Winter 2019 U.S.-China Cybersecurity Update

It is difficult to accurately speculate on the progress of U.S.-China trade negotiations, as media reports on the status of key policy proposals seemingly differ each day depending on the transparency and messaging agenda of the sources involved. However, what has been certain during the winter of 2019 is that major updates to U.S. and Chinese cybersecurity regulations are in the process of being implemented, and these developments stand to set key precedents for the intersection of applicable foreign investment and cybersecurity regulations in the U.S. and China.  

Building on our previous two articles regarding U.S. economic espionage concerns and updated U.S. foreign investment restrictions, this article will provide an overview of notable cybersecurity legislative and investigative developments that will likely dictate the near future of critical facets of U.S.-China relations in the 21st century, including (1) the implementation of China’s revised cybersecurity legislation known as the Multi-Level Protection Scheme (“MLPS 2.0”); (2) the Committee on Foreign Investment in the United States (“CFIUS”) reported investigation into the popular social media app TikTok; and (3) the race to implement 5G infrastructure and ongoing speculation regarding Huawei’s licensing status.

1. Implementation of China’s Multi-Level Protection Scheme (MLPS 2.0)

In 2017, China implemented comprehensive cybersecurity legislation commonly referred to as China’s Cybersecurity Law (“CCL”) in an effort to consolidate authority over, and standardize regulation of, the internet and cyberspace. The CCL includes strict prohibitions on how companies, particularly U.S. and other foreign companies, can store data and interact online. For example, the CCL requires that network operators in China cooperate with and provide support to government agencies in safeguarding national security, and additional provisions passed in recent years under the CCL give law enforcement agencies broad authorization to inspect and monitor internet service providers and computer network data centers. Foreign companies and human rights organizations have criticized the CCL as regressive legislation that fosters state censorship and surveillance and lacks sufficient privacy protections.

Article 21 of the CCL codified China’s requirements for network operators to implement a cybersecurity “multi-level protection system” that includes mandates to implement and adopt certain technical measures and security protocols to monitor and record network activity. Article 37 imposes certain data localization requirements and requires “critical information infrastructure” operators to store personal information and important data gathered or produced within the mainland territory of China.

On December 1, 2019, MLPS 2.0 will take effect, and will impact how U.S. companies and other foreign companies can do business online and store electronic data in China. A draft of the new regulations was first released in June 2018, and the revised MLPS 2.0 incorporates three information security technology standards that in effect will broaden the Chinese government’s authority, particularly that of the Ministry of Public Security, to proactively supervise, manage, and enforce cybersecurity regulations and restrictions on companies operating in China.

The expanded monitoring and enforcement authorities that MLPS 2.0 provides the Chinese government have provoked increasing privacy concerns for foreign firms, particularly those handling sensitive data. The regulations provide stringent mandates on how foreign companies must secure their networks, utilize local server systems, and cooperate with government authorities. As the new law enters into effect on December 1, 2019, it will be critical for U.S. companies operating in China to understand how the new rules will impact their operations. Companies that store and utilize sensitive personal data, U.S.-regulated technology or technological data, or proprietary intellectual property and trade secrets will have to ensure compliance with both U.S. and Chinese regulations governing privacy, export controls, and cybersecurity.

2. CFIUS Takes on TikTok

We previously provided an overview of the updated CFIUS regulations concerning foreign investment restrictions scheduled to take effect in the U.S. in February 2020. However, that does not mean that CFIUS, the inter-agency committee tasked with the authority to review, modify and reject certain types of foreign investment that could adversely impact U.S. national security, is dormant in terms of its current investigations. In fact, on November 1, 2019, Reuters reported that CFIUS has launched a national security review of the popular social media and video-streaming app TikTok, related to the acquisition of social media app Musical.ly (since rebranded as “TikTok”) by Beijing ByteDance Technology Co. in 2017 for $1 billion. TikTok earlier this year said that approximately 60% of its 26.5 million monthly active users are located in the United States.

