someone can steal all the operational
information it took you six years to develop and open a facility that on day
one has the exact same level of efficiency, they have effectively stolen the
majority of the profit for your facility.
What is being stolen is something
enormously more valuable than what
has been lost to credit card or bank
fraud. This is a huge issue and puts
these companies and potentially entire domestic industries in jeopardy of
survival.
noRTon: Should we assume that the
attackers also lift one or two key staff
people to help interpret this information?
BoRG: If you take Asia as an example,
using this type of information is often
limited by the availability of people
who understand Western business
practices. This is not something you
learn by taking a course locally. To use
the information effectively, you have
to send someone not only to study in
the West but also to work in Western
industry.
BianCo: It used to be that you had to
be just secure enough that an attacker
would give up and go to a less-secure
competitor. This is no longer true.
Being targeted today means you have
something of specific value, and the
attackers will probably not go away
until they get it. This is fundamentally different from past practices.
The people who learned about this in
January when Google made its Gmail
announcement are probably several
years behind everyone else.
CLaRK: Much of the business community looks at security as being the
people who make sure all the doors
and windows are locked. Rarely are security processes aligned with the business, but it’s the business that drives
security, and security should protect
and support valued business processes. That’s easier said than done.
There is also the ethical dilemma
of assuming that my competitor and
I do business in the same way. That
is clearly asymmetric, because your
competitor may not follow your business rules. It’s hard enough to run a
business, be ethical, and work within
your regulatory framework without an
actor coming in outside of that framework.
We need to: (a) educate people that
Steve Bourne, CTO, El Dorado Ventures; past president, ACM; chair, ACM
Queue Editorial Board; chair, ACM
Professions Board
Mache Creeger (moderator) principal, Emergent Technology Associates
CREEGER: While past definitions
have narrowly defined valued infor-
mation as banking codes or secret in-
ventions, criminals have broadened
that definition to where they can clone
entire businesses through the com-
prehensive theft of more mundane
information such as manufacturing
processes, suppliers, customers, fac-
tory layout, contract terms, general
know-how, and so on. This new shift
kind. Further investigation indicated
that when the attackers were in the
control networks, they gave equal at-
tention to equipment regardless of its
ability to blow things up.
Roundtable panel from bottom left: Jim norton, David Bianco, mache Creeger,
Louise Bennett; top left: Steve Bourne, Scott Borg, andy Clark, Jeremy Epstein,
and BCS Director for Professionalism adam Thilthorpe.
has significant implications to the
competitive balance of entire industries, regardless of company size, and
it has implications across the global
economic landscape. How do you see
this new security threat evolving, and
how should businesses respond?
photographS by marjan SadoUghi
BoRG: In 2004, when the U.S. Cyber
Consequences Unit started, we were
concerned about intrusions into critical infrastructure facilities, such as
chemical plants and refineries. We
believed that some of these intrusions
were reconnaissance in preparation
for an attack that would cause physical destruction.
We got that one wrong, because
there were no major attacks of that
popping up in Southeast Asia. No visi-
tors were allowed, and we believe it’s
because they were exact replicas of at-
tacked facilities.
