
Russian hackers stole a billion-plus passwords—sweat that

August 14, 2014

Somewhat unnoticed or less appreciated amid all the global apocalypse hype in the Middle East and Ukraine was the theft of 1.2 billion usernames and passwords by what is vaguely identified as a crime syndicate of “Russian hackers.”

And if that wasn't enough, it wasn't the U.S. government or the Pentagon or the CIA or NSA that uncovered the hack. Instead, it was a little-known Milwaukee-based firm known as Hold Security that put the news out as part of a clever marketing ploy to pitch its Breach Notification Service product. This wasn't the first time Hold Security uncovered a major breach; earlier cases include Target and Adobe in 2013. But that private sector entities are doing the heavy monitoring lift that the public expects from government agencies is telling on many levels.

Still, that’s the least of many people’s worries. War is Boring blog analysts Matthew Gault and Robert Beckhusen cite cybercrime (as opposed to cyberattacks) as a serious threat the public should really pay attention to. “The U.S.—and the rest of the world, for that matter—aren’t ready to deal with cybercrime,” argue Gault and Beckhusen, adding that cybersecurity analysts worry about the wrong threats, especially when Russian hackers can comb through your passwords. 

What’s nerve-rattling about the incident in the current geopolitical environment is that the hackers are reportedly Russian. As war between the Ukrainian government and pro-Russian separatists rages, the tension between Western countries and the regime of Russian President Vladimir Putin also boils. Both sides have launched a number of economic sanction salvos at one another and it could be a matter of time before that escalates into some form of nonconventional cyber warfare (if that hasn’t happened already).

This brings up a valid question: Who’s to say this particular group of hackers is not state-sponsored? It’s an icky proposition, especially when considering the nebulous and nonattributable nature of hackers, qualities that make them especially appealing to military agencies looking to conceal offensive capabilities and activities. We saw this happen in 2007 with the first recorded “cyber invasion” of Estonia, followed by a 2009 preinvasion cyberattack of Georgia infrastructure before Russian military mercenaries and regulars launched operations. In each of these instances, the Russian government officially denied any involvement or support. Russia is not the only one, either—the U.S. and the Israelis successfully launched a Stuxnet virus that succeeded in wrecking Iran’s nuclear program.

The official line is there is evidence of a linkage between the hackers and the Russian government. But that was the official line back then, too. If Russia worked with hackers to steal passwords, could the data from a breach of this magnitude become a new threat vector against NATO-aligned nations supporting Ukrainian government troops or Western nations sanctioning Russia? Should this prove true, it could be particularly devastating since most security experts worry aloud about the inability of private and public sector institutions to protect themselves from major intrusions. Still, Gartner’s Earl Perkins strikes an optimistic note in a July Hype Cycle report in which he observes “Cybersecurity awareness is growing with business leaders and is increasingly considered a required part of new and existing business designs.”

While the effects of cybercrimes aren’t particularly pretty, the resulting post-breach outcomes present a major opportunity for vendors that specialize in anti-breach services and products as well as industry players who know where to find highly skilled information security talent. If Perkins’s theory holds true, firms are quickly adapting to the threat climate, which means CIOs and CISOs are spending increasing budget on InfoSec. It’s an unsettling, uncertain frontier—but it doesn’t have to stay that way with the right combination of expertise and investments in secured networks. Will companies and governments, however, be willing to make the necessary investments before it’s too late?

Charles Ellison is a senior analyst relations strategist for TEKsystems. He keeps close tabs on changes and public policy shaping the innovation space. He is also a former congressional staffer, senior aide to state and local elected officials and an expert advocacy strategist. You can reach him with questions and comments @twoARguys via Twitter.
