Around the world, corporations' computer networks and control systems are under "repeated cyberattack, often from high-level adversaries like foreign nation-states," according to a new global survey of information technology executives.
The attacks include run-of-the-mill viruses and other "malware" that routinely strike corporate defenses, but also actions by "high-level" adversaries such as "organized crime, terrorists, or nation states," a first-time global survey by the Center for Strategic and International Studies (CSIS) in Washington has found. More than half of the 600 IT managers surveyed, who operate critical infrastructure in 14 countries, reported that their systems have been hit by such "high-level" attacks, the survey concludes.
A large majority, 59 percent, said they believed that foreign governments or their affiliates had already been involved in such attacks or in efforts to infiltrate important infrastructure – such as refineries, electric utilities, and banks – in their countries.
Such attacks, the survey said, include sophisticated denial-of-service attacks, in which an attacker tries to so overwhelm a corporate network with requests that the network grinds to a halt.
But they also include efforts to infiltrate a company. Fifty-four percent of the IT executives said their companies' networks had been targets of stealth attacks in which infiltration was the intent. In two-thirds of those cases, the IT managers surveyed said company operations had been harmed.
The IT managers also believed that these "stealthy" attacks were conducted by "nation states" targeting their proprietary data, says the survey's main author, CSIS fellow Stewart Baker, in a phone interview. Mr. Baker is a cybersecurity expert formerly with the Department of Homeland Security and National Security Agency.
"It's all the same kind of stuff – spear-phishing, malware, taking over the network and downloading-whatever-you-want kind of attack," he says. "Over half of these executives believe they've been attacked with the kind of sophistication you'd expect from a nation state."
The CSIS report describes such attacks as "stealthy infiltration" of a company's networks by "a high-level adversary" akin to a "GhostNet," or large spy ring featuring "individualized malware attacks that enabled hackers to infiltrate, control and download large amounts of data from computer networks." The GhostNet attacks, which Canadian researchers attributed to Chinese state-run agencies, bear similarities to recent attacks on Google and other high-tech companies, Baker says. Google attributed attacks on it to entities in China.
In the survey, IT managers in the oil and gas industry reported more "GhostNet-style" attacks than any other sector, Baker told reporters Thursday. Seventy percent reported that their firms were subject to "very sophisticated attacks," he said. A recently reported example, Baker said, included 2008 stealth attacks on three oil and gas companies – ExxonMobil, ConocoPhillips, and Marathon – reported by the Monitor on Jan. 25.
"On the whole, the oil and gas industry is attacked more frequently and in the most serious ways," Baker said in an interview.
The survey, funded by antivirus company McAfee, also reported that two-thirds of IT executives said their budgets and security resources had been reduced in recent years. Among those, one-quarter reported cuts of more than 15 percent.
Despite experiencing a relatively high level of stealth attacks and other attacks attributed to nation states, the oil and gas industry had the most widespread cuts in security fundings, with up to three-quarters of IT managers saying their operations had experienced budget reductions, the report found.
The implications of the report are potentially profound, he says.
"It's really very troubling because from what we know of these attacks, it's very difficult to restrict the kind of information once the attack succeeds. It's clear there is now little or no intellectual property, commercial secrets, or customer information that's safe from theft. That just completely changes the way people will do business over the next generation – unless we find a solution."
The survey highlights the need to develop tighter government-private partnerships on security, says Susan Armstrong of the Department of Homeland Security, a panelist at Thursday's press conference about the survey. Phylis Schneck, a McAfee expert, described the Internet as "a massive malware delivery system." Right now, she said, "the bad guys ... are better than we are."
But Adam Rice, chief security officer for Tata Communications, an Internet carrier in India, said that while security was getting worse, awareness of the need for better security appeared to growing. "Our customer base is becoming more security aware," he says.
Even so, the survey may be the harbinger of big changes.
"Either we're going to have to do business without secrets, or spend a lot more on security," Baker says. "Otherwise, the corporate crown jewels are there for the taking."
Follow us on Twitter.