CYBERSECURITY InsideTargeted attacksare here tostay, writesMaija PalmerPage 4FINANCIAL TIMES SPECIAL REPORT | Tuesday November 1 2011

www.ft.com/cybersecurity­november­2011 | twitter.com/ftreports

W hile large com-panies aroundthe world real-ise that cyber-

security weaknesses are agrowing threat, they are notincreasing spending to meetthe challenge, according torecent surveys.

In a PwC poll of thou-sands of executives, justover half the respondentsexpected their companies tospend more next year ontechnology security, just asthey had the year before.

Yet the confidence ofthose information technol-ogy executives and PwC cli-ents in their organisations’defences has sunk to thelowest point since the sur-vey began six years ago.

The apparent contradic-tion raises troubling ques-tions about the state of thetechnology, corporate gov-ernance, and the ability ofcompany leaders to act in acomplex and evolving arenawithout a short-term crisisor similar motivation.

The apparent paralysishas deep but distinct roots.“There is fatalism, andthere is complacency, andthere is denial,” said SirKevin Tebbit, former per-manent under secretary ofstate at the UK ministry ofdefence and, before that,director of GCHQ, thenation’s signals intelligenceagency.

In October, Sir Kevinspoke at a conference inLondon promoting linksbetween cybersecurity andthe wellbeing of businessesand the broad economy,and showing how goodpractice can be a compei-tive advantage. A confer-ence convened this week byWilliam Hague, the UK for-eign secretary, expected todraw attendees from 60countries, will tackle thatissue and others.

Such efforts can becomean uphill battle. In part,that is because senior exec-utives feel the fight is hope-less, consultants say.

Big defence contractorssuch as Boeing, ManTech,and Northrop Grummanhave all been compromisedin the past two years. So,too, have leading securitycompanies, including topsecurity software vendorSymantec and EMC-ownedRSA, the leading maker oftokens to authenticate com-puter users.

The more educated manyprofessionals become abouthow such high-end attacksare carried out, the morealarmed they become.

Often attributed to hack-ers working with the mili-tary or other governmentagencies in China, thoseattacks are often describedas “advanced persistentthreats” (APTs).

They can combine trick-ing an employee by posingconvincingly as a colleague,with programs that takeadvantage of vulnerabilitiesin software, known as zero-day exploits.

Such campaigns were ini-tially aimed at governmentagencies and are moving toembrace military suppliersand more recently otherindustries, according toMandiant, a US firm thathas conducted investiga-tions on behalf of many of

the highest-profile victims,including Google.

“Mandiant has seen agrowing number of com-mercial entities compro-mised,” the company wroterecently in a trends report,noting that it has beeninvolved in cases in energy,banking, mining, automo-tive and even the hospital-ity industry.

Executives have takennote, telling PwC in largenumbers that APTs are thedriving force behind theirdefensive spending.

Unfortunately, only 16 percent of them say they havethe right policies in place toward off such threats. Somekey capabilities, from alert-management processes toawareness training, areactually in declining use.

“Companies wonder: ‘Isthere really anything I can

do about it?’” says HenryHarrison, cybersecuritydirector at BAE Systems’UK-based Detica unit. “Butmanagement is at least hav-ing those conversations.”

The fatalism is a mistakein the view of Mr Harrisonand many others. Compa-nies can raise the oddsagainst the worst kind ofdata-loss – trade secrets,masses of customers’ infor-mation, and the like – ifthey put in the effort.

Among other things, itrequires redefining whatwinning is, says Mandiant.The bad guys are going toget in, but they can bestopped from getting dataout. In addition, most hack-ing attacks are not carried

out by evil geniuses, but byyoung criminals using read-ily available tools and scan-ning for holes in the systemthat allow them to gainaccess.

The $170m attack on Sonyand others this year used atechnique called SQL injec-tion, which can be pre-vented cheaply.

A recent analysis byImperva, a security firm, ofinternet conversations onone popular hacking forumfound SQL attacks were thesecond most popular topicof discussions, after denial-of-service-attacks, whichneed even less skill.

Indeed, fewer than 1 percent of the infections Micro-soft detects are via securityholes breached by zero-dayevents, the software groupsaid last month.

Republicans in the USHouse of Representatives,who are proposing broadlegislation to improve thecountry’s security, said inOctober 90 per cent ofattacks could be avoidedwith “good hygiene”.

If executives know that,why are they not insistingon good practices?

It may be the rewards forsuccess and the penaltiesfor failure are too low.Because chief executivesexpect security teams toavert catastrophes, theabsence of a successfulattack is rarely grounds fora bonus.

And the increasingly com-mon reports of breaches atbig companies have reducedthe stigma attached to vic-tims of successful attacksand the security figureswho work there. The dan-ger is that the very fre-quency of such reportscould lead to complacency.

Even when the attacksare serious, the damage isoften unclear. The breachesmay not be reported toauthorities or to customers,so not immediately harm-ing the brand.

They may prompt littlemore than securityenhancements that fallwithin a reasonable overalltechnology budget and areunlikely to lead to a firing

The potential exists foroutright and very publicdisaster, but it is still smallenough that the third prongof Sir Kevin’s problemstatement comes in: denial.

It is human nature toavoid hard work aimed atavoiding something thathas only a small chance of acareer-shortening bad out-come, veterans in the indus-try say. A few things wouldhelp break out of the stasismany politicians, defenceleaders and security profes-sionals say is putting theeconomy at risk.

One would be simplerchoices, such as the optionof more affordable and com-prehensive cyber-insurance.

Something that made iteasier to sort through themorass of marketing hypearound security softwarewould also be a boon.

Some of the biggest all-purpose technology provid-ers, including Hewlett-Pack-ard and Dell, have boughtsecurity firms in the pastyear and might be on theroad to giving thoroughprotection as a service.

But the attempted fix thatis likely to arrive the soon-est is increased mandatorydisclosure.

In a lengthy public state-ment from its staff releasedin mid-October after

pressure from members ofCongress, the US Securitiesand Exchange Commissionsaid cyberattacks that couldbe material should berevealed to shareholders ofpublicly traded companies.

“Although no existing dis-closure requirement explic-itly refers to cybersecurity

risks and cyber-incidents, anumber of disclosurerequirements may imposean obligation on regis-trants,” the staff wrote.

Potentially material costscould include increasedsecurity spending, reputa-tion damage and lostrevenue.

