Stuxnet, Snowden and Sony: Why we've passed the cyber security tipping point

Heavy-handed pressures from tech-unaware legislators, successful strikes by laterally-thinking hackers, a growing tide of dissent about government intervention and corporate concerns about last year's massive hack of Sony Pictures corporate documents have pushed us past the security tipping point into an environment where cyber-attacks will increasingly become favoured tools of nation states and terrorist groups, a leading security journalist has warned.

Speaking to CSO Australia after a keynote presentation at the CSO Perspectives Roadshow 2015, Kim Zetter – an award-winning security journalist with Wired and author of the recent book Countdown to Zero Day – said that while the Stuxnet industrial-espionage worm had shown some people how serious the cyber-security arms race had become, it was attacks against Sony that had really crystallised the issue in the minds of the world's business leaders.

“Stuxnet was discovered in 2010 and it wasn't enough for anyone to take seriously,” she said. “The Sony attack was probably the tipping point, not Stuxnet. People care about CEO emails – and the decision makers are saying 'oh wait, it's not just my customers that are going to lose on this, but this is going to embarrass me and possibly cause me to lose my job'.”

Broad alarm over the implications of the Sony hack had also been fuelled by concerns about the revelations of Edward Snowden, whose exposé on the US government's systematic mass collection of personal data reshaped international relations and sent governments around the world scrambling to defend and adapt surveillance programs fatally compromised by the revelations.

The previous secrecy of such programs had allowed programs like the Stuxnet worm to operate under the radar, but “the Snowden stuff in the last year and a half has really opened a lot of eyes,” Zetter said. “There has been a lot of realisation that the oversight process is broken.”

This, in turn, had contributed to a difficult climate for governments in Australia and elsewhere, where collection of personal data has been railroaded through parliamentary processes based on claims it will help improve enforcement of anti-terrorism efforts.

Snowden's revelations were outlined in a recent Australian government report that blamed him for helping terrorists close the technology gap with the governments that were monitoring them. But Zetter was having none of that, arguing that even though US president Barack Obama had been a trailblazer in technology-aware leadership, “we don't have a tech savvy Congress” and the government should have anticipated the backlash should its domestic spying be revealed.

“The government can say 'this has ruined our methods' but the government is its own worst enemy,” Zetter said. “Had they done a more reasonable kind of collection, Snowden wouldn't have leaked.”

“I don't think anyone doubts that we need the NSA to be doing spying,” she added, “but we need it to be doing targeted spying. They don't need to be collecting everyone's phone records in order to find the needle in the haystack. There are clearly better ways that they can be doing what they need to do and not involve everyone's data.”

Despite the growing acknowledgement that new methods of surveillance and data analysis needed to be applied to problems such as terrorism, Zetter was sceptical that the gap could ever be properly closed.

Hackers were working overtime to circumvent protections that had been put in place to protect all manner of security mechanisms, and with the likely entry of terrorist groups like ISIS it was “only a matter of time” before new forms of attack unleashed the likes of Stuxnet onto the same governments that were using them to get the upper hand in the fight against cybercrime.

ISIS “isn't focused on cyber-attacks yet, but there will eventually be a group that does focus on cyber-attacks,” Zetter predicted. “It takes a lot more planning and a lot more skill, but you can buy that.”

Security lessons

While the proliferation of Stuxnet and similar attacks represented an escalation in online nation-state conflicts, corporate concerns about the reputational damage of the Sony hack were likely to see IT security budgets increased and CSOs pressured to close security holes like never before.

Fellow keynote speaker Bill Cheswick – co-inventor of the first network firewall – had in a separate CSO Perspectives Roadshow presentation flagged the need for IT developers to revisit their security practices, potentially starting from scratch in an effort to incorporate current thinking into secure new computing architectures.

No matter how threatened business executives may feel in the wake of the Sony hack, however, Zetter was sceptical that Cheswick's call for expensive, complex and time-consuming reworking of security architectures could be executed in practice.

“When you're dealing with things like that you're patching,” she said. “You're not fixing things, really, and it's often a knee-jerk response. In some cases you do need to start from scratch, but I don't think that's necessarily realistic because the business model isn't there.”

Zetter was also cynical about the idea that security could ever be practically improved by redesigning systems around secure 'sandboxes' built into specific-purpose environments that could not be compromised – something that Cheswick had argued would be a desirable design goal in the effort to reduce the potential for human mistakes to compromise corporate security.

“Software is complex and the people who write it are human,” she said. “You're never going to get a system that doesn't have vulnerabilities in it. And even with sandboxes, if you can bypass the sandbox and go to something else,” security would be compromised.

“That's all hacking is,” she continued, “to find the next way to go around all the secure barriers that [companies have] put in. And so far, hackers have been pretty successful at going around every security barrier.”

That said, just what constitutes the new business model is changing rapidly as organisations come to grips with their security vulnerabilities and the implications of those. This, she added, had had a trickle-down effect on cybersecurity researchers and the tools they offer the market to protect against attacks.

“Stuxnet really changed the cybersecurity industry,” she said.

“You have cybersecurity researchers whose primary job until now was to protect the customers. But now they are caught between protecting the customer and exposing the covert operations of the government.”

“I talk about everything being before Stuxnet or after Stuxnet,” she added. “It's really about the marked politicisation of cybersecurity research, and we had never seen that before. It raises questions about whether this is going to become a new method of warfare.”


This article is brought to you by Enex TestLab, content directors for CSO Australia.

Stories by David Braue
