It’s hard to find an optimist in the cyber security industry in these post-referendum days. I spoke to a fair few for an upcoming feature for Infosecurity Magazine and the consensus seems to be that a Brexit will be bad for staffing, the digital economy and the financial stability of UK-based security vendors.
That’s not even to mention the legal and compliance implications. Chatham House associate fellow, Emily Taylor, recommended firms continue on the road to compliance with the European General Data Protection Regulation. Aside from the fact that any firms with EU customers will still need to comply with the far-reaching law, she reckons that if we want to protect the free flow of digital information between the EU and UK, we’ll need to continue following European laws in this area.
Snoopers gonna snoop
However, a Brexit would cause other problems, notably in that the current Snooper’s Charter looks like it will enshrine in legislation the principle of bulk surveillance – the very thing which effectively led to the scrapping of the Safe Harbour agreement between the US and EU. If this bill goes through as is and we go out of Europe but stay in the single market, we’ll have to change that bit, Taylor told me.
“A case brought by David Davis and Tom Watson questioning the legality of bulk surveillance powers under the old DRIPA laws is currently being considered by the CJEU,” she explained.
“It’s not clear which way the CJEU will go on this, because many member states have lined up to support the British approach. However, if CJEU follows its recent decisions, it could strike down bulk data collection. If we wanted to stay in the single market, we’d have to amend our IP Bill in response.”
Even if we broke away from Europe completely and adopted the status of a “third country” like the US, we’d still have to adopt measures “to give equivalent protection to EU citizens’ data as they enjoy within the EU,” she argued. And bulk surveillance would certainly be a no-no in this scenario.
The uncertainty – which could continue potentially for years while Brexit deals are worked out – is also viewed by many as damaging to the cyber security industry, and tech in general. Immigration lawyer and partner at MediVisas, Victoria Sharkey, claimed firms may be unwilling to employ skilled workers if there’s a chance they might have to leave in a couple of years’ time.
“This is certainly going to be the case where significant training and investment is involved,” she added.
In fact, EU nationals are apparently already packing their bags.
“I am already seeing EU nationals who have been here for years make plans to leave and either go home or go to another EU country. They are worried for their jobs, are worried that they will be told to leave and so would rather leave on their own terms, and they are also being made to feel unwelcome,” Sharkey continued.
“I feel that when we do leave that it is going to become significantly harder for UK employers to encourage the best in their industry to come and work in the UK.”
This, for an industry which has always struggled with skills gaps and shortages, is potentially catastrophic.
Can we overcome?
Philip Letts, CEO of global enterprise services platform blur Group, has run businesses in Silicon Valley and the UK. He also pointed out the potential damage that political and financial uncertainty could have on the industry.
“The politicians are in unchartered territory. We don’t yet have a clear timetable for the triggering of Article 50, nor the trade deals that are going to have to be negotiated. There is a political vacuum. Business confidence is low and many will hunker down, try to avoid risk and wait for this to play out,” he told me.
“Globally, the US tech heavyweights will want to remain in the UK and the EU, and they will do both, operating across different European centres. But the EU market is more lucrative than the UK, so things may shift over time.”
So is the tech and cyber security sector really doomed? Not so, according to KPMG UK head of technology, Tudor Aw.
“I believe the resilient UK tech sector can withstand the challenges of Brexit and thrive,” he told me.
“Technology is increasingly a key sector that underpins all other sectors – whether it be back office systems or strategic enablers such as IoT and data analytics. Companies will need to invest in technology to drive efficiencies and strategic growth – one only has to look at developments across a diverse range of sectors such as healthcare, automotive, property, retail and the military to see that technology spend will only increase regardless of Brexit.”
It’s a moot point now, but I wonder how much better it could have thrived had we not voted out on 23 June.
If there’s one major security trend of 2015 I’d predict causing even more trouble next year it’s abuse of crypto keys and digital certificates. Cybercriminals have simply found that abusing this layer of the internet is far easier, cheaper and often more effective than more traditional forms of attack.
Digital certificates stolen from Sony Pictures were later used to sign malware in order to make attacks more effective; and the same technique was linked to the Anthem and Premera healthcare breaches in the States.
And of course it was a similar strategy which contributed to the success of the Stuxnet attack.
