According to Marcus J. Carey, security researcher and community manager with Rapid7, there is a great quote attributed many times to baseball legend Mark Grace: "If you aren't cheating, then you aren't trying hard enough."
“This resonates well with me in the current global market where everyone is playing by new rules. It seems like even though many Americans value concepts such as intellectual property, trade secrets, and competitive advantages, they don’t consider the value other countries place on them too, and they don’t take the necessary steps to protect their valuable information”, he says in his latest security posting.
Yet, he adds, the recent report to the US Congress on Foreign Economic Collection and Industrial Espionage (2009-2011) demonstrates the real need to do this.
Carey asserts that the report paints a picture showing that every country - especially China, Russia, and even US allies - engages in industrial espionage against the United States and each other.
For these countries, he argues, cyber espionage is likely just the tip of the iceberg, very much complementing the main areas of espionage being conducted in the real/physical world.
“It’s much cheaper for foreign governments to ‘borrow’ research and development information and go straight into production, particularly in countries like China and India where there is a strong supply of industrial, low wage workers to crank out products”, he says.
“For this and other reasons, espionage is certainly not a new practice, rather the internet has simply made it more visible and traceable”, he adds.
The truth, he goes on to say, is that a good espionage program is vital to a country's success, as we saw during WWII and the Cold War – and it is the responsibility of governing agencies to perform espionage against other countries, as well as to help their own citizens with counter-espionage and cyber defense strategies.
In fact, he notes, this is the main charter of the National Security Agency (NSA), for which he worked for more than eight years.
The NSA’s focus, he claims, is on exploiting other countries' communications and at the same time, ensuring that the USA's government and business communications remain confidential.
“With this in mind, I've re-spun the Mark Grace quote as: ‘Countries that aren't engaging in espionage aren't trying hard enough!’ - it’s not the findings of the report that are so shocking, but the fact that organizations continue to underestimate this threat”, he says.
“It’s time people realized that cyber threats are not going to go away. There are no treaties or other negotiations that will make this activity stop. These are the new rules of the internet-based society. This being the case, all organizations must establish a solid information security program to protect themselves”, he adds.
The bottom line, argues Carey, is that companies need to establish a business continuity plan with solid incident response procedures, and ensure that their business leadership understands the risks.
Companies should also, he says, carry out effective security awareness training for all staff and – as a minimum – conduct weekly vulnerability scanning and patch vulnerabilities.
Firms also need to carry out regular penetration testing to vet their security architecture and create a degree of organizational accountability to hold staff responsible for security failures.