The New York Times' acknowledgment in its Thursday editions that Chinese hackers carried out sustained attacks on its computer systems should be a wake-up call to any company around the world that trades in information, according to computer security experts.
"When you're dealing with an adversary with significant resources like the Chinese -- or the United States, for that matter -- you need to take some pretty extreme steps," said Chris Soghoian, principal technologist for the American Civil Liberty Union's Speech Privacy and Technology Project.
"Off-the-shelf antivirus software is not going to be enough."
That's because consumer antivirus software from business-supply stores such as Staples will not protect computer owners from state-sponsored actors, he said. "Staples, hopefully, will protect you from a scammer trying to steal your bank account, or a Russian criminal gang trying to put a key logger on your computer. There is no commercial software that is going to keep you safe from a determined government," Soghoian said.
According to The Times, the cyberassaults took place over four months, beginning during an investigation by the newspaper into the wealth reportedly accumulated by relatives of the Chinese premier, Wen Jiabao.
The Wall Street Journal reported on Thursday that its computer systems also had been infiltrated by Chinese hackers. The hackers were monitoring the newspaper's China coverage, according to a written statement from Paula Keve, chief communications officer for parent company Dow Jones & Co.
"Evidence shows that infiltration efforts target the monitoring of the Journal's coverage of China, and are not an attempt to gain commercial advantage or to misappropriate customer information," it read.
"If you're a newspaper focusing on issues that are going to upset governments, then you need to invest in security as well," Soghoian said.
Chinese authorities responded to the Times' reports on Wen's family members by blocking access to The Times' website in mainland China.
The Times said that it had worked with computer security experts to monitor, study and then eject the attackers. It said that by following their movements, it aimed to "erect better defenses to block them" in the future.
Such efforts are becoming more important as the incidence of hacking appears to grow, Soghoian said.
"The first thing you do is make sure that everything you have is encrypted both in storage or transmission," he said. That way, if a reporter leaves a laptop in a hotel room in Beijing and the police try to copy it while the reporter is out of the room, it is protected, he said.
But such efforts are not cheap. "You have to hire a bunch of internal security people," he said. "But if you're the newspaper of record and you're talking to whistle-blowers who would go to jail or be tortured or arrested if they talked to you, then you need to take adequate steps."
The same message applies to any journalist who talks to sensitive sources, particularly in government, in the intelligence or defense communities, he said. "Those journalists need to take real steps, take significant steps to shield the identities of their sources."
Soghoian said that, in his experience, few reporters appear to meet that standard. "Most journalists don't know much about digital security," he said. "The number of journalists that I communicate with using encrypted e-mails I can probably count on one hand. The number of journalists who would even know how to open an encrypted e-mail is not something to feel confident about."
Stories about China are not the only ones that reporters should be cautious about, said Peter Toren, a partner in the Washington law firm Weisbrod Matteis & Copley and a former prosecutor with the computer crime and intellectual property section of the Department of Justice.
"Certainly, if I'm writing a story that implicates somebody who is sophisticated in computer hacking, I would be concerned," said Toren, whose expertise includes the area of economic espionage. His feeling is that the incidence of such attacks is growing, but he acknowledged that it's impossible to quantify.
"You only really find out about it when people are caught, and a lot of organizations don't necessarily report the hacks or the successful intrusions because they don't want to be embarrassed."
Toren added, "I think just the mere fact that the New York Times admits they were the victim of hacks is something new."
Law firms are also frequent targets because they tend to take fewer security precautions than do the companies they represent, "and law firms are in possession of some important information," he said.
In response, he said, the FBI met last year with security experts at some of New York's largest firms to help them beef up security.
The threat extends to any organization in which information that is worth money is stored on computers -- "which is just about every organization and every business," he said.
Prosecutions for hacking are rare and almost impossible to win when an attack is launched from outside the United States, a fact that the hackers exploit, he said. "It's just as easy to hack into an American computer from China as it is from Washington, D.C., given that there are no boundaries in cyberspace."
One reason companies can get into trouble is because employees are often easy to victimize, said Hemu Nigam, an Internet security analyst and founder and CEO of SSP Blue, which advises companies on Internet security.
"Your security is as good as your weakest link in the company," said Nigam, who is a former chief security officer of News Corp.