That a number of major western companies and government agencies have been attacked by hackers in the last five years will come as no surprise; we’re becoming increasingly inured to the idea that cyber attacks are now the norm. That those organisations should choose to remain silent about the attacks, however, is unusual.
There are many reasons that so few organisations reveal having been hacked. They might not realise they were hit. If they do know that they were hit, they might not have sufficient information about the attack, and be unaware of where it came from or who perpetrated it. They might prefer not to announce their vulnerability due to the nature of their work: the negative publicity and reputational damage engendered by disclosing a breach can have a significant impact on many companies, especially those in the security industry (for example, defence contractors). In the case of human rights organisations, they might just be afraid.
This raises an obvious question: should it be mandatory for US organisations to inform the public when they’ve been attacked, as the proposed EU data protection legislation recommends in Europe?
NASA, Coca-Cola, and Lockheed Martin have all been hacked in recent years, but in each case it was some time before the fact was revealed. It’s believed that many of these attacks originated in China, but that remains difficult to prove, so organisations are hesitant to point the finger. Blaming China also makes it difficult for large organisations to do business with the world’s second largest economy.
The New York Times and Google were also hacked, but are unusual in publicising this information, and for blaming China for their attacks. Indeed, their openness has been seen as a positive step in addressing the effects of international cyber warfare.
US Defense Secretary Chuck Hagel is currently on a 10-day trip to the Asia-Pacific region, and his meeting with Chinese Defence Minister Chang Wanquan on Tuesday focused on Chinese cyber attacks, among other topics. With the Pentagon having recently announced plans to more than triple its cyber security staff, the US took the unusual step of trying to reassure China about its cyber strategy, clearly hoping that China would reciprocate by being more open about its use of cyber attacks. China has yet to respond.
For more information on this subject, read 21st Century Chinese Cyberwarfare, which argues that the People’s Republic of China uses cyber warfare to promote its own interests and enforce its political, military and economic will on other nation states.
For a wider view of what cyber security means, read CyberWar, CyberTerror, CyberCrime and CyberActivism, which will help you make the most of international standards and best practices to create a culture of cyber security awareness within your organisation that complements your technology-based defences.