<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:admin="http://webns.net/mvcb/"
	xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
	xmlns:content="http://purl.org/rss/1.0/modules/content/">
	<channel>
		
		<title>CircleID: Cyberattack</title>
		<link>http://www.circleid.com/topics/</link>
		<description>Latest Cyberattack related postings on CircleID</description>
		
		<dc:language>en</dc:language>
		<dc:rights>Copyright 2012, unless where otherwise noted.</dc:rights>
		<dc:date>2012-02-11T13:09:00-08:00</dc:date>
		<image>
			<title>CircleID</title>
			<width>130</width>
			<height>45</height>
			<url>http://www.circleid.com/images/logo_rss.gif</url>
			<link>http://www.circleid.com/</link>
		</image>
		
		<item>
			<title>World Notices That Verisign Said Three Months Ago That They Had a Security Breach Two Years Ago</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20120202_world_notices_verisign_said_3_months_ago_they_had_security_breach/</guid>
			<link>http://www.circleid.com/posts/20120202_world_notices_verisign_said_3_months_ago_they_had_security_breach/</link>
			<description><![CDATA[<p>The trade press <a href="http://www.reuters.com/article/2012/02/02/us-hacking-verisign-idUSTRE8110Z820120202">is abuzz today</a> with reports about a security breach at Verisign. While a security breach at the company that runs .COM, .NET, and does the mechanical parts of managing the DNS root is interesting, this shouldn't be news, at least, not now.
</p>
<p>
Since Verisign is a public company, they file a financial report called a 10-Q with the SEC every quarter. According to the <a href="http://edgar.sec.gov/Archives/edgar/data/1014473/000119312511285850/0001193125-11-285850-index.htm">SEC's web site</a>, Verisign filed their 10-Q for June through September 2011 on October 28th, where it's been available to the public ever since.
<br />
Like every other 10-Q, it has a Risk Factors section which lists all the reasons that the company might fail, so don't sue us. Normally those sections are pretty routine, key employees might quit, customers might desert us, key contracts might not be renewed, that sort of stuff. But this 10-Q contained this bit:
</p>
<blockquote><p><em><strong>We experienced security breaches in the corporate network in 2010 which were not sufficiently reported to Management.</strong>
</p>
<p>
In 2010, the Company faced several successful attacks against its corporate network in which access was gained to information on a small portion of our computers and servers. We have investigated and do not believe these attacks breached the servers that support our Domain Name System ("DNS") network. Information stored on the compromised corporate systems was exfiltrated. The Company's information security group was aware of the attacks shortly after the time of their occurrence and the group implemented remedial measures designed to mitigate the attacks and to detect and thwart similar additional attacks. However, given the nature of such attacks, we cannot assure that our remedial actions will be sufficient to thwart future attacks or prevent the future loss of information. In addition, although the Company is unaware of any situation in which possibly exfiltrated information has been used, we are unable to assure that such information was not or could not be used in the future. The occurrences of the attacks were not sufficiently reported to the Company's management at the time they occurred for the purpose of assessing any disclosure requirements. Management was informed of the incident in September 2011 and, following the review, the Company's management concluded that our disclosure controls and procedures are effective. However, the Company has implemented reporting line and escalation organization changes, procedures and processes to strengthen the Company's disclosure controls and procedures in this area.</em></p></blockquote>
<p>
Apparently nobody got around to reading it until today, at least nobody who understands the business well enough to know what it means.
</p>
<p>
All the press reports I've seen just regurgitate that paragraph, adding a few quotes from people close to Verisign who all said they didn't know about it either, and security types who told us that it's an enormous big deal. (Now that you've read the paragraph, you're as qualified to pontificate as anyone.)
</p>
<p>
Personally, I don't know if it's an enormous big deal or not. Risk factor sections tend to be written as pessimistically as possible, so you can skip over the parts about they cannot assure you and so forth. One thing I do know is that it happened over a year ago, so if anything significant happened as a result, and Verisign knew about it, they'd have told us about that, too, on the principle that you release all your bad news at once. So this means that either it really was just a minor network breach, or the evil consequences are so deep and subtle that we may not know about them for years and years, if ever. I'd tend toward the former, but then, I'm not a Verisign stockholder.
</p><p><em>Written by <a href="http://www.circleid.com/members/1015/">John Levine</a>, Author, Consultant & Speaker</em></p>]]></description>
			<dc:date>2012-02-02T18:48:00-08:00</dc:date>
			<category>internet</category><category>cyberattack</category><category>dns</category><category>security</category>
		</item>
		
		<item>
			<title>Public&#45;Private Cooperation Policy for Cyber Security Suggested by Commissioner Kroes</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20120133_public_private_cooperation_policy_cyber_security_ec_commissioner/</guid>
			<link>http://www.circleid.com/posts/20120133_public_private_cooperation_policy_cyber_security_ec_commissioner/</link>
			<description><![CDATA[<p><a href="http://www.circleid.com/members/5265/">Wout de Natris</a> writes: At a speech during the Security and Defense Agenda meeting on 30 January Vice-President of the European Commission, Neelie Kroes, showed how the Commission envisions public-private cooperation on cyber security.
</p>
<p>
Remarks by Kroes:
</p>
<p>
"The Internet does not belong to any one group, but attacks on it affect every group. So let's work together, all sectors, all levels, public and private, national, international and European. So that we can safeguard the security of the systems that increasingly underpin our lives, today and in the future."
</p>
<p>
"In tomorrow's world, if the Internet is not secured, nothing will be."
</p>
<p>
Full statement published <a href="http://europa.eu/rapid/pressReleasesAction.do?reference=SPEECH/12/47&amp;format=HTML&amp;aged=0&amp;language=EN&amp;">here</a>.
</p>]]></description>
			<dc:date>2012-01-31T11:11:00-08:00</dc:date>
			<category>internet</category><category>cyberattack</category><category>cybercrime</category><category>internet_governance</category><category>malware</category><category>policy_regulation</category><category>security</category>
		</item>
		