U.S. lawmakers first raised national security concerns related to the TikTok platform, particularly its Chinese parent company’s collection of user data and purported censorship of user content.  For example, Senators Chuck Schumer and Tom Cotton sent a bi-partisan letter to the Acting Director of National Intelligence in October voicing concerns over TikTok’s data collection practices, highlighting Chinese laws that “compel Chinese companies to support and cooperate with intelligence work controlled by the Chinese Communist Party.” While it is unclear what the outcome of this particular review will be, it puts a spotlight on the types of industries and practices that CFIUS is currently scrutinizing and provides a useful case study for what types of mitigating measures we may see imposed by the Committee down the road.

The updated CFIUS regulations set to take effect in February 2020 expressly expand the jurisdiction of CFIUS to include reviews of non-controlling foreign investments in companies that store and have access to sensitive personal data of U.S. citizens. But the CFIUS review into TikTok is only the latest investigation by the Committee into burgeoning technology apps that store sensitive personal data. CFIUS has previously targeted the proposed acquisition by the Chinese Kunlun Group of the U.S. dating application “Grindr” over data privacy concerns regarding its individual users, and similarly forced the Chinese digital healthcare company iCarbonX to divest its investment in the U.S. healthcare startup “PatientsLikeMe.”

These recent cases ultimately show that CFIUS is increasingly focused on the protection of the sensitive personal data of U.S. citizens in emerging technological applications, particularly when Chinese investment is involved.  All U.S. companies considering foreign investment will have to take heed of the current and soon-to-be updated CFIUS regulations and increase their due diligence efforts, particularly where Chinese investment is concerned.

3. 5G Supremacy: Timeline on Huawei Restrictions and Licensing Still Unclear

Finally, a critical ongoing area of U.S.-China cybersecurity relations is the debate over the role that China’s telecommunications leader Huawei will have in developing and implementing global 5G technology and data networks. Huawei was placed on the U.S. Department of Commerce “Entity List” over national security concerns in May 2019, which restricts U.S. companies from doing business with it, and a licensing regime was put into place for U.S. companies that seek to engage with Huawei and certain of its subsidiaries. While no such licenses have been issued to date, U.S. Secretary of Commerce Wilbur Ross recently indicated that at least some of the 260 license applications their office has received will be granted and issued shortly.  

U.S. critics believe that allowing Huawei to take the lead on 5G and similar data network equipment will potentially give the Chinese government the ability to collect data on the users of Huawei products. However, Huawei is a global leader in 5G technology, and despite pressure from the U.S. government, countries like Germany, Hungary, and Norway have decided against banning Huawei from their 5G networks. The inherent difficulties and concerns in having the global leader in 5G technology also be closely connected to the Chinese government are an issue that every country seeking to develop 5G infrastructure will have to address, and will likely be a focal point in the U.S.-China trade war as well as in global cybersecurity relations for years to come.

If you have any questions about U.S.-China trade relations as it relates to CFIUS, cybersecurity regulatory compliance, or U.S.-imposed licensing restrictions, please contact a member of Baker Donelson’s Global Business Team below.

____________________________________________________________________
Joe D. Whitley is a shareholder at Baker Donelson and chairs the Firm’s Government Enforcement and Investigations Group. He can be reached at jwhitley@bakerdonelson.com. 

Alan Enslen is a shareholder with Baker Donelson and leads the International Trade and National Security Practice and is a member of the Global Business Team. He can be reached at aenslen@bakerdonelson.com. 

Julius Bodie is an associate with Baker Donelson who assists U.S. and foreign companies across multiple industries with international trade regulatory issues. He can be reached at jbodie@bakerdonelson.com. 

Frank Xue is an associate with Baker Donelson who assists Chinese clients with matters in the U.S. related to foreign direct investments, mergers and acquisitions, and private equity/venture capital. He can be reached at fxue@bakerdonelson.com. 


C-TPAT DRIVES SUPPLY CHAIN SECURITY AND TRADE COMPLIANCE

In today’s ever-changing business environment, organizations are faced with ongoing security challenges. It’s crucial for shippers to understand any potential risks to their supply chains and establish security plans to avoid disruption. One significant way for shippers to proactively protect their operations is by becoming a member of the Customs-Trade Partnership Against Terrorism (C-TPAT) program.

