Companies and regulators across Asia need to spend more on cyber security to keep up with a fast-evolving environment, but even this won’t ensure their safety.
That is the view of Singapore’s former head of cyber security, Alan Seow, who told an audience of intrigued delegates at the FinanceAsia 4th Annual Compliance Summit that numerous incidents of hacking in Asia and beyond have demonstrated the vulnerability of companies and vital infrastructure to committed cyber criminals.
“We can never be 100% secure [from hacker attacks]. Never,” was his sobering assessment. “[Cyber attacks] can lead to a loss of data, a loss of protection and a loss of lives. I’m serious about this.”
Seow, who formerly worked at the Singapore Ministry of Communication and Information, noted that serious infrastructure has not been seriously compromised by cyber attacks to date, with hackers focusing more on industrial espionage, or financial and information theft. However, he felt that dangerous penetrations into national infrastructure would be more a matter of ‘when’ than ‘if’.
Regional countries are increasingly taking cyber security seriously. Seow pointed to Singapore, which has implemented a National Cyber Security Masterplan that includes S$130 million ($91.44 million) in spending across government and military departments to help give the country more firepower in the fight against rising security attacks.
Indonesia’s government has established a centralised cyber security commission, which is set to become operational in 2016 and report directly to President Joko Widodo. Meanwhile Malaysia, which recorded 11,900 cyber attacks in 2014 versus 11,000 in 2013, is seeking to create a more structured legislative framework to improve the protection of existing services against cyber attacks, even as the country seeks to develop e-commerce hubs.
The Hong Kong Monetary Authority confirmed in September that cyber criminals are using various means to breach the walls of financial institutions increasingly regularly. It said banks operating in the territory had reported 17 cases related to distributed denial-of-service attempts up to that point in 2015, versus three in 2014.
Seow pointedly referred to the well-publicised attack on Sony Pictures Entertainment by a previously unknown hacker group calling itself ‘Guardians of Peace’ in late 2014.
The group crashed the US movie production company’s servers, unleashed thousands of confidential emails and threatened the company as part of a campaign to prevent it distributing a comedy movie called ‘The Interview’, which portrayed an imaginary assassination of North Korean leader Kim Jong-un.
The high-profile nature of the target and the unusual demands led to a great deal of media attention. That attention was further inflamed when the US government blamed North Korea for being the state agent behind the attacks.
Seow said it remains uncertain how much the country was involved, with some speculation pointing to combined attacks from Russia and North Korea and other theories arguing the nation had no involvement. However, he noted it was important that it seemed state-backed players had conducted the attack as they enjoy the large resources to do so.
The attack led banks in particular to scramble to improve their cyber defences but ought nonetheless to be placed into context.
“This gained media attention because it was a Hollywood studio and involved a movie. But it was not an outlier attack. It should remind us that top security breaches are not restricted to organisations that are transaction-based,” Seow said.
Sony suffered a great deal of embarrassment from the attack. It also had to settle an $8 million lawsuit against its own employees last month to cover expenses related to losses due to identity theft from the cyber attack.
Seow noted that Sony has a history of cyber attacks stretching back to 2011, when a hacker caused the company’s online PlayStation Network, which support its gaming devices, to crash. He believes the company does not appear to have learned from such experiences particularly well.
“Sony does not appear to have moved past its decentralised structure,” Seow said. “Therefore even if one department improves its defences these are not [then] passed to others.”
However, a Sony executive attending the conference told FinanceAsia that this decentralisation had conferred some unexpected benefits too.
“Because we had so little centralisation our division’s computers were unaffected,” he said. “The only problem we had was that we couldn’t email or call Sony Pictures executives, because their systems were down.”
Seow’s concluding message for the audience was that they have to invest more in their IT security systems, regularly update their security software to protect against malicious attacks, and employ experts who can help defend them.
He suggested a three-tiered approach: preparedness, in which companies have defensive measures in place, including processes to keep employees from being exposed; responsiveness, with systems in place to rapidly handle attacks and limit the damage they do; and recovery, with companies having systems and processes in place to quickly bounce back from an attack. The latter may require the entire shutdown of IT systems to help purge them of malware or phishing attacks.
Even companies that spend a lot of money on experienced staff and put sensible measures in place have no guarantee of keeping ahead of hacking opponents.
“It reminds me of the space race of the 1960s and 1970s,” Seow said. “Back then the United States spent millions [of US dollars] to create a pen that could work in space. The Russians decided a pencil could do the job instead.”