In the growing conflict between China and the U.S. over hacking attacks, the landscape has shifted, thanks to a 74-page report (PDF) by security firm Mandiant that painstakingly lays out some of the strongest public evidence yet of China’s involvement in a string of attacks dating back seven years. While the report answers many questions about China’s involvement, it also raises important new issues.
What is striking about the report is the seeming lack of sophistication on the part of the Chinese hackers. From the data, one would conclude that the attackers compromised computers simply by sending targeted employees e-mails carrying a malicious attachment or link that installs a program giving the attacker remote control of the machine. That is essentially the same style of attack virus writers used back in the 1990s. The technique is familiar to every security professional, and the controls that counter it (blocking executable attachments at the mail gateway, patching the applications that open documents, and not running users as administrators) are well established. Apparently, there has been no need for the Chinese to use more advanced tools to compromise their targets.
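To make concrete what "guarding against" that 1990s-style attack looks like at the mail gateway, here is an added example of attachment triage. It is not code from the Mandiant report or from the article's author; the extension lists, the magic-byte table, and the sample message are all constructed for illustration, and a real gateway would add sandbox detonation and sender-reputation checks on top of this.

```python
"""Triage e-mail attachments for the spear-phishing pattern described above.

Added example, not from the Mandiant report. Flags attachments whose
extension, double extension, or leading bytes suggest an executable payload.
"""
import email
from email import policy
from email.message import EmailMessage
from typing import Dict, List, Optional

# Extensions Windows will execute directly (assumed, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
                   ".js", ".vbs", ".hta", ".jar"}
# Office formats that can carry macros (assumed list).
MACRO_EXTS = {".docm", ".xlsm", ".pptm", ".doc", ".xls"}
# Extensions attackers like to put in front of the real one ("report.pdf.exe").
DECOY_EXTS = {".pdf", ".doc", ".xls", ".txt", ".jpg"}
# Leading bytes of common containers: PE image, ZIP, OLE compound file.
MAGIC = {
    b"MZ": "pe-executable",
    b"PK\x03\x04": "zip-container",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole-compound",
}


def sniff(data: bytes) -> Optional[str]:
    """Identify the container type from its leading bytes, if known."""
    for magic, label in MAGIC.items():
        if data.startswith(magic):
            return label
    return None


def triage_attachment(filename: str, data: bytes) -> List[str]:
    """Return the reasons an attachment looks suspicious (empty list if none)."""
    reasons = []
    parts = (filename or "").lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {ext}")
    # "schedule.pdf.exe": the decoy extension hides the real one from the user.
    if len(parts) > 2 and "." + parts[-2] in DECOY_EXTS:
        reasons.append("double extension disguises type")
    if ext in MACRO_EXTS:
        reasons.append("macro-capable Office format")
    # A PE header under a harmless-looking name is the classic RAT dropper.
    if sniff(data) == "pe-executable" and ext not in EXECUTABLE_EXTS:
        reasons.append("PE header with non-executable extension")
    return reasons


def triage_message(raw: bytes) -> Dict[str, List[str]]:
    """Parse a raw RFC 822 message and triage every attachment it carries."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        reasons = triage_attachment(name, payload)
        if reasons:
            findings[name] = reasons
    return findings


def build_sample() -> bytes:
    """Constructed sample: a benign PDF plus an 'MZ' file disguised as a PDF."""
    msg = EmailMessage()
    msg["From"] = "hr@example.com"
    msg["To"] = "employee@example.com"
    msg["Subject"] = "Updated benefits schedule"
    msg.set_content("Please review the attached schedule.")
    msg.add_attachment(b"%PDF-1.4 constructed pdf body",
                       maintype="application", subtype="pdf",
                       filename="schedule.pdf")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 16,
                       maintype="application", subtype="pdf",
                       filename="schedule_2013.pdf.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in triage_message(build_sample()).items():
        print(f"{name}: {', '.join(reasons)}")
```

The point of checking both the name and the leading bytes is that each check alone is easy to evade: renaming an executable defeats the extension list, and a benign extension defeats nothing once the user double-clicks what Windows treats as a program. Only the attachment flagged by at least one rule needs an analyst's attention; the benign PDF in the sample produces no finding.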
The U.S. government and companies operating in the U.S. should pause to reflect on the fact that such basic hacking techniques have been so successful. (The report also gives China’s military a lot to think about as it relates to their operational security and how they can do better.) The first reaction is shock and embarrassment. As we move beyond those emotions to take action, we must proceed with caution and skepticism before we blindly swallow proposed solutions to this problem. While it is apparent that U.S. companies must get better at defending against cyber attacks, the solutions proposed by government officials are too often based on convoluted new laws that could trample on Internet freedoms, all in the name of protecting us from our nation’s latest boogeyman.
The Cybersecurity Act of 2012, for example, contained numerous proposed provisions, many of which the Electronic Frontier Foundation—among others—thought overstepped any government right to monitor private communications. The good news is that most of these proposals were defeated, but they keep resurfacing in different ways that go too far and infringe on private citizens’ rights. What we really need is to hold technology companies to higher standards of security so they don’t produce the next vulnerable version of Java (ORCL) or an insecure SCADA system that is easy to take over, allowing control of industrial machines that run our power plants and other critical infrastructure.
Laws will never replace the ultimate accountability of organizations that must make security a priority—from the chief executive officer on down. Security reporting should be mandated, as with other aspects of a business such as financial reports. In regularly scheduled updates, CEOs should communicate about security improvements made to the organization, or about risky incidents. CEOs do not need to become experts in these things any more than they must become experts in how their products or services are built from end-to-end, but they need to learn the metrics and, more important, make sure they have someone on the payroll responsible for security in a relationship of trust and accountability.
Those organizations with senior managers who lead a culture of security and accountability—not just as lip service but as a factor no less important than the quarterly numbers—will have stronger security. Those who do not will soon show up in the headlines.