Thanks to breach disclosure regulations in the U.S. and U.K., we regularly learn about the latest capers from the headlines. Without a doubt, these countries still face daunting cyber security challenges. One way to make those challenges look almost manageable is to compare them with the state of cyber awareness in Asia.
Advanced cyber attacks in Asia are relatively common. In the second half of 2015, FireEye observed targeted attacks on 27 percent of its customers in the Asia Pacific region, which is nearly double the global average exposure of 15 percent. Over this period, an organization in Asia was almost twice as likely to be hit with an advanced cyber attack than the worldwide average.
These attacks hit a broad swath of economic sectors. The sectors FireEye most commonly observed to be exposed to APT attacks in the second half of 2015 were federal governments (45 percent of organizations exposed), entertainment/media/hospitality (38 percent), high-tech (33 percent), manufacturing (29 percent), energy and utilities (29 percent), state and local governments (28 percent), services/consulting (25 percent), and financial services (20 percent).
What’s behind these advanced attacks? Geopolitical tensions are escalating across the region. This creates more demand for intelligence, and intelligence gleaned from cyber espionage, which is lower in risk and potentially higher in reward, fuels greater cyber espionage activity. And the cyber defenses of the typical Asian organization are relatively weak, which means they can be compromised at a relatively low cost, increasing the return on investment of the operation.
Despite the elevated frequency of advanced attacks across the Asia Pacific, the region’s cyber security capabilities lag many years behind the U.S., sometimes by a decade or more. The threats do not.
Last year, FireEye revealed a decade-long state-sponsored cyber espionage campaign by a well-organized China-based cyber threat actor called APT30. The operation focused on targets—governments, businesses and journalists—which hold key political, economic, and military information about Southeast Asia and South Asia.
Part of the infrastructure used by the group dated back 10 years, which is astonishing when one considers that discovery typically disrupts these groups much sooner in other markets. The group continued its development throughout this period but the fact that its attacks went unreported helped it avoid completely retooling and rebuilding infrastructure.
How could APT30 operate for so long with the same infrastructure? Most organizations in Asia aren’t capable of detecting advanced attacks. Many leaders believe legacy technologies, like firewalls and antivirus provide, provide adequate security. And when firms do find they are attacked and breached, they are very rarely required to disclose this to the government, let alone to the general public. When firms aren’t required to disclose significant intrusions, the attackers can continue to use the same tools and techniques to breach other firms.
The ramifications of this challenge extend beyond the Asia Pacific. The region comprises approximately 25 percent of the world’s GDP. For decades, its economies have served as the world’s factories. Increasingly the region delivers services as well. The ramifications of this weak state of cyber security in Asian countries extends to the rest of the world, where its goods and services are consumed.
Asia’s mature economies, such as Japan, Australia, Hong Kong, South Korea, and Singapore, are making progress in improving their security, but they can and should do much more. One way to do this is by requiring breach notifications.
Beyond the very largest organizations, awareness about the threats posed by cyber threat groups and defensive strategies is limited and restricts the adoption of technology and expertise to fend off advanced attacks. When organizations disclose they have been targeted and that they contained the breach, they significantly raise awareness of this issue.
Breach notifications also help strengthen the security of the wider ecosystem. When a cyber threat group successfully compromises a network, we often observe the group use the same tools, tactics, and procedures to conduct a subsequent compromise against another organization. These organizations are often unaware of the vulnerabilities exploited previously, and so they remain vulnerable. Attackers also reuse stolen credentials across multiple networks.
However, when organizations disclose breaches and share this intelligence, other organizations are better able to defend themselves against advanced attacks. Shared intelligence is one of the best weapons in our arsenal against cyber attackers, and it remains the least used among Asia-Pacific economies. Intelligence is most powerful when it lets the weak defend against the strong, and it can reduce the asymmetry of power the attacker has over the defender. Only with breach disclosure and intelligence sharing can Asia-Pacific economies have a level playing field in the battle against cyber crime and cyber espionage.