Security experts have been openly speculating that China may be behind the recent unauthorized network access events at several U.S. defense contractors, and that they may also be responsible for the RSA SecurID breach.
Former Department of Homeland Security chief Michael Chertoff believes that such events do not require the support of nation states, and that these operations may just as well have been conducted by small hacker collectives such as LulzSec and Anonymous.
“We live in a world of globalization and technology, so even small groups now have the ability to project themselves around the world, in terms of presence, communications and travel… and build bigger and more destructive tools and weapons, and unleash them,” Chertoff said.
Chertoff made the remarks during a keynote presentation at the 2011 Gartner Security & Risk Management Summit in Washington, DC.
RSA, the security division of EMC, announced in mid-March that it had suffered a breach stemming from an attack on its network systems that targeted proprietary information about the company's SecurID product.
SecurID is a product designed to prevent unauthorized access to enterprise network systems, and exposure of proprietary information about the product could in turn make RSA's clients more vulnerable to hacks themselves.
“We can have [criminal] networks that can cause serious threats if not existential damage without a nation-state involved. With the confluence of globalization and technology, these groups now have the ability to cause the kind of damage that used to involve national effort. We got a taste of this on 9/11,” Chertoff explained.
LulzSec is reported to have conducted successful attacks against the Central Intelligence Agency, the U.S. Senate website, PBS, as well as networks belonging to the Atlanta chapter of FBI affiliate InfraGard. LulzSec also claims to have hacked Sony Pictures, Sony Entertainment and Sony BMG, among others.
Previously, Anonymous gained attention for DDoS attacks against PayPal, Visa, MasterCard, PostFinance Bank, Amazon, Bank of America, the U.S. Chamber of Commerce website, and for having breached the systems of security consultants HBGary Federal.
One of the biggest obstacles to standardization of military response to cyber-based attacks is in reliably determining attribution. In many cases, it is nearly impossible to clearly determine the origin of an attack, and even more difficult to ascertain if the event was state-sponsored or instigated by individual actors.
Chertoff went on to discuss logistical problems related to how best to “convey to the public what they need to know in a way that’s accurate, understandable, succinct and credible.”
“You’ll never get perfect information, there’s always something more you could learn, always uncertainty about what you could do, and time is not your friend. You need to be able to act decisively, as inaction is also a decision, but a decision by default,” Chertoff explained.