Security

How The Rules Of Cyber Engagement Have Changed

Comment

Image Credits: Bryce Durbin

Monzy Merza

Contributor

Monzy Merza is the chief security evangelist at Splunk.

More posts from Monzy Merza

A series of recent breaches at United Airlines, Anthem and, most recently, Sabre Corp. and American Airlines are reportedly tied to state-sponsored cyber attackers. These attacks further highlight an important trend in the cybersecurity arena: Government entities are targeting corporations in addition to other governments, with far-reaching implications.

While “cyber attack” conjures images of destruction, these attacks are rarely about breaking things and are more often about affecting outcomes. Governments are beginning to use cyber attacks to influence very specific events and gain calculated strategic advantages, e.g., giving one company leverage over another in a competitive bid.

This is uncharted and complex territory from a policy perspective. To make matters worse, corporations currently have few incentives to report and share breach information, meaning these attacks will continue to escalate.

The U.S. government and the private industry are interconnected; this means that hackers can exploit a corporation’s weak security posture as an access point to government information, making these attacks a very real threat to national security.

The New Rules Are Revealed

In May 2014, the first public signs of cyber espionage appeared in the news. The U.S. Justice Department indicted five members of the Chinese military for hacking into computers and stealing valuable trade secrets from leading steel, nuclear plant and solar power firms.

Never before had the U.S. government leveled charges against another government for such crimes as computer fraud, conspiracy to commit computer fraud, damaging a computer, aggravated identity theft and economic espionage.

Eric Holder, U.S. Attorney General at the time, summed up all that was at stake:

“The range of trade secrets and other sensitive business information stolen in this case is significant and demands an aggressive response. Success in the global market place should be based solely on a company’s ability to innovate and compete, not on a sponsor government’s ability to spy and steal business secrets. This Administration will not tolerate actions by any nation that seeks to illegally sabotage American companies and undermine the integrity of fair competition in the operation of the free market.”

Despite his strong statement, protecting U.S. corporations from cyber attacks perpetrated by foreign governments remains an ongoing challenge.

Land, Sea, Air And Cyber

The United States has very specific and clear policies for defense when it comes to the land, the sea and the air, but cyber represents a fourth domain where U.S. policy is still in development. Corporations have raised questions about how the U.S. government can provide adequate assistance in the event of a cyber attack by a foreign government.

Policies must be created in a way that balances privacy and civil liberties. Businesses need legal protections that align with the modern threat landscape. But fashioning those protections presents a significant challenge, most notably rendered in self-disclosure or threat-intelligence-sharing debates.

Eat The Breach

Enterprises targeted by sophisticated attacks are not incentivized to report the breaches. There are no incentives for protections from litigation or fines that encourage companies to self-disclose a breach. A self-reported breach faces the same litigation or fines as a breach detected by law enforcement or discovered by way of publicly leaked documents.

Because there is little incentive from the government to self-report and because companies also risk a loss in consumer confidence and face the potential of backlash in the media, many companies would rather the breach not become public.

Sharing breach information is widely proposed as a means to help enterprises protect against attacks. But a number of companies see little benefit in sharing threat information, as security is seen as a competitive advantage.

Informing a competitor of a potential threat helps the competitor better defend against that same threat. Companies that invest in security are reluctant to give their competitors free threat information.

Finally, there is a stigma that surrounds breaches. A common trend in cyber-breach announcements is the shaming of the victimized organization, especially the organization’s CIO or CISO. Harsh remarks toward the security leadership is commonplace in cyber-breach reports and media discourse. Following a breach report, IT leaders often step down and security teams are demoralized.

State-sponsored breaches are often about gaining a strategic advantage rather than causing damage, making the actual cost of a breach hard to quantify. Rather than spending money on remediation or risk fines and audits or public shaming, many companies simply eat the breach.

Organizations don’t report breaches unless absolutely necessary, e.g., when personally identifiable information is lost. More than likely, the number of breaches perpetrated by foreign government groups is much higher and pervasive than what is reported.

The Path Of Least Resistance

If government attacks on corporations could simply be written off as the price of doing business in the modern world, then enterprises could weigh the cost of a breach versus the cost of investment in security and proceed accordingly. Unfortunately, the situation is not that simple.

Many U.S. corporations produce products and services that are created or discovered after significant financial and time investments. These products and services are part of our economy and our daily lives. A compromised infrastructure or a breached industry affects all of its consumers — the U.S. government and private citizens alike.

Furthermore, the U.S. government is interconnected with the private sector through third-party contracting. When a foreign government launches a cyber attack against a private organization, the ultimate target could still very well be the U.S. government.

The attackers could be picking the weakest security point and working their way to the intended target. If we can’t create clear policies that protect enterprises and incentivize corporations to report and remediate breaches, the attacks will continue to escalate. The ultimate victims in all this are our national security and our strategic interests.

