Friday, 6 December 2013

The confounding math behind cyber attacks

The spectrum of worst possible outcomes will fluctuate, governed by the wildly differing kinds of hackers' expertise and intentions

Singapore

WHEN the worst possible outcome of a hacking attack is imagined, the average person must be thinking of the post-apocalyptic wasteland of Terminator at the mercy of the malevolent computer system, Skynet.

Even among experts, this scenario is not that much of a stretch.

Stree Naidu, data-security company Imperva's vice-president for the Asia-Pacific and Japan, said: "World War 4 could just be a cyber attack, and we underestimate that in totality."

Cyber threats have increasingly brought doomsday-type scenarios within our peripheral vision; occasionally, they have struck key facilities or disrupted businesses.

Last year, for example, 30,000 workstations at oil giant Saudi Aramco were brought down by a malware attack, which US officials blamed on Iranian-backed hackers.

Iran has denied involvement.

In March, South Korea's banks and broadcasting stations were paralysed by malware attacks that had experts pointing fingers at North Korea.

So far, the fallout has stopped short of Armageddon.

Saudi Aramco claimed that its hydrocarbon exploration and production systems were unaffected. South Korean banks have been attacked intermittently for years, with files lost and passwords compromised. Yet each time, they have survived to be hacked another day.

The end of the world notwithstanding, these attacks add up. A survey of 234 firms by Ponemon Institute (which carries out independent research on privacy, data protection and information security policy) found that this year, cybercrime cost each firm an average of US$7.2 million - a 30 per cent increase from last year.

In Singapore, the worst-case scenario has remained nebulous.

Trend Micro Singapore's country manager David Siah said: "So far, I don't see (what happened in South Korea) happening here . . . Singapore is pretty well defended."

But defence aside, a worst-case scenario might well come down to an alignment of motivation with ability.

Senol Yilmaz, an associate research fellow with the Centre of Excellence for National Security at the S Rajaratnam School of International Studies, said some conditions are key for a worst-case scenario to materialise.

For one, there needs to be a "state-actor" - an individual or group acting on behalf of a government - and this state-actor needs to have highly sophisticated cyber capabilities and great motivation to inflict harm, he told The Business Times.

"In the current international climate, I do not see any state-actor that would have the motivation to hit Singapore," he said.

But even if there is little political motivation for now, financial motivation still exists. Imperva's Mr Naidu said: "We're a target because Singapore's the lynchpin of Asia."

"If I were a chief executive, my biggest fear would be to wake up in the morning and find that all my important information lies in the hands of my competition."

In March, the monthly statements of 647 Standard Chartered Bank private banking clients were stolen off the server belonging to the bank's printer, Fuji Xerox Singapore.

Where there is no apparent financial or political motive, pinning down a worst-case scenario is even more difficult. Delson Moo, the 42-year-old businessman charged with defacing the Istana's webpage, told the press last month that he did it because "my hand was itchy".

Experts say that a hacker who is in it just for the heck of it is a bigger headache than one looking for a profit. "He has a motivation we can't define," Mr Naidu said.

As more people answer the hacktivist siren call, the spectrum of worst possible outcomes will fluctuate, governed by the wildly differing kinds of hackers' expertise and intentions. At the same time, the decentralised nature of hacktivism will make them harder to identify.

Amid all this, firms will have to put a price tag on a problem with no face.
