As a general proposition, companies divide their security considerations into physical security (facilities and people), supply chain security (goods) and financial security (internal systems). So, where does cybersecurity fit? The answer is within all three areas.
We’ve all heard about systems being hacked and private information of individuals being compromised from credit card companies and other holders of such data. The issue, however, is far more widespread. Cyber professionals now say pointedly that China and Russia are at the forefront of cyber attacks. “It’s no secret that Russia and China have advanced cyber capabilities,” Defense Secretary Leon Panetta told the Business Executives for National Security in New York in October.
Although not publicly discussed by the U.S. government, the general press has reported successful attempts to hack U.S. agency servers, including those at the Justice and Defense departments.
But it’s the daily, repeated attacks seeking to get business and military information that experts say are at the core of rising concern about cybersecurity. A colleague recently told the story of an investigator who had meetings with prospective customers and always found himself running into one of his competitors. It turned out the competitor had hacked his computer system and knew about his plans, pricing and other confidential details.
However, the highly sophisticated Stuxnet computer worm undermined Iran’s nuclear capabilities.
So when is hacking good and when is it bad? Do you favor white hat hacking (permitted intrusions into one’s own system to identify and fix vulnerabilities) or black hat hacking (unpermitted intrusions to get what you, your company or your government want based on illegal entry)? The answer obviously turns, at least in part, on whether you’re on the giving or receiving end, and who the end-target is.
When do the ends justify the means? Computer security firm Symantec reportedly concluded Stuxnet was the result of five to 10 highly educated and well-funded hackers. If that’s “all” it took to seriously delay the Iranians, imagine what could be accomplished with the whole government behind the hackers!
The real danger is not that hacking is taking place, which is significant enough itself, but the type of hacking that’s occurring. In the early days, hacking was primarily designed to achieve criminal purposes. Now, hacking is more espionage-related, and not necessarily just diplomatic or military in scope. In the business context, it’s called theft of trade secrets.
The question of compromising proprietary information is an important one in the international trade arena as the Department of Homeland Security increasingly states its desire to share import and export data with U.S. trading partners. It’s understandable that the DHS wants to exchange data with other countries as a sign of good will and to allow validation of the information that importers in those countries file.
Certain Latin American countries provide classic examples of underreporting shipment values, due no doubt to unusually high import duty rates. The U.S. and Canada routinely share data to validate import statistics.
This process, however, must be guarded carefully. If countries are willing to hack — break into computer systems to illegally gain what they want — what’s to stop government officials from sharing with local companies the pricing and other proprietary details companies state in their shipping documents and data reports to the U.S. government?
It’s common knowledge that major computer companies distribute their computers in high-risk countries such as China with software that is two to three versions old, so as to minimize the impact of the software being counterfeited. If local governments aren’t honoring basic copyright protections, why should U.S. companies think their pricing, sourcing and other confidential information is any safer?
In the U.S. and certain other countries, it’s ingrained in the legal system that companies have the right to protect their core information. Government employees in those countries also are legally barred from sharing business-proprietary information and, in fact, could land in jail for doing so. The same isn’t true in many other parts of the world. Unless the DHS can extract binding and enforceable commitments from our trading partners that shipment data shared at the government-to-government level won’t go from the receiving government quickly to the private sector, the agency must stop demanding concessions from the private sector to agree to the sort of data sharing proposed.
To paraphrase a well-known presidential anthem, it’s all about American competitiveness!
Susan Kohn Ross is an international trade attorney with Mitchell Silberberg & Knupp in Los Angeles. Contact her at firstname.lastname@example.org.