Alas, risk assessments are only useful if they are written in a way that the people who receive them will actually pay attention to them.
According to a story by the Canadian Press over the weekend, last November the Canadian Security Intelligence Service (CSIS) produced a top secret intelligence assessment titled "Cyberattacks on Canadian Government Departments: An Overview." The report outlined ongoing attacks against Canadian government IT systems, especially the use of social engineering attacks targeting individuals in governmental departments.
The Canadian Press story quotes the report - which it obtained through a Freedom of Information Act request - as stating:
"Canada has been engaged in detecting, monitoring and mitigating a series of ongoing and evolving ... cyberattacks directed against the computer systems and networks used by Canadian government departments... The perpetrators of such attacks use ... correspondence directed against individuals within Canadian government departments .. [such as] crafted emails with malware in their attachments or links to externally hosted malicious files. The emails appear to have been sent by trusted individuals in Canada or officials associated with foreign governments and international organizations, meetings and expositions."
A few weeks after the release of the CSIS report, computers at several Canadian government departments were taken over by hackers traced to servers operating in China.
As I noted here in February, employees at the Canadian Treasury Board and Department of Finance were cut off from the Internet for several weeks because of the cyberattacks. The hackers sent emails supposedly from senior government executives to departmental technical staffers that were sufficiently convincing that the staffers provided the hackers with key passwords to government networks.
The Canadian Press story unfortunately does not say who received the CSIS report or what their responsibility was to act on it. It also doesn't mention whether the report was a broad, informational-type IT security risk assessment, or one that was meant to be taken as a warning to senior government executives to take immediate, specific action. From the title of the report, it looks more like the former than the latter.
The surfeit of the former type of cyber threat assessment report is probably one reason why some, like the co-chair of the Congressional Cybersecurity Caucus, Rep. James Langevin from Rhode Island, are complaining about the lack of attention being paid to the cyber threat even as it appears to be increasing.
After receiving constant warnings and exhortations to be careful (Did you know that October was National Cyber Security Awareness Month?), people tend to tune such warnings out, especially if nothing happens. So when a social engineering attack is launched, employees may not be on their guard or may get sloppy in following required IT security practices. In the Canadian situation, for example, government personnel were found not to be following the mandated IT security requirements.
A story today in the Wall Street Journal coincidentally focuses on the increasing use of social engineering techniques to break into IT systems as opposed to the more direct route. A reason given is that technologically-based computer security is getting better in many organizations, thus making "schmoozing" a more cost-effective approach to hacking into a government or commercial system.
Of course, a hacker doesn't have to resort to social engineering techniques if there is an unlocked IT security door just waiting to be pushed open.
Over the weekend, there was a news report on how the Pakistani military intelligence service (ISI) was able to penetrate the German Police Project Team (GPPT) systems in Afghanistan and pass classified military information to the Taliban.
According to this story in the Indian newspaper The Statesman (itself based on a report appearing in the German paper Bild), the Pakistani intelligence service was able to get access to the information because the GPPT:
"... communicated ... on unprotected lines to reduce costs and thereby 'opened the doors' to the ISI."
In another cyber-related incident reported last week by Reuters among others, the U.S.-China Economic and Security Review Commission claims that hackers - suspected to be from China - had apparently tried a few years ago to interfere with the operations of the ground station in Norway that is used to control two US environmental-monitoring satellites (Landsat-7 and the Terra AM-1). According to a story at the Foreigner, the ground system may have been ripe for attack.
However, the Chinese government denied that it had anything to do with the cyberattack and the company that runs the ground station says it never heard about or saw any such attack, either.
Finally, last week saw a report of a successful IT security breach said to be the work of China-based hackers. In mid-September, Japan's largest defense contractor, Mitsubishi Heavy Industries Ltd., confirmed that 45 of its servers and 38 of its computers at a total of 11 company facilities in Japan had been compromised and were found to be infected with eight types of viruses. The company said at the time that it did not know whether any information of value had been taken.
Well, last week, a report in Reuters (citing the Japanese newspaper Asahi) claims that sensitive information on military aircraft and nuclear power plants had indeed been taken by the hackers. Mitsubishi refuses to confirm or deny the story, other than to say its investigation is continuing.
The Chinese government denied it had any part in this attack, as well.