Davos 2010: Cyber threats escalate with state attacks

<http://news.bbc.co.uk/2/hi/business/8489265.stm>


By Tim Weber
Business editor, BBC News website, in Davos


Cyber-attacks are rising sharply, mainly driven by state-sponsored hackers, experts at the World Economic Forum in Davos have warned.

The situation is made worse by the open nature of the web, making it difficult to track down the attackers.

Craig Mundie, Microsoft's chief research officer, called for a three-tier system of authentication - for people, devices and applications - to tackle the problem.

The biggest cyber-risks, however, are insiders, experts said.

The security of cyberspace and data in general has been a theme at a string of sessions in Davos, with leading security experts warning that internet threats were growing at a geometric rate.

"It's scary and getting worse," said the representative of a company that helps direct large parts of global internet traffic.

He said his firm was monitoring a steadily increasing number of "denial of service" attacks, where large networks of hijacked computers send random data to an organisation's servers, thus overwhelming the system until the website crashes.


Microsoft's experience

Hacking is steadily evolving.

While most individuals move in the safety of the herd, companies and governments are much more obvious targets.
    

Microsoft, Mr Mundie said, had been under attack for many years and probably seen it all.

"We have weathered the storm of nearly every class of attack as it has evolved, and lost some IP [intellectual property] on the way.

"We had lots of distributed denial of service attacks, but we are coping with that, but to do so you have to have active security these days."

What was once done mainly for fun, to demonstrate technical prowess, has progressed to criminal activity and now cyber warfare, where government-sponsored hackers had the capability to overwhelm the defences of some countries.

They cited the examples of Georgia and Estonia, both of which had come under attack at times of political tensions.

Search giant Google recently caused headlines after it said that hackers had tried to infiltrate its software coding and the e-mail accounts of Chinese human rights activists, in a "highly sophisticated" attack that originated from China.


China denies being behind the attacks.

Vulnerabilities

The problem with all internet attacks is that they are difficult to trace.

In fact, cyber attacks had been traced to every single country in the world, because the real attackers - wherever they sit - simply control PCs that have been hijacked after a virus attack.

"Even if we find out which computer is causing it - and the owner probably doesn't know what the PC is doing - there's nothing we can do next," said one expert.

Another Davos participant, a so-called "white hat hacker" who helps companies to secure their systems, said criminals were mostly going for the "low-hanging fruits".

That refers to people using the most popular systems, who were not updating their computers and failed to take basic internet security precautions.

Much rarer, but much more sophisticated, were targeted attacks at high-value individuals, he said, like chief executives or high-value staff.

Cyber criminals, one expert claimed, caused greater damage than the global illegal drugs trade, but there was hardly anything that resembled the war on drugs.

"Our model of cyber security has been that we've just been building stronger castles and bigger moats, but bad people are inventing airplanes and cruise missiles."

Passive defences against cyber threats are not working anymore, he said, "you now have to have an active defence."


New dimensions

Threat levels, the experts agreed, were constantly evolving.

Most manufacturers do not realise that their products - cars, televisions, appliances - are in fact computers with hardware around them, and thus as vulnerable to threats as traditional computers.

But threat levels are escalating even further, argues the chief executive of a firm that specialises in protecting its clients from digital attacks.

"This is not a single dimensional problem, every few months we add new dimensions of risk."

One example, he said, was cloud computing, where users store their data and applications on third-party servers and access them through the internet.

"Here you get a concentration of risk and an extreme asymmetry," he said. "You need communication to make your whole system work, so if something goes wrong here you lose everything."

"You're left to playing Solitaire" on your PC, commented another expert.

He compared the shift in threat level to the risk of terrorists once blowing


'Insider threat'

Few clear strategies were proposed to counter the threat, but one that the experts agreed on was "authentication", where systems verify that you are who you say you are.

"The internet is a wonderful place because it's so easy to get on… but that's because it's unauthenticated. A lot could be prevented just by having a two-step authentication," said one expert.

Microsoft's Mr Mundie pointed to a much more dangerous threat to most companies.

"What we have also experienced is the act of insider threat.

"As a company we start with the assumption, there are agents of governments and rivals inside the company, so you have to think how you can secure yourself. But most companies don't start with the assumption that there's an insider threat."

Other experts agreed, while in other sessions hackers pointed out that these insiders may be doing their work unwittingly.

"Have a look at this USB thumb drive," one hacker said. "I give it to you at a conference, or ask you to print something out, and when you plug it in, it will download all the data and passwords on your computer, and when the time is right it will upload it all to my servers somewhere in the world."


Cyber-war

Now that governments get involved in hacking, the threats are multiplying.

"Any government with a few good computers and a few clever guys can do some serious damage," one person at Davos warned.

A senior politician asked: "Will we know when the cyber-war has started?"

"When another government sends its planes and they drop bombs, we know we are at war. But when does a cyber-war start?"

Would a denial of service attack be the start of war?

Or would you know it's war when the other side was taking control of - or bringing down - the systems that run your electricity grid, your water supplies, your phone systems?

Wherever the issue was discussed, audiences soon had pained expressions, and asked whether there was any ray of hope.

"Well," said the boss of one security company, "we are trying to run faster than the bad guys."

The crucial word is "try".