		<item>
			<title>DDoS Attacks Increased by 2000% in Past 3 Years, Asia Generating Over Half of Recent Attacks</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20120131_ddos_attacks_increased_by_2000_percent_in_past_3_years/</guid>
			<link>http://www.circleid.com/posts/20120131_ddos_attacks_increased_by_2000_percent_in_past_3_years/</link>
			<description><![CDATA[<p>In the past three years, Akamai has seen a 2,000% increase in the number of DDoS attack incidents investigated on behalf of its customers. The latest <a href="http://www.akamai.com/stateoftheinternet/">State of the Internet report</a> released today by Akamai also identifies top countries from which this observed attack traffic originates, as well as the top ports targeted by these attacks.
</p>
<p>
<strong>From the report:</strong> During the third quarter of 2011, Akamai observed attack traffic originating from 195 unique countries/regions, up from 192 in the second quarter. After making its first appearance in the top 10 list in recent memory in the second quarter, Indonesia vaulted to the top of the list this quarter, generating 14% of observed attack traffic. Myanmar, which had suddenly appeared at the top of the list in the prior two quarters, disappeared from the list just as suddenly in the third quarter, potentially indicating that the attack traffic that had been observed originating from the country has either been shut down, or is now coming from other places. With Myanmar dropping out of the top 10 list, South Korea moved into it, more than tripling its observed level of attack traffic, responsible for 3.8% in the third quarter. In addition to South Korea and Indonesia, Taiwan, China, India, and Egypt were all responsible for higher percentages of attack traffic as compared to the prior quarter.
<br />
<div style="font-size:85%;color:#666666;margin:5px 0 20px 0;"><img src="http://www.circleid.com/images/uploads/6350.jpg" border="0" width="644" height="206" style="display:block;margin-bottom:5px;" /><strong>Attack Traffic</strong> &ndash; Top Originating Countries</div></p>]]></description>
			<dc:date>2012-01-31T10:44:00-08:00</dc:date>
			<category>internet</category><category>cyberattack</category><category>security</category>
		</item>
		
		<item>
			<title>Understanding and Detecting Mobile Malware Threats</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/understanding_and_detecting_mobile_malware_threats/</guid>
			<link>http://www.circleid.com/posts/understanding_and_detecting_mobile_malware_threats/</link>
			<description><![CDATA[<p>Every couple of years there's a new "hot threat" in security for which vendors abruptly tout newfangled protection and potential customers clamor for additional defense options. Once upon a time it was spyware, a few years ago it was data leakage, and today it's mobile malware. It's a recurring cycle, analogous to the "blue is the new black" in fashion &#8212; if you fancy adopting a certain cynical tone.
</p>
<p>
Lying at the heart of the cycle is the fact that these hot threats have never been particularly new. Within the security community, we tend to talk about the evolution of the threat landscape. If you speak with the relevant experts about a particular threat category you'll uncover that the back story to many of these "hot threats" often goes back a decade or two. Mobile malware threats are certainly no exception.
</p>
<p>
A history lesson in the evolution of mobile malware is hopefully not required, beyond to say that today's hot threat has evolved over a couple of decades and poses less of a technical challenge than many believe or commonly portray. But as history so often reveals in these cases, when a new threat is similarly labeled and thrust into the limelight for the first time, there's all too often a stampede towards apparently novel and threat-specific solutions.
</p>
<p>
Solutions (and I use that term very loosely) within the mobile malware threat mitigation arena are increasingly difficult to differentiate from one another. In the confusion of defining a new threat and the nomenclature that accompanies it, the underlying technologies and viability of their approaches can get lost rather easily.
</p>
<p>
<strong>What is the "Mobile Threat"?</strong>
</p>
<p>
When I meet with customers, prospects and journalists, I get a lot of questions about the Mobile Threat. In particular, how should businesses work to defend against it? My immediate response tends to be "what do you define as the mobile threat?"
</p>
<p>
The term "Mobile Threat" is amorphous &#8212; it has become a catch-all to encompass anything not physically tethered to a network and happens to be newish from a technology perspective, and likely subject to some new (previously unencountered) formulation of evilness. That sounds like a kind of wishy-washy definition (and it is), but catch-alls usually are. Instead, I'd rather focus on one aspect of the Mobile Threat &#8212; that of the mobile <em>malware</em> threat.
</p>
<p>
As I described in a blog entry illuminating a handful of <a href="http://www.circleid.com/posts/2012_security_predictions_apts_mobile_malware_and_botnet_takedowns/">security predictions for 2012</a>, mobile malware threats continue to be misunderstood. It's all too easy to dive deep into the various technologies that expose mobile devices to new forms of attack and vectors of compromise; just as it's rather easy to describe the various built-in technologies that the developers and engineers of the mobile devices have included to prevent many of the "legacy" threat categories we're already all too familiar with.
</p>
<p>
You could spin a lot of cycles looking into the "what-ifs" of mobile security threats but, at the end of the day, if you want to determine which threats and attack vectors are going to be the most immediate and protectable concern for your organization you only need to understand two things &#8212; how do your employees <em>really</em> use their mobile devices, and how are cybercriminals going to <em>monetize</em> their control of these devices?
</p>
<p>
For a moment, think about this. While Smartphones and Tablets often share a common operating system and maybe even the same application markets or stores, they are used in different ways, at different times, to accomplish different tasks. For this reason the attack vectors cybercriminals (and espionage-focused agencies) choose to launch against them are different for each category of mobile device. The tools &#8212; of which the most commonly encountered category is "malware" &#8212; are likely to be transportable between devices, but the vectors for installation and the type of meaningful information that can be extracted via them are quite different.
</p>
<p>
When it comes to the cybercriminals that target mobile devices (which constitute the core element of the "Mobile Threat"), it is interesting to note that they're pretty much the same entities that have been historically successful in targeting traditional non-mobile devices. That shouldn't really be a surprise to anyone &#8212; it's all about monetizing the victims. If a particular cybercriminal group specializes in online banking fraud and a third of their potential target list shifts to tablet-based banking applications, they need to make a business decision &#8212; do they target the new platform or optimize their attacks against the traditional devices? As mobile application use increases, there's an increasing driver for cybercriminals to invest in new mobile tool development. Similarly, if employees are wirelessly connecting to corporate systems and assets using mobile devices in preference to other traditional platforms, the attackers are forced to target these new devices and develop the appropriate tools.
</p>
<p>
It's important to note that, while the end-point device is physically changing and the specifics of the tools the criminals need to develop and install upon the compromised devices are also changing, at the enterprise network and Internet infrastructure level there has been no change in criminal behaviors; nor is any change actually needed by them. The vast majority of C&amp;C communications are HTTP-based regardless of the malware family or compromised device type. By speaking the same language, the cybercriminals can keep their existing infrastructure&#8230; business as usual!
</p><p><em>Written by <a href="http://www.circleid.com/members/5583/">Gunter Ollmann</a>, VP of Research at Damballa</em></p>]]></description>
			<dc:date>2012-01-16T14:10:00-08:00</dc:date>
			<category>internet</category><category>cyberattack</category><category>cybercrime</category><category>malware</category><category>mobile</category><category>security</category><category>wireless</category>
		</item>
		
