Friday, 08 July 2011

Personal Technology: Cybergeddon? Tell me about it. Really

Suddenly everyone is talking about cyber attacks, cyberwar, cyberespionage, cybergeddon. Ok, that last one was my own invention. The truth is we should have been talking about this a long time ago. And we should have been forcing companies, governments, organizations to be more upfront about what is going on.
Take the IMF, for example. It disclosed earlier this month that it was the victim of a cyber attack. This is good — that they’re disclosing it, I mean. It’s also good that its sister organization, the World Bank, cut its data links between the two once the attack was confirmed. (Not that this information was released in press statements, or in anything that can be found on the organization’s website.)
But what about a similar reported attack back in 2008? You may not have heard about it, because the IMF denied it happened. As did the World Bank about a similar reported attack a few weeks earlier.
In fact only one news organization, Fox News of all people, reported these attacks, based on emails from and interviews with officials of the two organizations. Fox has stood by its reports despite the denials that anything serious happened.
The point? We now have two incidents, two and a half years apart, about which we know relatively little. Are we supposed to just have confidence that these organizations know what they’re doing? Given that they didn’t seem to learn any lessons from the first — reported — breach, I’d wager they don’t.
They’re not the only ones. Take RSA, a company that manufactures security devices used by hundreds of thousands of employees at thousands of companies to access sensitive information on corporate computer networks. The company has been criticized for playing down a data breach in March that compromised its SecurID tokens, coded devices used to facilitate remote access to corporate networks.
That may have contributed to subsequent breaches at Northrop Grumman and Lockheed Martin, American defense contractors, both of which use SecurID tokens.
RSA took two months to admit that the company’s security devices could have been compromised.
Indeed, the IMF attack may have been related.
But we don’t know, because the only people who know are the people who did the attack. Instead we are left to wonder what the hell happened, whether our SecurID dongles are safe and whether we should abandon the Internet — banking, shopping, email, taxes — and just switch everything off. The problem, I suspect, is twofold. Companies and organizations, and governments, have never been very good about owning up to security breaches until the bad guy has been caught. It makes everyone feel safer, and makes law enforcement look good. But on the Internet you rarely catch the bad guy — especially in attacks as sophisticated as these. The best we can do is mention a country: China is the most common one.
The other part of the problem is that there’s a lot of money to be made out of cybersecurity. Companies that do this kind of thing were left out in the cold and now it’s pay day for them. So expect them to talk up the threat, but be coy on specifics, because they want their clients to feel safe. And one telecoms executive told me the other day that the usual response in his industry to cybercrime is “Hey, don’t worry, we’ll make even more money selling customers security products.”
We need to change this mentality. We need to know when attacks occur because we need to see a paper trail of report, investigation, conclusion. And, frankly, we need to know just how safe our own stuff is. Right now, given all the obfuscatory noise, I’d say not very.