Established in 2001 as a direct result of the September 11 terror attacks, the C-TPAT program is part of U.S. Customs and Border Protection’s (CBP) multi-layered cargo enforcement strategy. Through this voluntary program, CBP works with importers, shippers, carriers, brokers and logistics providers to implement best practices for ensuring a safe, secure and expeditious supply chain. Today, there are more than 11,400 certified C-TPAT partners in the program, and these companies account for more than 52 percent of the products imported into the U.S.

C-TPAT Member Benefits

In addition to promoting supply chain security, participating in the C-TPAT program can yield significant benefits for shippers and transportation providers, including:

Fewer customs inspections – C-TPAT certification offers companies the opportunity to decrease customs inspections and documentation reviews. According to the CBP, C-TPAT members are 3.5 times less likely to incur a security or compliance examination. 

Faster border crossings – Members have access to special Free and Secure Trade (FAST) lanes at border crossings, and can move to the front of the line during inspections. This can significantly expedite border crossings at many Canada/Mexico land border ports.

Quick response time – Following a national emergency, companies participating in the C-TPAT program are eligible to resume business first. 

Enhanced reputation – Participating in a national security program reflects a company’s ongoing commitment to safety. Some companies will only do business with importers that are C-TPAT certified–giving members a competitive edge. 

Cost avoidance – By decreasing potential supply chain disruptions, C-TPAT members can avoid costs associated with delayed shipments. Additionally, member organizations that are penalized in any way are eligible to receive up to a 50 percent reduction on the imposed fine.

Joining C-TPAT

While almost every organization that is involved in the import and export business can enroll in the C-TPAT program, eligibility requirements vary by business type. But to achieve certification, all companies are required to:

-Conduct a risk assessment

-Implement a supply chain security management system that complies with C-TPAT requirements

-Submit a detailed application

-Meet with CBP representatives to verify security measures

In addition to obtaining their own certification, organizations can support the C-TPAT program by working with third-party logistics (3PL) providers that are also C-TPAT certified. C-TPAT-certified 3PLs act as an additional layer of protection against supply chain attacks, because they operate as an extension of the company’s established security procedures, essentially building a stronger company brand. 

A 3PL with active participation in the Mexican and Canadian markets also brings a portfolio of carriers and companies that are approved by C-TPAT, or that comply with minimum requirements for C-TPAT partners, essentially giving shippers a competitive advantage. 

Addressing Evolving Supply Chain Risks
As supply chain risk continues to evolve, so too do the C-TPAT requirements. In May, CBP announced that it had added Minimum Security Criteria (MSC) requirements to the C-TPAT guidelines to help further mitigate risks. Some of the areas incorporated and updated in the program’s new criteria include:

-Issues related to cyber security

-Protection of the supply chain from agricultural contaminants and pests

-Prevention of money laundering and terrorism financing

-The proper use and management of security technology, such as intrusion alarms and security camera systems

Members are expected to implement the new criteria throughout the remainder of 2019, and validation of the new MSC will begin in early 2020.

Support Supply Chain Safety

With security risks threatening supply chains around the globe, it is important for companies to support initiatives that aim to tackle and prevent supply chain risks. By obtaining C-TPAT certification, businesses have the unique opportunity to take an active role in supporting national security while improving their own supply chain operations.

While there are no costs associated with joining the C-TPAT program, companies often have to invest in improving their practices to meet the minimum-security requirements and effectively maintain a compliant program. However, this investment goes a long way in helping companies mitigate risk, avoid supply chain disruptions and drive greater efficiencies for cross-border transport.  

______________________________________________________________

Linda Bravo is the Corporate Customs Broker at Transplace, where Sergio Flores is the Safety and Security Coordinator. Transplace is a 3PL provider offering logistics technology and transportation management services to manufacturers, retailers, chemical and consumer packaged goods companies. Learn more at Transplace.com.

