By Shyam Sankar and Gabe Rosen

The Internet is the new Wild West, a frontier big enough for every pioneer and outlaw to roam free. Today, The New York Times revealed that hackers in China had spent the last four months infiltrating its computer systems and pilfering employee passwords. As in the old West, it’s not a question of if you’ll be hit — but when and how. Online, primitive DDOS attacks rain down like arrows, while artful hackers can steal the data equivalent of 5,000 head of cattle before any breach is detected. There’s no choice but to defend the homestead as best you can – and retreating to civilization is no longer an option.

According to Mandiant, the infosec firm that conducted the investigation, the Times was first compromised on September 13. The attackers established at least three backdoors and installed 45 pieces of malware, only one of which was detected by Symantec security software. After two weeks, the attackers found the domain controller that contained all staff passwords. Times executive editor Jill Abramson maintains there is “no evidence that sensitive emails or files” were accessed, yet the investigation found that the attackers “created custom software that allowed them to search for and grab [Times journalists] Mr. Barboza’s and Mr. Yardley’s e-mails and documents.”

As the TED Blog recently recounted, we know a bit about this sort of thing at Palantir. Our platform was used to investigate “GhostNet”, a Chinese cyber espionage network. In 2008, an unnamed country received an email from China warning them not to host the Dalai Lama for a scheduled visit. The email was startling because this visit was not public knowledge. The country sought to find out how this sensitive information had been leaked. Not only the Dalai Lama’s personal computer been hacked, but 1,300 computers across the globe had been infected in the same way. This network had been operating for two years without notice.

Naturally, when we heard about The New York Times hack today, we looked for parallels. The Dalai Lama’s office was infiltrated by “spear phishing” — where hackers research a person and create an email, with an attachment, that looks like it came from a confidant. Spear phishing is suspected, though not confirmed, in the Times attack. Like GhostNet, the Times attackers covered their tracks through intermediaries in numerous countries, and employed remote access tools (RATs) and malware. The attacks also appear related to Chinese political sensitivities, though the exact loyalties in play are murky.

While it’s important to resist easy conclusions, Occam’s razor and common sense shouldn’t be ignored. The difficulty is that positive attribution is rare in cyber warfare, so when something looks like the work of someone who was never actually identified, it may not be exceptionally meaningful. As open-source sleuth Jeff Carr points out, there are several doubts. Beijing’s time zone includes numerous other cities. The attacks were ultimately traced to Chinese IPs, though their geo-locations encompass millions of people. The attackers used RATs, but these are widely available and hardly confined to China. According to Richard Bejtlich, Mandiant’s chief security officer, “When you see the same group steal data on Chinese dissidents and Tibetan activists, then attack an aerospace company, it starts to push you in the right direction.” Given the vast spectrum of potentially interested parties, it’s a very general direction – but it’s a start nonetheless.

The lack of clear answers notwithstanding, Mr. Bejtlich is certainly correct that cyber defense “requires an internal vigilance model.” You have to sleep with one eye open, and preoccupation with one mode of attack leaves you vulnerable to others. As in the old West, it’s essential to make common cause with your neighbors, however distant. During the recent spate of suspected Iranian DDOS attacks, two global Top 20 banks shared threat data in real time with each other as well as US law enforcement, and collaboration across public/private lines is essential to countering the matrix of state and non-state combatants.

Above all, we need to adopt a Wild West approach of our own. The sheriff’s only hope is to become as swift, resourceful, and adaptive as the outlaws.

Shyam Sankar is the Director at Palantir Technologies. He gave the TED Talk “The rise of human-computer collaboration” at TEDGlobal 2012, as well as the talk embedded above at TED2010. Gabe Rosen works in Business Development at Palantir.

Below, in a TED Blog exclusive recorded at TED2010, Sankar explains how his company, Palantir Technologies, helped create software to solve a mystery: Who hacked the Dalai Lama’s email?

Here is the story.

In 2008, an unnamed country received an email from China warning them not to host the Dalai Lama for a scheduled visit. The email was startling for a single reason: The upcoming visit was not public knowledge yet. And so the country brought in a team of data experts to find out where the message had come from and how this sensitive info had been leaked. The team used Palantir’s data analysis tools to help crack the case.

As it turns out, the Dalai Lama’s email had been targeted by spies using a practice known as “spear-fishing” — in which hackers do research on a specific person to create an email that looks like it came from someone they know well. The email includes an attachment that, if opened, gives hackers access to the target’s computer without their knowledge. As Sankar explains, hackers can not only read your email, export documents and send emails as you — they can even turn on your webcam and hear every word you say.

In this case, the hackers had downloaded negotiation documents off the Dalai Lama’s computer.

“These guys literally took the goods while sitting at home in their pajamas,” says Sankar in the talk.

But in the hands of a team of human data experts, Palantir’s technology helped showed something even more sinister at work. About 1,300 computers in 103 countries had been infected in the same way. The computers belonged to both individuals and companies with interests in Southeast Asia. And this network had existed for a shocking two years before it was made visible.

It’s a story that should warn us all to be very careful when it comes to opening attachments.