Earlier this week David Cameron signed a deal designed to elevate the Indo-British relationship to an “unprecedented level of co-operation” on cyber security issues. It came as part of the PM’s three-day trade mission to India and is certainly to be welcomed, but the agreement also implies some rather worrying things about the cyber readiness of the country’s big outsourcing firms.
The deal will essentially mean two things. Firstly, UK technical know-how and expertise in the cyber security sphere will be shared with Indian outsourcers, essentially to help protect the vast amounts of data from UK consumers and businesses which are now held on servers in the country.
Secondly, the agreement will see the two countries share relevant threat intelligence in order to thwart attacks on their systems, whether they’re coming from the UK, India or elsewhere.
Now, as mentioned, any kind of international co-operation on cyber threat protection is a step in the right direction, and Cameron certainly can’t be faulted for his assertion that “other countries securing their data is effectively helping us secure our data”.
My surprise is that big name outsourcers like Wipro, HCL, Mahindra and Infosys – firms which have built their business presumably on the quality (and security) of their BPO offerings – need an extra hand.
Any CIO worth his salt would surely relegate to the scrap heap a potential outsourcing provider who could not satisfy his or her list of pre-determined security requirements.
Sure, the smaller outsourcers will benefit most from this deal, but the big boys too?
Well, yes, according to Forrester’s New Delhi-based analyst Katyayan Gupta.
“Even larger Indian firms like Infosys, TCS, etc. will also benefit because now they will have an additional layer of security against cyber criminals,” he told me.
“This is not to say that these firms do not have good security right now. But the question really is – is it enough to keep all attackers out? Probably not.”
Now I know in this age of APTs and highly targeted attacks no firm can claim to be impervious, but it’s slightly worrying when those with huge resources – in an industry where reputational damage following a data breach could hit hard – are apparently getting expertise flown in from the UK that they haven’t obtained anyway.
Also, as Gupta argued, the deal will still do nothing to stop perhaps the biggest threat to UK data residing on these firms’ servers: corrupt insiders.
It may be time to revisit those SLAs.
In a startlingly refreshing display of honesty, RIM CEO Thorsten Heins has come out and said the firm is steering clear of China when it comes to manufacturing to reduce the risk of IP theft which could cripple its business.
It’s a bold statement, given that in my experience most tech firms – and even analysts – are very reluctant to discuss China in anything approaching critical terms, especially when cyber security is mentioned.
It’s certainly a valid point. I’ve reported in the past for The Register on how many multinationals are suffering IP loss from their Chinese business units.
As RIM is teetering on the brink financially and seems only to be able to differentiate competitively from its rivals by virtue of the superior security capabilities of its handsets and infrastructure, any breach would be a huge blow.
That’s not to say it is necessarily safer anywhere else, but eliminating China from the supply chain could be a wise move.
Kenny Lee, a forensics expert with Verizon Business, sat down with me on Thursday to explain what hacking activity he’s seeing inside Hong Kong and Chinese firms.
Interestingly, while he did admit there was a fair amount of “low level” IP theft from firms in the region, mainly due to employees looking to set up their own businesses, there is a more insidious data leakage problem – technology transfers.
These agreements are usually foisted on foreign multinationals wanting to expand into China. The deal is that they have to partner up with a local Chinese firm by law to sell into the country’s huge market, and in doing so will usually need to share IP with them.
After a certain point, Lee explained, the Chinese partner usually has enough knowledge to pull out of the venture, having sucked all the IP it needs from its foreign partner.
There’s the rub for foreign firms such as BT, who can’t gain direct access to the market but equally reject the idea of handing over their hard-earned IP.
There’s no chance of things changing from the top anytime soon, so foreign firms will continue to have to weigh the risks and make that judgement.
This week we saw more news emerge of the escalating tit-for-tat cyber attacks apparently being launched by actors sympathetic to the Philippines and China over a naval stand-off in the South China Sea.
Scarborough Shoal – also known as Panatag Shoal or Huangyan Island – is the region long disputed by the two countries, and things got serious earlier this month after Filipino navy officials tried to arrest Chinese fishermen operating in the area but were stopped by Chinese surveillance boats.
Cue a barrage of cyber attacks on Philippine government and university web sites by apparent Chinese hackers, and then reprisals from the other side.
It’s pretty basic stuff, site defacement and DDoS attacks designed to send a clear message to the other side, and in this kind of thing China is probably a world leader.
Although it will never be revealed exactly how many patriotic hacktivists there are in the People’s Republic, what’s more interesting is their relationship with the government. In all but the most repressive states – think Iran or Syria – governments disassociate themselves from any hacking behaviour, but I learnt recently that China has done the opposite.
It has long been suspected, but China has effectively made a deal with the hacking community, a source told me, which goes thus:
- Never hack your own government or companies in your own country.
- If you find anything of interest in your hacking activities which could help your country improve its status on the world stage, hand it over.
- When called upon to help the ‘cyber military’, make sure you respond.
The deal is simple, the source explained: follow these rules and you can hack away with impunity. It means attacks of the sort seen this month on the Philippines can be carried out with the covert blessing of the government and the Party.
Of course the PRC’s standard response to these accusations is that it denounces all hacking activities, that it is taking steps to prevent cyber crime and that China itself is as much a victim of such attacks as western countries.
Even if tracking technologies mature to the level where the source of such attacks can be pinpointed, by operating at arm’s length, the government will always have the advantage of plausible deniability. It’s just a case of whether the international community will eventually lose patience with China and demand action, economic superpower or not.