A Blog by Jonathan Low

 

Sep 23, 2016

Who Hacked Yahoo and Why? Who Cares!

North Korea, Russia, China, Iran... The potential perpetrators of 'the largest hack in history' - until the next one - are part of an almost endless list. And if your corporate communications staff throws in 'non-state actors' like ISIS, well, as they used to say, 'Katy bar the door.' You know, back when doors actually served a useful security purpose.

National security services hack to obtain useful information they can apply for strategic purposes. Criminals do it to make money. And sometimes - as is often the case with Russia and North Korea - the two are combined. 

The real issue is why this keeps happening. The threat is well-known. The costs are astronomical. The embarrassment at the seeming incompetence profound. Blaming a foreign government does not absolve management of responsibility. JL

Tim Culpan comments in Bloomberg:

It's funny because it's true.
Claiming a hack was launched by a foreign government is the ultimate get-out-of-jail-free card for embarrassed corporate executives.
That line from coverage of the Yahoo hack of at least 500 million user accounts sums up the ridiculous attitude so many in management (and in public relations) take toward cyber security. In blaming a "state-sponsored actor," Yahoo seems to be trying to tell us "there's nothing we could do." JPMorgan tried a similar tactic, with little success, after a 2014 hack.
It's as if foreign governments are expected to be able to breach any firm's cyber-security measures, and corporations should be forgiven.
That's bunkum.
Cyber security is one of the few areas where victim-blaming might be considered acceptable, and by victim, I mean the companies. In reality, the real victims are the customers, because little downside ever seems to visit the corporations, or their executives.




Ah...Who?
Yahoo's declining relevance to advertisers can be seen in its shrinking share of global spend, yet its legacy mail service and large user base make the latest hack a massive security breach
Source: Bloomberg Intelligence
I know I'm going out on a limb here, but by implying a hack is state-backed, and thus couldn't be stopped, corporations are by extension blaming users themselves. That's not acceptable.
Obfuscation aside, it may not be an entirely stupid move to blame a nation like China, Russia, North Korea or the U.S. (come on, if you're pointing fingers don't leave anyone out!). You see, a state-backed hack may be better news than a non-government attack. Crazy, I know, but hear me out.
If a government is hacking your service provider, it's more likely to be looking for strategically valuable information, or a way to extract information from a strategically valuable person. If you're an average Joe teaching gym at the local high school you're probably not on the hacker's radar. If you're a White House staffer sending POTUS's private schedule -- or nuclear launch codes -- to your Yahoo Mail account, then you're SOL.
A non-government hacker is probably in it for commercial reasons. Stealing credentials en masse to sell to the highest bidder is just one business model. And since buyers know that even coach Joe has a credit card, that's valuable information.
There's nothing to suggest a state-sponsored hacker isn't also in it for commercial reasons -- heck, a bit of ransomware would be a great way to fund the office Christmas party -- but that's not usually their primary purpose. At the same time, remember that state-sponsored and commercial hacks aren't mutually exclusive.
While Yahoo's position in the global internet economy is declining, its legacy status and massive email base make this breach important, and damaging. Blaming it on a state-sponsored actor looks suspiciously like PR spin, but the alternative could be worse.
