
US charges Russian spies over massive Yahoo! breach

Today’s papers and online sources are full of the charges against two Russian spies (among others) over the breaches of Yahoo!’s security. We’ve reported often on the breaches themselves, and we’ll return to them in a moment.

The point the press is inevitably making is that state-sponsored hacking is big business. The recent establishment of the National Cyber Security Centre speaks eloquently about how seriously the threat is being taken in the UK.

It’s not actually a great surprise. Espionage and intelligence activities have been going on for generations. Any thought that they wouldn’t spill into the cyber world is patently absurd.

So where’s the story?

Russian activity lying dormant

Some of the best spy stories involve someone called a “sleeper”. The idea is that they are planted into a community or organisation, live and work like natives, and only years later are they “awoken” to act against that community. Neighbours are horrified when their best friend turns against them, and so forth.

The parallel isn’t exact, but hacking activity can do the same. It sits apparently harmless inside a system and then, on a given day, it activates.

The difference in the Yahoo! case, as we’ve highlighted before (you can check the link above), is that, oddly, the organisation itself may then carry on behaving as if nothing untoward has happened.

The suggestion is that the breaches happened several years ago; not “bugs got into the system and then lay dormant for a while” but that the breaches actually happened and accounts were compromised at the time. Half a billion of them, in fact. And although the organisation no doubt took a lot of internal action, it tried to keep the proverbial lid on it until it was forced to concede that something bad had happened.

We get it. Nobody wants customers to think they’re in actual danger until they’re sure, and any public announcement like that is going to hit the share price (Yahoo!’s price did go down after the issue emerged). You don’t want to announce this sort of thing.

But if a company knows its customers are at risk and doesn’t tell them, there are questions of good practice to raise. Whether Russian spies were among those responsible for the breach in the first place is for a jury to decide. What the company did next, and how open it was about the problem, is damaging in a different way.