February 14, 2012
Former Nortel CEO Frank Dunn, now being tried for fraud, was among several senior company managers who were aware of a long-standing data breach into Nortel’s computers systems, but chose to do nothing.
According to reports in the Wall Street Journal, former Nortel employee Brian Shields led an investigation and discovered the breach, but was prevented by company executives from taking any action.
Nortel, which has since declared bankruptcy, and which was cleared by the Department of Justice to sell $4.5 billion worth of patents to Apple, Microsoft and RIM on Monday, was deeply penetrated by hackers, suspected of being from China. Sophos Senior Security Advisor Chester Wisniewski wondered if those companies would have paid so much for the patents if they’d known the data was likely already compromised. “If the patents were known to have been potentially stolen or compromised, wouldn’t they have to report that?” he asked.
Wisniewski criticized Nortel’s response to the breach. “I think the response is shameful. It doesn’t look like they really cared,” he said. Wisniewski said that while many are blaming the Chinese government for the breach, there’s really nothing to prove that China was really involved. While a Chinese Internet site seems to have been the destination for data stolen from Nortel, “Just because something appears to be from China doesn’t mean it is,” Wisniewski said.
Neil Roiter, research director for Corero Network Security, called the Nortel breach disturbing. But he said that Nortel’s response was even more so. “Perhaps more disturbing, if the report is accurate, is the failure of Nortel to respond when the breach was discovered, and, less surprisingly, their failure to disclose it,” Roiter said. “Perhaps the danger was less clear eight years ago than it is now, but the continued failure of what was viewed as an innovative and sophisticated IT company to appreciate and address the risk is puzzling.”
Roiter predicted that new SEC guidelines will result in more disclosures, such as the news about the 2010 VeriSign data breach. Wisniewski said that while Nortel may have been ill-equipped to deal effectively with the data breach when it was discovered a decade ago, “They should have called law enforcement.” He said that when breaches are international in scope, as the Nortel breach clearly was, then the government is best equipped to deal with it.
Wisniewski said that only governments are really capable of providing the resources to share data regarding several threats and determine patterns, “A lot of information sharing needs to happen to fight these. Only our governments have the ability to share and take action. It’s important that more of these organizations should involve law enforcement,” he said.
Wisniewski said that because Nortel chose not to ask for help or otherwise deal with the breach of its security, it’s unlikely that the attacker will ever be identified. However, he noted that it’s virtually certain that a vast amount of intellectual property was compromised.
Read more about malware/cybercrime in CSOonline’s Malware/Cybercrime section.