Spying may be the world’s second-oldest profession, but espionage has been quick to embrace the technology of the internet era. Just as the online economy has made it easier to buy and sell goods and services, so the net is making it easier to steal and trade information. And companies are just as likely to be the targets of espionage attempts as government agencies.
“By no means do nation states have a monopoly on espionage,” says Ed Parsons, a senior manager in the UK cyber security practice at KPMG. “We are seeing for-profit and mercenary groups, stealing information and trying to sell it, including to governments.”
Mr Parsons says that one reason cyber espionage is growing is because blame is hard to apportion. Unlike the characters of John Le Carre’s cold war-era novels, who risked arrest or worse, today’s cyber spies are hard to trace and easy for governments and others to deny knowledge of.
Steve Durbin, international vice-president of the Information Security Forum, a not-for-profit trade association, adds that agents no longer have to go out into the cold. Instead of laborious and sometimes dangerous fieldwork, spies can work in comfort from offices far away from their targets, and often well away from their own sponsors.
There may be clues that point to a hacker’s identity or country of origin, including the timing of an attack, which may suggest where they were operating from, and pointers to the keyboard layouts and characters used. But these can be faked.
A surer way of spotting an online spy is to follow the information a hacker tries to extract, say experts. Credit card and financial data theft points to a criminal gang, while personnel, security records and intellectual property are a more likely to be a sign of spies.
High-profile incidents indicate that spying on companies by states may be common. Documents leaked by the former US National Security Agency contractor Edward Snowdon seemingly show that the communications of Petrobras, the Brazilian state oil company, were intercepted by the intelligence agency. Meanwhile, the US has blamed the regime in North Korea for an attack on Sony Pictures. The loss of data on 21.5m federal employees in the US from the Office of Personnel Management’s database is suspected to be the work of Chinese hackers.
Brian Honan, founder of Dublin-based BH Consulting and an adviser to various governments’ information security teams, says: “A government might keep its top spies close, but there will be others they want to keep some distance away, to ensure plausible deniability. In some cases, governments have hired criminal gangs to attack targets on their behalf.”
The lines between government hacking and industrial espionage are increasingly becoming blurred, especially in countries with significant state-controlled industries. Even in free-market economies, the distinction between “economic intelligence” and industrial espionage can be a fine one.
By no means are all spies government agents — companies spying on each other is also on the rise, driven by the same ease of access to data exploited by government spy agencies, say experts. According to the Data Breach Investigations Report from Verizon, a telecoms company, more than two-thirds of “phishing” incidents — the sending of fraudulent emails asking individuals to provide personal or professional data — are probably linked to some form of online espionage.
For companies, hacking or buying information from a hacker poses far fewer risks than paying someone to steal physical blueprints or files. Industries such as pharmaceuticals and technology, as well as defence, have seen products emerge that seem to draw heavily on stolen intellectual property.
In other cases, companies might seek out commercially sensitive data to gain an advantage over competitors. Details of contract negotiations or trade deals are popular espionage targets.
Hackers are also targeting businesses’ advisers, including law firms. According to Laurance Dine, managing principal at Verizon’s investigative response division, professional services firms are the third most targeted type of organisation.
One area where the actions of government and industrial spies will differ, however, is when cyber espionage turns to remote-control sabotage. Spy agencies have long considered physical disruption of an enemy’s infrastructure to be part of their role, although most refrain from such attacks in peacetime.
Cyber spies can plant “malware” — malicious software — on adversaries’ computer systems and activate it months or even years later. However, high-profile malware attacks, such as the Stuxnet virus — widely blamed on the US and Israeli security agencies — that reportedly damaged a fifth of Iranian nuclear centrifuges, seem rare. However, they can also use the web’s dark arts to probe for electronic or physical weak points, and to capture data they may be able to exploit later.
Mr Durbin at the ISF warns that companies with government contracts could especially be used as a back door into the systems of security, defence and government agencies.
“It is easier to access secure systems through third parties, or third parties’ third parties,” he says. “The further away you are from the centre, the more security diminishes. Spies and hackers know this . . . it is easier to go in that way, than to try to hit the Pentagon.”
Governments, however, are realising that their commercial contractors can pose a security threat. In the UK, the security services increasingly give advice directly to businesses. In the US, the National Institute of Standards and Technology also provides cyber security guidance for organisations.
However, some boards and chief information officers still believe there is little that can be done to protect against a well-resourced, determined hacking attack. But Mr Parsons at KPMG says this is not the case. Even national spy agencies rely heavily on basic online vulnerabilities that companies should have fixed.
“Some attacks are depressingly low in sophistication,” he says. “This is certainly not a counsel of despair.”
Get alerts on KPMG LLP when a new story is published