Is this the Golden Age of Hacking or is Pandora’s Box Yet to be Opened?
Posted by Nathan Sportsman
Over the past few months the public has witnessed a recent string of high-profile breaches. Targeted attacks by state-sponsored organizations, civilian hacktivist groups, and small hacking crews have penetrated the likes of Sony, RSA, Lockheed Martin, Gmail, IMF, PBS, Citibank, and ADP. Story after story has caused cybersecurity to become front of mind (at least temporarily) for many companies, and the public can’t seem to get enough of the online shenanigans. To accommodate the increase in interest, the online news outlets, blogospheres, and Twitter feeds are happily giving us the play-by-play as things progress. Not to be outdone or outscooped, the cable news networks are full steam ahead on their own coverage, and nowadays even Mad Money front man, Jim Cramer, is providing stock tips on software security companies.
In addition to piquing people’s curiosity, the (perceived) jump in hacking activity has raised some interesting questions. PC Pro went so far as to suggest we are in a golden age of hacking. The very same question (phrase in fact) is not a new one and has been posed over the years. Here is an example, courtesy and circa, 2002. Perhaps someone should qualify what period of time constitutes an “age”, but I digress.
Invariably, the term “Golden Age” is bestowed retroactively, when the period in question has ended and is compared with what followed in the specific field discussed.
The truth, and perhaps an even more interesting story, is that we have not witnessed an uptick in hacking activity over the last few months. The uptick in activity has been steady for the last few years. What has increased in recent months is the number of compromises that have forced companies into public disclosure. The word “public” is the key point and the crux of this blog post. I believe three major reasons account for it:
- Some of the recent breaches are so large and potentially harmful to a company’s customer base that they have no choice but to notify.
- It is difficult for a company to remain silent on a compromise when the group that did it is flogging them in public and freely offering evidence of the breach.
- The recent string of compromises provides cover for other companies to admit that they too have been victims.
Some of the recent hacking blitzes by folks such as Anonymous and Lulzsec remind me of the days of 2001, when hacking was driven more by political statements, website defacements, bragging rights, and shout-outs. Since those earlier days, motivations for hacking have changed. Today, hacking is primarily driven by monetary and intellectual property gains. In that context, saber rattling by perpetrators and admissions by companies are equally rare.
I’ll provide a simple example. Between 2008 and 2010, a sophisticated attack, now known as Operation Aurora, infiltrated Google along with several other high-profile technology firms such as Adobe, Symantec, and Rackspace. While Google moved quickly to openly admit they had been breached, other companies were slower to disclose and eventually only did so under the cover of Google’s admission. When all was said and done, only a handful of companies publicly admitted to the breach, and the media speculated as many as 30 to 40 companies were compromised during the operation. Those providing digital forensic and investigative services for the event, such as HBGary and Mandiant, estimated hundreds of companies had fallen victim. Ironically, Anonymous’ breach of HBGary and subsequent public dump of the company’s email records provided the proof of this, and additional high-profile names were added to the public’s known list of victims (DuPont, Northrop Grumman, Intel, Juniper, Dow Chemical, and Morgan Stanley). If you listen to someone who is most likely more in the know than anyone else, such as Peiter Zatko (aka Mudge) of DARPA, you’ll find the estimate is once again revised upward and hits closer to between 3,000 and 4,000 companies.
As the example illustrates, most companies will only publicly disclose a compromise when they absolutely have to. I believe attempts to quantify the number of breaches in a given year, such as Verizon’s 2011 Data Breach Report, only represent the proverbial tip of the iceberg and they only account for those incidents that have been reported. A matrix that compared the total number of private sector compromises to those companies that notified the FBI, OAG, and/or customers would be an interesting chart indeed.
In other words, the only difference between the last few months and the last few years is that the recent compromises have just become more visible to the general public. So unless you are defining an “age” as 15+ years… then no… we are not in a golden age of hacking.