more of a global threat. And the challenge for those charged with defending countries or organizations against cyberterrorism is that the enemy is usually invisible and often unknown. They may not even be particularly technologically adept. According to Beer, launching a cyberattack does not necessarily require the specialist skill set of a hacker, as the required tools or software can easily be rented or bought on the Internet. "I don't want to paint a picture of doom and gloom," says Beer, "as we have not seen the full force of organized criminals or cyberterrorists. However, most people and organizations have not recognized the dangers or taken the right level of precaution, so the level of awareness is not what it should be."
One group, however, is listening. Last October as part of its national security review, the UK's coalition government highlighted the increasing threat posed by cyberattacks and said it would be prepared to spend between £500 million and £650 million ($790 million to $1 billion) to beef up cybersecurity. Blackwell of Detica welcomed the UK government's recognition of the growing cybersecurity threat. "It is saying this is a genuine threat—it isn't science fiction or fantasy—so it will hopefully catalyze the market to take action and push security up the agenda." While traditional IT security, such as firewalls and intrusion detection systems, may deal with 80% of the problem, Blackwell says the key is to address the other 20%—the more sophisticated and targeted attacks.
Deloitte's Reagan says the understanding of the true nature of the cyberthreat varies widely from region to region. "A lot of countries look to the US to lead this. They have the largest global presence, and their networks tend to get hit first," he says. Awareness of the cybersecurity threat is increasing in Europe, he adds, but it is patchier in regions such as Southeast Asia. And while security managers of critical infrastructures, such as power utilities and water companies, may be "thinking the unthinkable" in terms of contingency planning, in the US at least, Reagan says, 85% to 95% of critical infrastructure is owned by private companies. "The challenge is, how do you get government and private companies to work together more effectively to address the problems?"
At the government level, the US, EU and NATO have announced plans to collectively combat cybercrime. Simulated exercises have already taken place to prepare pan-European critical infrastructures for a potential cyberattack. The first Worldwide Cybersecurity Summit, organized by US think tank the EastWest Institute, was held in Dallas last May, with speakers focusing on "international coordination," private-public partnerships and education.
Reagan says if national governments are to act in a truly coordinated fashion, they need to include known political adversaries in the discussion. "They want to see these people at the table, and they see it as important to help address the problem on a global basis," he explains. Ironically, perhaps, developing countries may have the edge over the West when it comes to fighting cyberterrorism. Reagan says countries such as South Korea and China have wired security into their IT network infrastructure, whereas organizations in the West are bolting it on afterward to legacy systems. If they get it right, Reagan says, developing countries may be less vulnerable.
In a world where cyberattacks are becoming more common, though, "less vulnerable" is very much a relative term.