Rewards may far outweigh risks for savvy hackers
A malicious computer hacker has to find just one way in.
Like soldiers defending a fort, however, anyone trying to protect a website or online business must try to close every potential breach. A single coding mistake, in the wrong hands, could be an opening to be exploited.
When a computer attack begins, it can be hard to detect — harder still to identify the perpetrators, locate them and bring criminal charges.
“It's the right place to set up shop if you're an ambitious criminal,” said Ari Juels, director of RSA Laboratories, a Cambridge, Mass., data security research company.
Potential rewards versus the risk are great, too. Someone with a computer and know-how might be able to steal corporate secrets for an airplane design or information on newly discovered oil and gas fields.
The haul could be worth millions, if not billions.
“It's simply too easy to orchestrate these types of intrusions,” said Dmitri Alperovitch, co-founding chief technology officer of CrowdStrike, a security technology company based in Irvine, Calif.
“It's cost-free, even if you get caught,” he said. “If there's a nation-state sponsor, nothing is going to happen to you. No one is going to arrest you. You're operating freely from the confines of your own country, supported by your own government.”
Adversaries of the United States are arming themselves for computer espionage as well as potential attempts to cause disruption or destruction, the Government Accountability Office reports .
In 2010, the Department of Defense developed a Cyber Command to oversee computer security, primarily for the Defense Department. The move occurred around the time Stuxnet, a computer worm that struck Iran's nuclear program, was discovered.
No one has taken credit for the attack, but some suspect the United States and Israel.
Iran responded to the attack by announcing plans last year to create a “cyber army,” and an Iranian group in September took credit for hacking into 370 Israeli websites.
Army Gen. Keith Alexander, the head of CyberCom, has warned the Defense Department cannot protect itself. The Defense Department announced plans to hire 4,000 people for computer security, but the military has 15,000 computer networks at 4,000 locations worldwide.
“The number of potential vulnerabilities, therefore, is staggering,” the department reported in 2010.
Since Stuxnet, unknown hackers introduced other malware — shorthand for malicious software — to collect information that could be useful for an attack, said Liam O Murchu, a manager of security response operations at Symantec, a computer software security company in Mountain View, Calif. Those viruses mainly targeted Middle Eastern companies involved in pipelines and industrial control systems, he said.
“We did think it was science fiction until we saw Stuxnet, and we saw that a virus could interact in a very sophisticated way with specific equipment that made it work in a very predetermined manner,” O Murchu said. “It's definitely possible that another attack could be mounted.”
More malware recently targeting Middle Eastern marks included a virus aimed at Saudi Arabia's state-owned oil company in August that wiped out more than 30,000 computers, replacing system files with an image of a burning U.S. flag. A similar attack hit a natural gas producer in Qatar. Defense Secretary Leon Panetta called the malware the most destructive computer attack ever on the private sector.
Taking down a gigantic infrastructure network in the United States would require a sophisticated attack by an advanced nation-state, Alperovitch said. China, for example, might trigger a computer virus attack only during a hot war with the United States.
Individual researchers, however, could proliferate that technology.
“Is there a danger that they may decide to rent their services out to a rogue nation-state or to a terrorist group?” Alperovitch said. “People worry about that sort of thing … and that's certainly a valid concern.”
The world's largest companies fall into two groups, according to security technology company McAfee : “Those that know they've been compromised and those that don't yet know.”
Those that are safe don't have anything valuable or interesting that hackers consider to be worth stealing.
“When it happens, we may not hear about it,” said Ting-Fang Yen, principal research scientist at RSA Laboratories. “You don't want to admit you're being attacked, most of the time. Or people don't know that they are attacked.”
Andrew Conte is a staff writer for Trib Total Media. He can be reached at 412-320-7835 or firstname.lastname@example.org.