		<item>
			<title>Types of Attack</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/types_of_attack/</guid>
			<link>http://www.circleid.com/posts/types_of_attack/</link>
			<description><![CDATA[<p>A lot of pixels have been spilled in the last few years about "advanced persistent threats" (APT); if nothing else, any high-end company that has been penetrated wants to blame the attack on an APT. But what is an APT, other than (as best I can tell) an apparent codename for China? Do they exist?
</p>
<p>
After thinking about it for a while, I came up with the following representation:
</p>
<p>
<img src="http://www.circleid.com/images/uploads/6288.gif" border="0" width="642" height="259" style="display:block;clear:both;padding:20px 0;" />
</p>
<p>
The two axes represent how skilled the attacker is, and how much a particular victim is being targeted.
</p>
<p>
I dub the lower left "joy hacks". These are the province of the script kiddie or the novice hacker. They've learned about "cool" tools, and they try them out on anyone in reach. Ordinary care will generally deflect joy hackers.
</p>
<p>
As the attackers' skill level moves up, you get what I call "random hacks". (I'm not fond of that name; any better suggestions?) People who write new worms often fall into this class, especially if the worms exploit 0-days. But worms are generally random in their targets. If you're a spammer or a botnet builder, though, that's fine; a low-bandwidth node may not be able to spew as much garbage as a well-connected one, but as the saying goes, "from each according to his ability". Your best defense here is the usual technical litany: turning off unneeded services, keeping up to date on patches, etc.
</p>
<p>
The X axis, which reflects targeting, does not necessarily imply particular technical measures. In general, though, it means that the attacker will gather as much intelligence as is feasible about the target. (Again, I'm quite unhappy with my name, especially when I have to translate it into the noun for the attacker.) Spear-phishing attacks, which show a knowledge of the organization and the victim and perhaps the purported source of the message, show the efficacy of this. The attacks themselves may not be novel, but the extra information the attacker has helps immensely. This is an arena where education and process help.
</p>
<p>
The upper right (or the upper right of the upper right) is, of course, the Advanced Persistent Threat, what John Ehrlichman so memorably called the "<a href="http://select.nytimes.com/2005/10/30/opinion/30rich.html?pagewanted=all">big enchilada</a>". Here, you need everything you can bring to bear and then some: patches, education, process, luck, and perhaps sacrificing the entrails of a virgin artichoke on your keyboards.
</p>
<p>
Do APTs exist? Assuredly; if it accomplished nothing else, Stuxnet showed that. Are most attacks on high-profile companies APTs? I suspect that some are and some are not &#8212; but I haven't investigated or even reviewed the investigation of any of them, so I won't comment. Are nation-states behind APTs? Unknown and probably unknowable, though the more sophisticated the attack (and especially the more comprehensive and sophisticated the target intelligence was), I'd say it becomes more likely (which is not the same as "likely"). Should you worry about APTs? Ask yourself this: who would be likely to target you, and how good are they?
</p><p><em>Written by <a href="http://www.circleid.com/members/3631/">Steven Bellovin</a>, Professor of Computer Science at Columbia University</em></p>]]></description>
			<dc:date>2012-01-10T21:40:00-08:00</dc:date>
			<category>internet</category><category>cyberattack</category><category>malware</category><category>security</category>
		</item>
		
		<item>
			<title>Japan Developing Distinctive Anti&#45;Cyberattack Virus</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/japan_developing_distinctive_anti_cyberattack_virus/</guid>
			<link>http://www.circleid.com/posts/japan_developing_distinctive_anti_cyberattack_virus/</link>
			<description><![CDATA[<p>The Japanese Defense Ministry is creating a computer virus capable of tracking, identifying and disabling sources of cyberattacks, according to <a href="http://www.yomiuri.co.jp/dy/national/T120102002799.htm">reports</a>. The development of the virtual cyberweapon was launched in 2008. Since then, the weapon has been tested in a closed network environment. "The most distinctive feature of the new virus is its ability to trace cyber-attack sources. It can identify not only the immediate source of attack, but also all "springboard" computers used to transmit the virus."
</p>]]></description>
			<dc:date>2012-01-04T13:07:00-08:00</dc:date>
			<category>internet</category><category>cyberattack</category><category>cybercrime</category><category>malware</category><category>security</category>
		</item>
		