More TechCrunch

Around 550 employees across autonomous vehicle company Motional have been laid off, according to information taken from WARN notice filings and sources at the company.  Earlier this week, TechCrunch reported…

Motional cut about 550 employees, around 40%, in recent restructuring, sources say

It ran 110 minutes, but Google managed to reference AI a whopping 121 times during its I/O 2024 (by its own count). CEO Sundar Pichai referenced the figure to wrap…

Google mentioned ‘AI’ 120+ times during its I/O keynote

Here are quick hits of the biggest news from the keynote as they are announced.

Google I/O 2024: Here’s everything Google just announced

Google Play has a new discovery feature for apps, new ways to acquire users, updates to Play Points, and other enhancements to developer-facing tools.

Google Play preps a new full-screen app discovery feature and adds more developer tools

Soon, Android users will be able to drag and drop AI-generated images directly into their Gmail, Google Messages and other apps.

Gemini on Android becomes more capable and works with Gmail, Messages, YouTube and more

Veo can capture different visual and cinematic styles, including shots of landscapes and timelapses, and make edits and adjustments to already-generated footage.

Google gets serious about AI-generated video at Google I/O 2024

In addition to the body of the emails themselves, the feature will also be able to analyze attachments, like PDFs.

Gemini comes to Gmail to summarize, draft emails, and more

The summaries are created based on Gemini’s analysis of insights from Google Maps’ community of more than 300 million contributors.

Google is bringing Gemini capabilities to Google Maps Platform

Google says that over 100,000 developers already tried the service.

Project IDX, Google’s next-gen IDE, is now in open beta

The system effectively listens for “conversation patterns commonly associated with scams” in-real time. 

Google will use Gemini to detect scams during calls

The standard Gemma models were only available in 2 billion and 7 billion parameter versions, making this quite a step up.

Google announces Gemma 2, a 27B-parameter version of its open model, launching in June

This is a great example of a company using generative AI to open its software to more users.

Google TalkBack will use Gemini to describe images for blind people

Firebase Genkit is an open source framework that enables developers to quickly build AI into new and existing applications.

Google launches Firebase Genkit, a new open source framework for building AI-powered apps

This will enable developers to use the on-device model to power their own AI features.

Google is building its Gemini Nano AI model into Chrome on the desktop

Google’s Circle to Search feature will now be able to solve more complex problems across psychics and math word problems. 

Circle to Search is now a better homework helper

People can now search using a video they upload combined with a text query to get an AI overview of the answers they need.

Google experiments with using video to search, thanks to Gemini AI

A search results page based on generative AI as its ranking mechanism will have wide-reaching consequences for online publishers.

Google will soon start using GenAI to organize some search results pages

Google has built a custom Gemini model for search to combine real-time information, Google’s ranking, long context and multimodal features.

Google is adding more AI to its search results

At its Google I/O developer conference, Google on Tuesday announced the next generation of its Tensor Processing Units (TPU) AI chips.

Google’s next-gen TPUs promise a 4.7x performance boost

Google is upgrading Gemini, its AI-powered chatbot, with features aimed at making the experience more ambient and contextually useful.

Google reveals plans for upgrading AI in the real world through Gemini Live at Google I/O 2024

Veo can generate few-seconds-long 1080p video clips given a text prompt.

Google’s image-generating AI gets an upgrade

At Google I/O, Google announced upgrades to Gemini 1.5 Pro, including a bigger context window. .

Google’s generative AI can now analyze hours of video

The AI upgrade will make finding the right content more intuitive and less of a manual search process.

Google Photos introduces an AI search feature, Ask Photos

Apple released new data about anti-fraud measures related to its operation of the iOS App Store on Tuesday morning, trumpeting a claim that it stopped over $7 billion in “potentially…

Apple touts stopping $1.8B in App Store fraud last year in latest pitch to developers

Online travel agency Expedia is testing an AI assistant that bolsters features like search, itinerary building, trip planning, and real-time travel updates.

Expedia starts testing AI-powered features for search and travel planning

Welcome to TechCrunch Fintech! This week, we look at the drama around TabaPay deciding to not buy Synapse’s assets, as well as stocks dropping for a couple of fintechs, Monzo raising…

Inside TabaPay’s drama-filled decision to abandon its plans to buy Synapse’s assets

The person who claimed to have stolen the physical addresses of 49 million Dell customers appears to have taken more data from a different Dell portal, TechCrunch has learned. The…

Threat actor scraped Dell support tickets, including customer phone numbers

If you write the words “cis” or “cisgender” on X, you might be served this full-screen message: “This post contains language that may be considered a slur by X and…

On Elon’s whim, X now treats ‘cisgender’ as a slur

The keynote kicks off at 10 a.m. PT on Tuesday and will offer glimpses into the latest versions of Android, Wear OS and Android TV.

Google I/O 2024: Watch the AI reveals live

Facebook once had big ambitions to be a major player in enterprise communication and productivity, but today the social network’s parent company Meta will be closing a very significant chapter…

Meta is shutting down Workplace, its enterprise communications business