For years U.S. corporations have been loath to openly discuss instances of corporate espionage conducted against them online or through social engineering, but Google this week has shattered that inhibition with its declarations about cyberattacks originating from China.
Without directly accusing the Chinese government, Google said that in mid-December it became aware that sophisticated attacks from China had resulted in theft of intellectual property. Attackers also tried to access the Gmail accounts of Chinese human rights activists, with limited success, Google revealed. Google went public and insisted it will no longer adhere to the Chinese government's online censorship rules, even though that may mean ending business operations there. In doing so, Google has taken a stand that could have historic ramifications politically and defies conventional reactions to security incidents, many say.
"When these kinds of attacks happen, no company wants to step forward and say 'it happened to us,'" notes Mary Landesman, senior security researcher at ScanSafe. But Google, which "has the technological ability to make credible assertions" by declaring it happened to them, "is shedding light on a problem that everyone in the security industry has been talking about and worrying about."
Google's boldness in pushing forward on human rights issues in the face of what might otherwise be seen as a "company's worst nightmare," and in discussing cyberattacks that may well have originated with a foreign government, is historic, Landesman points out.
"This takes a tremendous amount of chutzpah," Landesman says, noting Google's stance is one of the "best things that could possibly happen." In general, she adds, companies will have to continue to assume that online communications across the globe will be hostile and dangerous.
Many security industry veterans appear to share a sense of history in the making.
"It's a watershed event in security," says George Kurtz, worldwide CTO at McAfee, about Google's actions. "It's a leader in the industry coming forward" to publicly discuss what few are ever willing to discuss.
"I've never seen a gorilla this huge in the industry say definitely they've been attacked, they're fed up and they're going to take action about it," Kurtz says. "It's a watershed event in security that has people thinking about security in their daily lives, and about privacy and censorship."
Meanwhile, information is emerging that the attack against Google appears to have also struck about 30 other companies in the December timeframe. "It's the tip of the iceberg," Kurtz says.
McAfee, in fact, is examining some of the malware code on behalf of some of those victim companies.
One method of malware delivery McAfee sees associated with the attacks is "spear phishing," in which individuals are targeted with e-mail containing dangerous attachments. McAfee's analysis so far shows it was a browser-based attack, not a PDF exploit, and some of the malware delivery may have come from the Web.
In any event, "It's a zero-day exploit," Kurtz says. "It's a sophisticated piece of malware to extricate data [that has] command-and-control structure to it [and] was designed to harvest data" from victims. McAfee will be detailing more about its malware findings shortly.
The Google stance on China is highlighting policy issues, some say.
Two decades ago, security firm PGP Corp. was in the midst of the battle for privacy and use of encryption when the National Security Agency, federal law enforcement and the Clinton White House sought to suppress use of strong encryption by the public by trying to enact new rules that would give the federal government access to encrypted data through escrowed encryption keys.
The reason given was worry that terrorists and criminals were exploiting the power of encryption to hide their actions. But the battle over key escrow, as it was known then in the United States, was stymied by long and fierce objection from civil libertarians and technology vendors and users. Today, Phil Dunkelberger, CEO at PGP, says Google's public stance once again puts the spotlight on technology policy.
"It's become a policy issue," Dunkelberger says. "It's questions about data collection in government -- what is legal, what is moral, what is right?"
He said PGP knows that in China, citizens get little protection where encryption is concerned: if a corporation there has its employees using encryption -- which is allowed as long as the proper forms are filled out -- the Chinese citizen must turn over his encryption key to the government. "You have to give the key so the government can unlock the file if they need to," Dunkelberger says. "That's their rules, and they have a clear cut and well-understood policy on this."
At this point, the same rules don't apply to foreign nationals in China, he says.
Dunkelberger also sees Google's outspoken challenge against censorship and for data privacy in China as a watershed event because "Google is trying to do the right thing. It's a question of whether they can do business there or not."
"I think it's quite historic," says Kristen Dennesen, an analyst with VeriSign's iDefense division, which has been working behind the scenes with some of the companies impacted by what is now seen as multiple attacks emanating from China. "It's really the first time a private company has come out so publicly on an event like this. Google has set a new tone."