		<item>
			<title>Botnets: Most Prevalent Threat on the Internet for the Enterprises</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/botnets_most_prevalent_threat_on_the_internet_for_the_enterprises/</guid>
			<link>http://www.circleid.com/posts/botnets_most_prevalent_threat_on_the_internet_for_the_enterprises/</link>
			<description><![CDATA[<p>Based on the total number of transactions, Zscaler <a href="http://research.zscaler.com/2011/12/web-threats-trends-and-statistics.html">reports</a> botnets as the biggest security risk on the Internet for the enterprises. "Once a host gets infected, the botnet usually spreads quickly within an enterprise. It also generates a significant amount of traffic to the command and control server, to download additional malware or perform other actions."
</p>
<p>
<img src="http://www.circleid.com/images/uploads/6256.gif" border="0" width="642" height="421" style="display:block;" />
</p>]]></description>
			<dc:date>2011-12-29T12:54:00-08:00</dc:date>
			<category>internet</category><category>cyberattack</category><category>malware</category><category>security</category>
		</item>
		
		<item>
			<title>DDoS Mitigation: A Blend of Art and Science</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20111220_ddos_mitigation_a_blend_of_art_and_science/</guid>
			<link>http://www.circleid.com/posts/20111220_ddos_mitigation_a_blend_of_art_and_science/</link>
			<description><![CDATA[<p>As DDoS attacks become larger, more frequent and complex, being able to stop them is a must. While doing this is part science, a matter of deploying technology, there is also an art to repelling sophisticated attacks.
</p>
<p>
Arbor Networks, Citrix and others make great gear, but there's no magic box that will solve all your problems for you. Human expertise will always be a crucial ingredient.
</p>
<p>
<strong>The Science</strong>
</p>
<p>
Certain attacks can be mitigated purely through automation. For example, you can set up proper access control lists on your routers, which can block connections to ports through which you have no services. (That is, you can define a list of services authorized to receive traffic, while at the same time dropping all other traffic.) Some attackers randomly try certain attack vectors, hoping to get lucky and flood your infrastructure &#8212; without investigating which type of attack might actually work best. When properly configured, your routers and firewalls will automatically drop such traffic, without it even reaching your servers. This can be very effective and should be part of any mitigation strategy.
</p>
<p>
Equally effective are advanced AI algorithms, which are often built into routers and DDoS mitigation hardware. These algorithms can give you a picture of an attack in progress. You can also tune their settings to drop traffic when certain thresholds are met. AI algorithms do very well at handling simple attacks (SYN floods, UDP floods, etc.). The catch: Without careful tuning, they can automatically drop good traffic, defeating your goal of continuing business as usual. If your business is profiled on CNN, resulting in surging traffic, your gear may very well kick in and legitimate traffic could be blocked.
</p>
<p>
<strong>The Art</strong>
</p>
<p>
To avoid that sort of situation, you need to spend considerable time tuning your mitigation hardware, so it can tell good traffic from bad. Even this will not always be enough. These days, anyone with decent software development skills can craft attacks that zero in on key infrastructure. He or she will make educated guesses about your website: which parts feature dynamic content, possibly back-ended by a database, and even which parts might be making high-CPU/memory database calls. An attack can be easily masked to look like legitimate traffic. In fact, 10 properly designed simultaneous connections might be enough to take down a cluster! Such attacks take time and creativity to block, no matter if you have the latest mitigation hardware.
</p>
<p>
The same thing is true when a large, distributed botnet generates thousands of legitimate-looking requests. Automation alone will help you only so much. With the right expertise and hands-on experience, you can set up filters to drop bad traffic.
</p>
<p>
<strong>A Balanced Approach to Stopping Attacks</strong>
</p>
<p>
Before you lose millions in downtime, revenue and brand equity, make sure your mitigation includes both art and science. Remember, even the best technology won't excel without the right guidance. When it comes to fighting DDoS attacks, you need both man and machine.
</p>
<p>
<em>If you don't have the expertise in house, consider a third-party solution like <a href="http://www.ultradns.com/ddos-protection/siteprotect/what-is-siteprotect">Neustar SiteProtect</a>, a cloud-based service which not only fuses technology from leading vendors (Arbor, Citrix and Juniper, along with several others) but backs it with the experts in our Security Operations Center.</em>
</p><p><em>Written by <a href="http://www.circleid.com/members/6628/">Miguel Ramos</a>, Sr. Product Manager, Neustar Enterprise Services</em></p>]]></description>
			<dc:date>2011-12-20T16:23:00-08:00</dc:date>
			<category>internet</category><category>cyberattack</category><category>dns</category><category>security</category>
		</item>
		