Kaspersky Lab even said this week that the number of new malware files it detected this year have actually dropped, as hackers instead use stolen or bought digital certs to achieve the same ends.
Kevin Bocek is chief security strategist at Venafi – a firm which helps secure cryptographic keys and digital certs. He told me these foundational layers of trust on which the internet rests are being undermined by the latest developments in the black hat community.
“We’ve all seen that movie scene where the bad guy dresses up as a painter to gain access to a building; this is now what is happening in the cyberworld,” he told me.
“Bad guys are trading keys and certificates on the dark web and using them to crack into company systems – just look at Sony, the Snowden revelations and Stuxnet. They all involved stolen or misused keys and certificates.”
It doesn’t bode well for the future, with even current systems being architected in the same way – based on digital certificates.
“My concern is that moving forward industrial control centre malware could become bioweapons,” Bocek claimed. “This is because the moment you sign the malware with a valid certificate, it is essentially like a bio weapon. In the current climate, that’s frightening.”
That’s not all. The burgeoning Internet of Things space is ripe for exploitation in the same way, with cybercriminals likely to hold firms ransom by effectively taking over their smart devices.
“By taking a code-signing certificate and changing the entity it obeys, a hacker can change the firmware on a smart device to take control of it. Now when that sensor or smart device calls back to the ‘mothership’ who does it trust? The bad guy,” he explained.
“From a single point of compromise – the digital certificate – hackers and cybercriminals can take over a whole network of hundreds, thousands or even millions of smart ‘things’. This can then be used to blackmail companies – either cease operations, take on huge disruption, or pay up.”
Now, Venafi certainly has a vested interest to talk up the potential damage that abuse of certs and keys could effect.
But this is already happening in the wild with real consequences for organizations and their customers around the world.
Unfortunately 2016 is likely to see things get a lot worse before CISOs start to give this their full attention.
Apple had a rip-roaring second quarter, as I’ve just reported here for IDG Connect. But the financials were about more than putting yet more dollars in the bank. In years to come, the quarter may well be seen as a tipping point – the point when the Cupertino giant came to rely way too much on China.
Although sales in China have yet to surpass the Americas, that point is not too far away. But the quarter did see iPhone sales from the Middle Kingdom overtake the US, and it also witnessed total revenue from China leapfrog that of Europe – two pretty significant milestones.
Apple is in a position that its American rivals and counterparts – Google, Microsoft, Amazon, Facebook etc – would dearly love. They’ve all been either banned or investigated for anti-trust dealings – in other words harangued by the authorities. These firms face an uncertain future in the world’s soon-to-be largest technology market. But while Apple is largely loved by consumers still in style-obsessed China, its days too could be numbered.
Certainly the government has been making life difficult for US tech firms over the past year or two. The revelations from NSA whistleblower Edward Snowden has given it the perfect excuse to request stringent security checks on products destined for the public sector market. It’s a de facto ban for many providers. Beijing is trying to do the same with the banking industry. And it will get its way, eventually.
What does it mean for Apple? Yes the firm is a large investor in the country. But that won’t count for much if or when Beijing wants to apply some pressure. Apple has already been forced to comply with its unpalatable censorship demands, withdrawing apps from its store. It was notably silent when the authorities launched a Man in the Middle attack on iCloud last year. And CEO Tim Cook was forced to make a grovelling apology when a state TV-led witch hunt found issues with its customer service in the country. Cook has reportedly also agreed to give the government access to its source code in a bid to pacify regulators and ensure its devices are approved. This in itself could backfire if Beijing uses that intelligence to create backdoors to spy on Apple users outside the country.
Then there’s the issue of growth. China is not necessarily the license to print money many think it is for Apple.
IDC analyst Xiaohan Tay told me smartphone growth will begin to slow in the country over the coming years.
“Most of the growth in the smartphone market will come from the lower end segment of the market. As Apple is a high-end product in the China market, most of its growth will come from replacement users which are the Apple fans, as well as those who may be using the higher end Android phones at the moment,” she added.
“The new iPhones were a hit in the Chinese market as consumers were awaiting the release of the larger screen sized phones from Apple for the longest time, and this helped to drive growth in the past two quarters since the new iPhones were launched in China.”
