Recently, I had a conversation with a business owner regarding the “Chinese problem” of hacking. His position was that China represented a serious security threat and therefore we needed to do something about it. My response: Do what? Hack them back? Impose sanctions? Cut off all power to the garbage mashers on the detention level?
The answer: you should do nothing about the Chinese or any other state-sponsored hacking. That is not the problem. The problem is us, not them.
The Manchurian Candidate
I attend a lot of conferences and meet with a lot of different business leaders. Invariably, I run across a few “frothers” who like to ramble on ad nauseam about the Chinese, cyberattacks, critical infrastructure, and a whole load of fear-laced language about how “those people” are icky, evil, and probably smelly. “Those people” are naturally hell-bent on taking away our freedoms, data, systems, money, and the secret to stopping hair loss.
When I dismiss cyberwar and Chinese hacking as irrelevant, these people usually throw some kind of tantrum about how misguided and uninformed I am. They of course always have some acquaintance of dubious credentials who is in the FBI, NSA, CIA, Trilateral Commission or similar shadowy agency and has given them the inside scoop on how “those people” are all out to get us.
The typical argument is that these criminal organizations and state-sponsored attackers are destabilizing our country and hurting our economy. However, the data simply does not support this. There have been absolutely no serious Internet disruptions that were the result of any kind of hacking. Moreover, I have never seen a statistic that shows that state-sponsored hacking has any significant impact on our economy. That is not to suggest it has no effect, but a tornado or railroad strike probably has more direct economic impact than any cyberattack.
Having seen the insides of thousands of companies I can say with absolute certainty the reason the Chinese (or any attacker) can get into these places is because they are so poorly defended, and not because they have some super-powerful cyberweapon.
When I say poorly defended, I mean:
- Perimeter security that fails to effectively control access, content and applications
- Weak or ineffective fundamentals, such as patch management, anti-virus and intrusion prevention
- Security technologies that are so poorly configured, they offer almost no protection at all
- Ludicrous organizational processes that discourage effective security practices
- Poor IT and security leadership who fail to inspire people or encourage best practices
- Pointless focus on metrics and reporting without any understanding of context
- Ridiculous compliance efforts that are merely busywork coupled with checkbox audits providing zero value to overall security
- Security teams that have no strategic planning capabilities and are constantly just gasping for budget and voice
- An obsession with buying the latest technologies, with little regard to their need or alignment with strategic initiatives
We see a lot of poorly defended organizations, large and small. The list of excuses is a mile long: no budget, no plan, no authority and so on. For attackers, these excuses are why it is so easy for them to get in and steal whatever they want. The current attacker, regardless of nationality or motive, does not need to be some uber-hacker. They do not need advanced tools, expert skills or even zero-day payloads. Using point-and-click tools, like Blackhole, your average criminal can launch a highly destructive attack that exploits well-known vulnerabilities.
In short, lack of effective defenses has enabled these state-sponsored hackers.
Book ‘em Danno
All crime has two fundamental components, which you can learn from just about any cop show: motive and opportunity. There is little any of us can do about the motives of Chinese or any other state-sponsored hackers. This is an issue that none of us, individually, is capable of handling or changing. Even as a country, we are fairly weak at tackling these issues. You are never going to diminish the motivation of criminals through rhetoric and posturing.
Opportunity, on the other hand, is a problem we can tackle. We can take away the opportunity for state-sponsored attackers, criminals and hacktivists to carry out their attacks. We have technology, we have good practices, we have smart people and we have ample experience dealing with these attacks. If we put all that to work building more secure networks under the watchful eyes of skilled security professionals, we can thwart a huge percentage (like 99%) of attacks.
When you analyze the data from attacks, such as Chinese espionage attacks, there is a unifying factor. All of those attacks began by exploiting fairly well-known vulnerabilities. It is rare for these attacks to use completely unique or zero-day attacks. This means these attacks could have been easily thwarted with rudimentary security controls like patching, intrusion prevention (IPS) and anti-virus protection. All of these are tried and true technologies that, quite frankly, are very easy to deploy and manage.
However, according to Anitian’s own internal data, 80% of the organizations in the USA are seriously deficient on one or more of these fundamentals. In the organizations Anitian has assessed over the past 10 years, we found nearly 85% of the companies lacked a reliable patch management program. Moreover, 75% had weak or no intrusion prevention controls, and 53% had incomplete anti-virus coverage.
To Thy Own Self Be True
If your own organization cannot handle fundamental security controls, you are in no position to begin lecturing others about Chinese hackers, APT, hacktivism, cyberwar or any other sensationalist issue.
Moreover, if you are a security leader, security fundamentals should be your primary concern. Once these fundamentals are in place, there is a whole list of other sound security practices, like user awareness, event management and incident response which should be your next priority. State-sponsored hacking, cyberwar, Anonymous and such are way down the list of issues that should command any of your attention.
Unfortunately, the industry has become so enamored with these topics, it has utterly lost perspective on the problem. Every tradeshow and event is riddled with presentations from “experts” decrying the state of security and obsessing over every infinitesimal attack tactic. There is a non-stop torrent of posturing, posing and impotent fist waving from various industry luminaries, all of which accomplishes next to nothing. Everybody seems to have an opinion about cyberwar, and none of those opinions have amounted to any significant decrease in the number of attacks. We have groups, committees, teams, associations, organizations, task-forces and blogs all frothing night and day about cyberwar, none of which has stopped a single attack or improved our defenses even a little bit.
As such, it is time to shut up about state-sponsored hacking and get busy fixing the real problems. The security industry needs to grow up and stop the endless one-upmanship over who can be the most indignant and derisive. If you are mad about the Chinese hacking America, then go log on to your firewall and audit every single rule and make sure it makes sense. If you are enraged about Anonymous, then triple-check your patch management system and make sure it patches everything, always, without any excuses whatsoever. If you are angry at how criminals are stealing data and ruining businesses, then stop complaining about it, and go optimize your IPS to block all serious attacks and not just the defaults the vendor put in place so you will never call support. If PCI compliance angers you, stop shaking your fist at the PCI Standards Council and use PCI to actually improve your security, and fire that checkbox auditor who signs you off every year without actually looking at anything.
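“Audit every single rule and make sure it makes sense” is the kind of fundamental the post is talking about, and it can be partly automated. The script below is an added example, not code from Anitian or from this post: it runs two checks over a rule set that has already been normalized into a simple form (source, destination, protocol, port range, action, in evaluation order). It flags “any to any, any protocol” allow rules, and it flags rules that can never match because an earlier rule already covers every packet they would match (a shadowed rule), which is how a forgotten “temporary” allow can silently disable the deny-all at the bottom of the list. The rule set is constructed for the example; how you export and parse rules from a real firewall is vendor-specific and is assumed to happen before this step.

```python
from dataclasses import dataclass
import ipaddress

ANY_PORTS = (0, 65535)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str        # "allow" or "deny"
    src: str           # CIDR or "any"
    dst: str           # CIDR or "any"
    proto: str         # "tcp", "udp" or "any"
    ports: tuple       # inclusive (low, high); ANY_PORTS for all ports


def as_network(spec: str) -> ipaddress.IPv4Network:
    """Map 'any' to 0.0.0.0/0 so subnet tests work uniformly (IPv4 only here)."""
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec)


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet that would match `inner` already matches `outer`.

    The firewall evaluates rules top-down and first match wins, so if `outer`
    sits above `inner` and covers it, `inner` is dead regardless of its action.
    """
    return (
        as_network(inner.src).subnet_of(as_network(outer.src))
        and as_network(inner.dst).subnet_of(as_network(outer.dst))
        and (outer.proto == "any" or outer.proto == inner.proto)
        and outer.ports[0] <= inner.ports[0]
        and inner.ports[1] <= outer.ports[1]
    )


def audit(rules: list) -> list:
    """Return (rule name, finding) pairs for overly broad and shadowed rules."""
    findings = []
    for i, rule in enumerate(rules):
        if rule.action == "allow":
            if rule.src == "any" and rule.dst == "any" and rule.proto == "any":
                findings.append((rule.name, "any-any allow"))
            elif rule.src == "any" and rule.ports == ANY_PORTS:
                findings.append((rule.name, "allows all ports from any source"))
        # Shadow check: the first earlier rule that fully covers this one
        # means this rule is never evaluated.
        for earlier in rules[:i]:
            if covers(earlier, rule):
                findings.append((rule.name, f"never matches: shadowed by {earlier.name}"))
                break
    return findings


# Constructed sample rule set, in evaluation order. The "temp-vendor" rule is
# the kind of leftover that quietly defeats everything below it.
SAMPLE_RULES = [
    Rule("allow-web", "allow", "any", "10.0.1.0/24", "tcp", (443, 443)),
    Rule("allow-dns", "allow", "10.0.0.0/8", "10.0.0.53/32", "udp", (53, 53)),
    Rule("temp-vendor", "allow", "any", "any", "any", ANY_PORTS),
    Rule("allow-ssh-admin", "allow", "10.0.9.0/24", "10.0.1.0/24", "tcp", (22, 22)),
    Rule("deny-all", "deny", "any", "any", "any", ANY_PORTS),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_RULES):
        print(f"{name}: {finding}")
```

Run as-is, it reports the “temp-vendor” rule as an any-any allow and shows that both the admin SSH rule and the final deny-all are shadowed by it, so the policy as written is effectively “allow everything”. The shadow check is deliberately conservative: it only reports a rule when a single earlier rule covers it completely, so a rule that is dead only because of the combined effect of several earlier rules is not reported and still needs a human reviewer.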
Stop complaining and put your anger to use. The Chinese are not the problem. They are merely a nation state engaged in espionage using modern tools to carry out their country’s objectives. That is not an endorsement, but it is a statement of fact. You can shake your fists at the sky and curse the Chinese all day, but honestly the only people we have to blame are ourselves. If we want to stop state-sponsored hacking, then we need to improve our defenses to make it more difficult for attacks to be successful.
This is why we need more security practitioners focused on defense and protection, and fewer focused on frothing about attackers. While it is always interesting to learn the tactics and details of an attack, unless that information is used to improve defense, it is not very useful.