The cyber war is real — and our defenses are weak

I used to think “cyber war” was the most overhyped security buzzphrase of all time. And it was — until Stuxnet and APTs (advanced persistent threats) arrived. Now, as Bob Violino detailed in his recent InfoWorld article, all-out cyber war has begun.

The 2010 Stuxnet worm is arguably the most sophisticated, successful, and targeted malware of all time. Strongly linked to both Israeli and U.S. government teams, Stuxnet effectively interrupted the Iranian nuclear program. Make no mistake: When one government attacks another government’s infrastructure, we are clearly at war, even though malware is the weapon of choice rather than missiles or boots on the ground.

[ Find out how to block the viruses, worms, and other malware that threaten your business, with hands-on advice from InfoWorld’s expert contributors in InfoWorld’s “Malware Deep Dive” PDF guide. | Don’t look now, but your antivirus may be killing your virtualization infrastructure. InfoWorld’s Matt Prigge shows you how to detect the warning signs. ]

In response to the Stuxnet attack on the Iranian nuclear program, an Iranian hacker has been quite successful at compromising multiple, trusted, public CA (certification authority) vendors. True, these weakly secured CAs have been hackable all along. The Iranian hacker took advantage of that fact, and after two decades of just a few digital certificates being compromised, we’ve had a wave of compromised CAs and hundreds of fraudulent certificates.

Chinese APT continues to be found in nearly every large company and government throughout the world, although particularly in the United States. Whether or not the Chinese government is directly involved hasn’t been publicly confirmed, but clearly, the perpetrators are gaining access to private intellectual property that the Chinese government has interest in. Chinese APT likely has unfettered access to every major company you can think of. In fact, I know of only one company that appears to remain uncompromised out of the dozens that have invited me to conduct an investigation.

The most recent high-profile Chinese APT attack was the compromise of the New York Times. In truth, I don’t feel the Times story deserved that much attention. Why are we worrying about a hack of a media site when foreign hackers have become endemic to our whole digital ecosystem? It’s like worrying about how carjackers will treat your brakes after they’ve stolen your vehicle.

Moreover, I’m sure the Times, like every other company that calls me because they’ve been hacked, has been hacked for years. All the stories about the Times hack seem to suggest the Chinese were retaliating in response to a story about Chinese politicians. That’s rich! The Chinese may have poked around looking for particular information related to that story, but the Times has likely (I’m speculating without specific knowledge, but I virtually guarantee it) been compromised for years.

I guess I’m jaded. Yes, thanks to Iranian retaliation for Stuxnet and aggressive Chinese APT penetration — which has likely resulted in the theft of untold billions of dollars in intellectual property — you can credibly say that today, at this moment, we’re in the midst of a cyber war. But the fact of the matter is, we’ve been losing the war against malicious hackers for years, mainly because efforts to shore up our defenses have largely been pathetic.

Almost nobody is doing the basics right. No company I know of patches correctly or prevents users from running things they shouldn’t. Almost every company has no clue about what is really running on each user’s system — and each user’s system can contact nearly every other computer in the enterprise, even when there’s no reason for it. Antivirus really doesn’t work. Neither do firewalls, strong passwords, or encryption. The cause of these failures is simple: Endpoint defense can’t fix the problem.

To stop cyber crime, we need to rebuild the Internet. Nothing short of that will work. No one who has taken the time to really examine the systematic problems would disagree. With existing protocols, we could add the needed protections to the Internet today, and it would be backward compatible. I’ve even written a fairly detailed plan (PDF) describing how this could be accomplished.

Unfortunately, we don’t have the critical mass of public opinion and determination it will take to implement the solutions that will work. We’ll get there one day. But apparently it will take many more billions of dollars stolen, more foreign Stuxnet worms attacking each other’s critical infrastructure, and a million more New York Times compromises before we reach that tipping point.

This story, “The cyber war is real — and our defenses are weak,” was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes’ Security Adviser blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.