Don't forget who's behind a cyberattack

Private sector can learn plenty from the government when it comes to cybersecurity

Many would argue, and understandably so, that government agencies aren't role models for corporations on how to improve their bottom lines. But federal agencies do hold a leadership position in cybersecurity on one key point: They recognize the value of knowing not just how networks are hacked, but also by whom. 

It’s not uncommon for a virus, worm or other computer attack to reside on one continent at the behest of an organization or individual located in a different region of the world. Case in point: A recent report by researchers in Canada noted that a Chinese network named GhostNet, purported to be sanctioned by the Chinese government to conduct intelligence gathering over the Internet, controls some 1,200 infected computers in more than 100 countries, including North America, Kuwait and India. Although the Chinese government denies the allegations, the point here is that simply because a malicious infiltration against an organization originates in one part of the globe doesn’t mean the people behind it are from that same area.

Being able to identify the mechanical tactics that were used is important, but might not tell the complete story. That’s why the State, Justice and Defense departments spend time, money and resources to uncover the true culprits, a process known as “attribution.”

Understanding who was behind such attacks is important when determining what action to take through diplomatic, military or law enforcement channels. Attributing both the technical and social origins also provides valuable intelligence against terrorist, insurgent and criminal activities that can be countered in multiple ways. This can only be done by understanding who was behind the attacks and not just recognizing when networks are being hacked.

Although the feds embrace this idea, many businesses in corporate America fail to see the benefits of taking this extra step in their cyber forensic investigations. Most are concerned only with ensuring that such an attack on their systems never happens again; they pay little, if any, attention to who is playing havoc with their network. Anecdotal evidence suggests the reasons for such apathy are numerous, the most popular being that it’s not worth the time and effort to investigate further because there’s most likely no real legal recourse against such organizations or individuals. Additionally, some entities believe that making the suspects known will only encourage future attempts to infiltrate their networks.

A notable exception is Google's recent corporate blog posting regarding suspected hacking of Gmail servers by the Chinese government. Google made the effort to determine the source of the attack on its servers, and more notably, to disclose to the public the information Google discovered forensically as to the methods and suspected perpetrators of the attack.

Benefits outweigh the costs

More companies should follow Google's example, if not by publicly revealing cyber attacks and methods, at the very least by determining the who and the how of the attacks. In fact, companies that don’t try to uncover the people and groups behind cyber attacks are doing themselves more harm than good, both in long-term monetary loss to their shareholders and the loss of competitive advantage. Determining who was responsible can shed light on numerous opportunities and unforeseen pitfalls.

For example, a multinational firm might discover that an overseas competitor was behind a particular attempt to hack into its network, seeking to gain insight into the company’s technology to use in a developing market. Recognizing that the attack came from a foreign government allows the corporation to bring in U.S. government resources, which are interested in criminal activity or espionage threats. Even marketers who measure such things as brand equity can leverage such information about who’s attacking the system to determine the depth and nature of the competitive threat in different geographic areas and markets.

Identifying assailants will not necessarily encourage additional attacks. In many cases the opposite is true: hackers don’t want to be known and will run for cover when unmasked. Google is betting on just that by publicly threatening to shut down its Chinese operations in the wake of the attacks against its networks.

If knowledge is indeed power, then organizations need to seize the opportunity to learn more about the people behind such attacks. The dividends can be significant and potentially critical to the company’s future success.

About the Authors

Eric Basu is a former Navy SEAL, and founder and president of Sentek Consulting, a 50-person defense contractor in San Diego. He can be reached at

Cameron Matthews is the CTO for Sentek Consulting, a rapidly growing provider of government and commercial IT security and C2 programs, including security, program management, strategic consulting, engineering, software development and acquisition support.

Reader Comments

Thu, Feb 4, 2010 Don O'Neill

The repeatedly used phrase "understanding whom was behind the attacks" should be stated as "understanding who was behind the attacks".

"Who" is the subject of the verb "was", not the object of the gerundive "understanding". "Who was behind the attacks" in its entirety is the object of the gerundive "understanding".
