In the last decade, it became apparent that the hackers that target businesses were no longer just misguided teenagers, but organised criminals with money on their minds. More recently, state-backed hackers seeking politically sensitive information have joined the ranks of the cyber criminal underground.
Last year was something of a throwback, then, as the information security profession was brought to its knees by a rabble of young, Western hackers, whose apparent motivation was revenge and amusement.
Most respondents to the Information Age survey (74%) reported that security is now an issue that is taken seriously by their board of directors. But if there had been hold-outs at the start of the year, their view would have changed in April, when Japanese electronics manufacturer Sony suffered a campaign of attacks that gravely tarnished the company’s reputation.
The attacks were launched in retaliation for Sony’s decision to sue a computer scientist who had written code that allowed its PlayStation 3 games console to run other operating systems. In the retaliatory attack, the company’s online gaming network was taken offline and the personal data of 77 million customers was stolen, making it one of the largest data breaches in history.
A group of hackers calling themselves Lulz Security claimed responsibility for the attack. The group encouraged customers whose details it had stolen to “blame Sony” for its lax security defences.
The Sony attack marked the start of a month-long reign of terror as LulzSec claimed more victims, including The Sun newspaper, the NHS and the Serious Organised Crime Agency (SOCA).
Eventually, LulzSec gave up the ghost and was assimilated into the Anonymous hacktivist group. Four British men have been charged with computer crimes and face trial later this year.
During its brief moment in the spotlight, the group had drawn the public’s attention to the woeful shortcomings in security practices, even among some of the world’s best-known organisations. One security expert went so far as to say that he and his peers were “secretly getting a kick out of watching these guys”, because it demonstrated what they had been saying all along – that “there is no security”.
Of course, LulzSec was conspicuous because it tried to generate as much publicity as possible. Elsewhere, the true scale and nature of the information security threat was as elusive as ever in 2011.
The spectre of state involvement seemed to lie behind many high-profile cyber attacks during the year. In June, for example, an unnamed source told the Bloomberg news agency that a sophisticated and “very major” cyber attack on the International Monetary Fund was “state sponsored”.
The choice of some targets also suggested government sponsorship. In March, it was reported that the French finance ministry had fallen victim to a cyber attack in advance of the G20 Summit in Paris. Later, UK chancellor George Osborne revealed that the Treasury had been targeted by a similar attack, although it was thwarted.
Military contractors including Booz Allen Hamilton, Lockheed Martin and Mitsubishi Heavy Industries all fell victim to cyber attack, and at one point a virus was discovered on a US Army unmanned military drone. In April, a nuclear energy research facility in Tennessee was shut down after its network was found to have been breached.
The prime suspect for all of this was, of course, China – which denied any involvement at every opportunity.
The closest thing to direct evidence of the Chinese government’s involvement in ‘cyber warfare’ came in August, when a state TV broadcast appeared to demonstrate a Chinese soldier using a tool to launch denial-of-service attacks on various enemies of the state.
Before that video, there had only been circumstantial evidence linking cyber attacks to the Chinese government. “Circumstantial evidence makes it quite clear that there’s Chinese nationals involved [in cyber crime], but largely it’s people who believe in the motherland and take it upon themselves,” Sean Sullivan, security adviser at F-Secure, explained at the time.
But, he added, the Chinese government could still claim “plausible deniability” on the video.
The cost of cyber crime
Meanwhile, the impact on business was equally difficult to assess. In February, the Cabinet Office published a report in conjunction with BAE Systems-owned security vendor Detica claiming that the cost of cyber crime to the UK economy is £27 billion annually.
The report was roundly rejected by London School of Economics information security professor Peter Sommer, who said that the research methodology was seriously flawed. “Pretending they’ve got reliable figures out of this is nonsense,” Sommer told Information Age. “It’s a great pity the government has allied themselves to a grubby piece of puffery.”
Detica’s technical director, Henry Harrison, defended the report as a “first effort” at quantifying the cost of cyber crime. “There’s a real information issue in the market,” Harrison said. “Most of the stuff that is going on out there isn’t being reported, either because it isn’t being detected or because the victims don’t want to talk about it.”
The government responded to this information issue in its Cyber Security strategy, published in November 2011, in which it proposed a ‘hub’ to encourage greater data sharing between businesses, intelligence agencies and the police in the fight against cyber crime.
More conspicuous than cyber attacks behind closed doors were two incidents that exposed serious shortcomings regarding the fundamental infrastructure of the web.
In August, it emerged that hackers had compromised a company called DigiNotar, a certification authority that issued SSL (secure sockets layer) certificates that web browsers use to learn if a website can be trusted.
The hackers stole certificates relating to a number of websites, including those of MI6, the CIA, Facebook, Google, Yahoo!, and Microsoft. They could have used these to trick web surfers into entering their personal details into phishing sites, although the browser manufacturers patched their software as soon as the breach was revealed.
A month later, Turkish hackers compromised a domain name system operator called NetNames. This allowed them to redirect people trying to access high-profile websites – including those of The Telegraph newspaper, Betfair and Vodafone – to a page proclaiming their victory.
In this case, the damage was merely cosmetic. However, both episodes served as a reminder that while the web has become an integral part of so many facets of business and society, its underlying infrastructure is perilously fragile in parts.