Dark clouds gather over online security

Google may have realised that they cannot guarantee the security of their secrets -- or yours

Google may have threatened to leave China to keep us all from concluding that "the cloud" cannot be secured. If that's true, isn't that precisely what we should conclude?

After all, if Google's security systems were breached, wouldn't they just fix the flaw and keep their mouths shut? If they thought they could protect their data and yours, wouldn't they have just done so and not said anything?

In other words, the whole Google-in-China issues boils down to this: Google may have realized that they cannot guarantee the security of their secrets -- or yours.

It seems that all our data is moving to the cloud -- especially for mobile computing users. Is it time to rethink cloud computing?

Threat: Insecure guardians of private data

What does Google know about you? Depending on which Google services you use, Google might know your exact location, what your e-mail says, what you buy online, what your schedule is, who you know, what your credit-card numbers are, where you live, where all your friends and family live, what your interests are, what you read, what your voicemails say, who you talk to on the phone, your detailed health conditions and health history, and much more.

Google even offers a service called Google Email Uploader , which makes a copy of all your e-mail from Outlook or other desktop utilities and puts it into Google Apps, where it's backed up and searchable. They also now offer a service whereby you can upload any file to Google Apps. Now even pre-cloud personal data is moving to the cloud.

Theoretically, all this personal information is safe. Although Google "knows" all your information, no human would ever read it. Besides, do you trust Google with your information? It's a big question, but I would have to answer that in fact, yes, I do.

Unfortunately, if the China event tells us that the cloud cannot be secured, it doesn't matter if we trust Google. We would have to trust both hackers and anyone they might sell our private data to.

Review that list of what Google "knows" about you. Now imagine what others could do with that information: insurance companies, our government, "their" government, marketers, predatory financial services companies -- not to mention blackmailers, identity thieves and extortionists.

Of course, hacking is nothing new. A recent survey found that more than half of IT executives report "high level" attacks on their companies. The difference with cloud computing is that a cloud service like Google could be one-stop shopping for hackers. If they hack one company, they have one company. But if that company is Google, they have everybody.

It gets worse.

Threat: Outsourced industrial espionage

There are three general theories about the Chinese government's role in the hacking of Google, which involved both the theft of Google's intellectual property and also the accessing of Gmail accounts of critics of the Chinese government, both inside and outside China. The government either perpetrated the crime, had nothing to do with the crime, or the crime was committed on the government's behalf by freelance hackers looking to make money.

Of these three, the third possibility is by far the most threatening. What this could mean is that an industry has emerged in China where hackers seek out secrets that might be of value, and then look to sell them to the highest bidder. Of course, that's nothing new, either. But Google characterized the attacks as "highly sophisticated and targeted," which could mean freelance hackers are operating as organized businesses -- sort of like software companies with R&D labs that develop such advanced techniques. They also mirror the GhostNet attacks reported last year.

And if it's happening in China, it's probably happening elsewhere, too.

I think it's very likely that espionage -- industrial and otherwise -- will become a massive industry. Organized crime gangs will increasingly automate the harvesting of personal data, then figure out later where to sell it. This already happens, but I think we're facing a rapid increase in both scale and sophistication.

Hacking password-protected systems is already simple enough, and can be automated. But freelance industrial spies, following the suspected Chinese model, would launch multipronged, surgical attacks or simultaneous attacks on very large numbers of individual accounts. As in the Chinese hack, this harvesting can include the largest corporations as well as individual citizens. One of the targets in the Google China hack was a 20-year-old Stanford University sophomore named Tenzin Seldon , who is active in a student organization called Students for a Free Tibet. That's right. An American girl exercising her First Amendment right to free speech in the U.S. appears to have been targeted by the Chinese Communist Party as a threat, and as a subject for monitoring.

The state of the art (according to reports analyzing the Chinese attacks on Google) is to first target individuals within an organization who have access to sensitive and valuable secrets. That requires intelligence gathering before the actual hacking even begins. Then, send only the target people fake e-mails with PDF, Excel or other kinds of documents and make them appear to come legitimately from colleagues. Once opened, the documents install software that invisibly executes commands that open up access to the machine (and the user's network privileges) by the hacker. From there, the attackers could find and copy source code and other secrets. Much of the hacking was apparently designed to facilitate other hacks, of cyber-dissidents or of companies doing business in China.

Unlike conventional hack attacks, the Google-China hacks involved a lot of people, planning, research, intelligence gathering and sophisticated techniques by very motivated people who knew exactly what they were looking for.

Welcome to the new reality. It seems as if everyone is moving everything to the cloud. Meanwhile, sophisticated organizations out there are figuring out how to exploit cloud vulnerabilities to harvest valuable secrets. And if Google can't stop them, what chance do you and I have?

It's time to re-think the headlong rush into the cloud. We don't yet understand what's waiting there for us. Chinese spies may be the least of our troubles.

Mike Elgan writes about technology and global tech culture. Contact Mike at mike.elgan@elgan.com, follow him on Twitter or his blog, The Raw Feed.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags Cloudsecurity

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Mike Elgan

Computerworld (US)
Show Comments

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?