Companies Want National Policies to Combat Cyber-Spies
Following a classified National Intelligence Estimate that reportedly blames China for the majority of cyber-espionage attacks targeting U.S. agencies and businesses, security experts called for the government to take a harder policy line to deter such attacks.
The classified intelligence report, released by the Office of the Director of National Intelligence, aims to identify threats to the nation. The latest report, released over the weekend, claims that a wide variety of critical sectors—such as energy, finance, IT and aerospace—have been targeted by hackers in the past five years, according to a Feb. 10 article in The Washington Post. China is the top perpetrator of such attacks, but some also come from Russia, France and Israel, the article stated.
While companies need to attend to their own defenses, asking U.S. businesses to take on any nation is not reasonable, security experts said. Instead, the United States needs to work hard to establish a set of policies for dealing with economic espionage in cyberspace and promote information sharing on attacks.
"A place for no-penalty full-disclosure is imperative," said Anup Ghosh, founder and CEO of Invincea. "In addition, trade sanctions and diplomatic pressure is essential for discouraging cyber-attacks, which at the end of the day are a new form of illicit trade warfare."
The National Intelligence Estimate brings together the conclusions of the U.S. intelligence community, a group of 17 government agencies. While the latest report is classified, some details of the report were leaked to the press.
However, the conclusions of intelligence officials are no surprise. The report echoes the sentiments of the U.S.-China Economic and Security Review Commission, which released a report in November 2012 stating that economic espionage is part of China's national strategy.
"Although it is unclear whether the Chinese state directs all of this activity, the theft of industrial secrets through cyber-espionage is apparently Chinese state policy," the 2012 USCC report stated. "The state controls up to 50 percent of the Chinese economy, and industrial espionage appears to be a key mission of the Chinese intelligence services."
Attributing attacks is difficult, and some Internet security experts have cast a skeptical eye on any claims that source attacks to China. However, the body of evidence that points to the Asian giant at the source of the attacks is rapidly growing. In the recent incidents of hacking against The New York Times, The Wall Street Journal and The Washington Post, for example, network forensics evidence and contextual indicators pointed to China as the source of the attacks.
Yet the poor security of many Chinese networks gives the country built-in deniability. The Chinese Computer Emergency Response Team (CN-CERT) has reported that almost 11,000 Websites were controlled by overseas Internet addresses, and nearly 50,000 attacks targeted 49,000 Chinese computers in 2011, according the USCC report.
Given the likely state support for attacking government agencies and U.S. companies, U.S. businesses need to have government policies backing them up, said Rocky DeStefano, founder and CEO of consultancy VisibleRisk.
"The focus of government should be to enforce the many laws we already have and work more diligently on international cooperation," DeStefano said. However, he added that the government should not be counted on to help companies protect themselves. "The government entities responsible for cyber are limited on resources and expertise and, most importantly, handcuffed by lack of policy."