		<item>
			<title>10 Main Internet Governance Developments in 2011</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20111218_10_main_internet_governance_developments_in_2011/</guid>
			<link>http://www.circleid.com/posts/20111218_10_main_internet_governance_developments_in_2011/</link>
			<description><![CDATA[<p>Here is the provisional list of the main Internet governance developments in 2011 and we need your help to compile a final list. Please let us know your views by:
</p>
<p>
Making comments and adding any other development you think should be on this list.
<br />
Joining us for <a href="http://www.diplomacy.edu/calendar/webinar-ten-main-internet-governance-developments-2011">the webinar discussion</a> on 20 December 2012 at 15.00 (CET).
</p>
<p>
<strong>1. The Internet gets highly political</strong>
</p>
<p>
2011 started with the continuance of the Arab Spring. Although there are very different views on the impact of the Internet on the Arab Spring phenomenon (ranging from minimal to key), one outcome is certain: social media is now perceived as a decisive tool in modern political life. In various ways, the Internet &#8212; and its governance &#8212; popped up on political radars worldwide this year.
</p>
<p>
<strong>2. Internet governance moves to the premier league of global politics</strong>
</p>
<p>
Internet governance is an increasingly important global issue: its policy relevance is now comparable to topics such as climate change, migration, and food security. This is illustrated by &#8212; among other developments &#8212; the numerous high-level events on Internet governance this year: the e-G8 Forum, the London Cyberspace Conference, the Vienna Conference on Human Rights and the Internet, and the Hague Conference on Internet and Freedom. In parallel, Internet governance emerged in the mainstream of the UN General Assembly. The main global media (The Economist, IHT, Al Jazeera, BBC) are now following Internet governance developments more closely than ever before.
</p>
<p>
<strong>3. Clearer positioning of the main players</strong>
</p>
<p>
Previous vague national Internet governance approaches have started to crystallise. The USA re-affirmed its support for ICANN. The EU's Digital Agenda is taking clearer international shape (EU's Digital Diplomacy). After an attempt to form a joint approach, IBSA (India, Brazil, South Africa) moved on separately. In October, India submitted a proposal to the UN General Assembly regarding the formation of a UN Committee for Internet-Related Policies. In addition, Russia, China, Tajikistan and Uzbekistan proposed an International Code of Conduct for Information Security to the UN GA.
</p>
<p>
<strong>4. A shift in Internet governance direction, from technology (IT, telecom) to political ministries (diplomacy, prime ministerial cabinets)</strong>
</p>
<p>
Another consequence of the growing political relevance of the Internet is the reconfiguration of national handling of Internet governance. Diplomatic services and the highest political authorities are more involved. Given the complexity of Internet governance issues, the main challenge will be to achieve policy coherence and informed decision-making.
</p>
<p>
<strong>5. Cybersecurity takes centre stage</strong>
</p>
<p>
An increasing number of security incidents and the fear of cyberwar put cybersecurity high on diplomatic agendas. Cross-border cooperation remains one of the main challenges in global cybersecurity cooperation. Some analysts argue that cybersecurity will become the first area where governments will support a global Internet treaty.
</p>
<p>
<strong>6. Online human rights come into focus</strong>
</p>
<p>
Increasing interest in online human rights was triggered by two major developments: the Arab Spring, and concern that the focus on cybersecurity may endanger human rights (e.g. protection of privacy, freedom of expression). This strong interest has been particularly clear in the last few months with the Vienna and Hague conferences focusing exclusively on online human rights. Moreover, following the Swedish proposal, the UN Council on Human Rights will discuss freedom of expression on the Internet in its 2012 meeting.
</p>
<p>
<strong>7. ICANN's soul-searching</strong>
</p>
<p>
Three main developments characterised ICANN in 2011: (1) implementation of management reform; (2) introduction of new generic top-level domains (gTLDs); (3) the resignation of its CEO and the search for a new CEO. Policy discussions in ICANN in 2011 reflected different views and approaches to the way in which the Internet should be governed in the future.
</p>
<p>
<strong>8. Internet blackout in Egypt</strong>
</p>
<p>
On 27 January, Egyptian authorities cut the Internet in a vain hope to stop political protests. This was the first example of a complete country Internet blackout ordered by the government. Previously, even in the case of military conflicts (former Yugoslavia, Iraq) Internet communication was never completely severed.
</p>
<p>
<strong>9. Avalanche of Internet principles</strong>
</p>
<p>
Internet principles were proposed by the OECD, the Council of Europe, the EU, and other players. There are many convergences among these principles which may constitute a future preamble of a global Internet declaration or similar document.
</p>
<p>
<strong>10. SOPA (Stop Online Piracy Act)</strong>
</p>
<p>
US internet governance decisions tend to have global impact. If adopted, SOPA could introduce liability for intermediaries in the control of Internet content. The anti-piracy measures would shift from the final users to Internet service providers (ISPs), search engines, and financial institutions, among others. SOPA could be described as a battle between Hollywood (the entertainment industry) and Silicon Valley (the Internet industry: Google, Facebook, Twitter, etc.).
</p>
<p>
<em>Originally posted at <a href="http://www.diplomacy.edu/">Diplo's website</a>.</em>
</p><p><em>Written by <a href="http://www.circleid.com/members/964/">Jovan Kurbalija</a>, Founder & Director of DiploFoundation</em></p>]]></description>
			<dc:date>2011-12-18T08:08:00-08:00</dc:date>
			<category>internet</category><category>cyberattack</category><category>cybercrime</category><category>icann</category><category>internet_governance</category><category>security</category>
		</item>
		
