It is a good idea to have a few anecdotes in your back pocket to put I.T. Security and the importance of I.T. Audit into context. This article by Shane Harris is a great place to start when it comes to understanding the depth and breadth of Chinese Hacking and protecting your company’s and your client’s data.
Hacked by the Chinese Government
Google uncovered evidence of one of the most extensive and far-reaching campaigns of cyber espionage in U.S. history. Evidence suggested that Chinese hackers had penetrated the systems of nearly three dozen other companies, including technology mainstays such as Symantec, Yahoo, and Adobe, the defense contractor Northrop Grumman, and the equipment maker Juniper Networks…
The only things Google seemed certain of was that the campaign was massive and persistent, and that China was behind it. And not just individual hackers, but the Chinese government, which had the means and the motive to launch such a broad assault.
On the day that Google’s lawyer wrote the blog post, the NSA’s general counsel began drafting a “cooperative research and development agreement,” a legal pact that was originally devised under a 1980 law to speed up the commercial development of new technologies that are of mutual interest to companies and the government. The agreement’s purpose is to build something — a device or a technique, for instance…
It’s not clear what the NSA and Google built after the China hack. But a spokeswoman at the agency gave hints at the time the agreement was written. “As a general matter, as part of its information-assurance mission, NSA works with a broad range of commercial partners and research associates to ensure the availability of secure tailored solutions for Department of Defense and national security systems customers,” she said. It was the phrase “tailored solutions” that was so intriguing. That implied something custom built for the agency, so that it could perform its intelligence-gathering mission. According to officials who were privy to the details of Google’s arrangements with the NSA, the company agreed to provide information about traffic on its networks in exchange for intelligence from the NSA about what it knew of foreign hackers. It was a quid pro quo, information for information.
IT Audit and Security Considerations
A huge – and often neglected – part of I.T. Audit and Security services is providing context to clients, to help them make decisions that are in the best interest of their company and their customers. Having an understanding of events such as those described above goes a long way toward establishing credibility.
In short – if cyber security is important enough for Google, important enough for the U.S. Government, and important enough for the two to develop secret technologies – it should be an important component of any corporate risk strategy.