Asian corporations and governments are easier targets for cyberattacks because they invest less in security and share less with regulators when victimised. Photo / Thinkstock
Once a month, cybersecurity lawyer Paul Haswell gets a call from an Asian company with the same question: We've been hacked. Who do we need to tell?
More often than not, his answer is "no one." The client will hang up before Haswell can urge them to go public anyway.
"There's no uniformity across Asia - some countries don't even have a law," said Haswell, a Hong Kong-based partner at Pinsent Masons. "In Mainland China, security is the lowest priority."
In an era where more and more data is stored online and attacks are discovered with alarming regularity, the lack of reporting mechanisms means there's no telling how often or how much personal information is taken from databases in Asia.
That veil of secrecy obscures an unsettling reality. Companies in the region are targeted 35 per cent to 40 per cent more than the global average, according to FireEye, which helps clients investigate and fend off cyberbreaches. Law firm DLA Piper estimates Asian institutions are twice as likely to be targeted.
Asian corporations and governments are easier targets because they invest less in security and share less with regulators and other countries when victimised, in part because of longstanding tensions with their neighbours, cybersecurity experts say.
The US has accused China, which is embroiled in territorial and political disputes with several of its neighbours, of being the source of many large-scale attacks.
China has repeatedly denied the allegations, saying that it, too, is a victim of hacking attacks.
"China firmly opposes and combats any forms of cyber attacks," Foreign Ministry spokesman Hong Lei said in a faxed response to questions from Bloomberg News. A global effort to fight cybercrime "needs coordination and trust from different parties, rather than blaming, accusation and provocation," Hong said.
The statement didn't address questions about the country's requirements for reporting breaches, or steps the government is taking to monitor and prepare for attacks.
A lack of laws mandating disclosure may be abetting recent attacks.
"The culture of silence regarding cyber-attacks in Asia serves as fuel to the guild of thieves who operate with impunity in the region," said Tom Kellermann, chief cybersecurity officer at security software developer Trend Micro. "The deep-seated historical mistrust in the region undermines true collaboration."
If attacks aren't disclosed, hackers are free to use the same techniques repeatedly. Apart from the resultant theft of intellectual property and personal data, perpetrators can exploit holes in Asian security to then infiltrate networks in other regions.
They "are conducting 'island hopping' as they leapfrog from one insecure network into another," Kellermann, who is based in Washington, said in an email.
Security breaches cost the global economy more than $400 billion annually, the Center for Strategic and International Studies estimates, with Asian countries among the most hurt as a percentage of their respective gross domestic products.
"Criminals know there's a gap: laws and regulations tend to lag, they'll do their market scanning and then they attack," said Noboru Nakatani, executive director of the Interpol Global Complex for Innovation in Singapore, which fights cybercrime. "Unfortunately, cybercrime cases in Asia will be going up, and as more people use the Internet, there will be vulnerability."
Most companies don't have the legal obligation of their counterparts in the US and some European countries to disclose when hackers steal personal information.
That means about 42 per cent of the world's Internet users - or 1.4 billion people - remain in the dark about just how much of their sensitive data has been or will be purloined: information that could aid identity fraud or theft.
There are no specific penalties for failure to comply with Chinese government guidelines on notification, which include the need to report cases where there's been a leak of personal information, according to the World Law Group, an international network of independent law firms.
However, there may be penalties or fines when such breaches cause material damage or losses, especially in sensitive areas like telecommunications or Internet services, according to Mark Schreiber, a partner with Locke Lord in Boston.
India has no legal obligations for companies to publicly disclose data breaches, though there are requirements to inform regulators and affected parties, according to the group. Hong Kong follows guidelines issued by the data privacy commissioner, yet has no legal obligation to disclose hacking. In Japan, there's no clear legal obligation. In South Korea, there's an obligation to disclose in some types of hacks only if more than 10,000 individuals are affected.
In contrast, companies in the US face greater pressure to come clean the moment they confirm that user-data has been accessed, particularly with the recent proliferation of malware, such as ZeuS. Cybersecurity experts credit tougher regulations and the risk of costly lawsuits. Government agencies or state attorneys-general can levy fines for delayed notification, the World Law Group said.
"The vulnerability is the same in Asia as in the US and Europe," said Bryce Boland, Asia Pacific chief technology officer for FireEye. "What's different is, in Asia there's essentially no disclosure requirement."
Asia is often depicted as the source of attacks. Yet of 19 heavily targeted countries monitored by Trend Micro in 2014, 10 were Asian. Japanese, Taiwanese and Filipino companies have been dealing with a crime wave, Kellermann said.
China's a tempting target because of the boom in platforms that tie e-commerce with electronic wallets and other data. Alibaba is investing in Israeli cybersecurity startups to protect its payment business after a 2010 hack which didn't manage to gain access to user data. JD.com hasn't had any data breaches, spokesman Josh Gartner said in an email.
Fair Isaac Corp, also known as FICO, released a survey on Monday of 34 senior Asia-Pacific banking executives in which 64 per cent of respondents said they felt unprepared for a cyber-attack, and only 41 per cent said they had a plan in place to respond to a data breach.