Since the new guidancealso encompasses disclo-sures of risk factors, JohnReed Stark, a former SECinternet enforcement spe-cialist, says he expects thenumber of the largest 500companies reporting cyber-threats to soar from today’shandful.

“There isn’t a regulatedentity out there that on anygiven day isn’t subject toattack,” says Mr Stark, whoheads the Washington officeof Stroz Freidberg, a digitalforensics firm. “It’s cer-tainly going to be a largenumber that are vulnerableto this.”

The hope of those whopushed for the SEC actionis that it will make cyberissues command the atten-tion of chief executives, aswell as the public. Thatcould lead to more strategicthinking on the issue, bothinside corporate hackingtargets and at large.

A war marked by fatalism and denialIt is possible to winbattles easily andcheaply, explainsJoseph Menn

InsideSophisticated attacksIs there a solution toadvanced threats? Page 2

Insurance Cost is themain obstacle Page 2

SEC filings Newguidelines will place aburden on companies inthe US Page 2

Everyday risks Attacksare getting easier andmore frequent Page 3

Data protectionCloud computing neednot be a security riskPage 3

Regulation Legislationis needed but noteveryone welcomes theidea Page 3

Viruses Cyber­strikesare becoming morefocused Page 4

Malware Threats onceconfined to computers areappearing on mobiledevices Page 4

Liability Businessesoften struggle to receivecompensation Page 4

Frequent reports ofbreaches at bigcompanies havereduced the stigmaattached to victims

Illustration: Ian Dodds

2 ★ FINANCIAL TIMES TUESDAY NOVEMBER 1 2011

Cybersecurity

One of the difficulties in fight-ing cybercrime is the uncer-tainty about how much it costscompanies, countries and indi-viduals.

Without this information, it ishard to determine what shouldbe spent to combat the problem– let alone who should be spend-ing the money and on what.

For annual global losses, esti-mates range from below $100bnto as much as $1,000bn, anindustry report’s ballpark figurethat has been cited by BarackObama, the US president.

This figure includes lost intel-lectual property, which could beworth far more to the inventorthan to the thief, but it does notinclude national security, whichis hard to put a price on.

But many more professionalsare about to start making edu-cated guesses about the costs tospecific companies, potentiallyhelping both top executives andsociety as a whole understandwhat they are up against.

On October 13, the staff of theUS Securities and Exchange

Commission issued extensiveguidelines to companies that arepublicly traded in the country,spelling out when and how bothpast cybersecurity breaches andthe risk of future ones should bedisclosed in regulatory filingsviewable by anyone.

That will prompt many, if notall, of the several hundred larg-est companies to start openingup about what they have lostand what they stand to lose,says John Reed Stark, a formerSEC official and now managingdirector of Stroz Friedberg, adigital security firm.

Even if companies do not leapto adhere to the agency’s man-date that they avoid vague lan-guage – such as a retailer warn-ing that all industry databasesof customer data could theoreti-cally be targets – laws thatreward whistleblowers willencourage employees and othersto tip off the SEC about seriousbreaches.

“The SEC has issued an all-points bulletin to any whistle-blower out there: ‘Let us knowand you may be able to get upto 30 per cent of whatever finewe levy’ ,” Mr Stark says.

“It is terrific that the SEC hascome in, but it is going to be atremendous burden for publiccompanies,” he adds.

Companies will now have tocover specific security issues inthe “risk factors” section of

their regular filings. Systemcompromises that have a mate-rial impact on results or finan-cial conditions, or that arelikely to do so, must be reportedin management discussions ofrecent performance.

They could even potentiallybe included in so-called 8K fil-ings, which describe specialevents.

The combined disclosuresshould “provide sufficient dis-closure to allow investors toappreciate the nature of therisks faced by the particularregistrant”, the SEC wrote, add-ing that reputational damage,loss of customers and strategictrade secrets would all be fac-tors to consider.

Though a fair number of com-panies have mentioned hackingthreats in passing, thus far veryfew have disclosed actualbreaches and their financialconsequence.

Intel, the US microchip group,and Google did so early lastyear, after the internet companyannounced that hackers basedin China had tried to gainaccess to the accounts of politi-cal dissidents.

However, these companieshave not put a dollar value onthe impact.

As regards extended outagesand credit card thefts, some dis-closures have been more pre-cise. Sony, the consumer elec-

tronics group, said it stood tolose about $170m after its onlinegaming networks were attackedrepeatedly this year.

TJX, the US retail group thatowns TK Maxx, and HeartlandPayment Systems, a paymentprocessing company, said thatbeing victims in some of thelargest credit and debit cardnumber thefts yet reported hadcost them more than $250m and$140m respectively.

US laws force companies towarn customers when they losesensitive data about them,which can trigger lawsuits andprovisions for settlements.

But, so far, the loss oftrade secrets has generallynot required disclosure.

In the past, some com-panies that were hit byhackers chose not tolearn what data were

taken, according toHenry Harrison,technical director atBAE Systems’ Det-ica, the informationsecurity company

owned by the defence

equipment group. This is con-firmed by veteran contractinvestigators in the US.

William Beer, a director of thecybersecurity practice at PwC,the professional services firm,comments: “It is a bit of aPandora’s box. You could dis-cover some pretty nasty prob-lems, so the easy option is tokeep the lid shut.”

However, a policy of deliber-ate ignorance might be un-tenable in the wake of the SECpolicy.

If companies start to admitdire events – such as softwarevendors disclosing the loss ofsource code for key programs –they could face stock sell-offs byinvestors.

Security veterans disagreeabout how often such thingsmight occur, but say that any-thing beyond a few public state-ments about events on this scalewill encourage a public debateand could force stalled securitylaws through legislatures.

Richard Clarke, the formerWhite House cybersecuritychief, says more disclosure isnot only fairer to investors, butcould galvanise Congress intomore helpful action.

“If you are a company and 90per cent of your revenue comesfrom three drugs and the formu-las are gone and they are beingknocked off in India, what,really, is your worth?”

Businesses told to reveal true scale of lossesSEC filingsFresh guidelines arelikely to be a burdenfor US companies,writes Joseph Menn

William Beerof PwC saysthat manycompaniesare afraid todiscover whatdata havebeen lost

Insuring against cyber-attackhas not been high on the agendafor companies up to now. Butthe attack on Sony this yearserved as a wake-up call.

The attack exposed the detailsof 100m Sony PlayStation cus-tomers and is expected to costthe Japanese electronics com-pany $182m this year, and it isfacing 55 class action lawsuits.Worse yet, Zurich American,one of Sony’s insurers, is argu-ing in court the insurance itwrote does not cover digitalattacks.

