The New China Syndrome: The Board’s Nightmare
The film ‘China Syndrome’ was fanciful but the New China Syndrome – Industrial Scale Espionage – is deadly serious. Yet most CEOs blithely flick cyber security to their CIOs. Find out why, in 2019, boards must change this.
‘Anything but far-fetched’
The 1979 film starring Jack Lemon, Jane Fonda and Michael Douglas was a far-fetched concept: a nuclear reactor meltdown that burnt through containment lines deep into the earth.
The New China Syndrome is anything but far-fetched. It’s real and now: the meltdown of containment lines that protect the world’s most valuable data – using deliberate, orchestrated Industrial Scale Espionage.
How big is ‘Industrial Scale’?
Late in 2018, the US Department of Justice charged two Chinese nationals with being part of a 12-year campaign sponsored by the Chinese government against the US. The tally included the alleged theft of information from 45 US tech companies and government agencies. That’s quite a haul but, of course, US agencies have been spying on China for just as long.
The two spies were part of China’s Elite APT10 hacking group which, according to Computerworld, ‘is associated with “Operation Cloud Hopper”, a sustained effort to compromise the security of major managed service providers to access the IP and data of both the MSPs and their customers.’
If you were a managed services customer and your data included your IP or strategic plans, would you feel a bit more than compromised?
There’s no prospect of an end to this state-backed espionage; arresting a few spies will make no difference. According to Stratfor, ‘China has found that it is cheaper and quicker to simply steal what it needs.’ Not a comforting thought.
Just a Fight Between Heavyweights?
It’s tempting to see it that way, but that’s a soothing fantasy. ‘[The campaign] is audacious, it is huge and it impacts potentially thousands of businesses globally,’ head of Australia’s Cyber Security Centre, Alastair MacGibbon, told News Ltd last year. He added that a number of Australian companies had been affected and notified by authorities in 2016 and 2017.
Cyber theft in Australia is not new. Remember the panic back in 2012, when the blueprints for the AU$631 million, ultra-modern, ultra-secure new home for ASIO were hacked from a contractor’s computer? The hackers gained access to the lot: floor plans and the locations of communications cabling, servers and security systems.
If our top security agency is so easily cracked, what hope does anyone else have?
Australia: Asleep at the Wheel?
You’d think that the ASIO hack would’ve served as a wake-up call for Australia to take espionage seriously.
Yet, three years later, the NT government sold the Port of Darwin to a state-owned Chinese company. US President Obama, preoccupied with Beijing’s forays into the South China Sea, only heard about it on the news. When he demanded an explanation, the Australian Prime Minister laughed off the security implications and suggested Obama should subscribe to the NT News. More Here.
The 2017 sale of 49% of London-based Aldersgate Investments didn’t ring alarm bells either. It should have, since Aldersgate is the parent company of Global Switch, the owner of two high security data centres in Sydney that hosted classified Defence and Intelligence information. The Defence Department quietly moved its sensitive files to another data centre.
Not just Government Targets
If you think you’re safe because you’re non-government, think again.
2018 saw a surge of cyber attacks on Australian companies, according to The Sydney Morning Herald, breaching an agreement struck between Premier Li Keqiang and then prime minister Malcolm Turnbull. A senior Australian government source described China’s activity as ‘a constant, significant effort to steal our intellectual property.’
It’s not just China and what she steals. Other states are at it too, like Korea and Russia. But there is a bigger threat: the tools they use to steal.
Developed by enterprising ex-spooks, these sophisticated cyber warfare toolkits are for sale to any entity willing to pay the price. Two vendors of such kits are NSO (Israel) and Dark Matter (UAE).
Armed with such tools, hackers can target specific executives, infect their phones and extract whatever information they want.
That’s just the beginning. Of the Pegasus kit from NSO, a 2018 report said: ‘They can even surreptitiously use the phone’s microphones and cameras to view and eavesdrop on their targets.’ This adds a whole new dimension to cyber-espionage: relatively affordable tools any rogue state or person can use.
So, if your CEO’s mobile phone is lost or mislaid, how sure can you be that it was an accident?
Fighting Drones with Moats
A recent Ponemon Institute survey found that 1 in 3 companies can’t protect themselves from data breaches. The reasons? Too few staff, challenges with patch management, lack of visibility into complex networks and avalanches of security alerts. Yeah, yeah.
These reasons aren’t going away; they’re only going to get harder to defend.
Considering that these are breaches of any kind, what if someone specifically wanted to target your organisation? Employee mistakes are your biggest vulnerability (see at right), especially from phishing attacks, yet no firewall or ant-virus software is going to help you.
Focusing on perimeter security these days is like digging a moat when your enemy is using armed drones.
Modern cyber attackers are cunning and patient.
They don’t need to announce themselves by storming the battlements. They use long term, stealth strategies like Advanced Persistent Threats using phishing attacks as the opening, unseen act. Then, they quietly have their way with your organisation’s data and you won’t know for months or years, if ever.
Who’s Responsible for Cyber Security?
It depends on whom you ask. Ask most CEOs and they’ll say it’s the CIO’s job.
Many CIOs don’t see it that way.
A recent survey by McAfee asked CIOs and CISOs two questions: ‘Who do you think should be accountable for cyber security?’ and ‘Who do you think cares least for cyber security?’ Nearly half answered ‘the CEO’ for both.
