The practice of cyber-espionage is rapidly moving beyond the government sector and finding its way into the world of international business, according to experts with SANS Institute, one of the world's top IT security training organizations.
While the United States and Chinese governments, most notably, have accused each other in recent years of carrying out surreptitious hacking campaigns aimed at stealing strategic information from their respective IT systems -- and many security experts believe that both countries, and many others, are actively engaging in such electronic warfare -- leaders with SANS maintain that the practice has recently begun to spill over into the private sector with greater frequency.
According to the training institute's latest research, cyber-espionage efforts funded by "well-resourced organizations" -- including both government-backed and private efforts -- will expand significantly during 2008, in particular as overseas companies look to gain an upper hand in negotiating business deals with large companies based in the U.S. and Europe.
In one common scenario, said Alan Paller, director of research for SANS, organizations in the process of establishing legitimate partnerships with such companies are willing to pay hackers to break into those firms' IT systems to gather competitive information to gain an advantage at the bargaining table.
More companies than ever before are finding out that they have been victimized in such a manner based on the discovery of their sensitive data in the hands of hackers and other fraudsters who have been apprehended by law enforcement officials, the expert contends.
"Cyber-espionage is clearly growing across the board. It was much bigger in 2007 than in previous years, and it is expanding slowly into economic espionage involving both businesses and government entities," Paller said. "This really has a lot of significant implications because people who have never thought of themselves as targets for this type of attack have suddenly become a sweet spot, and many are not prepared to defend themselves."
Paller said that federal law enforcement agencies have been contacting private industry firms directly to inform them that their data may have been compromised. From closely-protected product designs to company financials, the expert said that cyber-espionage is already working its way into many different areas of business.
"If you live in a foreign country and you want to do business with a big American company, you want to negotiate the best possible deal, and we're seeing more evidence of instances where parties have clearly been paid to break into a companies' computers, as well as those of their accountants, consultants and lawyers, to find information that can be used to tilt deals in their favor," Paller said. "In some cases, it's fair to say that the people who are negotiating these deals overseas end up with more information than the people that are being paid to negotiate with them."
Paller said that while in many cases the business data being stolen is being used to the advantage of private industry players, the training organization believes that a fair amount of the corporate espionage activity may be backed by government sponsors.
While such attacks have been somewhat common among government and defense contractors for years, he said, the process is highlighting a lack of perception regarding security risks inside other major U.S. businesses.