The Economist: Businesses and cyber-security. A spook speaks
Date: 2012-09-09 17:12


Businesses and cyber-security.
A spook speaks.
Its cost may be hard to count, but cybercrime has companies worried.
LIKE blooms on a peculiar plant, speeches by the head of the British security service are rare; and when they do appear, they draw attention. On June 25th Jonathan Evans, the director-general of MI5, burst into oratorical flower for the first time in 21 months. After commenting on preparations for the Olympic Games and on counter-terrorism, Mr Evans turned to cyber-security, where the "front line…is as much in business as it is in government." States as well as criminals were up to no good, he said: in particular, a "major London listed company with which we have worked" had lost revenue of "some £800m" ($1.2 billion) to state-sponsored cyber-attack. The firm in question had lost intellectual property and had been put at a disadvantage in commercial negotiations.
Examples and rumours abound of companies being burgled by cyberfrauds, cyberspooks or cyber-mischief-makers. On June 26th America's Federal Trade Commission sued Wyndham Worldwide, a hotel group, alleging that security failures at the company in 2008 and 2009 had led to the export of hundreds of thousands of guests' payment-card account numbers to a domain registered in Russia. The FTC says "millions of dollars" were lost to fraud. Wyndham says it knows of no customers who lost money and that the FTC's claims are "without merit".
The loss of industrial secrets is perhaps even more worrying to companies than that of their customers' credit-card data. Some think worry is overdue. Mark Anderson, the chairman of INVNT/IP, a new organisation of technology companies, says: "We are encouraged by discovering the number of global technology CEOs who have come to understand this issue and its importance to their own company welfare, regardless of the incentives and protestations offered by China, Russia and other nations known to actively steal IP."
Working out the cost of cybercrime is a devil of a job. The FTC and Wyndham are poles apart on their estimates of the effect of the credit-card thefts. Companies say they are under constant cyber-attack in ever more ingenious forms, but they are loth to say in public how often the raiders get through and how much damage they do—assuming that the breach is spotted. That suggests the damage is underreported. When they are speaking to the security services they may be more forthcoming, but will they be accurate? Companies might anyway have lost some of the business written off to cybercrime. In that case, Mr Evans's £800m would be on the high side.
In a report by Britain's Cabinet Office last year, Detica, the software arm of BAE Systems, a defence company, put the cost of cybercrime to the country at a staggering £27 billion, or 1.8% of GDP. Businesses bore £21 billion, mostly because of the theft of secrets and industrial espionage. Lots of people doubted these numbers, including, it seems, the Ministry of Defence, which commissioned a study from a team led by Ross Anderson, a computer-security expert at Cambridge University.
The team's report, published this month, shies away from adding up totals, preferring to assess the costs of different types of crime in turn, but comes up with much lower figures, partly because it discounts Detica's numbers for intellectual-property theft and espionage entirely, saying they have "no obvious foundation". Most of the cost of cybercrime, it concludes, is indirect, such as spending on antivirus software or other corporate defences. In other words, a lot goes on payments by one lot of businesses to another: the computer-security industry.
That may be inevitable. Cyber-attacks are happening more often and are becoming more precisely targeted. Greg Day, the chief technology officer for security in the European business of Symantec, a computer-security firm, says that for years cybercrime was more or less "random", as crooks looked for any holes they could find anywhere. In the past couple of years, however, they have chosen their corporate targets more precisely. Symantec observed virtually no targeted attacks before Stuxnet, a worm that attacked industrial-control systems, appeared in 2010. Last December it spotted an average of 154 a day.
The bad guys are increasingly using social media to try to find a way in, either by gathering intelligence or by befriending employees who may be tricked into opening an e-mail with nasty code within. People, a security-industry adage runs, are the weakest link. Training them to be careful may still be the best defence.

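  • commercial: adj. commercial, of business; n. a commercial advertisement
  • bore: vt. to weary, to bore; n. a tiresome person, a nuisance; v. to drill, to dig out
  • intelligence: n. understanding, intellect; n. secret information, intelligence work, an intelligence agency
  • fraud: n. swindler, deception, fraud
  • inevitable: adj. unavoidable, certain (to happen)
  • breach: n. gap, damage, violation, surge (of waves), rupture; vt. to violate
  • property: n. possessions, belongings, attribute, real estate, stage prop
  • understand: vt. to comprehend, to know, to hear of, to learn, to take ... to mean, to consider
  • issue: n. publication, number of a periodical, point of dispute; vi. & vt. to publish, to flow
  • foundation: n. basis, grounds, establishment; n. foundation (make-up), a foundation (fund)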