Courts are increasingly decid-ing general insurance coverdoes not extend to cyber-incidents, says Steve DeGeorge,partner at Robinson Bradshaw,the law firm. The US Court ofAppeals in North and SouthCarolina, for example, ruled thisyear that insurance coveringtangible property does notextend to electronic data.

“There is a perception that ifyou have commercial generalliability insurance, you will becovered,” he says. “But this is avery risky strategy.”

In addition to well-publicisedattacks such as Sony’s, securityexperts say thousands of otherattacks on businesses go unre-ported. Experts believe mostcompanies will have sufferedsome kind of internet attack.

A UK government study thisyear indicated internet crimecosts businesses £21bn a year,with £9.2bn being intellectualproperty theft and £7.6bn indus-trial espionage.

The cyber-insurance market isgrowing, with Lloyds, the insur-ance company, estimating it tobe now worth $600m a year,from $450m two years ago.

However, only a quarter ofcompanies in the UK haveinsurance against cybercrime,in spite of more than half seeinga rise in threat levels over thepast year, according to a studyby KPMG.

Just 27 per cent of UK busi-nesses have insurance againstdata loss and a policy coveringthem for business interruptionby hackers. Only 22 per centhave insurance to cover thepotential large legal costs asso-ciated with an ecrime incident.

Mr DeGeorge estimates thatjust 15 per cent of US publiclytraded companies have cyber-crime insurance. In some indus-tries, such as healthcare andbanking, however, this is begin-ning to change.

Kim Holmes, healthcare prod-uct manager for the Chubbgroup of insurance companies,says there has been a large risein interest from healthcare com-panies, after the US brought inthe High Tech Act in 2009, tight-ening protection of privatehealth records.

Under this law, companies canbe fined up to $1.5m if such dataare exposed.

Class action lawsuits, such asthe $20m suit being broughtagainst Stanford Hospital for

loss of data, are making theissue very real for this sector.

“It is now talked about as awhen – not an if – scenario,” MsHolmes says. “In healthcare,folks are actually listeningbecause the High Tech law isclearly here today. Other indus-try sectors, however, are notunder the same governmentscrutiny and so there is not thesame urgency.”

Cost is one of the main factorsstopping companies taking outcyber-insurance. A typical pre-mium might be $5,000 for cover-age of $1m, according to MrDeGeorge. “We are in a very dif-ficult economy and businessesdon’t have the appetite for addi-tional spending. Companiesthink they have alreadyinvested a lot in their internalsecurity and may feel that buy-ing insurance on top of that willbe hard to justify to sharehold-ers,” he says.

Part of the reason for the highcosts is that underwriters havedifficulty assessing the threat.

“People providing cyber-insurance are flying blind,because the threats are sodifficult to predict,” saysMalcolm Marshall, head of UKinformation security for KPMG.

“Cyber-insurance has onlybeen around for about 10 years,in a 300-year-old insuranceindustry. There is no reliableactuarial data to help informunderwriters’ pricing.”

Mr DeGeorge says: “When any

insurance product comes tomarket, there is always a periodof years when issues come tothe fore and are fought out inthe courts.”

Costs may come down. Some20 years ago, when pollutionand environmental liabilityinsurance first came on to themarket, it was very expensivebecause underwriters did notknow how to price the risk. Nowcosts have come down consider-ably.

“I think we will see the samedevelopment in cybercrimeinsurance,” says Mr DeGeorge.

Especially if more companiesin a variety of sectors areobliged to report cyberattacks, abody of data will develop.

In the meantime, companiescan obtain lower insurancequotes by getting internal secu-rity as tight as possible, andmonitoring the threats theywant to be protected from.

“A policy written in 2011may be obsolete in a couple ofyears, because this area is devel-oping so fast. Something couldhappen that is not covered,because it was unimagined afew years earlier,” Mr DeGeorgewarns.

“It really is the case that,every year when the policycomes up for renewal, youshould look at how the worldhas changed and how the com-pany’s requirements may havechanged with it.”

The trade­offbetween riskand costInsurancePremiums are highbut will fall over time,writes Maija Palmer

‘People providingcyber­insurance areflying blind, becausethreats are sodifficult to predict’

W hat can securitycompanies do toprevent govern-ments and large

corporations being attacked by“advanced persistent threats” incyberspace?

This is one of the topics thatis most hotly debated by cyber-security experts. Advanced per-sistent threats – or APTs – areattacks at the most sophisti-cated end of cybercrime activ-ity. They are aimed at extract-ing high-value intellectual prop-erty from governments or corpo-rations. They can do immensedamage to the targeted organi-sation – and they can be hugelydifficult to stop.

Over the past few years,there have been a growingnumber of such assaults. TheStuxnet worm launched againstIran’s nuclear programme is themost famous APT, doing tangi-ble – though not permanent –damage to Tehran’s uranium

enrichment facility at Natanz.Stuxnet is widely assume to

be a worm developed by the USand Israeli governments, thoughneither has confirmed this.

More generally, APTs havebeen used as a potentially pow-erful weapon in industrial espio-nage.

In March, an informationsecurity breach at RSA, a lead-ing US-based security company,led to reported attempts to stealinformation from US defencecompany Lockheed Martin,which, the company said, wereunsuccessful.

In September, there werereports that Mitsubishi HeavyIndustries had found that equip-ment at its Tokyo headquartersand its manufacturing facilitieswas infected with malware.

The question of who carriesout these threats is a matter ofmuch debate. The strongassumption on the part of west-ern security agencies is thatChinese and Russian govern-ments – and their proxies – aresignificant forces. “The Chineseare notable for the sheer volumeof what they do,” says one lead-ing European security official.“The Russians are less active,but what they do is very sophis-ticated.”

Another security official is

more blunt: “APT is basically asynonym for China.”

Others, meanwhile, insist it isnot just nation states that areresponsible for this kind ofsophisticated espionage. Accord-ing to John Skipper, a cyber-security expert at UK-based PAConsulting Group, groupsinvolved in organised crimehave been deploying APTs.

But it is hard to obtain anaccurate picture of how many

such attacks are taking place.As Henry Harrison, technicaldirector of Detica, a technologyconsulting firm owned by BAESystems, puts it: “The reality isthat companies don’t like to talkabout being attacked, so a lotdoesn’t get reported.”

