The absurdity of a Seth Rogen movie precipitating an international incident may have obscured that episode’s significance as a bellwether in international cyberterrorism. Companies around the world have experienced massive thefts of intellectual property and disruption to their operations. Yet there’s no clear way forward for them. Three dramatic episodes illustrate.
Destruction of a Target’s Network
Remember Sony’s 2014 dust-up with North Korea? Given the reviews, The Interview would likely have quickly sunk into obscurity had The Hermit Kingdom not made an escalating series of threats, saying release of the film would be considered an act of terrorism. While the U.S. State Department was telling Sony it wasn’t in the business of censoring movies, North Korean hackers were penetrating Sony’s computer system top-to-bottom.
Our government was clueless about the company’s peril. Says David Sanger, “hackers working from laptops somewhere in Asia were not the kind of security threat [the NSA] was established to detect. And movie studios weren’t the targets the American intelligence community was focused on protecting.” The result was a worldwide takedown of the company’s computer systems.
The NotPetya code, the malicious product of Russian military hackers, ultimately hit two thousand targets worldwide and cost companies an estimated $10 billion. Among the worst affected were the U.S. pharmaceutical giant Merck, FedEx’s European subsidiary, a French construction company, and Danish shipping company Maersk. Maersk, which lost some $300 million, salvaged its business only because a domain controller in Ghana already had been knocked offline when the malware struck.
You’re probably familiar with how three Chinese hackers stole some 630,000 computer files related to the development and design of Boeing’s C-17 military transport plane, saving the Chinese government decades and billions in R&D. When the Chinese plane—the Xian Y-20—debuted at a Zhuhai air show, parked near the American C-17, the similarity between the two planes was inescapable. A gift to the Chinese from U.S. taxpayers.
According to a recent Wired article by Garrett M. Graff, “China’s extended campaign of commercial espionage has raided almost every highly developed economy, but far and away its biggest targets have been the military secrets of the United States.” He says many American companies were aware of the hacking, but have kept quiet to keep the huge China market.
Such intrusions demonstrate that it isn’t enough to assume every company can (or will) sufficiently protect its own networks. “An individual company simply doesn’t have the resources or the capabilities to defend against a committed nation state attacker,” said Jamil Jaffer, founder of George Mason University’s National Security Institute, in a recent Cipher Brief interview. Yet, for a host of reasons, government can’t protect every business either.
Jaffer believes companies in key industries must start sharing threat data with each other. Though that’s against the grain, in a small way, it’s beginning to happen. Government may have a role, too, in some cases, depending on the target, the severity of the threat, and applicable law. But this strategy will take time, and as all these complex relationships and responsibilities are being debated and worked out, the hackers hurtle full speed ahead.