Interview: 'You Do Not Have to Be in China to Be Hacked'
With recent revelations that the computer systems of major news organizations such as The New York Times and The Wall Street Journal had been victims of prolonged hacking attacks originating out of China, many businesses were left wondering: Who is next? And what, if anything, can they do to stop this from happening to them? We reached out to Dane Chamorro, Asia-Pacific director for global risk analysis at the independent consultancy Control Risks, for some answers.
What is the risk of this happening to businesses in China?
The risk is high if you are in a sensitive sector, including aerospace, telecoms, extractives, media and high tech. These are the sectors that are targeted by China’s state apparatus. There is also a credible risk of competitors attempting to access intellectual property (IP) through both electronic and social engineering.
How common is this? How does one know if they’ve been targeted in this way?
Common — and expected — if you are in those sectors or have particularly aggressive competitors. You may not know unless you have a very robust security and monitoring program. Even if you have those things, and your IT system is impenetrable, the human factor often comes into play. Your local PRC employees can often be exploited to reveal information, willingly or not, about corporate plans and operations. Your employees outside China can also be targeted and coerced or bribed to hand over valuable information.
Since Google and Bloomberg also have been hacked in China and yet they're still there, do most businesses consider hacking a cost of doing business in China and simply move on?
Generally yes, but it is important to remember that you do not have to be in China to be hacked. The risk is global, and it is not just from China. Modern communications make corporates (and individuals) more vulnerable to this type of activity. Most companies consider it only a matter of time before they lose IP. It remains a constant driver for companies to continue to innovate and stay ahead of the pack, at the same time as protecting information as long as possible.
When it comes to intellectual property security in China, what are the biggest vulnerabilities that businesses there face?
A lot of media attention is focused on "counterfeiting" and that certainly is an issue for some industries. But usually the threat comes from a "trusted" business partner who is bootlegging out the side door or the human element, as mentioned above. So you have to ask yourself, how difficult would if be for your local competition or a state agency to hire away your top R&D researcher? How much would it cost? The answer typically is not very much. That is the greatest weakness.
What are businesses in China doing about this? Are intellectual property security related risks making companies in China reconsider their business in country?
In the best case they are investing more in being certain they acquire reliable partners and people. They do their homework (due diligence on distributors and channel partners for example) and invest in security precautions — including technical and physical measures. They build layers of protection and recognize that IP protection has legal, technical and human elements. They understand and identify their critical information assets and build additional measures to protect it, which can include limiting the exposure China partners or employees have to every piece of information. They assess their competitors and understand which ones represent a credible threat to their intellectual property and identify their modus operandi.