Once a month, cybersecurity lawyer Paul Haswell gets a call from an Asian company with the same question: We’ve been hacked. Who do we need to tell?
More often than not, his answer is “no one.” The client will hang up before Haswell can urge them to go public anyway.
“There’s no uniformity across Asia -- some countries don’t even have a law,” said Haswell, a Hong Kong-based partner at Pinsent Masons. “In Mainland China, security is the lowest priority.”
In an era where more and more data is stored online and attacks are discovered with alarming regularity, the lack of reporting mechanisms means there’s no telling how often or how much personal information is taken from databases in Asia.
That veil of secrecy obscures an unsettling reality. Companies in the region are targeted 35 percent to 40 percent more than the global average, according to FireEye Inc., which helps clients investigate and fend off cyberbreaches. Law firm DLA Piper estimates Asian institutions are twice as likely to be targeted.
Asian corporations and governments are easier targets because they invest less in security and share less with regulators and other countries when victimized, in part because of longstanding tensions with their neighbors, cybersecurity experts say.
The U.S. has accused China, which is embroiled in territorial and political disputes with several of its neighbors, of being the source of many large-scale attacks.
China has repeatedly denied the allegations, saying that it, too, is a victim of hacking attacks.
“China firmly opposes and combats any forms of cyber attacks,” Foreign Ministry spokesman Hong Lei said in a faxed response to questions from Bloomberg News. A global effort to fight cybercrime “needs coordination and trust from different parties, rather than blaming, accusation and provocation,” Hong said.
The statement didn’t address questions about the country’s requirements for reporting breaches, or steps the government is taking to monitor and prepare for attacks.
A lack of laws mandating disclosure may be abetting recent attacks.
“The culture of silence regarding cyber-attacks in Asia serves as fuel to the guild of thieves who operate with impunity in the region,” said Tom Kellermann, chief cybersecurity officer at security software developer Trend Micro Inc. “The deep-seated historical mistrust in the region undermines true collaboration.”
If attacks aren’t disclosed, hackers are free to use the same techniques repeatedly. Apart from the resultant theft of intellectual property and personal data, perpetrators can exploit holes in Asian security to then infiltrate networks in other regions.
They “are conducting ‘island hopping’ as they leapfrog from one insecure network into another,” Kellermann, who is based in Washington, said in an e-mail.
Security breaches cost the global economy more than $400 billion annually, the Center for Strategic and International Studies estimates, with Asian countries among the most hurt as a percentage of their respective gross domestic products.
“Criminals know there’s a gap: laws and regulations tend to lag, they’ll do their market scanning and then they attack,” said Noboru Nakatani, executive director of the Interpol Global Complex for Innovation in Singapore, which fights cybercrime. “Unfortunately, cybercrime cases in Asia will be going up, and as more people use the Internet, there will be vulnerability.”
Cybersecurity took center stage at the seventh U.S.-China summit last month, cementing its place at the top of the political and economic agenda. Both sides have pledged to improve cooperation.
Most companies don’t have the legal obligation of their counterparts in the U.S. and some European countries to disclose when hackers steal personal information.
That means about 42 percent of the world’s Internet users - - or 1.4 billion people -- remain in the dark about just how much of their sensitive data has been or will be purloined: information that could aid identity fraud or theft.
There are no specific penalties for failure to comply with Chinese government guidelines on notification, which include the need to report cases where there’s been a leak of personal information, according to the World Law Group, an international network of independent law firms.
However, there may be penalties or fines when such breaches cause material damage or losses, especially in sensitive areas like telecommunications or Internet services, according to Mark Schreiber, a partner with Locke Lord LLP in Boston.
India has no legal obligations for companies to publicly disclose data breaches, though there are requirements to inform regulators and affected parties, according to the group. Hong Kong follows guidelines issued by the data privacy commissioner, yet has no legal obligation to disclose hacking. In Japan, there’s no clear legal obligation. In South Korea, there’s an obligation to disclose in some types of hacks only if more than 10,000 individuals are affected.
