New Dillingers rob data instead of banks as they cash in on virtual world
Cybersecurity boss Anthony O'Mara warns firms must step up the fight against gangsters stealing valuable information from public and private sector targets
When asked to explain why criminals now focus on stealing information, Anthony O'Mara, EMEA vice-president at security software company Malwarebytes, likes to use a quote from the Depression-era gangster John Dillinger. "When he was caught, the judge asked him 'John, why do you rob banks?' He answered: 'Because that's where the money is'."
Today the virtual world is where the money is, and latter-day Dillingers rely on malware so streamlined you might never even know you've been attacked. There might not be a tangible "theft", but your data has been critically compromised.
Cyber attacks on government bodies have made for some of 2016's most dramatic headlines, ranging from the unexpected (earlier this month, the Australian Bureau of Meteorology was targeted by remote access tool malware), to this year's notorious DNC hack, to further US allegations that Russian "bad actors" have targeted their voting machines.
Recently, a nuclear facility in Japan revealed that it had been the victim of spear-phishing designed to steal the work of scientific researchers. Alleged state attackers can also target commercial properties - Yahoo's 500 million compromised accounts were the result of what's believed to have been a state-sponsored hack.
With public sector attacks, it's clear that information is more precious than gold. These virtual offensives are becoming more popular, forever threatening to evolve into a cold war fought from behind laptop screens.
Malwarebytes is among the fastest-growing cybersecurity firms worldwide, using intelligent heuristics and behaviour-based technologies to protect businesses and individuals from cyber attacks.
Founded by a then-teenaged Marcin Kleczynski in 2008, the company has offices in Cork and San Jose, California, and its software runs on over 250 million machines worldwide.
To O'Mara there's little point in dwelling on differences between public and private sector cyber attacks - in both cases, a criminal is after valuable information.
"Value is held in the online world - whether it's online banking or information stored in the cloud," he said. "Governments hold treasure troves of information on people, on budgets, and on things like zoning and planning, all of which criminals will at some point try to steal."
Traditional espionage has migrated from the physical world to the virtual space: hacking is the latter-day equivalent of bugged hotel rooms and tapped phone lines.
"There's an element of innovation which drives the cybersecurity industry but in another sense it's the same old tactics: it's just that the platform has changed," said O'Mara. "It's easier to do now, too, given the platforms that we're all operating on."
Irish government websites have been targeted repeatedly in recent years, including a DDoS attack in January this year and an attack on our Freedom of Information site in February, made by a group claiming - somewhat dubiously - to be connected to ISIS.
But O'Mara does not see Ireland as especially vulnerable. Cybersecurity will always be subject to trade-offs, with budgets dictating system updates and recruitment. For now, our Government's cybersecurity is adequate: the challenge is keeping up with evolving threats.
"One of the things which has emerged in recent years is that you can purchase malware as a service," O'Mara said. "You can effectively go to a malware supermarket and give them a profile of your potential victims. You can go after specific information from specific government departments. Imagine how valuable the health information of certain individuals is, for instance, stolen from a hospital."
Another scenario might see purpose-hired hacking software target a local council office in order to access zoning plans. "Today everybody talks about the lack of houses in Ireland, but, if a commercial organisation was able to get hold of information on land about to be zoned, and they were looking to buy land, they could do that. It would still be criminal activity; a commercial organisation using a criminal activity to find out what land to buy."
These relatively niche attacks aren't going to make international news headlines, but their subtlety is also their main strength. "It's not like robbing money from a bank," said O'Mara. "You still hold the information. It's just that someone else has access to it as well. In a sense this is an even greater concern, because, if someone takes information from you, you probably won't know that it's happening."
What can be done to fend off attacks? "There are simple, basic security measures that will go a long way to protecting you, for individuals and governments as well."
O'Mara advises both public and private sector companies to invest time and resources in education, and to make sure software is up to date and bought from a reputable vendor (free security software can be useful, but works on a more passive basis).
But, as ever, it's human error, in this case that of government workers, which leads to mistakes. "The biggest risk for any organisation, whether it's government or commercial, is the person behind the laptop."