As I read the discourse, I can't help but realize that cyberwar is the new front.    What I find striking about China attacking the NY Times is why?    CCTV does some great work with a Worldwide audience which puts American Media (including the mighty New York Times) to shame.  I can understand attacking companies for their IP (products/etc.).   I am enough of a realist to realize that the "real world" is different.  A friend of mine had his personal computer hacked from Germany as they began stealing from his computer and he engaged an Indian Hacking Firm that tracked them down to basically save his computer.

The key is being prudent....but is prudence enough, though?  

I remember one of the big security vendors--McAfee?--saying that you could divide the Fortune 500 list into companies which had been hacked, and companies which didn't yet know they'd been hacked.

I guess that includes the Chinese companies?

Isn't that the theory behind the upcoming movie, World War Z? Not that we need a movie to play upon these fears of what, I am sure, is already being worked on.

Cyber-attacks become truly effective when coupled with conventional attacks. 

Imagine a cyberattack taking out the power grid? Expensive, and dangerous for people who need power to survive, but the power grid goes down every once in a while and it's not a national catastrophe. 

Now imagine 9/11 with the power, phones, and Internet connectivity all out on Manhattan, taken out by a cyber-attack that was coordinated with the physical strikes. 

Or, rather, don't imagine it. 

China seems to be the first suspect in any corporate attacks these days. 

Has there been hard evidence linking the attacks with China, or is it all speculation?

Ultimately, that's a question of law rather than technology. Technology only makes us safe when it's deployed within a sound legal framework. 

Michael --

Especially one that -- allegedly! -- has a habit of hacking journalists' computers.

I've got some embarrassing cat pictures on mine that I wouldn't want everyone to see. 

Actually, I might as well get proactive here and get out ahead of this thing, just in case. 

I confess: I take an embarrasing number of pictures of my cats. And I have five cats. I can't stop myself from adopting cats. The vet bills... the cat littler... the scratching... it's an ugly truth. I'm turning into a cat lady. I've been trying to keep it a secret. I don't have as many people over as I used to. It's starting to interfere with my work -- the cats sit on my keyboard, sleep on my laptop, knock papers to the floor, spill my drinks on everything.

I'm joking now (well, okay, not so much funny ha ha but sad), but when I was based in China I took a serious effort to keep politically sensitive stuff off our computers, and out of our office. If we needed to report something on China that might have caused us problems, I assigned it to reporters based elsewhere -- in India, for example. China does not have a good track record dealing with critical reporting.

Paul --

There are state-by-state rules, which differ in every state, for disclosing attacks that lead to the loss of private information such as credit card and social security numbers and medical records.

There is also guidance from the SEC that companies must disclose breaches that might have a substantial financial impact. 

However, if, say, a company loses a laptop full of sensitive information and it is encrypted, it doesn't need to report it to anybody, since the thieves can't do anything with the data. 

There are organizations that gather breach reports in strict confidence, either as part of general security research, or for the purpose of catching the hackers. But participation is voluntary. 

The Ponemon Institute released a study in October, in which they reported:

"The companies participating in our study experienced 102 successful attacks per week – or 1.8 successful attacks per organization. In last year's study, an average of 72 successful attacks occurred per week."

That's almost two attacks, PER WEEK, PER COMPANY, that were successful. We don't hear about the vast majority of these.

Full report here:

http://www.ponemon.org/library/2012-cost-of-cyber-crime-study

Making assumptions has started more controversy and physical harm than just about anything else. I guess one would want to be careful with a country that holds trillions of dollars of our debt. 

Michael --

You're right, there should be an "alleged" there.

And, at the end of the day, we might never know with 100 percent certainty.

However, there are certain reasons why hackers hack.

1. For financial gain. They hack to steal credit card numbers, or to take over your computer to create a botnet for sending spam.

2. As a protest. Cyberactivists might vandalize a site, for example, or shut down a site with a distributed denial of service attack, in order to protest something or make a political point. 

3. To steal information.

Most hackers fall into the first category, and crooks can be found in any country. But the New York Times hack didn't seem to have financial gain in mind.

With New York Times being a high-profile site, it could have been a protest attack, but then someone normally takes credit for it, wants to make a public splash. There was no defacing here, 

So we look at the information stolen, which relates to some sensitive coverage of top Chinese leaders -- and there aren't too many groups outside the Chinese government that might be interested in this.

By conflating all these different types of hacking, the Chinese authorities are trying to muddy the waters here. 

And, given the publicity that came out of this particular attack, I would expect future government-sponsored hacking attempts to be disguized as one of the other types of attack.