It may be generally understood that globalization has resulted, at least in part, in an increase in the dissemination and popularization of technology, information and finance. Smart phones, social media networks, open source technologies, and crowd sourcing (whether for ideas or funding) are some examples of this trend. But when it comes to protecting your intellectual property and privacy in this sphere (e.g., cybersecurity), all that glitters is not gold. This proliferation aids state and non-state actors to level the playing field against a target by working as a multiplier for an individual or group’s ability to wreak havoc.
Whether you are a shoe retailer (e.g., Zappos.com) or a cybersecurity firm (e.g., HBGary), computer hackers may now directly target and disrupt your business operations with relative ease. See, e.g., Cyber Attacks on IP: A Civil Response. And unfortunately, these threats are not isolated incidents. McAfee® recently published a white paper that analyzed “Project Blitzkrieg,” a plan hatched by vorVzakone (Russian for “thief in law”) in which he has urged the “underground to join him in attacking 30 US banks.”
These attacks are not driven merely by anarchists or crime syndicates. For instance, Bloomberg, among others, reported this last summer that a group codenamed “Byzantine Candor” by the U.S. intelligence community, linked to China’s People’s Liberation Army (i.e., the national military), was behind the hacking of the president of the European Union Council, Halliburton Co. and the Washington D.C. law firm of Wiley Rein LLP. In that report, Bloomberg quoted Shawn Henry, former executive assistant director of the Federal Bureau of Investigation (FBI) in charge of the agency’s cyber division, as saying: “What the general public hears about — stolen credit card numbers, somebody hacked LinkedIn — that’s the tip of the iceberg, the unclassified stuff. I’ve been circling the iceberg in a submarine. This is the biggest vacuuming up of U.S. proprietary data that we’ve ever seen. It’s a machine.” Indeed, last month The New York Times reported that Kaspersky Lab (a Russian cybersecurity firm) had announced that “it had identified a sophisticated cyberespionage campaign that has been in operation since 2007,” which targeted “a range of governmental and diplomatic organizations, mostly in Eastern Europe and Central Asia, but also in Western Europe and North America.” The investigation into this campaign showed that “the attackers engineered their malware to steal files that have been encrypted with a classified software, called Acid Cryptofiler, that is used by several countries in the European Union and NATO to encrypt classified information.” However, The New York Times further reported that Kaspersky Lab “said that the digital clues suggested that the perpetrators were Russian-speaking, but that the campaign did not appear to be the work of a nation state.”
These threats are not only real, but traditional security measures are wholly inadequate. In its 2013 Technology, Media & Telecommunications Predictions, Deloitte recognized that passwords alone are not enough, predicting “that in 2013 more than 90 percent of user-generated passwords, even those considered strong by IT department, will be vulnerable to hacking.” Deloitte thus predicts that “[i]nadequate password protection may result in billions of dollars of losses, declining confidence in Internet transactions and significant damage to the reputations of companies compromised by attacks.” In support of its predictions, Deloitte noted that “[i]n a recent study of six million actual user-generated passwords, the 10,000 most common passwords would have accessed 98.1 percent of all accounts.” Further, Deloitte noted that “[a] dedicated password-cracking machine employing readily available virtualization software and high-powered graphics processing units can breach any eight-character password in 5.5 hours.” This relatively small amount of time will only get shorter as technology continues to improve and tactics leveraging multiple persons and/or pieces of hardware (i.e., “crowd-hacking”) are employed.
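The two Deloitte findings quoted above translate directly into a password-acceptance policy: reject anything on a most-common-passwords list, and require a keyspace large enough that a dedicated cracking machine cannot exhaust it in useful time. The following checker is an added illustration written for this post; it is not Deloitte's methodology or code from the article. The ten-entry common-password list is a constructed stand-in for the 10,000-entry list Deloitte refers to, and the guess rate is derived here from the quoted figure (all eight-character passwords over 95 printable ASCII characters in 5.5 hours) rather than stated by Deloitte.

```python
import string

# Constructed stand-in for a "most common passwords" list. The page cites a
# 10,000-entry list that covered 98.1% of six million accounts; these ten
# entries are assumed for illustration and are not taken from that study.
COMMON_PASSWORDS = frozenset({
    "123456", "password", "12345678", "qwerty", "abc123",
    "monkey", "letmein", "dragon", "111111", "baseball",
})

# Guess rate implied by the Deloitte figure quoted above: one machine exhausts
# every eight-character password (95 printable ASCII characters, space included)
# in 5.5 hours. This is derived from the page's numbers, not stated by Deloitte.
PRINTABLE_ASCII = 95
IMPLIED_GUESSES_PER_SECOND = PRINTABLE_ASCII ** 8 / (5.5 * 3600)  # about 3.4e11


def charset_size(password: str) -> int:
    """Size of the alphabet a brute-force search would need for this password.

    Counts the union of the character classes actually present: lowercase (26),
    uppercase (26), digits (10), punctuation (32) and space (1). A policy that
    mandates certain classes tells the attacker which alphabet to search.
    """
    classes = (
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),
        (" ", 1),
    )
    return sum(size for chars, size in classes if any(c in chars for c in password))


def worst_case_hours(password: str,
                     guesses_per_second: float = IMPLIED_GUESSES_PER_SECOND) -> float:
    """Hours to exhaust every password of this length over this alphabet.

    This bounds a pure brute-force search. A dictionary or wordlist attack on a
    passphrase made of common words can be far faster than this figure.
    """
    keyspace = charset_size(password) ** len(password)
    return keyspace / guesses_per_second / 3600


def evaluate(password: str, min_length: int = 12,
             min_hours: float = 24 * 365) -> dict:
    """Apply both lessons from the passage and return the decision with reasons.

    min_length and min_hours are policy choices assumed for this example; the
    defaults demand a keyspace that outlasts the implied cracker for a year.
    """
    reasons = []
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("appears in common-password list")
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    hours = worst_case_hours(password)
    if hours < min_hours:
        reasons.append(f"keyspace exhausted in {hours:,.1f} hours "
                       f"at {IMPLIED_GUESSES_PER_SECOND:.2e} guesses/s")
    return {"accepted": not reasons, "worst_case_hours": hours, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample inputs: a list entry, a short "complex" password,
    # and a long passphrase.
    for candidate in ("password", "Tr0ub4d&3", "correct horse battery staple"):
        print(repr(candidate), evaluate(candidate))
```

Running the block shows the point of the passage: an eight- or nine-character password built from all four character classes falls to the implied cracking rate within hours, while adding length raises the worst-case figure by orders of magnitude per character. The brute-force bound is deliberately separate from the denylist check, because a long passphrase of common words can have an enormous keyspace yet still be found quickly by a wordlist attack.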
In addition to the myriad of governmental agencies’ responses, including the U.S. Department of Homeland Security’s United States Computer Emergency Readiness Team (US-CERT), the FBI’s InfraGard program, and other industry-specific programs, U.S. Senator Rockefeller, the Chairman of the Committee on Commerce, Science, and Transportation, continues to explore the possibility of legislation that would increase the role of the federal government in the cybersecurity affairs of the private sector. His staff has recently completed a January 28, 2013 memorandum summarizing about 300 responses to Senator Rockefeller’s September 19, 2012 letter campaign to each CEO of the Fortune 500. The tenor of that memorandum is that the opposition to the Senator’s 2012 proposed legislation was overstated and that the private sector wants the federal government to further intervene. Indeed, the memorandum concludes, “The responses showed that you [Senator Rockefeller] should continue working to advance cybersecurity legislation in the 113th Congress.” The Senator has introduced the “Cybersecurity and American Cyber Competitiveness Act of 2013.”
Since the Senator’s efforts, it has been revealed that The Washington Post, in addition to The New York Times and The Wall Street Journal, has become the reported target of the Chinese hacking apparatus, suggesting that there is no end in sight. As reported by the United Kingdom’s Telegraph, the U.S. administration is considering diplomatic and trade measures in response. Specifically, the Telegraph quoted U.S. Secretary of State Clinton as sending a “strong message” to China: “We have to begin making it clear to the Chinese – they’re not the only people hacking us or attempting to hack us – that the United States is going to have to take action to protect not only our government’s, but our private sector, from this kind of illegal intrusions. There’s a lot that we are working on that will be deployed in the event that we don’t get some kind of international effort under way. Obviously this can become a very unwelcome and even dangerous tit-for-tat that could be a crescendo of consequences, here at home and around the world, that no one wants to see happen.”
While it is obvious from its own vulnerabilities and standing obligations that the U.S. government must continue to identify and assess the threats to our nation’s security, including the cybersecurity threat, and should develop and release what it deems to be “best practices,” it is difficult to reason that any centralized approach, once developed and then disseminated throughout the private sector, could or would be effective against even the publicly revealed threats at this time. Such an approach would likely never have enough flexibility, dynamism or capability to evolve in anticipation of or response to each and every cyber threat posed so as to be viable for the private sector. Rather, reliance on the federal government may simply reduce the vigilance and commitment the private sector needs in order to protect its infrastructure, intellectual property and capital.
A continued joint effort between the private and public sectors, here in the U.S. and abroad, will be the most probable course of action, but the solution will not be driven from the top down. In other words, a public-private partnership is a necessary but insufficient cybersecurity solution. Thus, with or without government assistance, each private business enterprise must consider its own vulnerabilities and take the steps it deems appropriate to mitigate risk, protect its assets and avoid liabilities.