Hack highlights debate over government versus business cybersecurity

Law-enforcement officials are probing a Christmas Eve cyberattack on the international security think-tank Stratfor that exposed the personal and financial data of thousands of the firm's clients.

Over the weekend, Stratfor--which provides intelligence analysis to individuals, a variety of corporations, government agencies, and other organizations around the world--told clients that their information may have been stolen.

Since then, a "private client list" has been posted online, and some customers have reported that their credit cards had been used to donate to charity, according to The Wall Street Journal.

The charitable donations may go to waste, however, as the money will be revoked once credit-card companies verify the fraud.

"This symbolizes how you have to have your house in order before offering advice to others," said Richard Forno, cybersecurity graduate program director for the University of Maryland (Baltimore County).

As long as there are vulnerabilities, hackers will seek to exploit them, he said.

An FBI spokesman confirmed to National Journal on Tuesday that the agency is aware of the breach.

The FBI has been actively investigating Anonymous, the group believed to be behind this latest attack, for months. In July, the FBI arrested 16 people suspected of hacking PayPal on behalf of Anonymous.

"The law-enforcement investigation is active and ongoing," Stratfor CEO George Friedman said in a statement on the company's Facebook page on Sunday.

The continuing debate over how to increase national cybersecurity has revolved around the division between government- and private-sector security. While businesses seek more protections, few favor active government regulation and protection of private networks and information.

The issue is especially complicated when it comes to companies such as Stratfor that may deal in sensitive information related to government operations. In May, the country's largest defense contractor, Lockheed Martin, fought off a major cyberattack.

"When you have a major firm specializing in cybersecurity getting hacked this way, it gives you an idea of how difficult this problem is and how much ground still needs to be covered to better secure our cyber networks," Rep. Jim Langevin, D-R.I., said in an e-mail statement to National Journal.

Langevin, a member of the House Intelligence Committee and a cofounder of the Congressional Cybersecurity Caucus, said that if a company with the security expertise of Stratfor can be hacked, the threat to businesses that may be less aware is even greater.

As a consequence of the amorphous nature of the group, statements purporting to be from Anonymous have sent mixed signals about its involvement in the Stratfor incident--they both disavow and claim responsibility for the hack. Forno said that Anonymous is a group "in the loosest sense of the term," and it is unclear who is involved at any one time.

Barrett Brown, a declared spokesman for Anonymous, took to the Web on Monday to say that the attack's main goal was to expose e-mails documenting a "state-corporate alliance" between government agencies and defense companies.

"Stratfor was not breached in order to obtain customer credit-card numbers, which the hackers in question could not have expected to be as easily obtainable as they were," Brown wrote in an online post. "Rather, the operation was pursued in order to obtain the 2.7 million e-mails that exist on the firm's servers. This wealth of data includes correspondence with untold thousands of contacts who have spoken to Stratfor's employees off the record over more than a decade."

As of Tuesday, Stratfor's main website featured a message saying it is "currently undergoing maintenance."

Friedman said that Stratfor has hired "a leading identity-theft protection and monitoring service" to help clients as well as "an experienced outside consultant" to help beef up security.

Besides donating to charities, Anonymous called for the release of Pfc. Bradley Manning, the Army soldier accused of giving classified documents to WikiLeaks. In addition to financial data, the attack also exposed reams of company e-mails.

In October, a report by the Internet security firm Symantec and the National Cyber Security Alliance said that companies with fewer than 500 employees are often ill-prepared to prevent cyberattacks, even though nearly half of attacks are aimed at small businesses.

Federal Communications Commission Chairman Julius Genachowski has called small businesses "low-hanging fruit" for hackers, and the agency has led an effort to educate small businesses about how to better protect against cyberthreats.