However, Sam Curry, chieftechnologist at RSA, says a lotcan be done to defend systemsagainst such attacks. “Rightnow, the trend is for defences to

worsen while opponents becomemore effective. We are in a con-stant state of infrastructurecompromise. But this does nothave to mean organisationsneed to live in a constant stateof risk.”

One important point made byleading security companies isthat organisations need to havesystems in place that tell themwhen these attacks are takingplace. “The starting point forcompanies is that they need toknow they will never have 100per cent defence against APTs,”says Mr Harrison. “The key,therefore, is to have mecha-nisms in place that recognisewhen your system has beencompromised and take actionaccordingly.

“The time lag between initialcompromise of a computer sys-tem and the moment when anattacker finds the informationhe is looking for can be anumber of weeks. The challengeis to terminate the attack inthat critical window.”

Companies also need to beaware of a wide range of issuesas they plan defences. “Peopleneed to build protection rightacross their businesses,” saysMr Skipper of PA Consulting.“They need to monitor unusualbehaviour going on around

them. They need to keep a closeeye on staff. Many of the mostsuccessful APTs ultimately havetheir origins in a human ele-ment inside the target organisa-tion.”

Mr Curry believes that compa-nies need a new range of tools,combined in fresh ways and tak-ing advantage of technologicaladvance, to tackle APTs.

“People need to go back to thebasics,” he says: “Limit access,harden systems and simplify theenvironment rather than mak-ing it more complex. They alsoneed to start looking at securityand network analysis.

“Situational awareness andorientation are vital. Very oftenthe question is who might tar-get you and your customers andpartners and why, rather thanhow would they achieve theiraims.”

In the long run, the challengesfor companies will be huge. AsMr Curry puts it, they will haveto do a lot of lateral thinking ifthey are to stop APTs gettingthrough. “People need to stoppreparing for the last war,” hesays. “Contemporary threatscan completely bypass static,traditional defences. Today’ssmart APTs have a stockpile ofnever-before-seen tools that theywill use against you.”

A huge challenge from China,Russia and organised crimeSecurityJames Blitz considerswhat can be doneabout advancedpersistent threats

ContributorsJoseph MennTechnology Correspondent

Maija PalmerTechnology Correspondent

Chris NuttallTechnology Correspondent

Alan RappeportUS Consumer Correspondent

James BlitzDefence and Diplomatic Editor

Stephen PritchardFT Contributor

Adam JezardCommissioning Editor

Steven BirdDesigner

Andy MearsPicture Editor

For advertising details, contact:Liam Sweeney+44 (0)20 7873 4148Fax +44 (0)20 7873 4006Email: liam.sweeney@ft.com,or your usual representative

All FT Reports are available onFT.com.Go to: www.ft.com/reports

Follow us on twitter atwww.twitter.com/ft.reports

All editorial content in thissupplement is produced bythe FT.

Mitsubishi Heavy Industries was reported to have been infected with malware that affected equipment at its Tokyo headquarters and its manufacturing facilities Getty

‘The Chinese arenotable for the sheervolume of what theydo. The Russians areless active but verysophisticated’

FINANCIAL TIMES TUESDAY NOVEMBER 1 2011 ★ 3

Cybersecurity

Not too long ago, any IT direc-tor would have been dismissedas irrational – if not dismissedfrom the business altogether –for proposing that critical com-pany data be put on a sharedcomputer, accessed via theinternet.

Today, the IT industry isexhorting businesses to do justthat, through cloud computing.

Some vendors are evenbypassing the IT department,and going straight to businessunits to sell them services suchas sales force automation, orcustomer relationship manage-ment. These services are invari-ably delivered via the cloud.

And by no means all cloudservices operate with enterprise-grade security; many have ori-gins in consumer servicesdesigned to be cheap and easyto use.

Neil Campbell, general man-ager for security at DimensionData, an IT services vendor,cautions: “If it is a consumerservice, you would expect basicsecurity controls but not a highlevel approach to security.”

In part, this is a function ofhow cloud computing works. Inorder to be cost-effective, pro-viders have to take a “one sizefits all” approach to their busi-ness, including security. Bycomparison, much enterprise ITwould more closely resemblebespoke tailoring.

William Beer, a director in theinformation security practice atPwC, the processional servicesfirm, explains: “Vendors havefocused on the flexibility andcost-saving elements of thecloud and have locked down the

contracts very tightly. It’s aservice that they want to be rep-licable.”

That, though, says Mr Beer,means businesses moving to thecloud will have less control overtheir operating environment,including their security, thanwith traditional in-house IT oroutsourcing models.

However, cloud service ven-dors are changing their businessmodels to suit the demands ofsecurity-conscious customers.As well as private clouds, set upfor one company, and commu-nity or “trusted” clouds, createdto serve the needs of a group ofrelated firms or governmentdepartments, generalist cloudservice providers are also bol-stering security.

“Amazon and Google are mov-ing into the business spacethrough enterprise levels ofencryption and service,” saysRupert Chapman, an IT securityspecialist at PA Consulting. “Ifit is a private or trusted cloud it

may be able to deliver servicesthat are as good as or betterthan in your own data centres.”

“Whether there’s a higherlevel of security will depend onthe size of the organisation pro-curing cloud services,” saysPeter Allwood, a manager forinformation security and risk

at Deloitte, the consultancy.He adds: “SMEs may not have

enterprise security infrastruc-ture. Cloud was invented forSMEs, so they can take advan-tage of enterprise security meas-ures the cloud provider hasdeveloped.”

But larger organisationsshould not assume that enter-

prise-grade security will comewith a consumer or small busi-ness cloud service. Dependingon the cloud provider, upgrad-ing security may be difficult.Bespoke or highly customisedcloud services, usually createdby large IT systems integrators,will be more accommodating.

PA’s Mr Chapman says: “Wehave shown clients the securityfrom a [customised] cloud serv-ice, and the conclusion was thatbecause it was part of the pro-vider’s unique selling point,they could do it better than theenterprise, with more money,and more focus.”

And, with high-level IT skills– and IT security skills in partic-ular – in short supply in mostwestern economies, movingservices to the cloud actuallyboosts security. This is espe-cially true for short-term orproof of concept projects, wherecloud computing’s flexibility isalready very attractive.

But concerns remain about

putting sensitive informationand data into the cloud. Busi-nesses need to know where theirdata are stored. EU businesseshave legal restrictions on host-ing personal data outside theCommunity. This has led largercloud service providers to set updata centres within Europe. Butbusinesses still need to ensuresecurity and data privacy prac-tices are integrated with thoseof cloud providers.

