Guardians of Internet Security Are Targets
The New York Times
By SOMINI SENGUPTA
Published: August 4, 2011
Jeff Moss is the founder of Black Hat and Defcon, well-known conferences on hacking and the security industry.
Photo: Stuart Isett for The New York Times
LAS VEGAS —
The Web site of ManTech International, a $2.6 billion computer security company that won a major F.B.I. contract, sells its services this way:
“Whether an intrusion is conducted by a skilled outsider with criminal intent, an adolescent hacker seeking a thrill or a disgruntled employee bent on revenge or espionage, the potential risks to the organization are enormous.”
Last Friday, ManTech was that organization.
A band of Internet vigilantes calling itself Anonymous said it had sneaked into ManTech’s computers to demonstrate the company’s insecurity. The group released what it said were internal company documents and, in language that suggested the handiwork of an adolescent hacker seeking a thrill, taunted the company online: “It’s really good to know that you guys are taking care of protecting the United States from so-called cyber threats.”
ManTech is in good company. In recent months, several security firms and consultants have been hit by the very intruders they are hired to keep at bay.
Think of these companies as the new Pinkertons: Instead of taking on 19th-century outlaws in the Wild West, they are hired today to protect corporate and government data, including the most confidential intelligence information, across a vast virtual frontier. The string of embarrassing attacks on them demonstrates how vulnerable everyone is online, including those who are paid to be the protectors.
Many technology professionals who have long warned about such security risks say so-called hacktivist groups like Anonymous, which publicize their attacks to make a point, are the least worrisome of the many potential intruders out there.
“With the rise of hacktivism, now the people who break into you tell you they break into you,” said Jeff Moss, founder of the Black Hat conference, which drew nearly 6,500 technologists, largely security professionals, to Las Vegas this week. “A little bit of public humiliation is going to go a long way in helping the security industry clean up.”
Other times, the attackers are mysterious and more worrying entities, as in the case of the still unknown organization that in March breached the systems of RSA, whose electronic security tokens are used across many industries.
RSA’s parent company, EMC, has said that replacing tokens and cleaning up the mess has cost it roughly $90 million so far this year. Hackers used information obtained in the RSA attack to break into Lockheed Martin, the largest military contractor in the country.
On Wednesday the security company McAfee said it had uncovered a campaign of computer break-ins at 72 organizations and companies worldwide. McAfee called it the handiwork of a nation-state intent on acquiring, among other things, American military designs. Military contractors in the United States made up a disproportionately large share of the companies selected — 12 in all.
Anonymous, for its part, has made it plain that it goes after defense and intelligence contractors to expose their security vulnerabilities, not for financial or strategic gain. Booz Allen Hamilton, a $5.6 billion company based in McLean, Va., that does computer security work for the Defense Department, was hit by the group in early July; the hackers released the e-mail addresses of 90,000 military personnel.
The most notorious breach of a security company came early this year after an executive at HBGary Federal, a relatively small consultant eyeing a government contract, boasted publicly of his ability to unmask the members of Anonymous. In response, hackers made off with a large trove of the company’s e-mail messages and dumped them online, exposing details of its business transactions.
Greg Hoglund, who is the chief executive of HBGary, the parent company that owns a minority stake in HBGary Federal, said that the breach was the result of “a human mistake” and that his firm, along with other security companies, had fortified their systems since then.
“It was a wake-up call for the entire security industry,” Mr. Hoglund said. “It probably needed to happen. I wish I didn’t have to be the sacrificial lamb.”
As unlikely as it may seem, HBGary Federal still has a contract to help an unnamed federal agency sniff out spies inside its organization. And HBGary continues to sell its software, intended to ferret out the circumstances of a network intrusion.
For its part, ManTech posted a vague statement on its site last Friday after the Anonymous attack, saying that it addresses threats to its information systems and pointing out the obvious: “All organizations attract cyber threats in our highly networked world.”
An academic who studies computer security, who declined to be named because he consults for the government, described the Anonymous attacks on security companies in blunt terms: “They’re pulling their pants down publicly.”
The spate of attacks — and the fear of more — could actually end up buoying the fortunes of the global security industry. A nationwide survey of company technology managers, conducted by Forrester Research, found that computer security had increased as a share of the total information technology budget of companies, to 14 percent this year from 8.2 percent in 2007. Of those surveyed this year, 56 percent said it was a high priority to “significantly upgrade.”
“The landscape is more menacing now,” said Eve Maler, principal analyst for security and risk at Forrester. “Even the most experienced practitioners are in the process of upping their game.”
All of the major defense and intelligence contractors have expanded their digital security wings in recent years. They are simply following the money. The business of security for government agencies is growing by an enviable 9 percent a year, according to the research firm Input/Deltek. Federal government contracts alone amount to over $9 billion today and are projected to grow to $13.3 billion by 2015. “Cybersecurity,” Deltek concluded in a recent report, “is somewhat immune to spending and budget cuts.”
For better or worse, said Jonathan L. Zittrain, a Harvard Law School professor, securing the Internet has been largely left to private players — and even government information is increasingly guarded by private companies, whose actions can be difficult to monitor and hold accountable.
“In the absence of larger public order, we’ve seen do-it-yourself approaches: the technologically savvy can configure their own firewalls, and corporations can try to buy security,” he said. “But this can be as figuratively dicey as trying to get and maintain security contractors in Baghdad immediately following the fall of Saddam Hussein.”
ManTech International: http://www.mantech.com
