[dnbgfher]

This is an absurd appeal to the whole victim-blaming awareness trend. That's about an individual going about their life and having a crime perpetrated on them, which primarily negatively affects them. This meanwhile is about a corporation entrusted with valuable information/access with the understanding the corporation would take appropriate measures to secure it.

The victims here had an obligation to those they worked with to take reasonable measures to prevent and mitigate this sort of thing. Just because something bad happened to them doesn't relieve them of this obligation.

It's possible for more than one party involved to be in the wrong. Just because the victims screwed up doesn't mean the perpetrator is somehow morally cleared. Nor does the perpetrator clear the victims of their carelessness.

Edit: Since apparently people are taking this to mean I think companies should withstand a dedicated attack by China, I've gone wrong somewhere. I don't mean that. I was talking about responsibility. They can both be responsible and not be negligent. What I expect is them to help clean up afterwards. Just because they failed in an understandable way doesn't mean they get to avoid taking actions to ensure the damage is minimized.

[threeseed]

As someone who has been involved in corporate security where we had a state sponsored attack your position is simply uninformed.

Almost all companies simply do not have the capabilities to defend against state sponsored attacks and are already taking reasonable measures to prevent and mitigate. When you have undisclosed exploits being used against third party vendor hardware to attack the company what can you reasonably do ?

[dnbgfher]

Mm. Perhaps I should have been a little more explicit. I never meant to imply any business should be able to handle a nation-state attack. That's not feasible.

It doesn't mean they get to clean their hands of the whole thing either. They failed, and that's fine as long as they weren't being negligent. But they are still responsible for doing what they can to minimize the damage. That means, for one, informing those impacted about what is known.

So, just to be super explicit. I don't expect a business to withstand a nation-state attack. I do however expect them to do what they can to minimize the damage afterwards.

[viraptor]

There's possibility to decide what could be done by the company without saying they're completely responsible, or couldn't do anything.

In this case it was spearphishing infected .docs. If corp security can't deal with that, they've got bigger problems.

[reirob]

Is it really so that even a company cannot protect itself against a state sponsored attack? I am asking sincerely, is it really the state of IT security today? I mean, it is somewhat clear that since Snowden we all know that we could not even dream up in our nightmares how far NSA is going. But I was thinking, that since then at least companies with strategic data started to work on protection.

If, what you are saying is reality, what consequences can it have and what legal recourse can a client (corporation or private) expect in such cases? Who can be hold as responsible if sensitive data disappears? Does it need a new type of contracts when subscribing to a service?

[jammygit]

Imagine an undeclared cyber war broke out. Out of curiosity, how 'far' from being able to defend themselves are most serious companies? If they had 3 months to prepare, do they save themselves from getting breached without going offline?

[nradov]

I don't believe you. Some companies may not have the capabilities to defend against state-sponsored attacks today, but that's only because their executives have chosen to be willfully ignorant and not devote sufficient resources to the problem. There's a whole industry of consultants and outsourcing services which provide exactly this capability. All you have to do is write a check.

[threeseed]

Show me who I need to write a check to defend against a 0-day exploit that was used against Cisco networking equipment. Which in turn was used to compromise security mechanisms within the company.

Oh wait you can't. Which is why we had to turn to our government intelligence services to provide assistance.

So stop pretending like companies can defend against state sponsors who are buying 0-days for $100k+ like it's candy.

[nickpsecurity]

The NSA certified the Boeing SNS Server and BAE Systems XTS-400 as stuff they couldn't hack at that point. They're used as guards to protect secrets on classified site from attacks on Internet side. There's been no published hacks of those systems for almost 30 years. You could try to see if you can buy them. I linked to descriptions of some of those products here:

https://lobste.rs/s/o6x9b3/tech_s_masturbatory_historiograph...

I described what I learned about how high-assurance security builds stuff here:

https://pastebin.com/y3PufJ0V

As I often said, compare anything from security market advertised as secure against stuff on that list. If they're missing something, they're probably insecure. Now, I'm still not saying you can stop nation states and all 0-days. I am saying that most of the $100k 0-days are preventable with architectures like above with apps in safe languages with guards separating trusted things from untrusted things. Ada has also been around a long time with Rust getting popular now.