A more complex issue iswhether cloud service providersare, themselves, vulnerable toattack. For example, Amazon’sWeb Services cloud system wasattacked by the Anonymousgroup over its withdrawal ofservices to WikiLeaks. Securityexperts warn that attacksagainst one user of a cloud pro-vider could take out the servicefor all others.

And anywhere that assembleslarge amounts of sensitive datais likely to prove a magnet forhackers.

“Large providers of cloudservices can bring togethersecurity expertise and have areally high-powered teamdefending your data and serv-ices, but that also makes a big-ger bull’s eye for the bad guysto go after,” admits MartinSadler, director of the cloud andsecurity lab at Hewlett-Pack-ard’s research arm. “But it’sstill more of a theoretical than apractical threat.”

And, as information becomesmore important to businesses,so it will become more attrac-tive to criminals. Cloud provid-ers, in turn, will have toincrease their investments insecurity measures.

“The level of protection in thecloud should be higher [than inthe enterprise], because if theservice provider is hacked, it isdead,” remarks Marc Vael, aboard member of ISACA, thesecurity industry body.

“But cloud may become a lit-tle more costly,” he warns.

The cloud still has a silver lining but it may be costlyData protectionStephen Pritchardlooks at why higherlevels of defence needto be provided

‘A trusted cloudmay be able todeliver servicesas good asyour own,’says RupertChapman

US cybersecurity expertssay that tough regulationsare needed to encouragecompanies to work harderto protect the data of theircustomers. However, theyfear that government grid-lock is allowing the issue tolanguish.

In the past year, severalhigh-profile securitybreaches have broughtcybersecurity to the fore asan important public issue.This applies to companiesas well as to private users.

Citigroup, Sony, Google,Lockheed Martin and Nas-daq OMX have all facedembarrassing attacks thatexposed weaknesses in theirsystems and put sensitivecustomer data at risk.

Chris Wysopal, founder ofVeracode, a cybersecuritycompany, says that a yearago he surmised it wouldtake several high-profilecorporate breaches to spurnew legislation – but thatnow it is unclear what itwill take for that to happen.

“I guess it will take a con-stant drumbeat of thesebreaches and maybe even-tually over time, things willchange,” Mr Wysopal says.“Or maybe the breacheshave to be bigger.”

The recent spate ofattacks has generated inter-est in legislation with realteeth, but also pushbackfrom companies fearful ofregulatory over-reach.

Last May, the Obamaadministration outlined aproposal that would givethe US government thepower to review plans thatprivate owners of infra-structure had in place todefend against malicioushackers.

The White House alsocalled for a US law thatwould force companies todisclose the loss of cus-tomer data to users and fed-eral authorities.

In September, RichardBlumenthal, a Democraticsenator from Connecticut,

introduced data breach andsecurity legislation thatwould punish companies forfailing to comply with mini-mum safeguards, requireprompt notification ofbreaches and promote bet-ter sharing of technicalinformation.

Mr Blumenthal said: “Mygoal is to prevent and deterdata breaches that putpeople at risk of identitytheft and other seriousharm, both by helping pro-tect consumers’ data beforebreaches occur, and byholding entities accountablewhen consumers’ person-ally identifiable informationis compromised.”

He continued: “Systemsto safeguard such privatepersonal information, andprompt notification in casesof breach, both should berequired, along with con-sumer remedies to compen-sate for any harm.”

Republicans in Congress

have called for increasedinformation sharing aboutsecurity threats betweengovernment officials andkey industries.

They have also asked forthe Department of Home-land Security to obtainmore support from thedefence department.

The Republican proposal,however, favours compa-nies having broader compli-ance standards and protec-tion from lawsuits.

In spite of these efforts,political gridlock in the UShas dimmed hopes that alaw will be created in thenear future.

“The US government is sodysfunctional right nowthat nothing will happen,”says Bruce Schneier, a

cybersecurity expert.“There’s lots of talk, but noreal action.”

According to Mr Schneier,the US would benefit from amore “cumbersome”approach that challengescompanies.

He points to Europe’sdata protection act andlaws in California as modelsthat would be helpful on anational level in the US, butsays that companies havebeen pushing hard for moreexemptions to avoid addi-tional costs and negativepublicity.

Mr Wysopal says thatcompanies would benefitfrom national cyber-security legislation, becauseit would simplify their prob-lem of navigating the lawsthat apply in the differentUS states.

He says that there needsto be a lower thresholdfor corporate “negligence”when lawsuits are filedagainst companies for databreaches, so those compa-nies have a stronger busi-ness case for investing insecurity measures.

“Now it’s just aboutbrand damage,” Mr Wys-opal says.

“The whole issue is thatpeople with poor securityshould have liability.”

Meanwhile, the threatsare only becoming morechallenging, as an evolvingecosystem of devices andsoftware becomes availableto new digital users.

The quickly shifting land-scape will put added pres-sure on lawmakers and reg-ulators to act quickly.

According to the GeorgiaTech 2012 Emerging CyberThreats report, mobilebrowsers, “apps” and cloudcomputing are presentingnew and vulnerable targetsfor cybercriminals.

Because mobile devicesand browsers are infre-quently updated or patched,they are rife with securityholes.

“Mobile applications areincreasingly reliant on thebrowser,” says PatrickTraynor, assistant professorat the Georgia Tech Schoolof Computer Science.

“As a result, we expectmore web-based attacksagainst mobile devices inthe coming year.”

Lawmakers asked tostep into digital ageRegulationData breaches havebrought securitycentre stage, writesAlan Rappeport

O fficers at theBoston PoliceDepartment werealready having a

bad day before the phonerang. A thousand user-names and passwords fromtheir union’s website hadbeen posted online after ahacking attack, apparentlyin support of the localinstance of the Occupy WallStreet protests.

But when one Bostonianpolice official answered thephone to a young man witha British accent purportingto be a member of the press,he did not expect thatinsult would be added toinjury.

“We’re in the process ofinvestigating it,” the officialsaid of the hack.

“Yeah, that was me,” the‘reporter’ replied.

“You hacked into thewebsite? Would you like totell me why you did it?” theflabbergasted policemanasked.

“I just got a bit bored,”the young man laughed.

