Home > Asia Weekly
Friday, January 15, 2016, 11:22

Web invaders


In late 2013, the Anonymous hacking collective through a member known as The Messiah hacked into various Singapore government platforms, including the prime minister’s official website. In one single day, the actions led to 19 government websites being taken down.

And the major cyber breach in the city-state was not a one-off incident in the region.

Asia accounts for eight of the top 10 countries most vulnerable to Internet crime, according to the Security Threat Report 2013 published by cybersecurity company Sophos.

Last year, hackers targeted financial institutions in Hong Kong. Among those breached were the city’s unit of Malaysia’s Public Bank and Hong Kong wealth manager Kowloon Global.

Cybersecurity breaches take a heavy toll on Asia. Consultancy firm Grant Thornton reported in September that cyber attacks were estimated to have cost Asia-Pacific businesses $81 billion in the prior 12-month period. Globally, the total cost of attacks was estimated to be at least $315 billion during the same timeframe.

China leads the region with $60 billion in estimated cyber crime losses annually, while India is a distant second at $4 billion, according to A Guide to Cyber Risk, a report by insurer Allianz Global Corporate & Specialty.

In the past two years, more than 20,000 China-based websites were hacked, and more than 8 million servers hijacked by programs controlled from overseas.

India is ranked among the top five countries to be affected by cyber crime and is considered the “ransomware capital of the Asia Pacific”. Ransomware is a type of malware, or intrusive software, that limits users from accessing their system.

Asian companies are targeted 35 to 40 percent more than the global average, according to network security company FireEye.

Bryce Boland, FireEye’s chief technology officer for Asia Pacific, told China Daily Asia Weekly that problems are exacerbated by a reluctance to talk about breaches. Victims remain silent, allowing the criminals to launch more attacks.

When Google was hacked in 2010, another 34 Fortune 500 companies — in sectors as diverse as IT and chemicals — also lost data and intellectual property. Some information on the incidents only came to light through the whistleblower site WikiLeaks a few years later.

Now, legislation in many Western markets demands that organizations must publicize any breach that impacts personal identifiable information.

However, unlike their counterparts in the United States and some European countries, most companies in Asia do not have a legal obligation to report when personal information is breached.

India has no obligation for companies to publicly disclose data breaches, though there are requirements to inform regulators and affected parties. Japan has no clear legal rules to disclose hacking, while in South Korea certain types of hacks must be reported, but only if more than 10,000 individuals are affected.

However, Singapore’s central bank took regulatory action against banking group Standard Chartered over how it handled the theft of wealthy clients’ data in 2014.

Many businesses have not been paying attention to the levels of cybersecurity that they should have in place.

Attacks have existed within networks and systems for, in some cases, years before being discovered, said Simon Piff, associate vice-president of enterprise infrastructure at the International Data Corporation (IDC).

“Now, with the ongoing headlines, brought about by robust disclosure laws, it appears that there is a new hack every day, whereas there are probably hundreds of new hacks every day, but only a small percentage ever get reported,” Piff said.

The cost to individual companies of recovery from cyber fraud or data breaches is likely the main reason victims keep it quiet.

Companies experience reduced valuation after they have been hacked. The effect on stock prices can be significant — a fall in value of between 1 and 5 percent — but the decline is not permanent, and prices usually recover within a quarter or two, said a report by antivirus software company McAfee.

In what was probably the largest corporate hack in history, Sony was hit in late 2014. In February of last year, the company announced the cyber attack had at that point cost its movie and TV studio an estimated $15 million in recovery and investigation fees.

Hackers calling themselves the Guardians of Peace compromised the personal records of 47,000 employees and released a slew of embarrassing e-mails from the studio’s top management.

Cleaning up in the aftermath of cyber crime is often more expensive than the crime itself.

McAfee reported one study found that while the actual losses were only $875 million, the recovery and opportunity costs reached $8.5 billion. The effect on a business can include damage to brand and other reputational losses and harm to customer relations and retention.

In 2012, when criminals launched disruptive attacks against South Korean banks and media outlets, erasing data on thousands of hard drives, companies and their customers experienced harm that went beyond the cost of cleaning up and repair.

“For many people, hacking is a low-risk, high-reward activity that dovetails into existing criminal enterprises,” said Boland of FireEye.

Breaches are organized by criminal networks — they are well funded, have clear targets and can quickly profit from the information they steal.

“There are no armed guards that you would find at a bank, nor the levels of mistrust and gun law that typifies the illegal drug industry, nor the moral outrage and personal distress that is involved in the illegal sex industry. It’s clean, quick and quite profitable,” said Piff of IDC.

The two most common exploitation techniques are: Social engineering, where a user is tricked into granting access; and vulnerability exploitation, where a programming or implementation failure is exploited to gain access.

Laura DiDio, director of enterprise research, systems research and consulting at Strategy Analytics, said hackers are now more organized and more connected than before.

“Twenty years ago, hacks were done more for fun or for a lark to generate headlines or the proverbial 15 minutes of fame. Not so in the 21st century. This is a multibillion dollar industry. Hacking is a big business,” DiDio said.

Charles Lim, senior cybersecurity analyst for Asia Pacific with Frost & Sullivan, said unlike 10 years ago, online attackers today do not need exquisite skills to create malware to perform an intrusion attempt.

Codes are available for them to use, and free malware tools or distributed denial of service (DDoS) software can also be easily accessed.

The lack of successful prosecution on cyber attackers, or ‘hactivists’, along with lucrative incentives for successful attempts to steal data, make these kinds of activities a business in itself.

“Hactivists realized the significant impact they can inflict through a security breach to bring down the trust in an organization, thus inspiring many to join their fraternity,” Lim said.

With billions of smartphones and Internet-connected devices worldwide, the focus of Internet security is shifting from the desktop to the home, the pocket, and, ultimately, the infrastructure of the Internet itself.

Unfortunately, cyber crime cases in Asia are expected to go up. DiDio of Strategy Analytics said the more interconnections there are, the greater the attack surface.

There is also a marked increase in the number of businesses allowing employees to work remotely, telecommute and use mobile devices. From a behavioral standpoint, organizations fail to require workers to properly secure these devices or notify them of hacks, she said.

Strategy Analytics’ IoT 2015 Deployment and Usage Trends Survey, which polled over 400 businesses worldwide, found that security presented the number one deployment challenge to the Internet of Things (IoT) — objects connected to digital networks.

Another Strategy Analytics survey, which polled 450 businesses worldwide, found that 34 percent of participants acknowledged that they have “no way of knowing when there is a security issue with employee-owned devices”.

This makes the corporation extremely vulnerable and, in fact, “blind” to potential breaches until it is too late.

Hu Jiankun, professor at the Australian Centre for Cyber Security, said emerging technology has made everything intelligent and interconnected.

“Such an environment plus its 24/7 mode availability has made it possible to launch cyber attacks from anywhere, anytime and anything,” Hu told China Daily Asia Weekly.

International cooperation is extending its reach to tackle Internet crimes.

For instance, cybersecurity took center stage at the US-China summit last year when Chinese President Xi Jinping visited the US, cementing its place at the top of the political and economic agenda. Both sides have pledged to improve cooperation.

The mission of identifying and stopping hacking crimes is simply impossible without global intergovernmental cooperation. It will become even more complicated if such attacks are state sponsored, Hu said.

DiDio said creating an international statute to govern cyber crime will be a daunting task.

Hackers only have to be right once to gain entry; organizations and end users have to be right 100 percent of the time to repel all attacks, she said.

Latest News