Two decades after computer security began generating billions by selling expertise and software designed to protect unwanted network intrusions, experts say those networks are more vulnerable than ever. Florida-based Internet security firm Team Cymru said in a report released today, shared exclusively with The Verge, that analysts there uncovered a massive overseas hacking operation that is making off with a terabyte of data per day. Some of the victims include military and academic facilities and a large search engine. The report doesn't identify who might be behind the attacks, but Team Cymru director Steve Santorelli conceded that, given the amount of resources behind the attacks, it is obvious the group is state-sponsored. "This is Internet theft on an industrial level," said Santorelli, a former detective with Scotland Yard.
The United States is under siege. Team Cymru's report follows on the heels of similarly damning research issued last week by security firm Mandiant, a document that could be read as an indictment of the entire cyber-security sector. Mandiant detailed how a group of cyber commandos employed by China has electronically raided the computer networks of hundreds of American companies over several years to pilfer precious trade secrets. In a story about the Mandiant findings, The New York Times reported that Washington now believes China also has the ability to use the internet to sabotage water supplies, shut down power stations and hobble our financial system.
But security experts say China is only one of dozens of different threats bearing down on the United States, and it's been that way for a long time. "Washington is going crazy right now," said Richard Forno, assistant director of the University of Maryland, Baltimore's Center for Cybersecurity. "Everyone is pointing fingers at the Chinese. That's not a strategic response. We should be asking why did China have this type of access for so long? What are we doing wrong? The attitude is: 'How dare you?' But if you're worried about fire, then why build an all-wood house?"
What's unprecedented about the hacking, according to Santorelli, is how successful it is and how much data is being ripped off. Team Cymru found the hacker group is using a network of 500 computer servers to "Hoover up" trade secrets and other data from thousands of companies across the globe. The hackers began targeting commercial interests in 2010, according to the report, and among the victims are a large Australian mining operation, government agencies in Eastern Europe and Asia, and embassies both foreign and domestic.
It could be any one of a dozen countries behind the attacks, which is part of the problem. While China has been grabbing all the headlines, the experts interviewed for this story say the threat to U.S. intellectual property and Internet infrastructure is much broader than a single country. According to analysts and researchers, our networks are attacked every day by an assortment of digital desperados, electronic spymasters and terrorist groups. Some of these hackers are developing custom-made software designed to help them take control of computer systems. The simple fact is the security industry has failed to keep pace.
"Our strategy is based on a passive defense," said Dmitri Alperovitch, one of the founders of security firm Crowdstrike. "It's about castle building and constructing tall walls. What's happening is our adversaries just build taller ladders at a fraction of the cost. We've been doing it this way for three decades but the situation only keeps getting worse."
At a minimum, the reports from Team Cymru and Mandiant are indictments of the cyber-security industry, say analysts and researchers who work in the field. When you combine the threat of more sophisticated cyber espionage agents with ineffective security and a government that largely leaves the defense of much vital internet infrastructure to private companies, the question arises: is this an environment that can produce a solution?
Dr. Herbert Lin, chief scientist for the computer science board of the National Academy of Science, said he's hearing a lot of talk about how only a dramatic event will bring about significant change. "I don't support this myself," Lin said, "but I've heard a lot of people say the only way we're going to get action on this issue is if there's a cyber catastrophe."
It's clear Washington knows the status quo cannot continue. The President said during his recent State of the Union speech that he had signed an executive order designed to protect US government and businesses from what he said was a "rapidly growing threat of cyberattacks." But history has shown that few places on earth are safe from hackers. In March 2011, security firm RSA, the maker of the plastic dongles that issue authentication codes at fixed intervals, reported that someone had penetrated the company's servers and made off with info that could be used to compromise the dongles' security. At the time of the breach, the dongles were used by banks, government agencies, and defense companies, such as Lockheed Martin. Some suspect that the RSA heist was how China's cyber agents allegedly were able to boost secrets about the F-35, a super-secret jet fighter that Lockheed was helping to build.
Jericho is the handle used by a former black-hat hacker who is now one of the people behind Attrition.org, a website dedicated to taking a critical look at the computer-security industry. He derides the ease with which an intruder can exploit software vulnerabilities. The problem is that software like Adobe's Flash and Oracle's Java has become part of the fabric of the web, but their developers have given little thought to hackers until recently. Java vulnerabilities were blamed for some of the most recent hacks at Twitter, Facebook, Apple and NBC.com.
And the anti-virus part of the security industry doesn't escape criticism either. According to Josh Corman, director of security intelligence at Akamai, the content delivery network, the least effective methods are generating the most revenue and that's not productive. "The entire security industry is wired so that the oldest and least effective methods will profit most," Corman said. "If all we do is line the pockets of people who have the least impact, we're wasting resources. I'm not saying there is zero value in it. I'm just saying let's look at efficacy of these methods."
When asked what can be done to fix the problem or at least improve our cyber defenses, the security experts couldn't agree on much. Alperovitch from CrowdStrike says technology by itself isn't the answer and that the country's cyber defenses won't be improved without government intervention. He wants to see the Obama administration hit China and other bad actors with trade sanctions. He said that other angles to pursue include civil suits or even criminal prosecution of those foreign officials involved in electronic theft. Jailing a foreign dignitary would be tough to accomplish, Alperovitch concedes, but would be symbolic and might act as a deterrent.
Some want to see companies fined if they fail to secure their servers, and Forno strongly argued for the government to remove vital infrastructure from the Web and for the government to pay the costs. He also said the US needs to slap tariffs on products that we know are derived from stolen data. He acknowledged that many of these ideas would be unpopular with corporate America. "I've argued that we need to build a national will for a cyber strategy," Forno said. "We need to make a commitment similar to the one the country made with the Manhattan Project (the US effort to build the atomic bomb). We really have to bite the bullet and do what's needed."
Others see the problem as hopeless. Asked what he would do if the government suddenly made him Cyber Czar, Jericho responded: "I'd quit." "I'm serious," he continued. "It's a losing battle. You can implement policy and make a lot of people rich but in the end you won't accomplish any good. The problems are too pervasive."