Modern field guide to security and privacy

Experts: Shoddy Asian cybersecurity gives hackers easy targets

Smaller Asian countries struggle to fend off sophisticated Chinese cyberattacks. Experts at an Atlantic Council event, though, say there's hope for better digital security.

Mike Theiler/Reuters
President Barack Obama (L) chats with Chinese President Xi Jinping as they walk from the West Wing of the White House, followed by interpreters, to a private dinner across the street at Blair House, in Washington, September 24, 2015.

Suspected Chinese hackers have spent years sifting through other Asian countries' computer networks, which often don't have basic protections against cyberattacks.

This summer, political clashes brought cybersecurity into focus in Asia. After the Hague-based Permanent Court of Arbitration ruled against China's territorial claims in the South China Sea in July, hackers linked to Beijing shut down airport check-in screens at Vietnam’s two largest airports (Vietnam and others are locked in a conflict with China over who owns the resource-rich waterway). 

And smaller Asian countries seem uniquely unprepared to fend off that kind of aggressive, high-profile hacking. The cybersecurity firm FireEye reported that hackers who penetrate Asian companies' corporate network typically remain in the system for up to 520 days before they're caught, compared to an average of 146 days in the US.

But experts speaking at an Atlantic Council event Tuesday said there are ways to improve their overall cybersecurity practices. Panelists included Will Glass, a threat intelligence analyst at the cybersecurity company FireEye; Robert Manning, senior fellow at the Atlantic Council's Strategic Foresight Initiative; and Denise Zheng, a senior fellow at the Strategic Technologies Program at the Center for Strategic and International Studies. 

Here are just a few things we learned:

1. When it comes to cybersecurity, Asia is behind

It’s not just China’s hacking prowess that has enabled Beijing-linked groups to break into systems at a number of targets, experts say poor cybersecurity practices throughout Asia are enabling bad guys to steal files and engage in political espionage. 

“There used to be a perimeter model where you could set up a wall or a moat and some archers and you could pretty much keep everything out,” said Mr. Glass referring to how Asian countries have traditionally thought about cybersecurity. “I have to operate under the assumption that there’s some bad guy in my network, what do I do to make sure that I can mitigate the damage they can cause once they’re inside.”

2. Deterrence is having some impact

While deterring innocuous cybercrime, like website defacements and social media pranks, remains difficult, according to Ms. Zheng, the strategy so far has had an impact in Asia by limiting attacks on critical infrastructure facilities. 

“When you’re looking at really catastrophic cyberattacks, you could argue that we’ve effectively deterred those types of things, mostly because of our conventional military capabilities,” she said. “So if you attack our power grid, if you bring our power grid down, we have many other options on the table to retaliate.”

That’s why talk of a doomsday-like cyberattack in Asia might be overblown.

“When people talk about building a cyber nuclear bomb, it’s not particularly useful,” she said. “That’s why we use things like sanctions and indictments, we have used diplomatic actions, a combination of all of the above really, to deter this type of activity.”

3. There’s room for negotiation

Even though the US and China have already agreed to a deal to limit corporate cyberespionage that appears to be having some impact, experts say there's still room from improvement. 

“There’s room for more detailed codes of conduct,” said Mr. Manning. “The more China develops, the more vulnerable it gets, and this mutual vulnerability cuts across the whole strategic relationship with China.”

And that room for negotiation could grow, says FireEye’s Glass, as China has begun to move toward a model of economic development that depends upon direct investment from Western companies, not just foreign trade.

“There is a certain limit to which you can derive value from stealing blueprints for something, you need the people who know how to build it,” he said. “I think part of the reduction we might be seeing is somewhat of an attempt by the Chinese side to say, we’re going to scale this back a bit and build a more friendly environment for Western companies to come to China.”

You've read  of  free articles. Subscribe to continue.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to CSMonitor.com.