Security experts say Google cyber-attack was routine
"This wasn't in my opinion ground-breaking as an attack. We see this fairly regularly," said Mikko Hypponen, of security firm F-Secure.
"Most companies just never go public," he added.
In some ways this comment is true, and in other ways I think it can mislead some readers. I believe it is true in the sense that many organizations are dealing with advanced persistent threats. However, I believe this comment leads some readers to focus incorrectly on two rather insignificant aspects of the Google incident: vulnerabilities and malware.
On the vulnerability front, we have a zero-day in Internet Explorer. I agree that this is completely routine, in a really disappointing way.
On the malware front, we have code submitted to Wepawet. I agree that this is also not particularly interesting, although I would like to know how it ended up being posted there!
Five issues make Google v China different for me.
- The victim made a public statement about the intrusion. I read that this was a difficult decision to make and it took strong leadership to see it through:
  Google Inc.'s startling threat to withdraw from China was an intensely personal decision, drawing its celebrated founders and other top executives into a debate over the right way to confront the issues of censorship and cyber security.
  Google's very public response to what it called a "highly sophisticated and targeted attack on our corporate infrastructure originating from China" was crafted over a period of weeks, with heavy involvement from Google's co-founders, Larry Page and Sergey Brin.
- The victim is not alone. Google isn't alone in the sense that firms suffering from Conficker last month weren't alone, i.e., this isn't a case of widespread malware. Instead, we're hearing that multiple companies are affected.
- The victim is not a national government. Don't forget all the China incidents involving national governments that I followed from summer 2007 through 2008.
- The victim named the perpetrator. This amazes me. We need more of this to happen. By doing so a private company influenced a powerful policy maker to issue a statement of a diplomatic nature.
- The victim could suffer further damage as a result of this statement and decision. Every CIO, CTO, CSO, and CISO magazine in the world talks about "aligning with business," blah blah. Business is supposed to rule. Instead, we have a situation where the self-reported "theft of intellectual property from Google" plus "accessing the Gmail accounts of Chinese human rights activists" resulted in a business decision to alter and potentially cancel operations. That astounds me. You can claim Baidu is beating Google, but I don't buy it as the real reason Google is acting like this.