Since last month’s cyber attacks on defence company Lockheed Martin, there has been a flurry of announcements from both UK and US governments about how they intend to deal with the growing threat. In the UK we have been told that such attacks are being put on an equal footing with other conflicts; meanwhile, CIA director Leon Panetta warned that a cyber attack could be “the next Pearl Harbor … that cripples America’s electrical grid and financial systems.”
Hacking isn’t new – we’ve all seen films like War Games and Sneakers (though the latter did try to rule the planet using Microsoft Excel running on a Cray supercomputer, which was a little far-fetched). People have been trying to break into computers as long as they have existed. So, why are cyber attacks becoming so important now?
The world is a very different place from a couple of decades ago, when such films became popular. Today, the Internet is accessible from just about every urban space on the planet, and indeed just about every computer; people are more technologically savvy; and the goals have more financially and ideologically driven. Cyber attacks can be launched by a small group of smart individuals, with potentially massive effect – no wonder that they are increasing in both volume and impact, as such groups get better at identifying opportunities.
It’s not just governments either. Sony is still reeling from the attack that brought down its Playstation Network, and Nintendo, Epic and Codemasters have also been targeted in recent weeks. Success breeds success in the hacker community, and it’s highly probable we’re going to see the wave of attacks continue. That’s not hype, it’s stating the obvious.
I spend much of my time talking to CIOs and CISOs about how they can help their board members take security seriously, and real examples have always been a useful tool. However there are too many examples to be treated as potential evidence: we have overwhelming proof that cyber attacks are targeting weaknesses across large organisations. Ignorance is not bliss. The bottom line is, would your organisation rather allocate time and resource to find the vulnerabilities in your its own systems and networks, or is it prepared to leave this to the cyber attackers?