		<item>
			<title>Chinese Hackers and Cyber Realpolitik</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20111216_chinese_hackers_and_cyber_realpolitik/</guid>
			<link>http://www.circleid.com/posts/20111216_chinese_hackers_and_cyber_realpolitik/</link>
			<description><![CDATA[<p>For many people the <a href="http://www.cnbc.com/id/45677967">comments</a> made by Michael Hayden, Former Director of the Central Intelligence Agency, at this week's <a href="https://www.blackhat.com/html/bh-ad-11/bh-ad-11-home.html">Black Hat Technical Security Conference in Abu Dhabi</a> may have been unsettling as he commented upon the state of Chinese cyber espionage.
</p>
<p>
I appreciate the candor of his observations and the distinction he made between state-level motivations. In particular, his comment <em>"We steal secrets, you bet. But we steal secrets that are essential for American security and safety. We don't steal secrets for American commerce, for American profit. There are many other countries in the world that do not so self limit."</em>
</p>
<p>
Perhaps I grew up reading too many spy stories or watched one-too-many James Bond movies, but I've always considered one of the functions of government is to run clandestine operations and uncover threats to their citizens and their economic wellbeing. The fact that Cyber is a significant and fruitful espionage vector shouldn't really be surprising. Granted, it's not as visual as digging a 1476 foot long tunnel under Soviet Berlin during the Cold War (see <a href="http://www.coldwar.org/articles/50s/berlin_tunnel.asp">The Berlin Tunnel Operation GOLD (U.S.) Operation STOPWATCH (U.K.)</a>) or as explosive as the French infiltration and eventual <a href="http://en.wikipedia.org/wiki/Sinking_of_the_Rainbow_Warrior">destruction of the Greenpeace Rainbow Warrior</a> in New Zealand, but in today's electronic society cyber espionage is a necessary tool.
</p>
<p>
Personally, I think you'd struggle to find a country or government anywhere around the world that hasn't invested resources in building out their cyber espionage capabilities in recent years. It's a tool of modern statecraft and policing.
</p>
<p>
While the media tends to focus upon the term "cyber warfare" and its many-faceted security and safety ramifications, I think that we often fail to divorce a government's need (or even expectation) to conduct espionage from what would logically be covered by the articles (and declaration) of war. Granted it all gets a bit fuzzy &#8212; just look at the history of the "Cold War". Perhaps a more appropriate name for the current situation and tensions would be "Cyber <a href="http://en.wikipedia.org/wiki/Realpolitik">Realpolitik</a>".
</p>
<p>
China is often depicted as the bogeyman &#8212; rightly or wrongly &#8212; when it comes to cyber espionage. We increasingly find ourselves drawn into a debate of whether attacks which are instigated or traced back to the country are state-sponsored, state-endorsed, socially acceptable, or merely the patriotic duty of appropriately skilled citizens. The fact of the matter though is that there's a disproportionate volume of cyber-attacks and infiltration attempts coming from China, targeting North American and European commercial institutions. You may argue that this is an artifact of China's population but, if that was the case, wouldn't India feature more highly then? India is more populous and arguably has a better developed education system in the field of information technology and software development &#8212; and yet they are rarely seen on the totem pole of threat instigators.
</p>
<p>
Michael Hayden alludes that China (and other countries) is not opposed to using cyber espionage for commercial advancement and profit, and based upon past observations, I would tend to agree with that conclusion. That said though, I don't think that any country is immune to the temptation. Given the hoopla of the recent U.S. <a href="http://articles.businessinsider.com/2011-11-14/politics/30396448_1_stock-market-market-moving-information-trades">congressional insider trading fiasco</a> and <a href="http://www.bbc.co.uk/news/world-europe-16194089">French presidential corruption</a>, I'm not sure that "self limit" approaches work in all cases.
</p>
<p>
Cyber Realpolitik is the world we find ourselves living in and cyber espionage is arguably the latest tool in a government's clandestine toolkit. We could consume a lot of time debating the ethics and outcomes of modern espionage campaigns but, at the end of the day, it's a facet of international politics and governmental needs that have existed for millennia. For those commercial entities being subjected to the cyber campaigns directed at them by foreign governments, I don't believe this threat will be going away anytime in the foreseeable future. Perhaps the noise surrounding the attacks may disappear, but that may just reflect an increase in stealthiness.
</p><p><em>Written by <a href="http://www.circleid.com/members/5583/">Gunter Ollmann</a>, VP of Research at Damballa</em></p>]]></description>
			<dc:date>2011-12-16T16:34:00-08:00</dc:date>
			<category>internet</category><category>cyberattack</category><category>cybercrime</category><category>security</category>
		</item>
		
