There is a great quote attributed many times to baseball legend Mark Grace: "If you aren't cheating, then you aren't trying hard enough."
This resonates well with me in the current global market where everyone is playing by new rules. It seems like even though many Americans value concepts such as intellectual property, trade secrets, and competitive advantages, they don't consider the value other countries place on them too, and they don't take the necessary steps to protect their valuable information. Yet, the recent Report to Congress on Foreign Economic Collection and Industrial Espionage, 2009-2011 demonstrates the real need to do this.
The report paints a picture showing that every country (especially China, Russia, and even our allies) engages in industrial espionage against the United States and each other. For these countries, cyber espionage is likely just the tip of the iceberg, very much complementing the main areas of espionage being conducted in the real/physical world. It's much cheaper for foreign governments to "borrow" research and development information and go straight into production, particularly in countries like China and India where there is a strong supply of industrial, low-wage workers to crank out products. For this and other reasons, espionage is certainly not a new practice; rather, the internet has simply made it more visible and traceable.
None of this should come as breaking news, since we hear it in the media all the time. The truth is, a good espionage program is vital to a country's success, as we saw during WWII and the Cold War. It is the responsibility of governing agencies to perform espionage against other countries, as well as to help their own citizens with counter-espionage and cyber defense strategies. In fact, this is the main charter of the NSA, which I had the opportunity of serving in for over eight years. Its focus is on exploiting other countries' communications while, at the same time, ensuring that the USA's government and business communications remain confidential.
With this in mind, I've re-spun the Mark Grace quote as: "Countries that aren't engaging in espionage aren't trying hard enough!"
It's not the findings of the report that are so shocking, but the fact that organizations continue to underestimate this threat. It's time people realized that cyber threats are not going to go away. There are no treaties or other negotiations that will make this activity stop. These are the new rules of the Internet-based society. This being the case, all organizations must establish a solid information security program to protect themselves.
Here are my Rapid7 to-dos:
- Do establish a business continuity plan with solid incident response procedures.
- Do ensure that business leadership understands the risks.
- Do EFFECTIVE security awareness training for all personnel.
- Do, at a minimum, weekly vulnerability scanning and patch vulnerabilities ASAP.
- Do regular penetration testing to vet your security architecture.
- Do create accountability to hold personnel responsible for security failures.
- Do quarterly incident response drills to vet your incident response capabilities.
Please feel free to add to this list in the comments section below.