Such is the world inwhich IT security opera-tives – and, increasingly,public-relations people –now live. This phone con-versation was recorded,posted on the video-sharingsite YouTube and passedaround on Twitter, themicro-communications net-work, ensuring it receivedmaximum embarrassment

for the police and muchkudos for the hacker fromhis peers.

Website defacements andstolen passwords are not anew feature of the onlinesecurity landscape. But theease, frequency and profileof such attacks have allrisen sharply in the pastyear, thanks to the antics ofAnonymous, Lulzsec andthe other hacking collec-tives that have followed intheir wake.

High-profile attacks onthe likes of Sony, Nintendoand Rupert Murdoch’s Sunnewspaper websites haveall been executed: for ideo-logical reasons; to makemischief; or, as in the Bos-ton case, simply becausethe hackers involved hadnothing better to do.

“These are people work-ing without a financialmotive,” says Graham Clu-ley, senior technology con-sultant at Sophos, the anti-virus software maker.“Some companies wouldthink that they wouldn’t beanybody’s target, whereasnow people are simplydoing it for kicks, or forpolitical reasons.”

Imperva, a data securityfirm, analysed an onlineforum where tens of thou-sands of hackers gather toswap tips and brag aboutsuccessful incursions.

It found that a quarter ofthe discussions were hack-ing tutorials, “ensuring”,Imperva wrote in its Octo-ber report, “a steady supplyof new talent”.

One typical lesson, a four-minute YouTube video,detailed how to hack a web-site with a relativelystraightforward method of

hacking a database or webapplication.

Other popular topicsinclude “denial of service”attacks, whereby a websiteis overloaded with trafficuntil it is knocked offline,and spam, unsolicited emailcontaining viruses or linksto websites that can capturepasswords.

All this is a far cry fromthe Stuxnet virus, whichtargeted industrial infra-structure, or the roguestates and organised crimi-nal groups behind sophisti-cated hacking attacks.

But just as YouTube andblogs have democratisedthe creation and distribu-tion of media, the social

web has also allowed hack-ing tools and skills to beshared more cheaply andeasily, and the fruits oftheir application to be seenmore widely.

Even if the resultingintrusions do little practicalor long-term harm to corpo-rate systems or their users,they are still damaging toan organisation’s reputa-tion, especially if not han-dled and rectified swiftly.

In a recent report, RSA, asecurity provider owned bystorage firm EMC, callsphishing, whereby users aretricked into handing overpersonal details by a mes-

sage that appears to comefrom a familiar or legiti-mate source, “one of theoldest scams in the book”.

Even so, RSA estimatesthat phishing attacks costbusinesses and individualsaround the world $520m inthe first half of 2011,through tens of thousandsof scams mimicking just afew hundred familiar onlinebrands, such as banks.

Phishing attacks are diffi-cult to prevent becausethey prey on human, ratherthan technological, vulnera-bilities, says Mr Cluley.

He says that weak pass-words, using insufficientnumber or variety of char-acters, were probablyresponsible for October’shijacking of YouTube chan-nels of Microsoft and Ses-ame Street – the latter stuntused to show videos unsuit-able for children.

“It’s really hard for ITmanagers to control,because they are puttingtheir trust in users,” MrCluley says. “Fundamen-tally, it’s about raisingawareness and educatingusers and C-level staff thatsecurity matters, because ifyou do foul up, it’s going tobe on the front pages.”

He recommends repeatingthe security lessons typi-cally taught at a corporateinduction for new employ-ees to long-standing staffevery few years too.

The “consumerisation” ofcorporate IT – as employeesbring their own devicessuch as smartphones andlaptops to work and usepersonal sites such as Face-book – has opened the doorto more everyday securityrisks.

Social networks can bevenues for phishing, andcan also inadvertently giveclues to hackers aboutpotential passwords.

CPP Group, which pro-vides credit card insuranceand identity protectionservices, found a third ofFacebook profiles contain atleast two pieces of personalinformation, such as afavourite sports team orschool, which are com-monly used in passwords orsecurity questions.

Consumerisation “is areally huge issue for mostof our customers”, saysHenry Harrison, technicaldirector at Detica, a secu-rity firm owned by BAESystems. “Every IT depart-ment is under pressure, par-ticularly from senior execu-tives, to let them bringtheir iPad to work.”

He adds: “Historically,the trend that IT has fol-lowed over the past 20 yearshas been to get tighter andtighter control over comput-ing devices, so the securitycan be managed.

“Now, people are using ahome device with very littlecontrol over what othersoftware is on it, and theywant to plug that into thecorporate network becausethey find it convenient.”

The trick in dealing withsuch security threats is thesame as for more serioustechnical hacking attacks,Mr Harrison says. “There isa classic trade-off betweenflexibility and security.”

Reputations can bethe main casualty

Everyday risksHackers can findeasy lessons online,says Tim Bradshaw

‘It is about raisingawareness,because if youdo foul up, it isgoing to be onthe front pages’

Who goes there?The frequency of attacks

inspired by so­calledhacking collectives has risen

sharply in the past year

‘It will take aconstant drumbeatof these breaches– maybe eventuallythings will change’

Chris Wysopal,Founder, Veracode

4 ★ FINANCIAL TIMES TUESDAY NOVEMBER 1 2011

Cybersecurity

J ust in case anyonewas starting to feelcomplacent, re-searchers have just

discovered a new, highlysophisticated virus thatappears to be designed tocollect information secretlyfrom European and MiddleEastern companies.

Dubbed Duqu the virus issimilar to Stuxnet, whichwas uncovered in 2010 andapparently designed to spyon and disrupt Iran’snuclear programme.

Stuxnet, believed to havebeen created by a govern-ment agency, alarmed ITsecurity professionalsbecause it was so highlytargeted and was one of thefirst times that a piece ofmalware was able to causereal-world effects in termsof damaging Iraniannuclear reactors.

The discovery of Duquconfirms that the era ofcyberthreats is here to stay.Although no one knowsquite what Duqu has beencreated for, it appears to bemining companies for data.

Over the past two years,IT security experts say theyhave seen more of thesekinds of attacks – known astargeted attacks oradvanced persistent threats(APTs) – on computer net-works.

Hacking attacks in thepast used to be widespreadand scattergun; for exam-ple, sending millions of peo-ple an email tricking theminto revealing bank details,or hijacking their computerto send out spam messages.

By contrast, an APT isfocused on just a few peoplein an organisation anddesigned in such a way thatit goes unnoticed while itbegins a slow and painstak-ing probe of the network.

