During the Beijing Olympics it’s reported there were upwards of 12 million “cyber security incidents” per day . Hacking has evolved tremendously since Beijing four years ago—with great strides in automated attacks and the birth of Anonymous. The Olympics super concentrates people and commerce—making for a very attractive target hackers seeking profits or trying to make a political statement. What does this bode for London 2012? Who will be hacking? What will their targets be? Are we ready?
The games will be a major test of cyber security for both government and private industry. The British Government and the security services are braced for millions of “cyber security incidents” and a special security unit has been set up to monitor for this activity. But the word isn’t out. For example, a guide co-ordinated by the Cabinet Office doesn’t even mention cyber security.
What should the government be worried about? First, this will be the first Olympics where hacktivists, primarily Anonymous, can exert a presence. For example, Theresa May, the UK’s Home Secretary has said the government was aware of the threat from “hacktivist” groups. The second concern is for profit hackers. The third threat? Politically-motivated hackers.
These are the attackers, what will they target?
Attack #1: Data theft. How have hackers hurt public organizations in the past? They exposed credit card information, published embarrassing communications, email addresses and so on. For-profit hackers will try to make money while hacktivists will use breached data for humiliation.
Attack #2: Denial of service. With this attack, primarily hacktivists will also deploy DDoS attacks which attempt to bring down a website so it can’t perform its public function. The purpose is to simply embarrass companies by preventing websites from performing their essential function.
Attack #3: Website defacement. Hackers, especially hacktivists and politically-motivated hackers, may try to deface websites. For example, in 2008 Chinese hackers are reported to have hacked CNN’s website angered by, what were claimed, biased reports of protests during the Olympic torch relay.
Who will the hackers target?
Target #1: Consumers. Certainly consumers need to be on alert. In particular, bogus websites and phishing scams offering anything from hotel rooms, Olympic tickets and—most likely—malware designed to steal credentials and credit card numbers. In fact, by the end of 2011 detectives from the UK’s cyber crime unit had already identified and shut down around 2,000 sites set up by criminals with the games in mind.
Target #2: Business. Consumers can be easy targets, but businesses are typically richer targets since they sit on databases full of credit cards and other valuable data. In some cases, hackers may even try extortion. While the days of Dick Turpin are consigned to history books, a new breed of “highwayman’ is very much alive. Increasingly, with businesses becoming reliant on the internet, high-profile businesses involved with the games, could find themselves victim to “cyber-extortion’ attacks.
Target #2: Government. Although monetary gain is a significant driver behind cyber attack, it’s not the only one. In the past, demonstrations against Beijing’s human rights policies threatened to overshadow the last Olympics, the UK has its fair share of enemies – both abroad and domestically. Hacktivists are expected to use this high-profile event to vent their frustration.
What to do?
Consumers need to pay special attention to scams and may be best advised to avoid the internet for a little while. What can government and private enterprise do? The key issue is that hackers, by definition, are innovators and early adopters. For this reason, many of the traditional technologies we rely on today are no longer effective. For example, antivirus and network firewalls are largely ineffective against today’s cyber threats.
Instead, business and government should refocus spend on protecting data and the applications that transact and access sensitive data. The vast majority of tools companies are buying are focused on detecting malware on a device/PC, finding viruses or stopping bad guys from penetrating their network. For this to succeed by itself, you need an accuracy level of 100%. If one mouse gets through or over your walls, the cheese is gone. Do enterprises have the confidence that the tools they are deploying give them the appropriate visibility to cope?