Also, according to a report in the July-August edition of MIT Technology Review, “the failure of the (hacked) companies’ supposed security technologies was stupefying.”
Indeed, there are multiple examples of the Chinese easily gaining long-term access to corporate networks.
Nortel Networks, which had been one of the telecom giants, had reportedly been penetrated by Chinese hackers for as long as a decade before it filed for bankruptcy in 2009. The hack began with the theft of seven passwords from top executives, including the CEO.
Porous security is not the only problem either, Halligan said. “The real problem lies in U.S. companies not conducting internal trade secret audits,” he said. “Everybody starts with security, but you should really start by identifying assets and classifying them. Policies don’t matter if you don’t know what you’re protecting.”
He said while there are U.S. laws protecting patents, copyrights and trademarks, “we don’t have a registration system for trade secrets, so you have to set it up internally. Too many U.S. companies don’t want to do that, so they’re fleeced and don’t know they’ve been fleeced.”
The FBI warns companies not to think that just because they are small to mid-sized, they are not on the radar for economic espionage.
The telecom executive agrees with that. “Most companies think they aren’t big enough to interest the Chinese,” he said. “But if you are part of the supply chain, you’re on the scope – they are a full-spectrum adversary.”
What should organizations do? The FBI, as part of its economic espionage awareness campaign, offers a list of recommendations for protecting IP assets. And Quinn said U.S. firms should follow the five steps of Operations Security:
Securing your operations
- Identification of critical information needed by an adversary: This focuses the remainder of the OPSEC process on protecting the most vital information.
- Analysis of threats: Use all available means to identify likely adversaries to a planned operation.
- Analysis of vulnerabilities: Examine each aspect of a planned operation to identify OPSEC indicators that could reveal critical information and then compare those indicators with the adversary’s intelligence collection capabilities.
- Risk assessment: First, analyze the vulnerabilities identified in the previous action and identify possible OPSEC measures for each vulnerability. Then, senior officials should select the specific OPSEC measures to execute.
- Application of appropriate OPSEC measures: The company should then implement the OPSEC measures or, in the case of planned future operations and activities, include the measures in specific corporate OPSEC plans.
But Halligan said he believes organizations can get 80 percent worth of protection by doing just two things.
“Only those with need to know should have access to assets,” he said. “That’s something that should be easy to implement. And then, break up the pieces of the puzzle, so if someone absconds with one piece, they can’t get the whole trade secret.”