How Much Have Foreign Hackers Stolen?

By Rich Internet Security Computer Security, Hacking

Mike McConnell, a former director of national intelligence, and now vice chairman of Booz Allen Hamilton, said the volume of cybertheft is staggering.

Hackers in China and Russia, security experts say, are habitually breaking into foreign travelers’ mobile devices, leapfrogging into their corporate networks and stealing sensitive government information and corporate trade secrets, often undetected. I explored this issue in an article in Saturday’s New York Times.

But how much have they stolen? Nobody really knows. Most companies I spoke with were reluctant to discuss security breaches or even disclose what policies, if any, they had put in place to protect their trade secrets. In most cases, security experts say, companies do not realize they have been compromised until long after the fact. Yet nearly everyone I spoke with agreed that as hackers improve their capabilities, and as Americans migrate to a mobile workplace, the problem has only grown worse.

In testimony before the House Committee on Financial Services last September, A.T. Smith, the assistant director of the United States Secret Service, estimated that in 2010, cyberthieves abroad stole 867 terabytes of data from the United States, or “nearly four times the amount of data collected in the archives of the Library of Congress.”

That much is now “taken on a daily basis,” said Mike McConnell, the former director of national intelligence and now vice chairman at Booz Allen Hamilton in a recent interview. “The volume is staggering.”

Mr. McConnell said that in evaluating computer systems “of consequence”— at government agencies, Congress and in the private sector — he had yet to encounter one computer that had not been compromised by an advanced persistent threat.

Joel Brenner, formerly the nation’s top counterintelligence official at the office of the director of national intelligence, said the problem was “huge, but it hasn’t been persuasively quantified yet.” He added, “Trade secrets can be measured in so many different ways and most companies don’t know they’ve been targeted.”

Mr. Brenner was the first to alert American companies to the threat of digital espionage by foreign hackers in the lead-up to the Beijing Olympics. In a 2008 travel advisory, his office cautioned travelers that foreign security services and criminals could track their every move using their mobile devices, and remotely activate their microphones, even if their phones were switched off. If a customs official asked to examine a device, or if a hotel room was searched, the advisory warned, “You should assume the device’s hard drive has been copied.”

Four years later, security officials say the pace of China’s corporate espionage campaign has accelerated. “Within the last four years, cyber-espionage has gotten exponentially worse as their capabilities have gotten exponentially better,” said Representative Mike Rogers, the Michigan Republican who is chairman of the House intelligence committee. “The biggest threat, when it comes to cyber-espionage today, is the sheer volume with which China seeks to steal our intellectual property for its own prosperity.”

Mr. Rogers said that at a closed forum at Stanford University last month, which included executives from Cisco, Google, Intel and Oracle, each company acknowledged that it had been hacked and each said they believed China was the culprit.

Enabling matters, security experts say, are American workers themselves. It is far easier to steal trade secrets when Americans carry them around on their personal devices. According to a report by International Data Corporation, half of all mobile devices used in the workplace last year were employee-owned. Workers were connecting these devices to their corporate networks and using them to transmit confidential information, often without so much as a four-digit password.

“We never let go of these things,” said Tom Kellermann, chief technology officer at AirPatrol, a wireless security company. “We work with them; we even sleep next to them. That’s the dark side of Web 3.0. Once someone hacks your device, they don’t just hack the back end, they hack your network. They can turn your camera and microphone on. They can hack your whole life.”

CED Solutions is the #1 location for Microsoft Certifications in North America. CED Solutions provides security training courses for CISSP, Ethical Hacking, Computer Forensics, Windows 7, Windows 2008 Server, Cisco CCNA Security, Cisco CCNP Security, Firewall, Intrusion Detection, Security+ and more.