In January 2010, corporate America was compromised. Again. Computer attacks possibly emanating from within China were directed at stealing Google's intellectual property along with that of 40 other corporations, mostly in the United States.
In this case, the attacker used a tactic known as phishing, in which e-mail is sent from someone the user supposedly knows and trusts. Once opened, infected attachments downloaded malware on the host's computer, allowing access to confidential information stored on the computer system. Google has stated that little if any of its property was lost. But it is estimated that similar attacks have led to the loss of 10,000 to 20,000 gigabytes of sensitive information in recent years. The actual figure is probably far higher.
Many computer security experts have called the attack on Google routine. Indeed it was: The number of "computer security incidents" that the U.S. Computer Emergency Readiness Team investigates grew from six in 1988 to 52,658 in 2001. In fact, the United States is "under cyberattack virtually all the time," according to Defense Secretary Robert Gates.
What can the U.S. government do in response? Not enough. It has been reported that the State Department will make a formal protest to Chinese authorities over the Google incident. Why can't we do more? The problem is twofold.
First, it's very difficult to prove who is behind the attacks. The science of tracing such attacks is primitive at best. Sophisticated attacks by knowledgeable hackers, whether private or state-sponsored, are nearly impossible to trace to their source. The current foundation of network communications over the Internet, consisting of the Transmission Control Protocol and the Internet Protocol that route information to its destination, dates to 1982. This antiquated system of communication, designed for a small number of academic and governmental researchers sharing information with low risk of system breaches, is at the heart of the problem.
Second, even if the U.S. government working with Google could definitively state that China was behind the attacks, which seems increasingly likely given recent findings of Chinese code in the malware, legal options are limited. Cyber-attacks activate one of two areas of international law, depending on severity. If the attack is as bad as an armed attack by regular military forces, the laws of war apply. But if it isn't as serious, like the one on Google, other treaties are activated. None of these, however, has any teeth. In recognition of this, the United States and Russia recently took the first steps toward negotiating a treaty for online security, but the countries are still far apart.
Such a treaty, though, would give Google options. It could provide for reparations and sanctions against aggressor nations, like China, when online attacks occur. It could define the burden of proof needed to establish state responsibility for Internet attacks. And, most important, it could provide a forum, a court, where Google could bring a case against China.
Short of a treaty, the Obama administration could push for a national law on online attacks, establishing criminal sanctions against proven attackers and requiring the Department of Justice to prosecute offenders.
Urgent action is needed. So long as the Internet remains open and the legal system undefined, people and nations alike will continue to launch online attacks. Right now, they have nothing to fear.
For a full copy of this article published in the San Francisco Chronicle, go to http://articles.sfgate.com/2010-01-24/opinion/17835314_1_google-attacks-computer-emergency-readiness-team
No comments:
Post a Comment