Growth will continue, but at a slower rate, although the Apple Watch represents a great opportunity to arrest that slide, she added.
“The die-hard Apple fans as well as the middle and upper-middle class consumers in the cities will help to sustain the growth,” said Tay. “I believe that Apple’s high prices actually makes its phones more desirable for the consumers. Owning an iPhone represents a status symbol that the average consumer wants to work towards.”
Plenty of positives for the future for Apple in China, then. But what the Middle Kingdom giveth it can also taketh away. In my opinion, Cupertino had better disperse its eggs into other BRIC baskets if it wants to avoid a nasty surprise down the road.
The threat of accidental or malicious employees compromising information security has been around ever since there were computer systems. But you would have thought by now that CISOs would have got a handle on it.
Not so, according to a new report from training and research firm the SANS Institute which I’ve just covered for Infosecurity Magazine.
It found that although three-quarters of IT security pros are concerned about the insider threat, a third have no means of defending against it and around a half either don’t know how much they’re spending on it or have no idea what the potential losses would be.
From JPMorgan to Chesapeake, the dangers of failing to properly mitigate internal risks are clear to see, but firms seem to be slow on the uptake.
According to Roy Duckles, EMEA Channel Director at Lieberman Software, it’s a lack of “visibility, accountability and auditability” which is to blame.
“There is an assumption that if a person or group have the ‘keys to the kingdom’ with full admin rights across an enterprise, that this is a viable and effective way to apply security policies,” he told me.
“Where most businesses fail is that due to the fact that this approach not only reduces security, but it makes it almost impossible to see who is changing what, on which systems, at what time, and the effect and risk that it has on a business.”
Firms therefore need to remove privileges where possible, introduce 2FA and prevent admins “knowing” which passwords get them into systems, he advised.
Sagie Dulce, security researcher at Imperva, told me by email that organisations lack “budget, training, technology and an incident response plan” for when a breach occurs.
“Obviously, the first things organizations must do is put some resources into the insider threat. The second thing organizations must do is prioritise: ask themselves what are the most important thing they are trying to protect?
Once they know what they are trying to protect they should consider:
- Is it Personal Information, emails, code etc?
- Is the data structured, unstructured?
- Is it found on databases, file shares?
- Who has access to this data and how (from special terminals, via VPN, 3rd party partners etc.)?”
Finally I asked David Chismon, security consultant at MWR InfoSecurity, who repeated the notion that employees should be given the minimum access necessary to do their jobs.
Investing in systems to spot insider abuse could also help protect organisations against targeted attacks which spearphish users and abuse their access, he argued.
“For example, organisations are able to detect when an employee’s account is used to try and access data it shouldn’t or if a large amount of data is being exfiltrated,” Chismon explained. “It doesn’t matter at that stage if it is the employee misusing their account or an external attacker who has compromised the network.”
Last week APT and anti-malware firm FireEye announced the creation of a new Cyber Security Centre of Excellence (CoE) in partnership with the Singaporean government. It didn’t make many headlines outside of the city state but I think it’s worth a second look for a few reasons.
First up, FireEye is pledging 100 trained security professionals to this new regional hub, to provide intelligence to help the local government protect its citizens and infrastructure from attack as well as benefitting the vendor’s customers across APAC.
FireEye is one of the few infosec companies I’ve spoken to in this part of the world that is prepared to talk at length about the specific problems facing organisations in the region. More often than not when I try to go down this avenue with a vendor I’ll be told about how threats are global these days and attacks follow similar patterns no matter where you are on the planet.
While I know this is true to an extent, it was nevertheless refreshing to hear FireEye’s APAC CTO Bryce Boland tell me that the reason for building a team in Singapore was to have the necessary local language and cultural skills to deal with specific regional threats.
“We have a lot of countries here, many of which have tense relationships, so we see a lot of that boil over into cyber space,” he told me.
As well as the various hacktivist skirmishes that periodically hit the region, such as those between the Philippines and Indonesia or China and Japan, there are also more serious IP-stealing raids which stems from the fact that APAC represents more than 45 per cent of the world’s patents, Boland added.
As a result, regional organisations face almost twice as many advanced attacks as the global average.
