A few years ago, I was called in by the CSO of a Fortune 25 company. He hired 4 of the best known companies that do penetration testing to find problems with their corporate network. All 4 companies came back two weeks and $100,000 later, and told the CEO that they had full control of his network. The CSO went immediately to the CEO, who basically replied, "I don't care."
The CSO then hired me to perform an espionage simulation. I came back within one week, and handed the CSO their mergers and acquisitions plans, their new technologies that were being released in three years, multibillion-dollar proposals, and pictures showing how I bugged the CEO's office, and told him that I had full control of their entire network. The next week, the CEO raised the security budget by $10,000,000 and they hired security managers for all business units.
The reason that the CEO reacted that way is that I grabbed the company by their proverbial balls and squeezed. I showed him the pain related to bad security. A value was placed on the vulnerabilities and it showed the CEO that they had to be addressed.
I thought of this story as I read how Dennis Blair, the Director of National Intelligence, testified to Congress telling them how the Chinese hack of Google should serve as a wakeup call. Frankly, while I admit that Google is a large American business, and the attack sounds outrageous, I have to reply, "I don't care."
In the grand scheme of things, China can hack Google, but the overall effects on the United States are rather minimal. Besides the fact that you don't want to see any company being targeted by a foreign nation, the hack of Google really has no impact on the US. It is much more likely that the 33 other companies that were hacked by China during the same attacks, which of course don't get any press, pose a much more dire threat to the US and its economy.
At this point, I really don't see how China can do much worse than has already been well reported over the last 5 years. It is widely acknowledged that China hacked the White House, the Obama and McCain presidential campaigns, and much more importantly has an ongoing, massive hacking campaign against the Department of Defense, Department of Energy and their contractors. China has already compromised weapons and missile technology. Why is hacking Google now a wakeup call?
Basically the country has slept through dozens of fire alarms. The Google hack is irrelevant when compared to all of the other successful hacking that China has accomplished over the last decade. And that is now the big problem.
The US Senate formally voted to condemn the hacking. I am sure that they will soon apologise for the condemnation when the US again goes to ask China for loans to finance the deficit. Do you think China actually cares about a symbolic vote at best for hacking a company, while they regularly ignore dozens of other rebukes for human rights violations?
Making a big deal out of hacking Google trivialises the problem. Look at this from the perspective of a corporation. Google is easily the most well resourced technology company in the world. If Google cannot stop China, what can a typical cash strapped company do? Companies can spend a lot of money to unsuccessfully stop China, but to what end?
Then consider that the losses from being hacked by China are nearly impossible to quantify for most companies. While there are some companies that can point to tangible losses, most Chinese hacking attacks have no obvious consequences for the victims. Hacking Google sounds heinous, but again the tangible effects are minimal.
Everyone is ignoring the fact that China is grabbing the US by the proverbial balls and squeezing, while they focus on an itch. So as Blair wastes his time highlighting the Google hack, he fails to remind Congress of the decade long theft of defence and other critical technologies that can be used against the US. It is also very possible given past experiences that China will potentially sell these technologies to terrorist sponsoring nations.
Security managers have to likewise ask themselves if they are focusing on nonsense while there are more obvious and critical issues to worry about. Hacks and vulnerabilities are completely irrelevant. It is the resulting, or at least potential, losses that matter. If the losses are ambiguous, irrelevant, or not even discussed, then your CEO will turn to you and say, "I don't care."