Automotive Industry Cyber Attacks: Trends and Threats to Watch Out For

A report released by Upstream Security estimates that the automotive industry is at risk of losing $24 billion within five years due to cyber attacks. The company specializes in cloud-based security and examined reported cases at a granular level to understand the cyber threats and trends to combat in 2019.

The findings come from a study that analyzes over 170 cyber incidents reported between 2010 and 2018. The study also identified the different ways attackers operate, including physical, long-range and wireless approaches.

“With every new service or connected entity, a new attack vector is born,” said Oded Yarkoni, Head of Marketing at Upstream Security. “These attacks can be triggered from anywhere, placing both drivers and passengers at risk.

“Issues range from safety critical vehicle systems, to data center hacks on back-end servers, to identity theft in car sharing, and even privacy issues. The risk is immense. Just one cyber-hack can cost an automaker $1.1 billion, while we are seeing that the cost for the industry as a whole could reach $24 billion by 2023.”

Key highlights from the report include:

-Back-end application servers are directly involved in 42 percent of automotive cyber security incidents

-Tier 1 suppliers, fleet operators, telematics service providers, car sharing companies and public/private transportation providers are experiencing increased threat rates for cyber security issues.

-Multi-layered security tactics such as in-vehicle, automotive cloud security and network security are recommended to reduce risk.

-Fraud and data privacy are the areas primarily impacted by the two new cyber attack methods.

To read the full report, visit Upstream Security.

Source: Upstream Security

Sepio Systems, Tech Data & SHI Partner for Cybersecurity

Hardware-based attacks are at the center of the tri-partnership recently announced between Sepio Systems, Tech Data, and SHI International Corp.

Tech Data channel partners and SHI customers benefit from the partnership by gaining the option to bundle Sepio’s cybersecurity solutions. Beyond simplified deployment options for the Sepio Prime and Sepio Agent security management offerings, the partnership focuses on network threats posed by uncontrolled peripheral devices and accessories.

“As part of our continuous effort to ease our customers’ process of complying with the NIST standards and guidelines for securing information systems, we are excited to team with Tech Data and SHI,” said Yossi Appleboum, CEO of Sepio Systems Inc.

“Packing Sepio’s deep visibility capabilities into devices and hardware assets together with a granular policy enforcement tool greatly reduces the cyber risk organizations are facing. For the first time, Tech Data customers and partners can deploy a simple and robust software solution that addresses more than 15 controls from the NIST 800-53 Special Publication,” Appleboum concluded.

Sepio Systems currently identifies hidden hardware attacks involving rogue peripherals, invisible network devices, and manipulated firmware. The software-only solution, Sepio Prime, currently has a presence in the U.S., Brazil, Singapore, and Israel.

How To Ditch The Techie Jargon And Improve Your Organization’s Cybersecurity

An office memo that tosses around terms like DRM, botnet, FTP, spear phishing and worm could be a quick, easy read for the head of the IT department.

But for everyone else in the organization it may or may not be one big mass of confusion.

And with that bewilderment comes potential danger, says J. Eduardo Campos, co-founder with his wife, Erica, of Embedded-Knowledge Inc. (www.embedded-knowledge.com) and co-author with her of From Problem Solving to Solution Design: Turning Ideas into Actions.

“There’s a serious gap in communication skills between cybersecurity pros and their general audiences, and it’s essential for the people on the IT side to bridge it,” Campos says. “Increasingly complex security threats demand that cybersecurity professionals use plain language when they are communicating with those less familiar with tech talk.”

Otherwise, he says, an organization could be vulnerable to hackers even if the staff had been warned about what to look for, simply because the employees didn’t understand the language behind the warning.

After all, cyber threats aren’t just a technology problem – they are a people problem, says Campos, who worked on cyber threats as a former employee of Microsoft.

“People are the weakest link in computer security and many companies don’t promote a company philosophy of ‘computer security is everybody’s business,’” he says.