Another reason the news of FireEye’s new CoE warrants attention is what it says about the approach to cyber security by the respective governments of Singapore and Hong Kong.
Although Hong Kong threw HK$9 million (£730,000) at a new Cyber Security Centre in 2012, my impression is that Singapore is more proactive all round when it comes to defending its virtual borders.
It was a view shared by Boland, who pointed to Singapore’s ability to attract and support infosec players looking to build regional headquarters there, as well as its efforts to attract globally renowned speakers to an annual security expo.
In my experience, what few events there are in Hong Kong are poorly attended, attract few speakers from outside the SAR, and rarely provide the audience with anything like compelling or useful content.
I don’t often cover India’s outsourcing market but an interesting piece of news emerged this week when local media reported that the EU has found some notable gaps in the country’s data protection legislation which could scupper a major trade agreement between the two.
Basically the two have been trying to thrash out the Broad-based Trade and Investment Agreement since 2006.
The idea is that India opens up more of its vast market for EU firms and vice versa, but with one of India’s biggest industries in Business Process Outsourcing, a key demand from that side was that the country be recognised as a “data secure destination” by Europe.
According to the Data Security Council of India (DSCI), this single accreditation could propel outsourcing revenues from European customers from $20bn to $50bn in no time at all.
Sadly for India, the EU Justice Department decided to launch a consultation on India’s data security credentials and now the mutterings are it doesn’t like what it sees.
Any further delays which require legislative amendments could take years – not exactly what IT services giants like Infosys, Mahindra and Unisys want.
However, Forrester security analyst Manatosh Das told me all may not be quite as bad as it seems.
For starters, he said, India is taking information security a lot more seriously nowadays since recent high profile cyber attacks.
With the proposed electronic surveillance Central Monitoring System, the country is apparently planning for stringent privacy laws, while the DSCI, set up by Nasscom, has a strict remit to monitor data security and privacy in the IT and BPO industries, he said.
“I really don’t think in the current scenario outsourcing will take a back seat,” Das added.
“Private organisations in India follow international security frameworks like ISO 27001, PCI DSS, SOX, HIPAA. They have strong contractual agreements with their clients. Clients have the right to audit the vendors as per the agreement.”
However, he did admit that the IT Amendment Act 2008 lacks enforcement and needs amending again to “remove ambiguity” and create specific exceptions.
As a side note, I’m sure the recent “landmark” agreement between the UK and India on data security will also help reassure European customers considering offloading some services to Indian firms.
As always though, rigorous planning and due diligence and early involvement from the IT department should be a given to prevent any unexpected outsourcing problems down the line.
Last week I finished off an analysis of the China/cyber espionage stories that have been flying around in recent months, with a surprising conclusion – in many circumstances the country may well be as much a victim of attack as a perpetrator.
We are unlikely to ever find out the extent of state-sponsored cyber attacks on the US and its allies, although thanks to several high profile reports which name and shame Beijing it’s clear that the tip of the iceberg is well and truly showing.
However, we can be more clear about how secure or otherwise China’s IP address space is and make some general observations.
I spoke to several information security experts about this and they were all in agreement that China is a particularly attractive place to launch attacks from, simply because there are so many compromised PCs as well as enough bulletproof hosting firms there to use with impunity.
HKCERT senior consultant, SC Leung, explained to me how compromised computers, of bots, in China are helping cyber criminals from outside the country.
“The zombie computer, or bot, steals the data (using its IP address) and sends it back to the attacker. When tracing the compromise police can only find the bot computer IP address. The attacker can further command the bot to send the data to Dropbox or a third party forum, and then retrieved it directly or indirectly. This long chain of investigation of different servers (probably in different jurisdictions) hampers the investigation.”
It’s also worth mentioning that not all attacks are being carried out by external forces to compromise Chinese IP addresses which are then used as a staging point to attack other countries. China has a massive internal problem with home-grown cyber crims targeting their own – stealing data, IP, bank credentials and even blackmailing by DDoS or other means.
It’s interesting to note that a week or so after I published this story, the FT ran an interesting piece which reached the same conclusions, claiming that the government is failing to provide coherent oversight on information security matters and that the forensics industry is virtually non-existent in China.
