"You need to take some pretty extreme steps," ACLU expert says
Journalists tend to not be savvy about digital security, he says
Attorney: Cyberattacks from abroad are rarely prosecuted
"The Cold War has gone digital," security analyst says
The New York Times’ acknowledgment in its Thursday editions that Chinese hackers carried out sustained attacks on its computer systems should be a wake-up call to any company around the world that trades in information, according to computer security experts.
“When you’re dealing with an adversary with significant resources like the Chinese – or the United States, for that matter – you need to take some pretty extreme steps,” said Chris Soghoian, principal technologist for the American Civil Liberties Union’s Speech, Privacy and Technology Project.
“Off-the-shelf antivirus software is not going to be enough.”
That’s because consumer antivirus software from business-supply stores such as Staples will not protect computer owners from state-sponsored actors, he said. “Staples, hopefully, will protect you from a scammer trying to steal your bank account, or a Russian criminal gang trying to put a key logger on your computer. There is no commercial software that is going to keep you safe from a determined government,” Soghoian said.
According to The Times, the cyberassaults took place over four months, beginning during an investigation by the newspaper into the wealth reportedly accumulated by relatives of the Chinese premier, Wen Jiabao.
The Wall Street Journal reported on Thursday that its computer systems also had been infiltrated by Chinese hackers. The hackers were monitoring the newspaper’s China coverage, according to a written statement from Paula Keve, chief communications officer for parent company Dow Jones & Co.
“Evidence shows that infiltration efforts target the monitoring of the Journal’s coverage of China, and are not an attempt to gain commercial advantage or to misappropriate customer information,” it read.
“If you’re a newspaper focusing on issues that are going to upset governments, then you need to invest in security as well,” Soghoian said.
Chinese authorities responded to the Times’ reports on Wen’s family members by blocking access to The Times’ website in mainland China.
The Times said that it had worked with computer security experts to monitor, study and then eject the attackers. It said that by following their movements, it aimed to “erect better defenses to block them” in the future.
Such efforts are becoming more important as the incidence of hacking appears to grow, Soghoian said.
“The first thing you do is make sure that everything you have is encrypted both in storage or transmission,” he said. That way, if a reporter leaves a laptop in a hotel room in Beijing and the police try to copy it while the reporter is out of the room, it is protected, he said.
But such efforts are not cheap. “You have to hire a bunch of internal security people,” he said. “But if you’re the newspaper of record and you’re talking to whistle-blowers who would go to jail or be tortured or arrested if they talked to you, then you need to take adequate steps.”
The same message applies to any journalist who talks to sensitive sources, particularly in government, in the intelligence or defense communities, he said. “Those journalists need to take real steps, take significant steps to shield the identities of their sources.”
Soghoian said that, in his experience, few reporters appear to meet that standard. “Most journalists don’t know much about digital security,” he said. “The number of journalists that I communicate with using encrypted e-mails I can probably count on one hand. The number of journalists who would even know how to open an encrypted e-mail is not something to feel confident about.”
Stories about China are not the only ones that reporters should be cautious about, said Peter Toren, a partner in the Washington law firm Weisbrod Matteis & Copley and a former prosecutor with the computer crime and intellectual property section of the Department of Justice.
“Certainly, if I’m writing a story that implicates somebody who is sophisticated in computer hacking, I would be concerned,” said Toren, whose expertise includes the area of economic espionage. His feeling is that the incidence of such attacks is growing, but he acknowledged that it’s impossible to quantify.
“You only really find out about it when people are caught, and a lot of organizations don’t necessarily report the hacks or the successful intrusions because they don’t want to be embarrassed.”
Toren added, “I think just the mere fact that the New York Times admits they were the victim of hacks is something new.”
Law firms are also frequent targets because they tend to take fewer security precautions than do the companies they represent, “and law firms are in possession of some important information,” he said.
In response, he said, the FBI met last year with security experts at some of New York’s largest firms to help them beef up security.
The threat extends to any organization in which information that is worth money is stored on computers – “which is just about every organization and every business,” he said.
Prosecutions for hacking are rare and almost impossible to win when an attack is launched from outside the United States, a fact that the hackers exploit, he said. “It’s just as easy to hack into an American computer from China as it is from Washington, D.C., given that there are no boundaries in cyberspace.”
One reason companies can get into trouble is that employees are often easy to victimize, said Hemu Nigam, an Internet security analyst and founder and CEO of SSP Blue, which advises companies on Internet security.
“Your security is as good as your weakest link in the company,” said Nigam, who is a former chief security officer of News Corp.
All that’s necessary to introduce malware into a company’s computer system is for an employee to “click on something that sounds exciting,” he said.
From a security perspective, companies tend to be good at blocking access to their computers through the main entryway, but they tend to do less well blocking other entries, Nigam said. “Take a house – you bolt the front door; somebody breaks in the back door; then they can go into every room of your house. Companies have to think about closing all the doors around the house and also put a bolt on every door in the house.”
Finding vulnerabilities is not hard for experts, he said. “Every single client we’ve had, we have successfully broken into their network to identify vulnerabilities, and helped them fix them.”
News organizations tend to be among those with laxer security, he said. “From a philosophical approach, it actually makes sense that they would find themselves open to an attack like this,” he said, since news organizations, by their very nature, tend to be focused on open access to information.
Countries have been using cyber methods to attack each other for at least 15 years, but that fact has only recently gained widespread attention, he said. “People often say the Cold War has ended; the reality is the Cold War has gone digital.”
But the Cold War of the last century rarely affected normal citizens or companies, and that is no longer the case, he said. “Because of the way the world is now connected through the Internet, a regular company can find itself in the middle of Cold War activity, which tells us that every company out there ought to think of security as one of their No. 1 activities. Otherwise, they risk becoming a pawn between two governments having a silent battle against each other.”
The United States has its own powerful counterintelligence machine, and that should surprise no one, he said. “If you have a country that knows how to use the power of the Internet and knows how to take advantage of counterintelligence activity through methods like hacking, they will certainly engage in it; otherwise, they will be left behind and they will become sitting ducks.”
Asked about The Times’ allegations on Thursday, a spokesman for the Chinese Foreign Ministry said that “all such alleged attacks are groundless, irresponsible accusations lacking solid proof or reliable research results.”
“What else would you say?” asked Nigam rhetorically. “Of course, you have to say that. If the U.S. government were accused of something similar, the public relations machine would also say the exact same things.”
China has been the victim of cyberattacks and “has laws and regulations prohibiting such actions,” the spokesman, Hong Lei, said at a regular news briefing.
A separate statement from the Chinese Ministry of National Defense said the country’s military “has never supported any hacker activities.”
On Thursday, it appeared that television censors in China were blacking out CNN’s reporting of the hacking story.
Chinese authorities have blacked out the broadcast signal for international television stations such as CNN and the BBC when they have aired sensitive reports about the country.