Once a month, cybersecurity lawyer Paul Haswell gets a call from an Asian company with the same question: “We’ve been hacked. Who do we need to tell?”
More often than not, his answer is “no one.” The client will hang up before Haswell can urge them to go public.
“There’s no uniformity across Asia — some countries don’t even have a law,” said Haswell, a Hong Kong-based partner at Pinsent Masons. “In mainland China, security is the lowest priority.”
In an era where more and more data is stored online and attacks are discovered with alarming regularity, the lack of reporting mechanisms means there is no telling how often or how much personal information is taken from databases in Asia.
That veil of secrecy obscures an unsettling reality. Companies in the region are targeted 35 percent to 40 percent more than the global average, according to FireEye Inc, which helps clients investigate and fend off cyberbreaches. Law firm DLA Piper estimates Asian institutions are twice as likely to be targeted.
Asian corporations and governments are easier targets because they invest less in security and share less with regulators when victimized than firms in other countries, in part because of longstanding tensions with their neighbors, cybersecurity experts say.
The US has accused China, which is embroiled in territorial and political disputes with several of its neighbors, of being the source of many large-scale attacks.
China has repeatedly denied the allegations, saying that it, too, is a victim of hacking attacks and it makes every effort to maintain cybersecurity.
The Chinese Ministry of Foreign Affairs did not immediately respond to questions faxed on Friday last week about the accusations, the importance the Chinese government places on cybersecurity, requirements for reporting breaches, and the steps the government is taking to monitor and prepare for attacks.
A lack of laws mandating disclosure may be abetting recent attacks.
“The culture of silence regarding cyberattacks in Asia serves as fuel to the guild of thieves who operate with impunity in the region,” said Tom Kellermann, chief cybersecurity officer at security software developer Trend Micro Inc. “The deep-seated historical mistrust in the region undermines true collaboration.”
If attacks are not disclosed, hackers are free to use the same techniques repeatedly. Apart from the resultant theft of intellectual property and personal data, perpetrators can exploit holes in Asian security to then infiltrate networks in other regions.
They “are conducting ‘island hopping’ as they leapfrog from one insecure network into another,” Kellermann, who is based in Washington, said in an e-mail.
Security breaches cost the global economy more than US$400 billion annually, the Center for Strategic and International Studies estimates, with Asian nations among the most hurt as a percentage of their respective GDP.
“Criminals know there’s a gap: laws and regulations tend to lag, they’ll do their market scanning and then they attack,” said Noboru Nakatani, executive director of the Interpol Global Complex for Innovation in Singapore, which fights cybercrime. “Unfortunately, cybercrime cases in Asia will be going up and as more people use the Internet, there will be vulnerability.”
Cybersecurity took center stage at the seventh US-China summit in June, cementing its place at the top of the political and economic agenda. Both sides have pledged to improve cooperation.
Most companies do not have the legal obligation of their counterparts in the US and some European nations to disclose when hackers steal personal information.
That means about 42 percent of the world’s Internet users — or 1.4 billion people — remain in the dark about just how much of their sensitive data has been or will be purloined: information that could aid identity fraud or theft.
There are no specific penalties for failure to comply with Chinese government guidelines on notification, which include the need to report cases where there has been a leak of personal information, according to the World Law Group, an international network of independent law firms.
However, there might be penalties or fines when such breaches cause material damage or losses, especially in sensitive areas such as telecommunications or Internet services, said Mark Schreiber, a partner with Locke Lord LLP in Boston.
India has no legal obligations for companies to publicly disclose data breaches, though there are requirements to inform regulators and affected parties, World Law Group said. Hong Kong follows guidelines issued by the data privacy commissioner, yet has no legal obligation to disclose hacking. In Japan, there is no clear legal obligation. In South Korea, there is an obligation to disclose some types of hacks only if more than 10,000 individuals are affected.
In contrast, companies in the US face greater pressure to come clean the moment they confirm that user data has been accessed, particularly with the recent proliferation of malware, such as ZeuS. Cybersecurity experts credit tougher regulations and the risk of costly lawsuits. Government agencies or state attorneys-general can levy fines for delayed notification, the World Law Group said.
“The vulnerability is the same in Asia as in the US and Europe,” said Bryce Boland, Asia-Pacific chief technology officer for FireEye. “What’s different is, in Asia there’s essentially no disclosure requirement.”
Asia is often depicted as the source of attacks, yet of 19 heavily targeted nations monitored by Trend Micro last year, 10 were Asian. Japanese, Taiwanese and Philippine companies have been dealing with a crime wave, Kellermann said.
Part of that comes down to politics, as China spars with the Philippines and Japan over territorial claims in the East and South China seas, or as Hong Kong clamors for more freedom.
“As tensions heat up in Asia, whether it’s conflict between China, Taiwan, Korea, Hong Kong or maritime disputes, where we see real world tensions, we see cybertensions as well,” FireEye chief technology officer Grady Summers said. “It’s not an exaggeration to say that any organization that has got interesting data, especially to the Chinese government, is probably fending off attacks on a daily basis.”
In Asia, 55 percent of employees think their organization is fully prepared to protect itself against cyberthreats, according to an Ernst & Young LLP survey of 1,508 people in February.
Asian companies and governments are waking up to the threat.
Kellermann points to the Interpol information center in Singapore as a model for battling cybercrime via public-private collaboration.
Yet customary practices play a role in the lack of disclosure. Regulators tend to investigate privately and go public only once action is taken, sometimes long after the breach has occurred, Taylor Wessing lawyers Rizwi Wun and Jack Ow wrote in January.
Singapore’s central bank took regulatory action against Standard Chartered PLC over how it handled the theft of wealthy clients’ data, though details have not been made public.
The bank referred questions to the Monetary Authority of Singapore, which said last year that it did not generally disclose details of supervisory actions.
Fair Isaac Corp released a survey on Monday of 34 senior Asia-Pacific banking executives in which 64 percent of respondents said they felt unprepared for a cyberattack and only 41 percent said they had a plan in place to respond to a data breach.
Sony Corp faced criticism in 2011 from gamers and US lawmakers for a delay in revealing the scope of an “external intrusion” into its PlayStation network that eventually morphed into one of the largest cyberattacks at the time. The investigation took time and there was no evidence that the lag allowed attackers to abuse credit card or personal information, Sony spokesman Masaki Tsukakoshi said.
Financial institutions have to disclose hacks to regulators. That does not cover the misappropriation of other types of data that can be just as valuable to criminals looking to create fake identities, or even to companies looking to pilfer clients.
Personal information enables criminals to perpetrate fraud or launder cash, said Jonathan Fairtlough, a former Los Angeles prosecutor who now heads cyberinvestigations at Kroll Inc.
“The best thefts are cons, where you are tricked and voluntarily hand out the money,” he said.
China is a tempting target because of the boom in platforms that tie e-commerce with electronic wallets and other data.
Alibaba Group Holding Ltd is investing in Israeli cybersecurity start-ups to protect its payment business after a 2010 hack which did not manage to gain access to user data. JD.com has not had any data breaches, spokesman Josh Gartner said in an e-mail.
Publicly traded companies should have a duty to disclose because hacks are like a “community health issue” that can spread faster because of secrecy, Boland said.
It is not clear whether governments around the region have the incentive to tighten disclosure regulations, experts said.
“We could almost do with a high-profile case like a Sony or Target to raise awareness,” said Haswell, referring to two of the biggest cyberattacks in US history.