The call to Bob Bailey, an IT executive with a major government contractor, came on an otherwise ordinary day in October 2003. “Why are you attacking us?” demanded the caller, an IT leader with a Silicon Valley manufacturer. He wanted to know why Bailey’s company had launched a denial-of-service attack against his network.
Bailey (not his real name), deputy CIO in charge of IT operations, was thrown. He spent the next several hours reviewing logs and profiling systems. He discovered that someone had taken over one of the company’s servers and was using it to launch attacks against other companies in the valley.
MORE ON CIO.COM
After conducting a forensic review of the drives, Bailey learned that intruders had been lurking on two of his company’s servers for almost a year. These hackers, who were traced to a university in Beijing, had entered the company’s extranet through an unpatched vulnerability in the Solaris operating system. As far as Bailey could tell, they hadn’t accessed any classified information. But they were able to view mountains of intellectual property, including design information and product specifications related to transportation and communications systems, along with information belonging to the company’s customers and partners.
“It was such a sobering experience,” Bailey says, not least because three years earlier he had conducted a network security audit and patched every hole. But he hadn’t done the same with the extranet.
Bailey will never know who hacked his servers. China’s poorly defended servers are often used to launch attacks. He likes to believe that the culprits were a couple of students who launched the DoS attacks out of boredom, grew bored with that and went on their ways. But he knows that comforting scenario may be wrong. It’s just as possible that the intruders were after his company’s IP. And they easily may have gotten it.
(CIO agreed to Bailey’s request for anonymity in order to protect the identities of his company’s business partners.)
According to cybercrime experts, digital IP theft is a growing threat. Although precise numbers are hard to come by, the U.S. Department of Commerce estimates stolen IP costs companies a collective $250 billion each year. And that number does not include hacked or hijacked information that goes unnoticed or unreported. The economic costs on a nationwide scale are impossible to quantify just yet.
Suspected state-sponsored espionage against the U.S. government has received the most publicity, thanks to the investigation of a series of coordinated attacks on federal computers dubbed “Titan Rain.” The 2003 attacks may have been the work of a China-based cyberespionage ring that was trying to steal government information, according to articles published in The Washington Post and Time magazine in 2005. But companies in any industry may be vulnerable. As businesses increasingly collaborate with external partners and expand globally, they’re also increasing their exposure to criminals—and possibly foreign governments—who may have more on their minds than scoring some Social Security numbers.
How Vulnerable Are You to IP Theft?
If your intellectual property is digital, you’re at risk for online IP theft. But there are varying degrees of exposure. “It has to do with how valuable a target you present and how well-defended you are,” explains O. Sami Saydjari, president of security consultancy Cyber Defense Agency.
The types of organizations that currently face the highest risk include:
- Large, globally distributed organizations
- Small to midsize businesses in niche markets
- Companies with foreign partners or that sell directly in foreign markets
- Organizations with decentralized IT
- Military or government organizations that rely heavily on contractors and suppliers
- Industries like telecommunications that supply critical national infrastructure
- Organizations lacking executive sponsorship of security issues, technical enforcement of security policies, adequate security monitoring or process/preparedness for dealing with security breaches
External partners, locally and globally, are a major source of risk. “You can spend millions on your own defenses,” says John Bumgarner, research director for security technology at the U.S. Cyber Consequences Unit. But attackers may find a way in through weak spots in the systems of customers or suppliers. As intruders’ sophistication increases, however, all organizations may face similar vulnerabilities. “With new hacking methods, if the information is not encrypted and it is very valuable, it’s at high risk,” says Alan Paller, research director for the SANS Institute.