Duqu has only been foundin some two dozen organisa-tions so far, and securityexperts are still not surehow it was implanted.

Mikko Hypponen, chiefresearch officer at F-Secure,the IT security company,says: “In advanced persist-ent threats, an email might

be sent to just one com-pany. In will be highly tai-lored to look authentic, itwill be in the right lan-guage with the right con-tent, and it tends to gocompletely unnoticed.”

In one case, a director ata UK defence company hada virus on his laptop thathad been leaking sensitive

details for 18 months beforeit was discovered.

Defence companies ingeneral came under attackthis year in a complex, two-stage operation. First, soft-ware was stolen from RSA,the security company,which compromised secu-rity tokens that it hadissued. A month or two

later, defence contractorssuch as Lockheed Martin,which used these RSAtokens, came under ahighly specific assault.

Leaked documents thisyear also showed that com-panies including DuPont,Walt Disney, Johnson &Johnson, and General Elec-tric had been hit, as well as

law firms and insurancecompanies. Investmentbanks such as MorganStanley have been attackedand the world’s biggest oiland energy companies havebeen infiltrated.

Henry Harrison, technicaldirector at Detica, a tech-nology consulting companyowned by BAE Systems, the

UK defence group, says:“People are realising this issomething they should beworried about. When wetalked about this a yearago, they didn’t understandwhy, but now there hasbeen a change in the levelof awareness.”

Malcolm Marshall, UKhead of information secu-

rity at KPMG, the profes-sional services firm, says:“Companies have to acceptthis is inevitable, and beginpreparing for how to dealwith an attack.”

About 50 per cent of thesecurity work KPMG doesis with companies that havebeen subject to such anattack. One of the problems

in dealing with APTs is thatmost appear to come fromforeign nation states, suchas China and Russia,although the origin of theattack is almost impossibleto prove.

When Google revealed itsemail systems had been thesubject of a targeted attackin late 2009, it pointed thefinger at China. Privately,security professionals talkabout the fact that manyattacks happen during theChinese working day.

It is hard for companiesto get redress when thethreat comes from thesequarters, but practical stepscan be taken.

One is to look for unusualnetwork activity. If a devel-oper’s laptop begins con-necting to an internetaddress halfway across theworld in the middle of thenight, for example, it couldbe a sign of a spy programat work, says Mr Hypponen.

Once rogue activity isdetected, it is worth gather-ing evidence for a while,rather than removing themalware straight away.

Security experts say it isworth trying to find out asmuch about the attackersas possible, and seeing whatthey are looking for.

Mr Marshall says: “Hav-ing an idea of who is attack-ing you is helpful for get-ting a sense of what youneed to do to protect your-self, even if being able toprove it in court and litigat-ing is not possible.”

Protecting everything inthe corporate network istoo expensive, but compa-nies can identify their”crown jewels” and putextra security around theseparts of the system.

The good news is that tar-geted attacks can take timeto carry out, which meansthey can be thwarted beforecritical information hasbeen compromised.

Mr Harrison says: “Thetraditional view was thatwhen someone got into thenetwork, the company hadalready lost the battle.

“But in these attacks, thehackers are looking for spe-cific information and it cantake them weeks or evenmonths to find it,” he says.

“Companies should notdespair. It requires thinkingabout security in a differentway, but there are thingsthey can do.”

Era of targeted attacks is here to stayVirusesA new kind of riskhas been found,says Maija Palmer

Threats, vulnerabilities, Tro-jans, phishing sites – the lan-guage of PC virus warfare isthis year increasingly beingapplied to mobile devices.

A series of reports from secu-rity companies suggest a surgein mobile malware. Juniper Net-works says Google Android mal-ware samples grew 400 per centbetween June 2010 and January2011, while Lookout MobileSecurity reports a 250 per centincrease in the likelihood ofusers encountering malware ontheir mobile devices betweenJanuary and June this year.

Kevin Mahaffey, chief technol-ogy officer and co-founder ofLookout, says 2011 representsthe start-up phase for malware“entrepreneurs” developing abusiness model.

“Every new piece of malwarewe are seeing is experimentingwith methods of distribution –how do you get the malware topeople in the first place – andwith monetisation – how do youmake money as a malwareauthor?” he says.

Distribution is proving easiestin the Android ecosystem.

John Dasher, McAfee seniordirector of mobile security, says:“Apple has a walled garden,with its curating of apps for itsApp Store, so it’s had far fewerinstances of malware, butAndroid is far more porous.”

“There are more than a dozenapps sites, it’s very easy todownload apps and ‘sideload’apps on to a device, and so it’sfar easier for a hacker to get anapp published that containsmalware.”

The easiest way to infect asmartphone is free games orapps that look similar to wellknown ones, confusing usersinto downloading and giving theauthors the permissions theyneed to carry out their under-hand tasks.

Malvertising – ads within apps

– are also becoming popular.GGTracker poses as a free bat-tery-saver app. Clicking on thistakes the user to a fake versionof Google’s Android Market todownload and install the app,which charges premium textmessaging fees to that phone.

A more dangerous kind ofmonetisation spread to Androidthis year from Symbian, Win-dows Mobile and BlackBerrysmartphones in the shape ofZitmo, a supposed bankingauthorisation app. It can inter-cept text messages often sent bybanks that provide one-timepasswords to help users accessaccounts and transfer money.

Despite such alarming threats,security experts say the mobilemalware problem is minor, com-pared with the viral warfareraging in the PC world.

“The percentage increases

we’re seeing are from a tinybase,” says Ed Amoroso, AT&Tchief security officer.

“Most malware continues toreside on the PC – it’s easy pick-ings there – it’s not adminis-tered and it’s on a big fat broad-band pipe.”

He says mobile securityexperts cannot count on learn-ing from their PC counterpartseither, with computer securitynow “in a pretty abysmal state”.

With mobile threats still low,mobile security companies arebundling their anti-malwareprotection with other services tomake them more appealing.

“It’s a conundrum – how doyou get people to adopt a prod-uct without selling through fear[that they may face virusattacks],” asks Lookout’s MrMahaffey.

That is why his companyincludes useful security utilitiessuch as the ability to locate lostsmartphones and remotely lockor wipe them.

The always-on location-aware

nature of smartphones makesthis possible and their activityon the network means they caneasily be monitored for unusualbehaviour by mobile operators.

AT&T has 40 researchersworking in the field of behav-ioural analysis to spot malware,rather than relying on the tradi-tional PC-like databasesscanned to identify viruses bytheir software signatures – thefingerprints of their code.

