I know I’ve said this a million times, but you know a security breach or a security threat is big news when it makes the mainstream press or the nightly news. I knew the Mandiant report was going to turn heads and get people talking, but I didn’t realize how much of an impact it would have until I turned on the national news last night and found that it was the lead story. When was the last time a network security story got several minutes, rather than thirty seconds, on the news? Never?
In case you didn’t hear, in a nutshell the Mandiant report points to the Chinese People’s Liberation Army (PLA), which runs a cyber-espionage operation called APT1. The PLA’s goal is to gather as much data as possible from all sorts of targets in the western hemisphere, including both government and commercial networks. This is the group suspected of hacking The New York Times and likely other media outlets.
Not surprisingly, the Chinese government is denying any involvement in the attacks, but it appears that Mandiant has some damning evidence that the Chinese were involved this time around, as this article in Forbes pointed out, describing how Mandiant conducted its research:
Mandiant actually tracked the attackers’ communications back to a compromised “hop point” (middleman computer), obtained the cooperation of the compromised middle organization, and captured the keystrokes of the criminals as they were conducting their “work.”
As this story continues to wind its way through the news cycle, there will be a lot of justified finger-pointing at the Chinese and at the very serious risk of a devastating cyberattack. But we have to remember a couple of things. First, we can’t let our guard down to focus on the Chinese when other countries (or at least residents of other countries) are also actively pursuing cyber espionage and attacks. Second, the United States is not an innocent bystander in cyberwar. Third, as A.N. Ananth, CEO of EventTracker, told me in an email, the big-picture takeaway here is that the threat is there and constantly looming, and that’s why we should be worried about the results of the Mandiant report. Where the threat comes from is less important than the fact that there is a threat at all:
Knowing that the attack is coming from China, what specific changes are you expecting to make to your defenses? Even though the attack is by the PLA, its effects appear local to you. What this story highlights is that the effort is of very large scope by the Chinese and it was almost inevitable that some slip-up would occur. To put it another way, if someone broke into your house and stole your stuff, would you be more upset if the thief was Chinese as opposed to Canadian? Would you not improve defenses no matter where the attacker originated from?
I disagree slightly with Ananth’s premise because I think the threat’s origins do matter. A rogue bad guy from Canada will require a different response than a state-sponsored attack from Asia. But he is right in saying that the defenses have to be improved across the board, to protect against any type of breach, because in the long run an attack against critical infrastructure or against a newspaper is still an attack with serious consequences.