opinion I was disappointed yesterday morning to read yet another scaremongering plea for business dressed up as an informed commentary piece by a high-profile member of Australia’s IT security community.
Published in the opinion pages of the Australian Financial Review, the article by one of Australia’s most prominent technologists — former ICANN chief executive Paul Twomey — raised the bar in its ability to professionally regurgitate the usual IT security company hype.
Even for an industry which specialises in seeing risk everywhere and danger behind every door, this was an article designed to make Australia’s business community feel afraid — very afraid.
Twomey starts his article by raising the obvious point that the world has changed. Modern businesses rely on computers and the internet as the basis for modern day commerce, he argues. And it’s a valid point — who can possibly disagree with this? Most of the people reading the article, after all, are probably flipping through the AFR’s pages while keeping an eye on their BlackBerry and laptop — or even reading Twomey’s commentary online.
But, Twomey goes on to suggest — in a classic security industry segue — there is a “dark side” to this wonderful enabling technology. Have board directors, he asks, considered the obvious downside of this reliance? The “vulnerability” of the technology? The “malicious actions of cybercriminals and espionage agencies”?
By the time Twomey gets to paragraph six he has launched into the full-fledged paranoia common to those who spend most of their lives obsessing about security. “No business is invulnerable to cyber attacks,” the former ICANN chief writes. And just who are these bad guys that will creep into your datacentre at the midnight hour and steal all your secrets, leaving your network in pieces? According to Twomey:
“The range of the bad actors is increasing — criminal groups acting alone or as proxies for certain national security elements, state and corporate espionage services, ego or vengeance driven hackers and, increasingly, cause-based activists.”
Sounds pretty dramatic.
In fact, if I was a board director reading this article, I might be tempted to run into the office, grab my chief information officer by the throat and scream at him: “IS MY EMAIL SECURE?? IS IT? IS IT??!!!”
Now none of what Twomey is suggesting in the article is technically incorrect, although it is overly dramatic. After all, most businesses in Australia are small to medium-sized businesses, and many of those would not suffer many problems if someone hacked into their computer systems and destroyed them.
It’s not like any of Australia’s hairdressers, chicken shops, cafes, tradespeople or so on would suffer many problems if their system got destroyed. They’d just keep on working. And even if their bank account got broken into, the banks would likely understand that and reimburse them.
But it is the deplorable escape route that the ICANN chief takes at the end of his article that really frustrates me. Rather than actually name concrete examples of where Australian businesses have been impacted by cybercriminals, Twomey jumps into his own getaway van and escapes with his grab bags full of free public relations hype.
“Successful cyberattacks are rarely made public,” he states.
The only concrete identifiable examples of cyberattacks that Twomey actually mentions are the Mariposa botnet, the breach at Heartland Payment Systems and the reported Chinese espionage attack on Australian mining giants BHP Billiton, Rio Tinto and Fortescue Metals Group.
Let’s break down these attacks one by one and do a little analysis.
Just last week Slovenian police reported that they had detained a suspect they believed to be the creator of the Mariposa botnet, which affected some 12 million computers worldwide. The PCs — including PCs being used by Fortune 500 companies globally — had a bot installed on them that could be used to steal bank account details, aid with denial of service attacks on network infrastructure and so on — typical bot powers.
However, many of the articles about this event mention one fact that Twomey omitted. There has as of yet been no official estimate of money lost through the botnet — and in fact after browsing through dozens of articles, we couldn’t find an instance where someone had complained that they had lost money or had downtime because of it.
The only cost mentioned is the cost of removing the rogue software — something that should be relatively trivial with modern-day security software, one would assume. Or if it’s not — what are we paying security vendors for anyway?
The situation is a little more stark when it comes to Heartland Payment Systems, which was hacked in late 2008 and might have had data relating to over 100 million credit cards stolen. There’s a fantastic article about this by Wired.
Again, however, it appears the damage was relatively minimal — the company reported in May 2009 that it lost some US$12.6 million as a result of the hack. But much of that may have actually come from legal disputes with Visa and Mastercard, which claimed that Heartland was not actually compliant with payment card industry rules anyway.
Of course, the fact remains that Heartland lost a substantial amount of money — the full extent of which probably has not been disclosed — and this example does make Twomey’s point well. But we hardly think it should take a commentary in the AFR to point out that a credit card processing company should be careful with regards to IT security.
The final example that Twomey mentions is even more dubious than the first two. He reminds readers that in April this year, the ABC’s Four Corners program reported that mining giants BHP Billiton, Rio Tinto and Fortescue Metals Group had been the subject of Chinese cyberattacks — including one towards Rio around the time of the controversial arrest of Rio executive Stern Hu there on bribery and spying charges.
But what Twomey fails to mention is that Four Corners never provided the viewer with any evidence that the attacks took place, and never detailed the nature of the attacks.
As I wrote at the time, the associated upgrade in network security that the miners conducted at the time of the attacks was more likely to have been in reaction to distributed denial of service attacks — which can often be stopped at the telco layer — than a form of corporate espionage.
It’s even possible that the attacks were simply the work of Chinese patriots annoyed and ping-flooding Rio and other Australian miners over what they saw as Hu’s indiscretions in their country, rather than a more sinister government or corporate spying effort. Script-kiddie stuff. Lightweights.
Coincidentally, Twomey himself was also quoted in Four Corners’ report on the mining attacks.
Now none of this is to say that IT security is not an issue that Australian businesses should be worried about. It is an issue, and businesses do get hacked.
But it’s not a massive, dangerous issue.
Over the years, IT security has become more and more commoditised and baked into other technologies, and business has become more open with sharing information anyway. Australian businesses in general are aware of the IT security issue and have generally taken some basic steps to secure the crown jewels. Such hacks as do happen are not known to have caused the massive disruption that security representatives like Twomey would like us to believe.
One final point should be made here. The largest real, identified and publicly known technology outage to have recently hit a number of large Australian companies was not a security issue caused by hackers.
It was the massive outage caused by one of the IT security industry’s largest players — McAfee, who singlehandedly took down Coles stores across Western and South Australia and the Northern Territory earlier this year, as well as forcing Virgin Mobile retail staff to conduct transactions manually and even knocking out PCs at the Commonwealth Bank of Australia.
You can bet that Twomey didn’t mention that little fact in his article. But then he wouldn’t. The website of his company — Argo Pacific — publicly advertises that it provides cybersecurity services.
When you’re in the business of promoting fear, it’s not a good look to admit that your own industry — and the hype it creates — might in fact be part of the problem.
Delimiter will gladly publish a rebuttal by Paul Twomey or anyone else in Australia’s IT security industry to Renai’s argument.