Hackers Evade Businesses’ Cyberprotections by Attacking Supply Chains, Researcher says
LLANDUDNO, U.K. -- The creative industries and academia suffer more cyberattacks than other sectors but hackers are increasingly breaking into business supply chains to access more desired information, University of Glamorgan, Wales, Professor Andrew Blyth said on Wednesday at a North Wales e- crime summit. Early results gathered over one business week on what kinds of cyberattacks are hitting Wales and where they're coming from show China to be the worst offender, with the U.S. a distant second, he said.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
The survey measured cyberattacks on 15 laptops installed on the networks of organizations, Blyth said. Over five work-days of round-the-clock monitoring, more than 25,000 incidents occurred, around 1,700 per computer, he said. Fourteen percent of creative industries and educational institutions experienced attacks during the project, Blyth said. Seven percent of ICT services, and 4 percent of bioscience and manufacturing services were also hit. Cybercriminals now realize that companies with intellectual property to protect, such as pharmaceutical and high-tech businesses, are taking steps to do so, he said. Rather than going in through the front door of a targeted company, crooks increasingly seek rear-door entry through its suppliers or service providers, he said.
Social networking sites offer an extremely soft target for criminals seeking passwords, said CRYPTOCard Europe Chief Executive Jason Hart, a former “ethical hacker.” But the newest “hotnets” are Web application programming interfaces (API), he said. E-criminals attack by obtaining the password of an employee at a particular company, then using it to access other networks linked by API, he said. These problems are easily preventable, but people believe “it’s not going to happen to me,” he added.
Asked about the policy implications of his research, Blyth recommended closer police cooperation. Tracking e- criminals is expensive and time consuming, he said. It took the world 40 years to sort out the law of the sea, and will likely take that long to come up with the “law of the Internet,” he said.
But Spamhaus Chief Information Officer Richard Cox said that while nearly every U.K. police force has an e-crime unit, each unit has only one officer assigned to it. “The police service: You ARE the weakest link!” he said. It’s impossible to locate an e-crook without cooperation from authorities in other jurisdictions, Cox said. But there’s no incentive for any police officer to investigate crimes where the perpetrators are in a third jurisdiction, he said. He urged governments to take the issue more seriously.
Meanwhile, the U.K. Lords Home Affairs Subcommittee is investigating EU policy on cyberattacks, it said on Wednesday. A European Commission statement on protecting Europe from large-scale cyberattacks highlighted many concerns about the adequacy of protective and responsive infrastructures, and lawmakers want to explore whether its recommendations are realistic, the panel said.
The inquiry will focus on the roles for the EU and national governments in enhanced governance, how to ensure a strong EU-wide response capability, and how to bridge the gaps in national critical systems security policies, the committee said. Many of those systems are no longer operated by public bodies but privately, it said.
Lawmakers want input on several questions, including: (1) How vulnerable the Internet is to widespread technical failures? (2) Whether the Internet industry is doing enough to ensure resilience and stability? (3) Whether EC concerns about cyberattacks are justified, and whether the military should be more involved in protecting the Net? (4) Whether government-run computer emergency response teams are the right mechanism for dealing with Internet incidents? (5) Whether a European-centric or a more global approach to response infrastructure is more appropriate? Comments are due Nov. 13.