Wednesday, January 6, 2016

Submarine plans and communications hand delivered due to hacking fears

I saw this a few months ago while teaching in Australia, then forgot about it until I was chatting with a friend and it came to mind as an example. In Australia, the $20 billion contract for the next-generation submarine fleet is big news. It's big news in Germany, France, and Japan too - the countries that are in the final round of bidding for the job to build the subs.

But reportedly (and not surprisingly), China and Russia are also interested in the submarine plans. Germany's contractor said they are receiving 40 hacking attempts per night. It is, of course, unclear what they consider to be a "hacking attempt," but it is clear that the hacking attempts are on the radar of the executives at the shipbuilders.

Perhaps the most interesting development in the story is the report that, due to increasing hacking attempts, the organizations involved are resorting to hand delivery of sensitive data. At Rendition Infosec, we always recommend that organizations have out-of-band communications for use in incident response. The rationale is that if the attackers have compromised your mail server (or other in-band communications), you don't want them listening in on your conversations during the incident. It appears that the Australian government has taken this to a whole new level with hand-carried documents and communications.

What can we learn from this as infosec professionals? First, Australia has publicly set a precedent for extreme caution, which we can cite if needed. While I'm sure this has been done before, good public examples never hurt. Second, we can use this as an example of possible overreaction to hacking fears. If the reports are true, there were probably other measures that could have been used to secure communications that didn't rely on hand carrying. If conducting a sand table exercise, I'd ask how much inefficiency this would introduce into the process and ask business stakeholders to assign a dollar value to that. Security is always a cost center, and we need to enable the business to operate safely while still operating.
