There is a long but fascinating story about hacking in today's Wall Street Journal that should send a cold chill into every corporate board room. It concerns the infiltration of Nortel Networks' computer systems by suspected Chinese-based hackers since at least the year 2000.
According to the WSJ, the hackers--using seven passwords stolen from top Nortel executives, including the CEO--"downloaded technical papers, research and development reports, business plans, employee emails and other documents" for the past decade or more. Nortel, which was once a leading telecommunications firm that went bankrupt in 2009, is in the process of selling itself off in pieces as part of the bankruptcy process. There is now a concern that those companies purchasing Nortel IT assets may also be "purchasing" the hackers and their spyware as well.
The Journal article states that Nortel "did nothing from a security standpoint" to keep the hackers out other than to change the seven stolen passwords when the intrusion was discovered. This lackadaisical security stance allowed the hackers "access to everything" the Journal says. The story also points out that even though Nortel digital switches and other telecom gear are widely used by Internet providers, the company never bothered to check to determine whether any of its products had been compromised by the hacking, even as the extent of the hacking was becoming alarmingly clear.
One reason was that Nortel senior executives did not believe the hackers or their potential for intellectual theft posed much of a threat. One former Nortel CEO was quoted as saying that the hacking wasn't seen as a "real issue" and he couldn't seem to imagine that the selling of IT equipment to other companies posed any conceivable threat either. In addition, as the company increasingly faced financial difficulties, IT security became even less of a management concern at Nortel, if that was even possible.
What was also interesting about the WSJ article was that public companies for sale do not have to disclose that they have suffered a security breach unless the purchasing company specifically asks about it. The US Security and Exchange Commission (SEC) has recently said that such incidents that are material now must be reported on quarterly company reports (that is why the hacking of VeriSign was disclosed), but in Nortel's case, it is doubtful that any IT security event would have been perceived as such, given the attitude of management.
Maybe the SEC should require companies report whether their senior management is clueless about the importance of cyber security.
The Journal article states that the companies that have bought Nortel IT assets and have been contacted by the Journal about the extensive IT penetration of Nortel by hackers don't seem outwardly concerned about it, although I bet that internally they are fuming as they quickly implement additional security reviews. Not only are their own networks likely at increased risk, but the value of the intellectual property they purchased from Nortel may be a lot less than they thought it was.
The Journal story also describes a nice road map for hackers as well. First, target a financially distressed company that probably is not investing in IT security and that is likely to be sold off in pieces. Bury your spyware deep in its IT systems including company laptops and desktops. Wait a while, and they try to activate your spyware. Who knows where it will end up and what you can steal?
The Chinese government denied it had anything to do with the hacking at Nortel. According to the Journal, the Chinese embassy in Washington, DC "issued a statement saying in part that 'cyber attacks are transnational and anonymous" and shouldn't be assumed to originate in China 'without thorough investigation and hard evidence.' "
The fact that Nortel has been penetrated by hackers for so long isn't all that rare. Just last month I wrote about the City College of San Francisco's efforts in fighting the effects of hacking that started over a decade ago and was undetected until recently. I am sure there are other organizations that have been penetrated for as long and still don't know about it.
One other bit of IT security news. According to the Financial Times of London, Dutch telecommunication company KPN has sent via a national ad campaign "two million apologies" to its 2 million subscribers who were unable to access their emails last Saturday and Sunday. The FT article states that "KPN suspended email access and reorganised its servers due to intrusions last month by unknown hackers who said they had downloaded about 16Gb of sensitive data from its servers."
KPN admitted the obvious in an email to its customers that its system maintenance approach had "not been optimal."
However, KPN customers apparently are not only upset about their email being suspended, but also with KPN's admission that it had been hacked in January but only decided to let anyone know about it last week when details of some 500 customer accounts including their passwords were placed online by the hackers.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.