Campos suggests a few ways to improve communication between those in charge of cybersecurity and everyone else in the organization:

Incorporate this need into the hiring process. When hiring new staff for your IT and cybersecurity team, look for experts who have not only tech skills, but also the skills necessary to comfortably interact socially and clearly communicate in lay terms with all the stakeholders in the organization.

Focus on training. Cybersecurity teams can be trained to become solution designers who can connect the dots, Campos says. They can then capture, clarify, and address all stakeholders’ concerns, helping them to determine and keep their goals aligned. Such cybersecurity pros enable success by listening to everyone involved before sharing their own viewpoints.

Realize this is an ongoing process. It’s important to ensure that the improved communication is sustained over the long haul, and people don’t revert to old ways down the road, Campos says. “You will want to monitor the situation so that you can quickly spot and head off any problems,” he says. “You can create a feedback loop so that the employees are encouraged to let you know how things are working.”

“Data breaches, data ransom plots, and email hacks intimidate us all,” Campos says. “Cybersecurity teams themselves feel hard-pressed enough to prepare themselves for the onslaught of these gremlins, let alone to accomplish the challenging task of communicating to stakeholders about how to mitigate and deal with cybersecurity risks.”

“But for organizations to keep their information and systems safe, that communication needs to be done, and in a way everyone can understand.”

About J. Eduardo Campos

J. Eduardo Campos is co-author with his wife, Erica, of From Problem Solving to Solution Design: Turning Ideas into Actions. Campos spent 13 years at Microsoft, first as a cybersecurity advisor, then leading innovative projects at the highest levels of government in the U.S. and abroad.  His consulting firm, Embedded Knowledge Inc. (www.embedded-knowledge.com), works with organizations and entrepreneurs developing customized business strategies and forming partnerships focused on designing creative solutions to complex problems.

GlobeNet Steps Up Cyber Security with Anti-DDoS Gold Mitigation Service

Following the successful implementation of its Silver Anti-DDoS Mitigation Service, GlobeNet announced the launch of the latest version of the offering. The Gold Anti-DDoS Mitigation Service will formally address diverse and complex customer demands while combating the significant increase in DDoS attacks – reported to have increased 500 percent since 2017.

The upgraded cyber-security solution’s features include a wide range of capabilities that enable customers to operate with fewer limitations and proactive measures to ensure their success, security, and overall efficiency in protection.

Features such as unlimited clean bandwidth and mitigated attack volume, protection policy flexibility, dynamic detection and neutralization of attacks, early detection of malicious traffic, and more provide clients with the peace of mind knowing the overall risk of downtime is reduced. Ultimately, clients have more options to secure their networks based on their specific needs.

“GlobeNet’s Anti-DDoS Gold and Silver levels provide an effective solution to the growing scale of modern DDoS attacks,” said Eduardo Falzoni, CEO of GlobeNet.

“With this new service, our customers now have the enhanced flexibility to choose the option that will best suit their needs. Both services provide 24/7 network protection without the need for organizations to make costly capital investments in their own anti-DDoS solutions. As a result, we ensure peace of mind for our clients’ mission-critical infrastructure and traffic.”

The Best Weapon Against Cyber Threats Is Not Better Tech – It’s People

When a company’s computers are hacked, management’s first impulses often are to invest in better software, better virus protection packages, better computers or even entire networks.

But they may be putting the emphasis in the wrong place.

“The problem’s root cause is usually not the technology, but people,” says J. Eduardo Campos, co-founder with his wife, Erica, of Embedded-Knowledge Inc. (www.eecampos.com) and co-author with her of From Problem Solving to Solution Design: Turning Ideas into Actions.

Campos, who worked as Chief Information Security Officer (CISO) in large international corporations, says “organizations that take a simplistic approach, assuming ‘computer hacks are an IT department’s problem,’ are headed for trouble. Cybersecurity is everyone’s job,” he cautions.

For lasting results, Campos harnesses the power of solution design techniques to develop cybersecurity systems and protocols, based on the I.D.E.A.S. framework, outlined in his book:

Identify: Get to the root cause of the problem. Step back, take a breath, and assess the situation, so that you will ensure you are treating not just the symptoms.

