For anyone paying attention, the fact that Chinese hackers apparently accessed key U.S. weapons designs may be unsettling but hardly surprising. Previously undisclosed findings by the Defense Science Board show that more than two dozen major weapons designs were breached, according to a Washington Post report on Tuesday. Affected projects range from U.S. missile defenses to combat aircraft — including the F-35 Joint Strike Fighter — and ships. (The Post compiled a list of the affected weapons here.)
Dan Geer, a superstar among computer security and risk management experts, spoke to me about just this sort of risk last week. The most sobering part of the conversation was Geer’s stated belief that the game has definitively shifted from prevention of attacks to mitigation of their consequences.
In short: if you have something worth accessing, it will be accessed. The only realistic goal now is to make sure you know when that breach happens as fast as possible. I quoted him on this topic earlier, but his words ring even more eerily true now:
“If your enemy really is the People’s Liberation Army, what can you do? We can sputter about it but they’re serious and they’re good … The most serious attackers will probably get in no matter what you do. At this point, the design principal, if you’re a security person working inside a firm, is not no failures, but no silent failures.”
Of course security vendors have latched onto these threats as a way to sell more stuff and are increasingly glomming onto big data analysis as a way to shorten the time between an attack and stopping it in a high-stakes game of whack-a-mole.
As RSA executive chairman Art Coviello said a few months ago: “It’s not about perfect security; its all about ratcheting down risk as much as you can.”
And it’s not just huge government contractors, agencies and suppliers at risk. “No industry is immune,” cautioned Geer, who is also an advisor to In-Q-Tel, the investment arm of the CIA and other security agencies, and to Verdasys, a security vendor. Almost anyone can see why hackers target gigantic players like Boeing that spend billions on designs which could be used to build similar products at much lower cost. But don’t forget that any grocery store chain that uses credit cards is also a target for someone, Geer said.