What makes most companies not use stuff like that isn't that level of security being unachievable: they just don't want to for management's reasons which range from arbitrary to sound practices in a profit-focused environment.

[Terr_]

> All you have to do is write a check.

"I don't believe you." You can't just change the organization, culture, and procedures of a company just by throwing money at consultants.

That's like saying a big family can solve their feuds and mental illnesses just by writing a check to team of group therapists and lawyers.

[guelo]

Defense from foreign attacks is one of the main reasons for the federal government to even exist. You can blame the victims all you want but diplomatic and military defense is still the government's responsibility.

[jacquesm]

Even small nation states have a hard time defending against the larger ones, it is as you correctly identify merely a matter of writing a larger check but the amount on that check is so much larger than what is feasible that even the largest nation states find themselves routinely hacked.

Security is hard. So hard that no matter what amount of money you spend you will still be vulnerable, but maybe a bit less so. There are no absolutes in this.

[dx87]

What should the companies have done to protect themselves against the state sponsored attack? The article doesn't say how they were compromised, so what "reasonable measures" didn't they take to mitigate being targeted by a powerful nation?

[excalibur]

This is a fair point. Many of these large data breaches are revealed to be the result of negligence on the company's part (and often the company faces few to no consequences beyond public shaming). But in this particular case we simply don't have enough information yet to make that type of claim.

[A2017U1]

Taken from another commenter:

> according to the indictment, it was a few spearphishing emails with .docs attached, followed by keylogger and other malware installation.

Junior Sysadmins straight out of a bootcamp can negate that.

[dnbgfher]

Sure, maybe this was something beyond what could be reasonably prevented by a non-state. I don't think we know yet.

But they have a duty after the fact as well, to ensure the damage is minimized. That includes actually telling those potentially impacted what is known, etc.

[ineedasername]

This is true. It starts with China, it's their fault, but if your customers are compromised as a result they need know to protect themselves, or it spreads like a virus.

IBM is not to blame for the initial attack. But any further attacks that result from their silence can have a good share of blame laid at their feet.

[Kalium]

You're completely right. Every company has a basic, fundamental obligation to respect the human rights of their customers and partners to security and privacy. This is best manifested as taking reasonable measures to ensure that this basic human right is protected.

Now, there may be a wrinkle. When discussing nation-state grade actors, there's a very real possibility that they may attack in ways that cannot reasonably have been protected against by most private-sector security programs.

What are we to think, to do, to expect in such a scenario? To what extent should be expect any company, even a large and wealthy one, to successfully fend off the full might of a large and powerful nation-state's offensive information security apparatus?

Again, you're absolutely and unquestionably right. Companies can, should, and must take reasonable measures to protect the basic human rights of security and privacy. There just might be some room for subtlety when considering what reasonable measures can accomplish.

[dnbgfher]

Absolutely. I didn't mean to imply otherwise. I don't expect companies to be able to stand up to dedicated attention from a nation-state.

What I was trying to say was that that doesn't relieve them of their responsibilities to minimize the damage afterwards.

Just because they can't be expected to win doesn't mean they should be able to wash their hands of the whole affair without trying to help.

[Kalium]

What do you expect the outcome would be in a scenario where a company is living up their responsibilities to deploy reasonable measures, deploy defense in depth, and work to minimize the damage of a breach in the face of a sustained nation-state attack?

More to the point, in what ways are the companies allegedly breached failing to live up to their responsibilities to help minimize the damage of a breach? What should they do in a scenario where investigations may be ongoing and potentially involving law enforcement?

[umvi]

And I'm sure you believe Iran should've taken more reasonable measures to prevent Stuxnet? Securing yourself against script kiddies is one thing, but against a nation? Good luck.

[threeseed]

Stuxnet involved multiple 0-day exploits which state sponsors can afford to buy and deploy against even low level companies if they see fit.

