...doing business with countries such as China and France will, as a matter of course, be subject to attempts to steal information and intellectual property.
"What we're seeing is every organisation that's doing business with certain countries is being targeted with the same cyber-weaponry that the military is being targeted with," says Paller. "If you're about to do business with a particular country they will not only penetrate your computers, but they'll go after your lawyers, consultants and accountants, looking for all the documents about the deals you're about to make, giving them a competitive weapon. My guess is there are 25 countries being involved in this at some level or another. The commercial side of it seems to be more China and France."
State of denial
However, following the attacks on Estonia and on other country's critical national infrastructures, Paller says critical national infrastructure (CNI) operators in many countries, including power utilities, banks and health services, still had not made adequate security preparations.
"There's still a state of denial," says Paller. "The most difficult problem is to get the energy in place to build defences, as long as your senior leadership wants to believe they wouldn't be targets. One of the reasons the CIA released some data about an actual outage [involving a power company] that was caused by remote cyberattack was to awaken senior management of critical national infrastructure to the idea that being in denial is just stupid, you actually have to start protecting your systems."
According to Paller, problems faced by CNI companies include extortion from criminal gangs that prove they can attack and demand money, which Paller describes as a growing threat. Victims are like to pay up, says Paller, "even if they don't think the bad guys are likely to do what they say they can do."
Paller warns there is also a danger of people "owning" computers to be used later. "They come in, take them over, collect as much information as they can about employees, management systems and passwords, and they hide, just hide," explains Paller.
Tiirmaa-Klaar argues that CNI companies have a long way to go before their security is up to scratch. Supervisory Control and Data Acquisition systems (Scada), used in conjunction with human operators to control industrial systems, do not have adequate security in many European countries, she claims.
"Critical national infrastructure organisations should check the gaps where their Scada systems are connected to the internet," says Tiirmaa-Klaar. "In many cases Scada is not secure: it depends on the country. The UK [is probably] safe, but I don't know about all European countries. A lot of critical infrastructure is in private hands, and private companies are always having to update their systems. Private companies are not interested in investing in security unless it's really vital. Governments have to make sure private companies are investing in up-to-date systems — there should be control mechanisms."
John Colley, the managing director of security training organisation ISC2, claims that in the UK the effect on government has been to focus attention on the possibility of politically motivated cyberattack. However, he says businesses have done "very little beyond what they were already doing", although he concedes that most businesses now plan for distributed denial of service (DDoS) attacks.
"My impression is that government is taking it more seriously than industry," says Colley. "It could be that industry is not particularly focused on Estonia."
Other security experts, such as the National Institute of Standards and Technology's manager of systems and network security group Tim Grance, say that assaults...