Cybersecurity Tops the Agenda in U.S.-China Weekend Talks
There's no doubt international cyberespionage is a thorny issue, but it may also be too big for just two nations to handle -- even if the countries in question are the U.S. and China. "Cyberconflicts are a global governance issue, and are not an issue that can be resolved with bilateral talks between two countries," maintained FireEye CTO Ashar Aziz.
Jun 10, 2013 11:54 AM PT
Among the issues on the agenda for the talks over the weekend between China's President Xi Jinping and U.S. President Obama were cybersecurity and hacker attacks on U.S. targets by hackers based in China.
Even if China had the will to act against hackers within its territory, doing so wouldn't be easy, noted FireEye CTO Ashar Aziz.
"The technical means to validate true reduction in cyberoffense are not very good since the advantage belongs overwhelmingly to the attacker in cyberspace, and existent security techniques are generally poor in their detection capabilities," Aziz told TechNewsWorld.
Moreover, as powerful as the United States and China are, espionage and lawlessness in cyberspace may be more than two nations alone can handle, Aziz added.
"Cyberconflicts are a global governance issue, and are not an issue that can be resolved with bilateral talks between two countries," he said.
"The number of countries and nonstate groups with sophisticated offensive capabilities in cyberspace is growing at an alarming rate," Aziz continued. "So even if one or two countries decide to show restraint, it is difficult to see how that will result in fewer attacks on the U.S and other countries given the global and highly distributed nature of the problem."
Earlier in the week, of course, the Obama administration -- already reeling from several scandals -- was hit by another controversy when The Guardian reported that a snooping program called PRISM run by the superspooks at the U.S. National Security Agency has been routinely rifling through user data stored on the servers of such tech giants as Microsoft, Google, Apple and Facebook.
Senior executives at the companies targeted by the NSA all denied any knowledge of the program.
Citing a top secret document, The Guardian reported that PRISM allowed the NSA to access emails, chat conversations, voice calls, documents and more on the high-tech companies' servers.
The PRISM revelations came on the heels of another Guardian scoop that a secret court order had been issued against the U.S. telecom giant Verizon requiring that it turn over telephone records for tens of millions of its customers to the NSA.
PRISM was authorized by U.S. federal judges under the Foreign Intelligence Surveillance Act, or FISA.
Band-Aid for a Botnet
Then there was Microsoft's latest anti-cybercrime effort, code-named Operation b54, by which Redmond joined forces with law enforcement agencies to disrupt more than 1,000 botnets based on a malware program called Citadel.
It's estimated that the zombie nets raked in US$500 million in ill-gotten gains and affected five million people before Microsoft's intervention.
As praiseworthy as Microsoft's efforts were, the problem they address may be too big for even the Windows King to dent, maintained Kevin O'Brien, an enterprise solution architect at CloudLock.
"The actions Microsoft has taken as part of Operation b54 are a Band-Aid," he told TechNewsWorld.
"Motivated criminals have demonstrated that they can exceed vendors' ability to provide software-based fixes, and it is reasonable to assume that future account and information crime will reflect an ever-more-sophisticated set of attacks," he added.
Data breaches are bad no matter where they happen, but in the United States and Germany, they're particularly costly. At $188 per record in the U.S. and $199 in Germany, those countries had the highest costs among the nine nations studied for the 2013 Cost of Data Breach report from Poneman Institute and Symnatec.
As high as the cost of data breach in the U.S. was, though, it was still lower than in 2011, when it was $194 per record.
"The decrease in U.S. costs is encouraging," Linda Park, senior product marketing manager for Symantec, told TechNewsWorld. "It means there is greater awareness around the issue of data breaches and that people are doing more to protect themselves against data loss."
Another Poneman study -- one sponsored by Hartford Steam Boiler -- focused on cyberattacks on small businesses. Among its findings:
- Nearly one-third of U.S. small businesses had a cyberattack in the previous year and nearly three-quarters of those businesses were not able to fully restore their company's computer data;
- Primary methods of cyberattacks included computer viruses, worms and Trojans (61 percent) and unspecified malware (22 percent); and
- Consequences of the attacks included damage to reputations (59 percent), theft of business information (49 percent), loss of customers (48 percent) and system downtime (48 percent).
Data Breach Diary
- June 4. University of Massachusetts at Amherst notifies clients of a data breach at its Center for Language, Speech and Hearing that occurred after a workstation was infected by malware. Some 1,670 patient records were affected. Records included Social Security numbers, addresses, names, dates of birth, health insurance company names or names of other payees, insurance numbers, primary health care or referring physicians, and diagnoses and procedure codes. No evidence was found that any data left the workstation.
- June 5. Ponemon Institute releases its annual Cost of Data Breach study showing an increase in the average cost of a data breach for the nine countries in the research to $136 per record compromised, from $130 in the previous year.
- June 6. European Parliament's civil liberties committee approves a draft of a law that would create a mandatory two-year jail term for computer hacking and a minimum three-year sentence for creating a botnet.
Upcoming Security Events
- June 4. Get Actionable Insight with Security Intelligence for Mainframe Environments. Noon EDT. Dark Reading Webcast sponsored by IBM. Free.
- June 4. 2013 Government Cybersecurity Forum. Under Cybersiege: What Should America Do? 8:30 a.m.-2:15 p.m. EDT. Ronald Reagan Building, Washington, D.C. Sponsored by Kaspersky Lab. Free.
- June 10-13. Gartner Security and Risk Management Summit. National Harbor, Md. Registration: $2,375.
- June 11. Cyber Security Brainstorm. 8 a.m.-2:30 p.m. EDT. Newseum, Washington, D.C. Registration for nongovernment attendees: Through June 10, $495; onsite, $595.
- June 13. Agiliance Executive Advisory Council (EAC) forum. 9 a.m.-1:30 p.m. EDT. Law offices of Sidley Austin, Washington, D.C. Free.
- June 14-22. SANSfire 2013. Washington Hilton, 1919 Connecticut Ave. NW, Washington, D.C. Course tracks range from $1,800 to $4,845.
- June 15-16. Suits and Spooks conference. La Jolla, Calif. Registration: $595; Securing Our eCity Foundation members, $545; government/military/academia $395.
- June 20. Top Ten Web Defenses. 2 p.m. EDT. Black Hat webcast sponsored by Symantec. Free.
- June 25-26. ICF International CyberSci Summit 2013. Arlington Hilton Hotel, Arlington, Va. Registration: $650.
- July 24. Cyber Security Brainstorm. 8 a.m.-2:30 p.m. EDT. Newseum, Washington, D.C. Registration for nongovernment attendees: Through July 23, $495; onsite, $595.
- July 27-Aug. 1. Black Hat USA 2013. Caesars Palace, Las Vegas. Registration: Through July 24, $2,195; July 25 through Aug. 1, $2,595.