Cyber attacks threaten most companies

- There is no infrastructure in developed nations today, including Canada, that is not highly dependent on the Internet and technology.

That means two things: Terrorists and rogue nations seeking to cause the maximum damage are studying ways to conduct cyber attacks, and if they ever succeed on a large scale the devastation could be catastrophic.

“People would not be killed immediately, but we rely on the Internet and technology. If there’s no Internet, if there’s no electricity, for example, what could happen?” says Qing Tan, assistant professor at the School of Computing and Information Systems, Athabasca University.

Not surprisingly, last October, U.S. Deputy Defense Secretary William J. Lynn III said that “any major future conflict will almost certainly include elements of cyber warfare. And the threat posed by cyber warfare extends far beyond military operations — it extends to the very heart of our economy.” The U.S. is not taking any chances, and this year added a new domain to its military: the U.S. Cyber Command. Already, the list of cyber attacks on governments as well as corporations is lengthy and rapidly growing.

Many have cited the Russian/Georgian war of 2008 as the first example of cyber warfare used as part of a conventional war because, just prior to the Russian military attack, Georgian infrastructure and key government websites were bombarded with cyber attacks.

This November, the world learned that for 18 minutes on April 8, 15 of the worldÂ’s Internet traffic, including traffic to and from U.S. military and government websites, was hijacked by the state-owned China Telecom.

“I think the most dangerous threat is when the attacker takes over the control, and you may not even be aware that this has happened,” says Mr. Tan. “In any cyber attack, the attacker has the advantage if only because they have studied specifically how to attack your security holes.”

Those creating the attacks can be very sophisticated, tech-savvy professionals and even organized, he says, although just as with offline crime, there are many types of cyber crimes and criminals.

“It is clear that spam, for example, is an activity based on a network of computers ‘enslaved’ to a controlling centre. The University of Toronto recently exposed one such network of ‘bots.’ But it’s not always clear that behind the network of computers stands a network of people,” says Avner Levin, Director, Privacy & Cyber Crime Institute, Ted Rogers School of Management, Ryerson University.

“Quite often it is possible for one individual to control large computer networks. What is true is that no one invents the wheel. These individuals rely on a criminal infrastructure that they access. It is also true that other forms of criminal activity, such as skimming of financial information in order to commit financial fraud, is an organized activity — not necessarily controlled by the old crime families, but certainly by organizations that deploy rogue employees to collect the data, have people then fabricate new bank/credit cards with the stolen information, and then have more people withdraw cash/make purchases with these fraudulent cards.”

An Internet worm that infiltrated industrial systems in Iran early this fall was likely designed by highly skilled professionals to specifically attack the country's nuclear program. Unfortunately, experts now warn that the worm, called Stuxnet, can be modified to wreak havoc on just about any type of industrial control system around the world. In other words, businesses here in Canada now face the risk of being collateral damage of the attack on Iran. ThatÂ’s what can happen in todayÂ’s highly cyber-interconnected world.

All this points to the need for a new level of awareness about network security among the public and, more particularly, in the boardrooms. According to CSIS, because Canada is a world leader in such technology-intensive fields as aerospace, biotechnology, chemicals, communications, information technology, mining and metallurgy, as well as nuclear, oil and gas and environmental technologies, Canadian companies have been targeted by espionage from foreign governments. In fact, according to a new government report on cyber attacks prepared by the Public Safety Department with data from the Canadian Security Intelligence Service, the Defence Department, the RCMP and the Privy Council Office, 86 of large Canadian corporations have been hit. No only has cyber espionage on the private sector doubled in two years, states the paper, but these attacks are also causing considerable economic damage in Canada, as well as representing a national security threat.

“Most of the public discussion to date has been about personal information in the hands of organizations and government, and how it gets compromised, for example, data breaches that lead to identity theft,” says Prof. Levin. “But not a lot has been said about commercial espionage, or national espionage for that matter, in which the organization or government itself, and its own interests, are attacked.”

He adds: “I think we are moving and will move in the future from the traditional crimes-via-computer — not to say that these will be eliminated, they will just be more a part of life — to the relatively new crimes that target the digital infrastructure and the national and corporate interests of the corporations and governments involved.”

According to Mr. Tan, it is impossible to stop all cyber attacks, but with heightened network security — and a strong contingency plan — businesses and societies can minimize their impact and remain resilient in this new era of cyber risks and threats.