business will last for a year or so and
then they will move on. We need to be
careful of the models we’re using and
should not claim them to be universal.
BORG: You can identify certain categories, and as you do so, you are also
providing the business with clues as
to what needs protection. If you are a
cost leader, you have to think about
what makes you a cost leader and try
to secure those things. If you are a
technological innovator but not a cost
leader, you have a very different focus
on what systems you should be trying
CLARK: Would it be fair to say that
while the defense industrial base has
been the prime target over the past
10 years, things are clearly changing
BORG: One of the real problems with
this subject, with this whole field, is
it’s so hard to keep on top of it. Eighteen months ago, military contractors
were overwhelmingly the leading target. That has now shifted to a host of
We are hearing about companies
in South Korea, Indonesia, and other
countries that are being offered business research services that will provide them with profiles of competitors
and detailed advice on the state of the
art in certain growth industries. Many
of these research services are selling
information they obtain through cyber attacks.
How does this marketplace work?
Often there are black-market Web
sites that offer the services and have
customer reviews and satisfaction ratings.
CREEGER: Are there any concrete examples of industries being cloned?
BORG: Until relatively recently, the
main organizations carrying out this
kind of activity were national intelligence agencies. They were probably
spending millions of dollars to steal
the information from one of these
target companies. They tried many,
many generations of malware, as well
as many different attack vectors. We
now have privatization of these original efforts—spin-offs from the original national intelligence efforts working for hire.
We are talking about an illegal service—something that’s not being sold
as a one-off product. We’re talking
about a sustained business relationship where the customer starts out by
buying information for a few thousand
dollars (U.S.), becomes gradually convinced of the criminal organization’s
“integrity,” and then goes on to make
larger, more strategic purchases.
My organization has been theorizing about ways to subvert these
criminal markets. Just as you can use
cyber attacks to undermine trust and
damage legitimate markets, you can
use those same techniques, including
cyber attacks, to undermine criminal
CLARK: The structure of available
worldwide attack services is broadly
commoditized. You can pay using
credit cards, not necessarily your own,
to buy yourself a worldwide attack service.
CREEGER: We have learned that business sophistication and marketing
in these criminal areas rival anything
seen in the legitimate world. As an IT
manager, what should I focus on in
the next one to three years?
BIANCO: Focus on hiring people who
understand how this stuff works.
NORTON: Get people to raise their
eyes, look around, and ask, “What is
unusual, and how was it caused?”
BORG: In addition, your company needs to be running Symantec,
McAfee, Trend Micro, or another retail Internet security package. In many
cases, it needs to be hiring the services
of an intrusion-detection specialist.
Also, the company has to look at
what it is trying to protect: “What are
the attackers’ motives, what are they
going to try to break into, what are they after, and what do you need to defend?”
Basically, you have to answer the question, “Are you a target, and why?”
CREEGER: You’re all strongly saying
that the IT people need to be thought
of as much more than just the people
akin to supporting the plumbing,
electrical, and telephone system. IT
needs to take a much more integral
role in the company’s operations and
contribute to how the company faces
both challenges and opportunities.
NORTON: IT should be engaged in
the business and understand how the
CLARK: With regard to the urgency
of this issue, I mentioned earlier that
the pace of attacks has increased dra-