Contributing Lawyers

Canada

Cyndee Todgham Cherniak

United States

Susan Kohn Ross

Australia

Andrew Hudson



Cyber Security – Real or Imagined?

Originally published by the Journal of Commerce On-Line in July 2010

Now that Google’s license to operate in China has been renewed, it is worth taking a moment to consider the events which preceded the renewal. Perhaps the most notable of these was what Google described as the attack on its service. Many would suggest, and Google certainly inferred, that Chinese officials attacked its servers with the purpose of teaching the company a lesson, i.e., to make it conform to the limitations the Chinese government imposes elsewhere in society. Others think it was a blatant attempt by Chinese officials to identify even more details about its citizens, i.e., the dissidents in its midst. While the hackers were never identified, whatever the reasons, Google said it would not cave in. However, business is business and so eventually, Google moved its service to servers located in Hong Kong. It then redirected Chinese users to what many considered to be sanitized sites and data, but life went on and the strategy was successful. Its license was renewed. Why raise this issue in a column generally devoted to trade compliance?

How about this - because one of the fundamental, unfettered "rights" we expect is the ability to exchange data in a secure, timely and accurate manner. After all, isn’t that what C-TPAT, FAST, ISF and the other government security programs are all about?

When you talk with IT folks, you hear terms like "white hat" hackers and "black hat" hackers, and frankly a variety of color in between. All they really mean is hackers who view their role as bringing to a company’s attention the vulnerabilities of its systems (called white hats, likely after the good guys in old-time Westerns who all wore white hats), or the bad guys, the hackers who get into your system without permission and want to steal your data or perhaps have more nefarious intentions (the black hatters).

In a speech in June 2008, CBP Asst. Comm. Baldwin talked about counterfeit goods as presenting "serious threats to our national security and consumer safety." Looking back to that period of time some two plus years ago, we had already heard about the Air Force, Navy, Marines, FAA, FBI and GSA computer systems being hacked and data and personal information being compromised. Even then, there were discussions about the threat of counterfeit or infected integrated circuits which could bring down military communications and weapons systems. Those concerns have only heightened with the passage of time.

In the July 3rd edition of The Economist, there is a story which holds there are five domains of warfare – land, sea, air, space, and now adding cyberspace. In a subsequent story in the same edition, the question is posed – "Are the mouse and keyboard the new weapons of conflict?" While the focus of these articles is to posit that since hacking can only be intended to compromise systems and hackers generally wear black hats, the future likely holds more regulation of the Internet coupled with stepped up efforts by the military to protect its systems. The U.S. has now created the Cyber Command, the goal of which is to protect the .mil addresses from hackers. DHS protects .gov and the private Internet Service Providers protect the rest. Does that give you a warm and fuzzy feeling?

For companies, whether large or small, we are all at the mercy of our computers. Many make and receive telephone calls through ISP connections (e.g. Skype). Certainly, we all live and die with our emails. The experience of one’s hard drive crashing and the impatience which arises while waiting for what seems like the interminable delays to getting one’s data back, quickly cause shivers up and down one’s spine. So, when CBP talks in terms of IT integrity which should "protect data from unauthorized access or manipulation," that goal is not so far fetched. At the same time, is it enough when CBP says you should have accounts assigned to individuals and your system should require periodic changes in passwords? When an infected thumb drive can bring down a mega-system, what controls do you need to have in place regarding your computer system? Do you have, as CBP demands, "accountability" for your system? Can you tell if someone is abusing it? Are your filter settings set high enough that incoming malware (viruses, worms, Trojan horses and other infections) will be blocked. What steps are in place so that if one of those phishing emails gets through and your colleague, in a moment of inattention, clicks on the link? How are you making sure the intended attack does not follow? If one computer is attacked, how are you protecting the rest of the network?

The general understanding in the IT community is at least 3/4 of all the millions of emails sent daily are spam. Even the IT professionals say that a determined hacker will get in given enough time and effort. What have you done to make your system as secure as possible? After all, your servers hold anything of value to your business. How are you stopping your competitors and other "bad guys" from getting at that valuable data?

Leave a Reply

remember my information