It’s no wonder CIOs are under pressure and one of their biggest hopes is to be out of security altogether, according to a Ponemon survey cited by McAffee CTO, Ian Yip.
This survey sums up the thinking thus: ’I am not being given what I need to solve this problem’ and ‘until I get that this is a really stressful problem. I’m not able to sleep at night and I am getting all the blame’.
Sound like fighting drones with moats?
What can you do?
Back in 2013, Bloomberg trumpeted the Chinese hacking problem with its hard-to-miss cover headline at right. That was six years ago. (Image: Bloomberg Businessweek February 24, 2013)
More recently, Yip from McAfee felt that the message was getting through, a bit anyway: ‘Boards are becoming increasingly aware that cyber is a problem but being educated about it is a whole different issue’.
So, some boards are getting the message, but how many are putting it into practice? Are you?
The best way to ensure the right employee behaviour is with radical culture change and regular training: showing them how to spot phishing emails, how to use the right tools to segregate sensitive data, how to protect their mobile devices and why it’s critical to only use secure file-sharing platforms.
In the meantime, while you wait for cultural change to trickle down, here are the practical steps boards need to make sure are being taken. If you do, you’ll have fighting chance of protecting your organisation’s most valuable data. The reverse is also true.
1. Limit who has the keys
You need to get serious about access privileges.
Known as the ‘keys to the kingdom’, privileged access will literally ‘Open Sesame’ if cracked, so you need to allocate it with caution. In most organisations, IT admins allocate privileges based on position, so the CEO and his direct reports end up with access to the lot. What if his phone is stolen or his EA is victim to a sophisticated phishing attack?
The Chinese found their way into ASIO through a mere contractor. Your CEO and his or her EA aren’t obscure; they are the hackers’ top two targets for your organisation, so you need to think about how much access they really need. That doesn’t take everyone else off the hook either; other C-levels, Board Members and Senior Advisors are just as vulnerable.
Also, your CEO should know about the principle of ‘least privilege’ or limiting privileges on a need-to-know basis. This way, employees are only granted the access privileges they need to do their jobs, and nothing more.
2. Split up sensitive data
Or it’s better to lose a bit rather than the lot.
‘Compartmentation’ is a principle that goes back to Ancient Greece, where critical military data was split between individuals, in case any of them were captured and tortured.
It’s been used ever since by Military and Intelligence Communities as the most effective way to minimize risk, by splitting critical data into many separate compartments.
More recently, compartmentation was one of four key points James Clapper listed as critical for enterprise security: ‘Segment your data,’ the former Director of US National Intelligence advised enterprise security specialists. ‘A single breach shouldn’t give attackers access to an entire network infrastructure and a mother lode of proprietary data.’
In the context of Chinese or other foreign hackers, losing a few trinkets is a lot less painful or humiliating than losing all of the kingdom’s Crown Jewels.
3. Forget remote wiping
Smart phones and tablets might be convenient but they’re also the devices most vulnerable to loss, theft and hacking. About 200,000 mobile devices are left in London cabs alone every year, mostly accidental, one hopes.
Many CIOs put their hopes in remote wiping software to stop sensitive or private data falling into the wrong hands, but it’s moats and drones again: remote wiping doesn’t work if the device is turned off or disconnected from the internet. That’s the first thing the ‘the wrong hands’ would do with a stolen phone, especially if it were a targeted theft.
The best way to protect sensitive data is to protect it, not attempt to wipe it when it’s too late. That means applying Intelligence Community principles like compartmentation and encryption key protection.
4. Hide the keys
It’s not just privileged access that can give the kingdom away; it’s the encryption keys that are supposed to protect the stored data on the mobile device.
Many CIOs put their hopes in encryption to protect sensitive data, yet choose systems that store the encryption keys on the device. They also don’t protect the device’s cache, which can be a treasure trove of recent material.
For a board member or C-level executive’s phone, that’s like putting the keys to the device and the kingdom together, directly into the wrong hands.
To get around the issue of keys stored on the device, use a system that derives the user authentication and master encryption keys from a user-entered vault key, so no key or key component needs to be stored on the device, or anywhere. With other security measures below, you can make the device virtually uncrackable and be sure the data is safe.
5. Secure the data
Browser vulnerability is another issue; saved passwords and browsing histories are gold nuggets for hackers.
The prudent way to get around these issues is to avoid browsing and to lock up any sensitive data, if stored on the device. This means using a multi-encrypted file transfer tunnel to access sensitive data, to bypass device caching, and to protect data saved on the device with double encryption (file-level and device-level). A further safeguard is to automatically destroy the data path and data vault if there are failed access attempts.
The Bottom Line: cyber-espionage isn’t going away
There are many ways to make your organisation an unrewarding target for hackers. But if the CEO isn’t interested and the CIO doesn’t have the right tools, it will be up to the board to get change happening.
It’s a matter of using the best technology to secure your data, supported by a strong corporate culture where all staff, from receptionist to CEO, are aware, trained and committed to being part of your cyber security defence. Culture change starts at the top and the board needs to stand up and make protection of your organisation’s valuable information a priority.
If you’d like to protect your organisation better, contact us.