Don’t blame China for hacking

There has been a lot of news recently about the alleged
state-sponsored hacking by the Chinese government. Here is a recent
article about a report released by McAfee:
http://www.ibtimes.com/articles/191690/20110803/cyber-attack-china-cyber-warf…

The reality is, all governments hack. Sometimes they hack companies,
sometimes individuals, but more often they hack other governments.
This has been happening for a long time. China is in the news, but I
guess Russia and the USA are much more active in this space. What
these articles point out more than anything is the ease with which
these targets fell victim. All of the hacks were performed using “off
the shelf” tools that anyone with a little time and dedication could
have used.

Other voices have recently started to speak up, making a much more
important point about the state of global security. What the general
public is starting to understand is something security auditors and
the security industry have known forever. Once an attacker is within
your corporate network, the game is over. Here is an article in
Business Week about how the fundamental concept of security,
“protecting the network”, is flawed and has miserably failed:
http://www.businessweek.com/news/2011-08-04/hacker-armageddon-forces-symantec…

Expect a shift in the security industry because of the shifting trends
towards computing in the cloud. The start-ups of today, the Groupons,
the Zyngas and the Twitters of the world, will be the future IBMs in
terms of size and reach, and these companies no longer rely on “the
network” infrastructure to conduct business. Everything is done in the
cloud. When your data is in the cloud, the focus of security becomes
keeping people out of your data as opposed to the network. That should
have been the focus of the security industry anyway.

But it's very difficult for a security company to protect data.
Oftentimes data protection requires changing the process of computer
usage that all users have become accustomed to. It becomes a
cumbersome interference with business as usual. The responsibility for
ensuring data protection should have been handled by Microsoft, but
they failed at that. So companies focused on trying to keep hackers
away from their Microsoft products. It's ultimately a losing battle
because, as the articles have shown, it is just too easy to gain
access to the network.

And so now that the data is increasingly moving away from Microsoft
products and into cloud-based services, there should be a new crop of
security companies, companies like Duo Security
http://www.duosecurity.com/ that add additional password protection to
almost any web-based service, or Cloudflare
https://www.cloudflare.com/ that transparently blocks bad guys from
web services. But this is just the start.

Eventually, to catch up to this new security reality, security
companies like Symantec and McAfee will be forced to acquire this new
crop of cloud-based security-as-a-service providers. In the meantime I
think there is a lot of opportunity for innovative security folks to
benefit from the current gap in perception.

The story being sold today is that a new form of “Persistent Attacks”
by nation states is making the world insecure. See Jeff Carr:
http://jeffreycarr.blogspot.com/2011/08/with-shady-rat-mcafee-indicts-itself-…
But the truth is a little more like “It’s really hard to keep hackers
off your network if they really want to get in. Microsoft and nearly
all products built on Microsoft are super easy to hack, so you are
screwed once a hacker is on your network.” And another thing people
should be talking about is “We haven’t really figured out how to
secure services that run in the cloud, so you are on your own for
protecting that stuff too.”

Too bad China is taking the brunt of the blame for what is really a
structural problem with how companies approach security. It has the
danger of blinding people to the real problem.