		<item>
			<title>2012 Security Predictions: APT&apos;s, Mobile Malware and Botnet Takedowns</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/2012_security_predictions_apts_mobile_malware_and_botnet_takedowns/</guid>
			<link>http://www.circleid.com/posts/2012_security_predictions_apts_mobile_malware_and_botnet_takedowns/</link>
			<description><![CDATA[<p>As the weeks remaining in 2011 dwindle and 2012 peeks out from behind the last page of the calendar, it must once again be that time of year for purposeful reflection and prediction. Or is that navel gazing and star gazing?
</p>
<p>
The year still has a couple of weeks to rock on before we can comprehensively summarize the events and trends of 2011. I'm sure there will be a bunch of annual threat reports preempting the end of year &#8212; extrapolating trends etc. in order to get the jump on reports that use real data. At the highest level of navel gazing you could probably sum up 2011 with one word &#8212; "More". The bad guys got richer, more successful, invented a few new attack vectors, and generally grew in numbers; meanwhile the good guys got more efficient at causing the bad guys pain, but continued to be outspent by the bad guys.
</p>
<p>
But let's put that aside for now. What does 2012 hold in store for us?
</p>
<p>
It's easy enough to predict the future when you're merely commenting upon the trends of past years and projecting "more" of the same. While I can offer no shortage of meaningful predictions for 2012 across a broad range of threat and security categories, I thought it would be fun to pick three topics that stole much of the limelight of 2011 &#8212; Advanced Persistent Threats (APT's), mobile malware and botnet takedowns.
</p>
<p>
So, without further ado, here are a handful of predictions for 2012.
</p>
<p>
<strong>APT Bonanza</strong>
</p>
<p>
The volume of persistent attacks directed at large corporations will continue to increase and the victims will continue to feel as though they have been specifically targeted. There will thus be a presumption of sophistication to successful penetrations, which will lead to more organizations concluding that they have been the victim of an APT &#8212; which, after more detailed analysis and external input, will increasingly be revealed as false claims.
</p>
<ul><li>More attacks will be labeled as APT's due to misunderstanding by the victims, or because of an implied "get out of jail" tactic when public disclosure of the breach is mandated by law.</li>
<li>External analysts and security firms will dedicate more time and resources to analyzing breaches that are disclosed as "APT's", and will be more vocal in correcting false claims.</li>
<li>A growing unease will be attributed to the "cry wolf" mentality of labeling breaches as APT's throughout the year.</li>
<li>Real APT attacks will increasingly be lost in the noise of falsely-claimed APT's, and the sophisticated attackers will be able to further obfuscate the intent of their attacks.</li></ul>
<p>
<strong>Mobile Malware threats will continue to be misunderstood</strong>
</p>
<p>
Mobile malware will divide into two streams &#8212; Smartphone malware and tablet crimeware. Both mobile malware streams will be similarly unimpressive from a threat sophistication perspective; however, their criminal intent will direct their evolutionary changes. Tablet crimeware will develop at a faster pace than Smartphone malware in 2012 as the opportunities to defraud potential victims on tablet systems grow more quickly.
</p>
<ul><li>The hype around mobile malware will continue to exceed the threat and the cybercriminals' capabilities in 2012 &#8212; but the cybercriminals and security researchers will strive to meet that hype.</li>
<li>As mobile systems become more usable for day-to-day financial transactions and online stores tune their shopping portals for larger-screened mobile devices, cybercriminals will increasingly target these platforms. This crimeware (and injection vectors) will be more "traditional" and a closer facsimile of current generation PC-based crimeware capabilities than many have projected in the past.</li>
<li>Smartphones, long seen as "the" mobile threat vector and with the longest history of malware abuse (e.g. Symbian-based malware and premium-rate fraud), will technically be susceptible to the same malware as that affecting tablet systems &#8212; but will not be the primary target of attack.</li>
<li>Cybercriminals that develop malware specifically for Smartphones will increasingly target the devices for propagation purposes &#8212; seeking to infect other (traditional) corporate systems and to breach corporate VPN's.</li>
<li>In the corporate realm, the Bring-Your-Own-Device (BYOD) consumerization of IT will entice cybercriminals that target enterprise networks to innovate new attack and propagation vectors. Throughout 2012 new vectors will be theorized and may be developed as proof-of-concept tools, but the hype will be bigger than reality because there are technical hurdles within the operating systems of the mobile devices that have yet to be overcome.</li>
<li>Security conferences of a Black Hat ilk throughout 2012 will uncover and illustrate new vectors that subvert the underlying mobile device operating systems that will be leveraged in the 2013 timeframe for the targeted propagation of crimeware via BYOD.</li>
<li>The traditional invasive and "scary" mobile malware capabilities (e.g. eavesdropping on the victim's calls, tracking the device owner, etc.) will not advance in 2012 and will continue to be potential capabilities rather than primary objectives for attackers.</li>
<li>The first generation of commercial "DIY" mobile crimeware construction and attack tools will be developed and sold by enterprising cybercriminals.</li>
<li>Large scale botnets will not exist on the mobile platforms in 2012. There will be several "proof-of-concept" botnet implementations and theoretical attacks but, from an overall global threat perspective, they will be insignificant.</li></ul>
<p>
<strong>Botnet takedowns will be ineffective</strong>
</p>
<p>
Despite a number of public and media-hyped botnet takedowns in 2011, and the prospect of increased takedowns in 2012, the overall impact on cyber-criminal operations will decrease. In response to the 2011 takedowns, cybercriminals will change some of their management tactics, further distribute their command-and-control (C&amp;C) infrastructure, and invest in improved and more diverse infection vector operations.
</p>
<ul><li>Professional criminals who build and monetize botnets will invest in more robust crimeware distribution technologies and services. The capability to infect 10,000+ computers per day will be more important than the marginal loss of 3-year-old botnets with only a few hundred thousand infected devices.</li>
<li>Botnet C&amp;C infrastructure will continue to become more agile &#8212; flitting between domain names, IP addresses and physical locations at an increasing pace. In 2011 this agility was measured in weeks; by the end of 2012 it will be measured in hours.</li>
<li>Botnet operators will add more layers between themselves and their victims. In 2011 cybercriminals increasingly adopted the use of commercial anonymous VPN services to connect to their C&amp;C servers, and deployed C&amp;C proxies between the botnet victims and the real C&amp;C servers. In 2012 we can expect this trend to continue and there is a high probability that multiple layers of C&amp;C proxies will be adopted to further protect the cybercriminals' C&amp;C investment.</li>
<li>Noisy botnets (i.e. Spam botnets and DDoS) will continue to be the focus of legal botnet takedowns. In response, cybercriminals will in most cases reduce the noise of their botnets and will also further segment their botnets to ensure that the entire botnet is not lost in a single takedown operation.</li>
<li>Botnet takedown attempts will become more "risky" as the takedown entities become more comfortable with the process. Risk will be introduced as the entities pursue remote clean-up and remediation of victim devices.</li>
<li>"Good guy" botnet remediation services will become a commercial reality in 2012. As multiple security vendors and academic institutions focus upon the botnet menace they will uncover more vulnerabilities lying within the heart of both the botnet malware and the C&amp;C portal software. There will be growing pressure to exploit these vulnerabilities for the purpose of usurping control of the botnet from the cybercriminals' hands and to issue appropriate shutdown and uninstall commands directly from the compromised C&amp;C servers.</li></ul>
<p>
I wonder how many of these predictions will come to fruition? I guess we'll find out in 380 days.
</p><p><em>Written by <a href="http://www.circleid.com/members/5583/">Gunter Ollmann</a>, VP of Research at Damballa</em></p>]]></description>
			<dc:date>2011-12-14T06:14:01-08:00</dc:date>
			<category>internet</category><category>cyberattack</category><category>cybercrime</category><category>malware</category><category>mobile</category><category>security</category>
		</item>
		
		<item>
			<title>South Korean Ruling Party Chief Offers Resignation Amidst DDoS Scandal</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/south_korean_ruling_party_chief_offers_resignation_amidst_ddos_scandal/</guid>
			<link>http://www.circleid.com/posts/south_korean_ruling_party_chief_offers_resignation_amidst_ddos_scandal/</link>
			<description><![CDATA[<p>South Korea's ruling party chairman has offered to resign over a cyberattack <a href="http://news.xinhuanet.com/english/world/2011-12/09/c_131297577.htm">reported</a> to have been orchestrated by an aide to one of the conservative party's lawmakers. The move comes after police concluded the distributed denial-of-service (DDoS) attacks on the election watchdog's website on the day of by-elections in October were masterminded solely by a 27-year-old aide to the ruling Grand National Party. The aide has also admitted to orchestrating a similar cyberattack on the website of Park Won-soon, who was elected Seoul mayor in the Oct. 26 elections.
</p>]]></description>
			<dc:date>2011-12-09T12:08:00-08:00</dc:date>
			<category>internet</category><category>cyberattack</category>
		</item>
		