Design. To avoid security breaches, take time to determine the options that can be used to address all the problems related to these issues.

Engage. Confirm that everybody who is impacted by a new cybersecurity program or effort is on board with the changes before they are implemented.

Act. Implement mandatory training for all employees to explain the common ways hackers enter the system, including how phishing works.

Sustain. Design metrics to keep cybersecurity policies in place and implement an easily accessible system for employees to identify and report incidents.

“The company that truly engages all of its employees, suppliers, vendors and other stakeholders to be knowledgeable and aware of basic cybersecurity protocols,” Campos says, “will have a much better chance of countering criminals.”

About J. Eduardo and Erica Campos

Eduardo Campos and Erica W. Campos are co-authors of From Problem Solving to Solution Design: Turning Ideas into Actions. They have a combined tenure of over fifty years solving complex problems for global organizations. J. Eduardo is an expert in strategic, human-centric solution design with a background in cybersecurity and business development. He has worked on four continents, tackling intercultural and multinational problems, and spent the last 13 years at Microsoft, first as a cybersecurity advisor, then leading innovative projects at the highest levels of government in the U.S. and abroad. His consulting firm, Embedded-Knowledge Inc. (www.eecampos.com), works with organizations and entrepreneurs to develop customized business strategies and to form partnerships focused on designing creative solutions to complex problems.

5 Key Considerations for your Cyber Security Strategy

Cyber security. Not only do all organizations need it, but most organizations need to improve it. As hackers and all other manner of cyber criminals get increasingly crafty, the average cyber security team is struggling to keep pace. As it turns out, the road to hell is paved with well-intentioned but somewhat unfocused cyber security efforts.

Therefore, developing a cyber security strategy is a good foundational step toward obtaining the level of cyber security necessary to protect your business, employees, customers and reputation. And paying attention to these five key considerations is a good foundational step for developing a cyber security strategy.

Set out clear objectives

All organizations need cyber security, but what works for one organization could be a disaster for another. This is not the place to attempt to implement a one size fits all approach. To begin to understand what your cyber security objectives should be, you need a solid understanding of the threat landscape as well as where your organization and critical business operations fit into it. Does your organization need to better protect customer data? Become fully compliant with new regulations? Incorporate a cyber security mindset across all aspects of business operations and functions? Become more resilient to attacks? Before a strategy can begin to take shape, you need to know what you’re working towards.

Identify your assets to establish cyber security priorities

The first part of this step is putting together a comprehensive list of the organization’s most important databases, networks, applications and any other assets. What are they? Where are they? What is currently protecting them? What are they connected to?

The second part of this step involves completing a nerve-wracking exercise, but it’s something that needs to be done over and over again if you’re going to have a solid cyber security strategy: assess your organization from the attacker’s point of view. Of all those assets in the list, which are most attractive to potential attackers? Which could inflict the most damage on your organization if it were compromised? Which would interrupt the largest number of business processes? Look at this from every possible angle, from the profit-driven hacker to the attackers hired by underhanded competitors to politically-motivated hacktivists – which of your assets are the biggest targets? These are your cyber security priorities.

Determine where you’re vulnerable

This is where you once again need to get proactive. Hacking simulation, penetration testing and other offensive-minded approaches are necessary to find your organization’s weak spots and vulnerabilities, as well as to figure out exactly how deep someone could get into your networks, systems and databases if they made it in. This serves to help you:
1) Shore up those vulnerabilities as much as possible, and
2) Put in place monitoring measures that help detect and respond to suspicious activity as quickly as possible – a managed security operation center (SOC) might be the best option for organizations that don’t have a robust in-house SOC.

Make sure you have the right technology and personnel in place

As much as you might hope differently, it isn’t enough to simply invest in the best cyber security technology. Think of it like having an F-35 in your driveway. It’s a marvel of technology, but what good is it going to do if you don’t have a pilot to operate it? What your organization needs is a combination of the right technology, processes and the people who have the skills to orchestrate it.