Apart from changing these two problems, there needs to be greater user education and awareness to ensure fewer PCs are vulnerable to outside attack, and a crack down on bulletproof hosters.
At the moment, the Party seems to be happy to close down porn sites in high profile raids, willfully censor its citizens and hit out at any US accusations of cyber subterfuge, but not to get its own house in order.
Cleaning up its address space first would would surely improve China’s standing internationally and may even help foster more cross-border co-operation, rather than the relentless mud-slinging of late.
Earlier this week David Cameron signed a deal designed to elevate the Indo-British relationship to an “unprecedented level of co-operation” on cyber security issues. It came as part of the PM’s three day trade mission to India and is certainly to be welcomed, but the agreement also implies some rather worrying things about the cyber readiness of the country’s big outsourcing firms.
The deal will essentially mean two things. Firstly, UK technical know-how and expertise in the cyber security sphere will be shared with Indian outsourcers, essentially to help protect the vast amounts of data from UK consumers and businesses which are now held on servers in the country.
Secondly, the agreement will see the two countries share relevant threat intelligence in order to thwart attacks on their systems, whether they’re coming from the UK, India or elsewhere.
Now, as mentioned, any kind of international co-operation on cyber threat protection is a step in the right direction, and Cameron certainly can’t be faulted for his assertion that “other countries securing their data is effectively helping us secure our data”.
My surprise is that big name outsourcers like Wipro, HCL, Mahindra and Infosys – firms which have built their business presumably on the quality (and security) of their BPO offerings – need an extra hand.
Any CIO worth his salt would surely relegate to the scrap heap a potential outsourcing provider who could not satisfy his or her list of pre-determined security requirements.
Sure, the smaller outsourcers will benefit most from this deal, but the big boys too?
Well, yes, according to Forrester’s New Delhi-based analyst Katyayan Gupta.
“Even larger Indian firms like Infosys, TCS, etc. will also benefit because now they will have an additional layer of security against cyber criminals,” he told me.
“This is not to say that these firms do not have good security right now. But the question really is – is it enough to keep all attackers out? Probably not.”
Now I know in this age of APTs and highly targeted attacks no firm can claim to be impervious, but it’s slightly worrying when those with huge resources – in an industry where reputational damage following a data breaches could hit hard – are apparently getting expertise flown in from the UK that they haven’t obtained anyway.
Also, as Gupta argued, the deal will still do nothing to stop perhaps the biggest threat to UK data residing on these firms’ servers: corrupt insiders.
It may be time to revisit those SLAs.
In a startlingly refreshing display of honesty, RIM CEO Thorsten Heins has come out and said the firm is steering clear of China when it comes to manufacturing to reduce the risk of IP theft which could cripple its business.
It’s a bold statement, given that in my experience most tech firms – and even analysts – are very reluctant to discuss China in anything approaching critical terms, especially when cyber security is mentioned.
It’s certainly a valid point. I’ve reported in the past for The Register how many multinationals are suffering IP loss from their Chinese business units.
As RIM is teetering on the brink financially and seems only to be able to differentiate competitively from its rivals by virtue of the superior security capabilities of its handsets and infrastructure, any breach would be a huge blow.
That’s not to say it is necessarily safer anywhere else, but eliminating China from the supply chain could be a wise move.
Kenny Lee, a forensics expert with Verizon Business, sat down with me on Thursday to explain what hacking activity he’s seeing inside Hong Kong and Chinese firms.
Interestingly, while he did admit there was a fair amount of “low level” IP theft from firms in the region, mainly due to employees looking to set up their own businesses, there is a more insidious data leakage problem – technology transfers.
These agreements are usually foisted on foreign multinationals wanting to expand into China. The deal is that they have to partner up with a local Chinese firm by law to sell into the country’s huge market, and in doing so will usually need to share IP with them.
After a certain point, Lee explained, the Chinese partner usually has enough knowledge to pull out of the venture, having sucked all the IP it needs from its foreign partner.
There’s the rub for foreign firms such as BT, who can’t gain direct access to the market but equally reject the idea of handing over their hard-earned IP.
There’s no chance of things changing from the top anytime soon, so foreign firms will continue to have to weigh the risks and make that judgement.