May 19, 2014 Updated: May 21, 2014 at 5:46 pm
If a major data breach at Target last year didn't wake business owners up to the reality of cyber attacks, accusations Monday that Chinese military officials hacked into several U.S. companies might spur them into action.
But it appears the Target breach was enough to compel many U.S. businesses to take steps to make their networks more secure, according to a partner at a Denver-based law firm who specializes in cyber security.
"It scared the daylights out of everyone else," Tracy Gray, a partner at Holland & Hart's Boulder office, said after taking part in a panel discussion Monday on the first day of the four-day Space Symposium at The Broadmoor.
"Information has come out that there were signs and network weaknesses up to a year in advance (of the breach). There were vulnerabilities that could have been addressed, and addressing vulnerabilities beforehand is the way to go."
Gray was one of four members on the Cyber 1.4 workshop panel who discussed how businesses and government agencies could better protect sensitive data and systems.
Businesses will have to balance the cost of better securing their network against the risk of failing to do so, which in Target's case is likely to result in an insurance claim for $100 million in damages, Gray said. The biggest threat of cyber attacks has traditionally been in the financial services industry, but the Target breach put retailers on "high alert" that attackers are increasingly focusing on them as a way to get financial information, she said.
In the case announced Monday, five officers of the Chinese People's Liberation Army are accused of hacking into computers at Westinghouse Electric Co., U.S. Steel Corp., Alcoa Inc., several other businesses and a union to gain access to trade secrets and private communications.
"There's not been a lot of this, but it does set a precedent," Gray said.
It remains to be seen whether the indictments against the officers will send a message to other would-be hackers, she said. Without a successful prosecution, there will likely be no deterrent.
Avoiding attacks begins with top management communicating the importance of maintaining cyber security, but also requires training employees how to keep a company's or government agency's network secure, Gray said. Companies also should have a policy in place for what to do when an attack occurs, and that policy must be flexible enough to deal with any attack, she said.
William Marion, a panel member and chief technology officer of Air Force Space Command, emphasized that people are the most important line of defense in maintaining cyber security, which he said is less about "the network itself; it comes down to how users behave on the market."
Panel moderator Christopher Ling, who is executive vice president of military contractor Booz Allen Hamilton, said one of the ways his company maintains cyber security is by sending out fictitious emails to employees, trying to convince them to click on a link. If they do, they have to attend a two-hour training session on following the company's cyber security policies. So-called "spear phishing" - sending authentic-looking emails to company employees - is allegedly how the Chinese officials operated.
Some of the newest methods for maintaining cyber security include software that looks for changes in user behavior as a clue that a breach has happened, and using "frequency-hopping" technology that randomly changes the user's location on the network to make it more difficult for attackers to "get a fix on where you are," said Jeffrey Snyder, a panel member and vice president of cyber programs for defense contractor Raytheon.
"The threat is real, stealthy and will always be there. We have to minimize it," Snyder said.