In contrast, companies in the U.S. face greater pressure to come clean the moment they confirm that user-data has been accessed, particularly with the recent proliferation of malware, such as ZeuS. Cybersecurity experts credit tougher regulations and the risk of costly lawsuits. Government agencies or state attorneys-general can levy fines for delayed notification, the World Law Group said.
“The vulnerability is the same in Asia as in the U.S. and Europe,” said Bryce Boland, Asia Pacific chief technology officer for FireEye. “What’s different is, in Asia there’s essentially no disclosure requirement.”
Asia is often depicted as the source of attacks. Yet of 19 heavily targeted countries monitored by Trend Micro in 2014, 10 were Asian. Japanese, Taiwanese and Filipino companies have been dealing with a crime wave, Kellermann said.
“As tensions heat up in Asia, whether it’s conflict between China, Taiwan, Korea, Hong Kong or maritime disputes, where we see real world tensions, we see cybertensions as well,” said Grady Summers, FireEye’s chief technology officer. “It’s not an exaggeration to say that any organization that has got interesting data, especially to the Chinese government, is probably fending off attacks on a daily basis.”
In Asia, 55 percent of employees think their organization is fully prepared to protect itself against cyberthreats, according to an Ernst & Young LLP survey of 1,508 people in February.
To be sure, Asian companies and governments are waking to the threat. Trend Micro’s Kellermann points to the Interpol information center in Singapore as a model for battling cybercrime via public-private collaboration.
Yet customary practices play a role in the lack of disclosure. Regulators tend to investigate privately and go public only once action is taken, sometimes long after the breach has occurred, RHTLaw Taylor Wessing LLP lawyers Rizwi Wun and Jack Ow wrote in January.
Singapore’s central bank took regulatory action against Standard Chartered Plc over how it handled the theft of wealthy clients’ data, though details haven’t been made public. StanChart referred questions to the Monetary Authority of Singapore, which said in 2014 that it didn’t generally disclose details of supervisory actions.
Fair Isaac Corp., also known as FICO, released a survey Monday of 34 senior Asia-Pacific banking executives in which 64 percent of respondents said they felt unprepared for a cyber-attack, and only 41 percent said they had a plan in place to respond to a data breach.
Sony Corp. faced criticism in 2011 from gamers and U.S. lawmakers for a delay in revealing the scope of an “external intrusion” into its PlayStation network that eventually morphed into one of the largest cyber-attacks at the time. The investigation took time and there was no evidence that the lag allowed attackers to abuse credit card or personal information, said Masaki Tsukakoshi, a spokesman for Sony’s games unit.
Financial institutions have to disclose hacks to regulators. That doesn’t cover the misappropriation of other types of data that can be just as valuable to criminals looking to create fake identities, or even to companies looking to pilfer clients.
Personal information enables crooks to perpetrate fraud or launder cash, said Jonathan Fairtlough, a former Los Angeles prosecutor who now heads cyber-investigations at Kroll Inc.
“The best thefts are cons, where you are tricked and voluntarily hand out the money,” he said.
China’s a tempting target because of the boom in platforms that tie e-commerce with electronic wallets and other data. Alibaba Group Holding Ltd. is investing in Israeli cybersecurity startups to protect its payment business after a 2010 hack which didn’t manage to gain access to user data. JD.com hasn’t had any data breaches, spokesman Josh Gartner said in an e-mail.
Publicly traded companies should have a duty to disclose because hacks are like a “community health issue” that can spread faster because of secrecy, Boland said.
It’s not clear whether governments around the region have the incentive to tighten disclosure regulations, experts said.
“We could almost do with a high profile case like a Sony or Target to raise awareness,” said Haswell, the cybersecurity lawyer in Hong Kong, referring to two of the biggest cyber-attacks in U.S. history.