McAfee, acquired by the chip-maker Intel this year, is work-ing on embedding security intothe hardware.

“For years, security softwarehas lived above the operatingsystem layer, but the goal is toput security lower in the stackwhere it can’t be tamperedwith,” says Mr Dasher.

Juniper, whose Junos PulseMobile Security Suite is used byAT&T and others, advocates aholistic approach of networkoperators monitoring and block-ing threats as well as protectionon the smartphone itself.

“There is the need to scanapps as they are being down-loaded. Firewalls have to be setup and finally the user has to beeducated about threats and safepractices,” says Karim Toubba,Juniper vice-president of secu-rity and strategy.

3LM, founded by two formermembers of the Google Androidteam, last month launched anenterprise security suite forAndroid that hooks directly intothe operating system and givesIT departments a managementconsole to ensure employees’phones are secure.

Tom Moss, chief executive andco-founder, says this is the firstof next-generation anti-malwareproducts that should arrive inthe next year – just in time.

“Now Google is introducingthings such as NFC [mobile pay-ment] chips in addition to otherservices that have financialcomponents, it just makesAndroid a bigger target for the‘black hats’,” he says.

“Google will take actionagainst them, but there’s alsogoing to be a very healthy androbust third-party developercommunity coming along withsecurity solutions as well.”

Mobile devices are likely tobe next victims of virusesMalwareChris Nuttall looks atrecent efforts to keep‘black hats’ out

‘How do you getpeople to adopta productwithout sellingthrough fear?’Kevin Mahaffeyof Lookout

One of the most lucrative andfastest-growing sectors of thecybercrime economy is the dis-tribution and use of sophisti-cated software that assists instealing funds directly frombank accounts.

With most criminals operatingfrom abroad, there is little riskof capture and there are fewersteps than one needs whenusing stolen credit cards to buygoods that are then resold.

“There has been a noticeableincrease in account takeoversthat result in fraudulent trans-fers from the victim’s account toan account under the control ofthe perpetrator,” AT Smith,assistant director of the USSecret Service, testified in Sep-tember to a Congressional hear-ing on electronic bank fraud,which is estimated in billions ofdollars a year. An FBI officialsaid his agency was probing 400cases of corporate account take-overs with losses of about $85m.

Part of the problem is that thediverse digital underground con-tinues to develop technologyquickly. As an example, somemembers of the pernicious“Zeus” family of credential-stealing programs can interceptauthentication codes sent tomobile phones. These illegalbusiness models have alsoadvanced, with effective DIYcrimeware kits available free inmany places.

But there is a less obvious,and potentially more fixable,reason why the crooks continueto prosper in bank cyber-capers:a standoff over who will pay forbetter security.

Basically, neither govern-ments nor privately owned utili-

ties, transport and communica-tions companies want to pay toshore up protections againstattacks from abroad.

The financial industry hasboth that simmering argumentto resolve and a more immedi-ate one: if a business has itsbank account drained by hack-ers, who should be on the hook,the business or the bank?

In the UK, businesses areoften held responsible if they donot recognise fraud on theiraccounts within two days, saysRoss Anderson, professor ofsecurity engineering at Cam-bridge university. Banks some-times try to shift blame on toindividuals, too, he adds.

Under US regulations, thebanks generally must reimburseconsumers whose accounts arecleaned out. But no such ruleprotects businesses, even thoseowned and operated by a singleindividual.

A small but growing numberof companies have been wipedout by Zeus and its ilk, whichcan be delivered via trick emailsthat seem to come from a bankor via user visits to legitimatewebsites that have beeninfected.

In some instances, US bankshave reimbursed companies forall or part of their losses, butthey make no promises, andlow-level courts have been splitso far on whether financialinstitutions can be held respon-sible.

The rulings thus far havedepended heavily on the exactwording of the contractsbetween banks and customerswho opt for electronic banking,as well as whether the institu-tions are deemed to have actedin “good faith” with “commer-cially reasonable” security pre-cautions.

In a big test case, a Mainecompany called Patco Construc-tion lost hundreds of thousandsof dollars after a Zeus infection,then lost money again afterunsuccessfully suing its bank.

Though the transfers from itsaccounts were so unusual as totrigger a high risk score fromthe bank’s security service, allthat did was trigger “challengequestions”. The criminals appar-ently had the answers becauseZeus records keystrokes madeon computer keyboards and thesame questions had been askedbefore. The bank won in partbecause the security rules ineffect at the time did not explic-itly require tokens, telephonecalls or other forms of “out-of-band” authentication.

Another case, heard in Michi-gan federal court, fell in theother direction. The judge thereruled that the bank Comericadid not show good faith, definedas including “fair dealing”,when it did not act quicker tostop wire transfers from clientExperi-metal to Moscow, Esto-nia and China. More than $5min overdrafts were allowed onone Experi-metal account thattypically had a zero balance, thejudge wrote after a bench trial.

Doug Johnson, policy analyst

at the American Bankers Asso-ciation, says it is right suchcases are decided on specifics.He says revised guidelines pub-lished in June will tighten secu-rity.

Among other things, the newrules bar reliance on passwords,standard challenge questionsand “cookies” that identify spe-cific browsers. He also says arecent survey of 77 banks foundthat while attempts at fraud hadmore than doubled in a year,the amounts actually extractedby criminals had fallen.

Though one bill introduced inCongress last year would haveextended the protection given totownships and school districts,which have been hit hard byfraud, Mr Johnson says theindustry remains opposed to theextension of liability to eithernon-profit groups or businessesat large.

“Changing the liability modelis particularly dangerous for thecommunity bank market,”where institutions have less tospend on security and could beruined by major cyber-robberies,says Mr Johnson. “It is onlywhen you banks and businessesview security as a partnershipthat it is going to be effective.”

But others say that banks aremuch better equipped thansmall businesses to outwitcrooks.

But if they are not likely to beheld liable, they have little rea-son to spend what it takes.

Banks refuseto pay out toprotect clientsLiabilityBusinesses targeted bycriminals are left highand dry by lenders,reports Joseph Menn

Institutions are better equipped to catch crooks out Dreamstime

Low­level courts havebeen split so far onwhether financialinstitutions can beheld responsible forcases of cybercrime

Mahmoud Ahmadinejad, Iran’s president, at the Natanz uranium enrichment facility. The plant was the target of the Stuxnet virus in 2010 AP