		<item>
			<title>White House Announces Agenda for Game&#45;Changing Cybersecurity R&amp;D</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20111206_white_house_announces_agenda_for_game_changing_cybersecurity/</guid>
			<link>http://www.circleid.com/posts/20111206_white_house_announces_agenda_for_game_changing_cybersecurity/</link>
			<description><![CDATA[<p><img src="http://www.circleid.com/images/uploads/6186.jpg" border="0" width="250" height="333" style="float:right;padding:0 0 5px 15px;" />The United States White House Office of Science and Technology Policy (OSTP) has released a new report titled, <em>Trustworthy Cyberspace: Strategic Plan for the Federal Cybersecurity Research and Development Program</em>, specifying an agenda for "game-changing" cybersecurity R&amp;D according to an official <a href="http://www.cccblog.org/2011/12/06/white-house-unveils-cybesecurity-rd-roadmap/">announcement</a> today. The report is described as "a roadmap to ensuring long-term reliability and trustworthiness of the digital communications network that is increasingly at the heart of American economic growth and global competitiveness."
</p>
<p>
This plan has defined the following as four strategic thrusts:
</p>
<p>
1. Inducing Change &ndash; using game-changing themes to understand the root causes of existing cybersecurity deficiencies with the goal of disrupting the status quo;
</p>
<p>
2. Developing Scientific Foundations &ndash; minimizing future cybersecurity problems by developing the science of security;
</p>
<p>
3. Maximizing Research Impact &ndash; catalyzing coordination, collaboration, and integration of research activities across Federal agencies for maximum effectiveness; and
</p>
<p>
4. Accelerating Transition to Practice &ndash; expediting improvements in cyberspace from research findings through focused transition programs.
</p>]]></description>
			<dc:date>2011-12-06T12:22:00-08:00</dc:date>
			<category>internet</category><category>cyberattack</category><category>cybercrime</category><category>internet_governance</category><category>security</category>
		</item>
		
		<item>
			<title>FBI Warns of Cyberattacks Against Banks &#45; Aided by Variant of Zeus Trojan Called &apos;Gameover&apos;</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/fbi_warns_of_cyberattacks_against_banks_zeus_trojan_gameover/</guid>
			<link>http://www.circleid.com/posts/fbi_warns_of_cyberattacks_against_banks_zeus_trojan_gameover/</link>
			<description><![CDATA[<p>The FBI is warning that computer crooks have begun launching debilitating cyber attacks against banks and their customers as part of a smoke screen to prevent victims from noticing simultaneous high-dollar cyber heists. The bureau says the attacks coincide with corporate account takeovers perpetrated by thieves who are using a modified version of the ZeuS Trojan called 'Gameover.'
</p><p><strong>Read full story:</strong> <a href="http://krebsonsecurity.com/2011/11/ddos-attacks-spell-gameover-for-banks-victims-in-cyber-heists/">Krebs on Security</a></p>]]></description>
			<dc:date>2011-12-01T15:36:00-08:00</dc:date>
			<category>internet</category><category>cyberattack</category><category>cybercrime</category><category>malware</category><category>security</category>
		</item>
		
		<item>
			<title>Water Supply System Apparently Hacked, with Physical Damage</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20111118_water_supply_system_apparently_hacked_with_physical_damage/</guid>
			<link>http://www.circleid.com/posts/20111118_water_supply_system_apparently_hacked_with_physical_damage/</link>
			<description><![CDATA[<p>According to <a href="http://krebsonsecurity.com/2011/11/cyber-strike-on-city-water-system/">press reports</a>, a water utility's SCADA network was hacked. The attacker turned a pump on and off too much, resulting in physical damage to the pump. This is an extremely significant incident, for three reasons:
</p>
<ul><li>The attack actually happened.</li>
<li>Ordinary, off-the-shelf hacking tools were used, rather than something custom like Stuxnet.</li>
<li>Physical damage resulted.</li></ul>
<p>
Arguably, the first point is the most important one. For years, security specialists have been warning that something like this could happen. Although more and more people have started to believe it, we still hear all of the usual reassuring noises &#8212; the hackers don't know enough, we have defenses, there are other safeguards, etc. That debate is now over: we have an existence proof. All future debate has to start from this fact: the threat is real. We can argue over magnitude, but not over the possibility.
</p>
<p>
The second noteworthy point is that it didn't take the cyberwarfare unit of a major nation-state to break in. ("Nation-state"? Are there that many city-states around today that we need to describe which kind of "state" we're worried about? Or is the qualifier intended to distinguish it from nations that aren't states?) Reports point to ordinary vulnerabilities in standard web software.
</p>
<p>
Finally, the attack caused physical damage to a water pump. It's not enough to wipe the disk of the compromised computer and restore from backups; instead, you have to acquire and install new hardware. This is the really scary part about attacks on SCADA systems: the defenders almost certainly have less replacement hardware than they would need in the event of a large-scale, focused, malicious attack.
</p>
<p>
Exactly what happened here is not yet completely clear. The implications, though, are scary.
</p><p><em>Written by <a href="http://www.circleid.com/members/3631/">Steven Bellovin</a>, Professor of Computer Science at Columbia University</em></p>]]></description>
			<dc:date>2011-11-18T16:28:00-08:00</dc:date>
			<category>internet</category><category>cyberattack</category><category>security</category>
		</item>
		
	</channel>
</rss>
