This week The Guardian reported on how the theft of five laptops in 2011 from Scottish wave-energy developer Pelamis Wave Power possibly led to a Chinese competitor launching a strikingly similar product some years later. The break-in appeared to be targeted and came several weeks after a high-level Chinese government delegation visited the company. Coincidence or espionage? My experience suggests the latter.

There was certainly a motive. China’s goal is to become a world leader in renewables and reduce its dependence on coal. The delegation included Li Keqiang, the then vice-premier and now premier of China, proving high-level Chinese interest in the technology. We can safely assume there was an aspiration to replicate the company’s achievements back in China – and stealing intellectual property could cut costs and development times dramatically. China has some form in this area.

Why might a state use its intelligence gathering capabilities to facilitate technology transfer to a private sector company? Far from being an independent commercial operation, ‘No 710 Research Institute’ is a wholly owned subsidiary of the ‘China Shipbuilding Industry Corporation’, which in turn is 100% owned by the Chinese state – two of over 100,000 companies in which the state holds a stake and whose success is closely linked to wider economic prosperity and political stability. However, as The Guardian notes, “there is no suggestion that the Chinese premier is connected with the company or that he knows anything about the burglary.”

That said, the case certainly passes the espionage ‘duck test’. But how could a company in Pelamis’s position have defended itself better? Securing papers and laptops in locked cabinets when not attended (a ‘clean desk’ policy) would have mitigated the impact of a burglary and protected business-critical data. Encrypting hard drives would also significantly reduce the risk of a stolen laptop yielding valuable IP. Keep in mind: sophisticated adversaries do not rely solely on cyber attacks.
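As an added illustration of the disk-encryption point (this is example code written for this post, not anything from the original article or from Pelamis), here is a small audit that a laptop fleet owner could run to confirm that every mounted filesystem actually sits beneath a LUKS/dm-crypt layer. It assumes Linux `lsblk` output in its `-P` key="value" form with the columns NAME, TYPE, FSTYPE, MOUNTPOINT and PKNAME; the sample output embedded below is constructed for the example.

```python
import re
import sys

# Assumed input format: `lsblk -P -n -o NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME`
# (one block device per line, fields as KEY="value" pairs). PKNAME is the
# parent device, which lets us walk from a filesystem up to the disk it lives on.
PAIR_RE = re.compile(r'(\w+)="([^"]*)"')

# Mount points expected to be plaintext even on a LUKS-protected laptop: the
# bootloader must read them before any passphrase has been entered.
ALLOWED_PLAINTEXT = {"/boot", "/boot/efi"}

# Constructed sample: LUKS-encrypted root and swap (via LVM) on sda, plus a
# second SSD holding /home with no encryption layer at all.
SAMPLE_LSBLK = """\
NAME="sda" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi" PKNAME="sda"
NAME="sda2" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT="" PKNAME="sda"
NAME="cryptroot" TYPE="crypt" FSTYPE="LVM2_member" MOUNTPOINT="" PKNAME="sda2"
NAME="vg-root" TYPE="lvm" FSTYPE="ext4" MOUNTPOINT="/" PKNAME="cryptroot"
NAME="vg-swap" TYPE="lvm" FSTYPE="swap" MOUNTPOINT="[SWAP]" PKNAME="cryptroot"
NAME="nvme0n1" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="nvme0n1p1" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/home" PKNAME="nvme0n1"
"""


def parse_lsblk_pairs(text):
    """Turn `lsblk -P` lines into a list of dicts, one per block device."""
    devices = []
    for line in text.splitlines():
        if line.strip():
            devices.append(dict(PAIR_RE.findall(line)))
    return devices


def is_encrypted(name, by_name):
    """True if the device or any ancestor in its PKNAME chain is a crypt layer."""
    seen = set()  # guard against malformed input that loops
    while name and name not in seen:
        seen.add(name)
        dev = by_name.get(name)
        if dev is None:
            return False
        if dev.get("TYPE") == "crypt":
            return True
        name = dev.get("PKNAME", "")
    return False


def find_plaintext_mounts(text):
    """Return sorted (mountpoint, device) pairs that hold data outside any
    encrypted layer. Swap ([SWAP]) is deliberately included: it can contain
    pages of memory, so unencrypted swap is a finding too."""
    devices = parse_lsblk_pairs(text)
    by_name = {d["NAME"]: d for d in devices}
    findings = []
    for dev in devices:
        mnt = dev.get("MOUNTPOINT", "")
        if not mnt or mnt in ALLOWED_PLAINTEXT:
            continue
        if not is_encrypted(dev["NAME"], by_name):
            findings.append((mnt, dev["NAME"]))
    return sorted(findings)


if __name__ == "__main__":
    # Pipe real output in (`lsblk -P -n -o NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME |
    # python3 audit.py`); with no stdin the constructed sample is used.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LSBLK
    hits = find_plaintext_mounts(text)
    for mnt, dev in hits:
        print(f"UNENCRYPTED {mnt} on {dev}")
    sys.exit(1 if hits else 0)
```

On the sample, the root and swap volumes pass because their parent chain runs through the `cryptroot` layer, `/boot/efi` is accepted as expected plaintext, and `/home` on the second SSD is reported, which is exactly the kind of gap a thief walks away with. The non-zero exit status makes the check easy to wire into an endpoint compliance job.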

~~~~~~~~~

OFFICIAL ACCUSATIONS LEVELED AT RUSSIA

The Wall Street Journal reported on an official accusation that the Russian government was behind the recent leaks of documents and emails belonging to the Democratic National Committee as well as other entities and individuals. The joint US intelligence community statement claims the attack was an attempt to interfere with the election process and “only Russia’s senior-most officials could have authorized these activities”. The Kremlin responded to say the accusations were “nonsense”.

The White House has promised a “proportional response”, according to The Wall Street Journal, “but isn’t likely to announce one in advance”. While offensive cyber attacks are a strong possibility, economic sanctions are also an option, though the article notes “sanctions could end up impacting European countries that have indirect business with Russia and had no involvement in the cyber-attacks”. Sanctions were previously used against North Korea as a response to the 2014 attacks on Sony Pictures Entertainment.

~~~~~~~~~

G7 CYBER RISK FRAMEWORK

The Wall Street Journal reported on a non-binding agreement among G7 countries to bolster the cybersecurity of the financial services sector. The agreement establishes common strategies for fortifying financial infrastructure and coordinating responses to mitigate impact. No new regulations are involved. David Finn, the former head of cybercrime at Microsoft, said: “The risk-focused approach could be helpful in reframing cyber issues for senior management at financial firms”.

The full document is well written and accessible to non-technical readers. It gives a thorough description of the elements of cybersecurity and senior level responsibilities from strategy and governance, through the lifecycle of an attack, to ensuring an organization keeps refining its processes. Far from being exclusive to financial services, this document is an excellent set of guidelines for any organization looking to improve the way it approaches cybersecurity.

~~~~~~~~~

UNANSWERED QUESTIONS

BBC News reported that when French TV network TV5Monde was taken off-air in April 2015, the attackers were in fact Russian hackers, rather than the terrorist group ISIS, which had appeared responsible based on messages left on the company’s website. Director General Yves Bigot said the only unanswered questions related to why they had been targeted and who had sponsored the attack. The impact was months of disruption from not being connected to the internet and $5.6m in remediation and network security costs.

According to the report, the impact was mitigated to some extent by the coincidental presence of technicians onsite. Many companies have plans in place for third party incident response specialists to assist in the event of an attack, but without a signed agreement and an agreed daily rate, delays can occur, exacerbating the impact. Having a retainer in place with an incident response company (or more than one for contingency purposes) ensures that expertise can be onsite immediately to assist and restore business operations.

~~~~~~~~~

FATIGUE RAISES RISKS

A National Institute of Standards and Technology (NIST) report suggests the majority of computer users experience ‘security fatigue’ stemming from the frustration of having to remember multiple passwords and the inconvenience of security checks. The effect of the weariness can be risky online behavior and poor security choices. Interestingly, the study had not set out to focus on security fatigue, but the issue emerged as a strong theme.

It is perhaps no wonder that the average user is bored of cybersecurity. Doing the right thing every time and staying secure takes a certain amount of effort and involves inconvenience. Different logins, different types of authentication, different policies for password length and complexity are a serious turn-off, even for those working in security. Certain groups, such as the over-55s, struggle more than others to stay secure.

~~~~~~~~~

SECURITY ETHICS

Threatpost reported on a panel session at the Virus Bulletin conference in Denver exploring the ethics of security companies publishing details of attacks they uncover. Disclosing online counterterrorism operations could damage national security, for example, but not everyone agrees on who is a terrorist; some states label dissidents and bloggers as ‘terrorists’.

I think another important question is the motivation for publishing reports. The primary objective of these reports is to aid marketing efforts by demonstrating a company’s ability to detect and analyze attacks. Reports are circulated to demonstrate the threat to customers and emphasize the importance of security solutions and incident response consultancy, not to make the world a safer place. The national loyalties of security staff, many of whom will have worked for governments during their career, further complicate the picture.

http://bit.ly/2eoy5Ft