Not sure how on earth people expect companies to defend against that.

[nickpsecurity]

Use secure devices, development practices, and so on. They've all existed since the 1980's on the market. IBM itself invented some of it in form of Fagan Inspections, VDM methodology, Cleanroom Software Engineering for low-defect development, a CPU that blocked leaks that violated a security policy, and a smartcard OS (Caernarvon) done by Karger et al to high-assurance standards. They could've afforded to use Ada, SPARK, and/or static analysis for protection by default from tons of 0-days. They had their own language, PL/S, with some protections. They instead of McAfee could've acquired Secure Computing Corporation or some other company if they wanted this expertise early plus some products with it. Boeings SNS server, which has no public hacks in 20-30 years, used the LOCK platform from SCC. There's small, new companies using lightweight, formal methods on kernels, protocols, and VPN's. One to four people groups in CompSci do the same thing regularly. IBM has even more developers.

You mentioned Cisco in another comment. Why buy Cisco if their stuff is known to be insecure or not proven secure? If not knowing high-security, I'd consider genua just cuz they use OpenBSD at the core. There were two others using INTEGRITY RTOS, one Sentinel's HYDRA and another discontinued, with both having few buyers. There's still going to be attacks but way less of them choking attackers further year after year. Hell, even leaks in CPU's were found from 1992-1995 using these same methods as LOCK et al in VAX VMM. We knew then with companies and security folks just ignoring them because those high-performance, lower-cost CPU's let us do some awesome stuff, right?

We're not getting hit because of ridiculous resources opponents put into 0-days: we're getting hit because of ridiculous resources put into known-insecure components and methods after people with those resources ignore stuff that works, often letting it die off. Totally, different problem. When phrased that way, one starts thinking maybe they should be regulated to use what works or liable for some of these decisions for ignoring what works using what's high-risk. I favor regulation after seeing positive results in TCSEC and DO-178B markets in terms of assurance activities.

[nradov]

Companies can defend against that through layered defense in depth and limiting the attack surface area.

[threeseed]

Well done. You've solved the security challenge of our generation.

And all it took was meaningless buzzwords which almost all enterprise companies at least do already. It doesn't make one iota of difference when your vendor equipment or services are compromised.

[ineedasername]

Limit the attack surface all you want, there's still an attack surface, and state based actors are highly motivated to put extreme pressure on these. It's nearly axiomatic that there is no perfect security, and to expect a company to defend against all attacks from organizations whose cyber warfare budget exceeds the company's gross revenue is unreasonable.

[monocasa]

Uh yeah, they should have. Random USB sticks (which is how stuxnet bridged the air gap) are banned for a reason in every secure site I've heard of.

[hermitdev]

Agreed. Financial institutions I've worked at have blocked unapproved USB devices at a domain level. Want that special keyboard or mouse? Got to have approval. Want to connect your iPod/phone for anything beyond charging? Hell no. Attach a USB mass storage device? Likely be ealked out the door fired before you get approval.

Edit: spelling.

[ineedasername]

those bans started happening en mass pretty much as a result of stuxnet. Before that, many places had policies that were lax or non existent.

[hermitdev]

Not sure this is true. Every company at scale I've worked at has had policies banning unapproved USB devices since the early 2000s. It's usually smaller companies that are more susceptible to this, because they dont have the infrastructure.

[ineedasername]

Really? Maybe it's just a bit of selection bias (not yours) that I didn't see it at the places I came into contact with.

[hermitdev]

Maybe it is selection bias. Most of my career has been spent in industries sensitive to trade theft (finance, industrial manufacturing). Not sure how difficult it is to do on Linux, but if you're administering a windows domain, disabling unapproved USB devices can easily be done via group policies.

[monocasa]

Nah, I personally know that some secure sites were banning them at least as early as 2006.

[lern_too_spel]

That's well and good, but existing and future clients should still be aware. The clients might decide that other service providers would be just as vulnerable, but they should not be kept in the dark.