To get the right cyber security team in place you need to consider your organization’s objectives as well as priorities and vulnerabilities. The team you need could include security engineers and architects, analysts, incident responders, ethical hackers, pen testers, forensic experts, auditors and a chief information security officer, to name a few possible positions, and all these employees need to be able to operate at a high enough level to deal with the threats your organization is facing. If it isn’t possible to staff an in-house team at the level your organization requires, it may once again be time to consider a managed cyber security solution.


Whether you’ve got an in-house team or a managed solution, you then need to ensure you’re working with the right vendors to arm your team with the technology they need to keep your assets protected, otherwise you’ll have the stealth fighter pilot but no F-35.

Assess the overall organization’s cybersecurity awareness

You can have the right cyber security people combined with the highest rated technology and the ideal offensive-minded approach to cyber security for a top-notch security operation center, but it won’t matter if your overall organization is not educated on cyber security threats.


From malware and spear phishing attacks to weak passwords and mishandled credentials, the current cyber security landscape is rife with attackers who know that organizational cyber security awareness and education are lacking and know exactly how to capitalize on it. From top to bottom, your employees need to be educated on the threats that exist, trained on what they must do to protect your organization, and made aware of the potential consequences to the organization if they don’t.


Getting ahead

No one said developing and following a cyber security strategy would be easy, but when done well, it’s one of the most worthwhile investments of time, effort and money an organization can and should make.

The threats aren’t going to let up and in fact will only grow in size, scale and sophistication. With a proactive cyber security strategy, you can stay one step ahead of even the most talented attackers, and one step ahead is the only place you want your organization to be.

Source: CyberHat

A 5-step guide to managing cyber threats in the supply chain

When Danish shipping giant A.P. Moller-Maersk was attacked by the NotPetya malware in 2017, the attack blocked access to its electronic booking systems and ultimately forced a 10-day overhaul of its entire IT infrastructure.

The malicious attack still remains one of the largest disruptions to affect the global shipping industry to date. As a result of lost bookings and terminal downtime, Maersk incurred a massive US$300 million (€264 million) loss.

With the increasing sophistication of cyber threats, companies worldwide have to brace themselves for a new reality where supply chain disruptions are no longer restricted to those of a physical form. Cyber-attacks have the potential to disrupt or, at its worst, cripple the logistics and supply chain operations of an entire business across different geographies.

Instead of adopting a reactive approach to cyber security, companies should actively prevent and manage such cyber risks by devising a response plan with the following five steps.

Identify third-party risks

To successfully thwart future cyber-attacks, companies have to first determine which vendors or third-party entities have access through their firewall and which could have the largest impact on the organization in a worst-case scenario.

When selecting possible vendors to work with, it is best to consider the amount of sensitive data that the vendor is handling, such as personally identifiable data, protected health information or financial transactions. With this knowledge, suitable mitigation measures must then be introduced to safeguard the sensitive data.

Monitor the cyber threat environment

Because cyber threats are continuously evolving and news of new cyber-incidents emerges constantly, assessing and understanding the events that affect the vendors or third-party entities your organization works with is a continuous effort.

The ability to persistently monitor one’s supply chain and the cyber threat environment will be the best determinant in responding adequately to a cyber-incident.

For instance, a year on from the cyber-attack on Maersk, Chinese state-owned shipping conglomerate COSCO Group managed to contain the damage and limit the length of disruption when its shipping operations in the Americas suffered a ransomware attack.

Though its shipping operations in the Americas came to a momentary standstill, the company’s swift response efforts and preemptive network segmentation prevented the escalation of the attack, allowing regular operations to resume within a week without significant damage.

Assess potential impact

Organizations should possess the capability to gauge the extent of the potential impact a cyber-attack can have on their business operations.

Knowing the nature of each cyber-attack can better equip companies by facilitating understanding, communication and coordination along its supply chain.

