
Google attacks, Web 2.0 fuel FUD at RSA

Analysis: Both themes attract a lot of attention at annual security trade show

By Jaikumar Vijayan, Computerworld
March 05, 2010 05:11 PM ET

SAN FRANCISCO -- Fear, uncertainty and doubt is an integral part of the security industry. Vendors sell FUD, the media loves reporting it, and trade shows thrive on it.

So it's not surprising that the RSA Security Conference held here this week had vendors, analysts and assorted others serving up huge dollops of FUD.

But two themes in particular appeared to be fueling much of the trepidation at this year's show: the recent attacks against Google, and the change being forced on enterprise security models by users' increasing adoption of mobile and Web 2.0 technologies.

The attacks on Google and dozens of other high-tech companies, including Intel and Juniper Networks, by operatives apparently based in China have stirred a lot of emotions. Although there has been some discussion on exactly how sophisticated (or not) those attacks really were, the mere fact that even such technology-savvy companies could be compromised for an extended period of time is stirring considerable anxiety.

The attacks clearly appear to have convinced many in the industry that U.S. government, commercial and military networks are being systematically targeted in an escalating campaign to steal trade secrets and intellectual property. Many see the attacks as being state-sponsored, focused and increasing in scope almost daily.

Off the record, some say that the attacks against Google were not really about merely stealing e-mail accounts. Rather, they see a more fundamental compromise of the company's networks at a time when it is migrating more corporate and government accounts to its cloud infrastructure. The fact that the company has asked for the National Security Agency's (NSA) help and has threatened to walk away from China is indicative of a far more serious problem than has been let on.

FBI Director Robert Mueller gave voice to some of those concerns during a keynote address at RSA, where he warned about hackers making subtle changes to software source code in order to create a "permanent window" into a company's operations. Such changes, he said, were resulting in a bleeding of data and intellectual property.

Tom Kellerman, vice president of security awareness at Core Security Technologies and a member of a commission that developed a set of cybersecurity recommendations for President Obama last year, says it's time for the government to deal with the problem with the seriousness it deserves.

Over the past two years, there's been a 200% increase in attacks against government targets. Global supply chains and the virtual networks behind them are also under constant attack, Kellerman said. Although the U.S. continues to host the largest number of bot-infected computers, almost all of the servers controlling them are based overseas, Kellerman said.

Dealing with the issue will require concerted action on the part of the U.S. government, he said. Cybersecurity needs to become an item on the agenda at the next G20 summit, Kellerman said. The U.S. also needs to raise the issue at the World Trade Organization under the premise of IP theft, he said.


Originally published on www.computerworld.com.
