Why Most Companies Won't Admit They Were Hacked
The New York Times, which today (Jan. 31) detailed a massive attack upon its computer systems, is certainly not the first U.S. company to be hit by hackers apparently working for Chinese interests.
Hundreds of Western companies, organizations and government agencies have been attacked by hackers from China over the past five years. But the Times is among the few companies — Google is another — willing both to disclose details of the attack and to accuse Beijing of being behind it.
For every cyberattack or data breach you do hear about, countless others will never be disclosed.
Why don't more companies come clean? There are many reasons.
Keeping it under wraps
"Some companies that get hit like this never realize they were hit," said Mikko Hypponen, chief research officer at F-Secure in Helsinki, Finland. "Many of the companies that get hit are defense contractors. They'd rather not tell anyone they were hacked."
"It's not good publicity, which can negatively impact the company or organization in many ways," said Roel Schouwenberg, senior anti-virus researcher in the Woburn, Mass., office of Kaspersky Lab. "It may also interfere with ongoing investigations by law enforcement."
There might be other reasons to avoid blaming China, Hypponen said.
"Some of the targets are human-rights organizations and freedom-of-speech organizations," he said. "They might be simply afraid."
When most companies disclose data breaches or cyberattacks, it's because they have to.
Hospitals, insurance companies and health agencies must disclose breaches of patient information. Publicly traded companies have to mention effects on earnings or profits in reports to shareholders.
"If certain types of data have been stolen (such as PII and customer records) there may be legal and moral obligations to issue a press release and guidance for those who could be impacted," said Graham Cluley, senior technology consultant at Sophos in Abingdon, Oxfordshire, England.
PII stands for "personally identifiable information."
Unlike most companies that are required or choose to disclose a data breach, the Times was especially candid, providing readers with a timeline and breakdown of how the attack occurred.
The newspaper broke the news in a front-page story and even went as far as to link the hackers to the Chinese military, an accusation that's rarely made overtly.
One reason it's hard to openly blame China is that the attackers almost always use compromised servers in other countries or hide behind proxy services, veiling their true origins.
"How do you prove that it was Chinese hackers?" Cluley asked. "Even if an attack was traced back to a Chinese IP [Internet Protocol] address, how can you prove that that computer wasn't also compromised and under the control of a hacker in, say, Belgium?"
"Forensics is difficult and never perfect. I expect most companies don't admit they've been hacked because they often don't have a complete picture themselves," F-Secure's security advisor Sean Sullivan said.
Even if the attackers seem to be operating in the interest of the Chinese government, that doesn't mean they were sponsored by it.
"I wouldn't blame 'China,' because it could very well be Chinese nationals," Sullivan said. "There are all sorts of hackers in the world, and many of them are patriotic Chinese citizens that act on their own."
"Chinese hackers aren't as often to blame as fear mongers in the press want to report," said Robert Graham, founder and chief executive officer of Errata Security in Atlanta.
Good for business
George Smith, a senior fellow at the Alexandria, Va., think tank GlobalSecurity.org, believes corporations might be concerned that blaming China will make it harder to do business in China.
"The Chinese actually have been blamed for a long time," Smith said. "However, many U.S. multi-nationals, unsurprisingly, have business in China and aims directed at exploiting markets there.
"You can see where such a business would think it's in a bind if it needs permissions and cooperation from [the] Chinese central government and, at the same time, finds out it has been penetrated by cyber-espionage efforts that may originate from the same."
Smith noted that the Times had a motivation for being forthcoming. It's simply a great news story, and one the newspaper was sure not to let anyone else get to first.
The Times "has many incentives to cover the story and provide details, as well as the capability to do it well and to shape it from a first-hand account, in advance of competing news outlets," Smith said.
Badge of honor
The Times' willingness to spill the beans may trigger more openness about cyberattacks and data breaches.
"Given the amount of stories about high-profile hits in recent and not-so-recent times, people have gotten more used to this type of news," Schouwenberg said. "Slowly people have come to realize that this happens to everyone. I definitely think the negative impact is not as severe as it once was."
"Disclosure from @nytimes is good," Schouwenberg later tweeted. "But the security industry needs tech details to make sure other targets are better protected."
"Somehow I suspect its [the New York Times'] rivals will soon be more eager to admit to being targets of the Chinese," Sullivan said. "I think that could become a badge of honor among news-media outlets."
Hypponen also saw today's disclosure as a positive step.
"Google and the New York Times did a service to all of us by publicly coming out and announcing they've been had," he said.