Types of cyber attacks

· Data breach: Release of secure information to an untrusted environment, including trade data, schematics, manufacturing systems, shipping data, and other confidential company information
· Ransomware: A form of malware which encrypts the data on a user’s device or end system, rendering it inaccessible, and demands the payment of a ransom to decrypt it
· Denial of service: A cyber-attack performed by many actors to render a firm’s website or system unavailable to users
· Vulnerability: The discovery of a weakness, known or unknown, which may be exploited by a threat actor to perform unauthorized actions on a system
· Phishing: A fraudulent attempt to obtain security credentials from staff at entry to executive levels for malicious purposes

Conducting a risk assessment on the areas of vulnerability from multiple angles will help companies measure the potential risk and threat of a sudden attack on their supply chain.

Develop risk scenarios and emergency protocols

If emergency protocols are not established, or are not adhered to, in the event of a cyber-attack, confusion will likely follow and lead to disruption in the supply chain. Companies need to train their employees on potential threat scenarios and develop corresponding response plans to tackle different situations.

Often, these response processes might involve the use of advanced technology and human intelligence analysis. Having established the protocols and trained employees on their respective emergency response roles, the company will then be well-prepared to implement the appropriate measures to mitigate the potential damage inflicted by a cyber-attack.

Communicate relevant actions to stakeholders

When a threat has been identified, it is imperative to investigate the matter internally and cascade information in a timely manner within the organization before alerting the relevant authorities. Once more details emerge and the nature of the threat is confirmed, organizations should pro-actively inform all stakeholders who have been affected, while activating the emergency response teams to rectify the issue.

With the threat of cyber-attacks looming large, companies need to take control and ready themselves with a proper response plan and top-notch cyber security practices to protect their supply chain.

Shehrina spearheads the supply chain risk monitoring capabilities for Resilience360. Resilience360 offers end-to-end supply chain risk management, alerting customers about supply chain incidents globally and risks to their global supply chain in almost real time. The platform helps companies handle an ever-changing world by assessing the impact of natural disasters, changing regulatory environments, and other supply chain risks. With Resilience360, businesses can visualize their supply chains end-to-end, use machine learning capabilities to detect early warnings of incidents that can disrupt their supply chain, and preemptively respond to minimize business interruption.

This article was originally published on DHL’s Logistics of Things. Read more on how logistics impacts business, builds lasting connections and drives innovation.

US Retailers “Overconfident” on Cyber Security Issues

Portland, OR – US retail firms are confident in their ability to quickly detect data breaches, despite industry research to the contrary, according to a recent survey conducted by Dimensional Research and Oregon-based security management firm Tripwire.

When asked how quickly their organizations would detect a breach, 42 percent said it would take 48 hours, 18 percent said it would take 72 hours, and 11 percent said it would take a week, the survey said.

While 35 percent of respondents were “very confident” and 47 percent were “somewhat confident” that their security controls could detect rogue applications, most breaches go undiscovered for weeks, months or even longer, the research found.

The 2014 Trustwave Global Security Report reveals that the retail sector is the top target for cyber criminals, comprising 35 percent of the attacks studied with an average 229 days taken to detect a security breach.

The report also states that the number of firms that detected their own breaches dropped from 37 percent in 2012 to 33 percent in 2013. Some 85 percent of point-of-sale intrusions took weeks to discover, and 43 percent of web application attacks took months to detect.

The survey evaluated the attitudes of 154 retail organizations on a variety of cyber security topics.

“I always say that trust is not a control, and hope is not a strategy,” said Dwayne Melancon, chief technology officer for Tripwire. “Unfortunately, this data suggests that a lot of retailers are far too hopeful about their own cyber security capabilities.”

Despite “ample historical evidence that most breaches go undiscovered for months,” he said, “there is clearly a significant disconnect between perception and reality, even though the repercussions for failing to meet the required level of rigor around cyber security have led to the recent removal of retail executives and board members.”

The survey also found that 70 percent of respondents said that the recent, nationally-reported Target security breach has affected the level of attention executives give to security in their organizations and that 26 percent of respondents don’t evaluate the security of business partners, such as HVAC contractors who were implicated in the Target breach.

07/03/2014