Cyber-attacks a standard part of doing business with China, security experts say
China has been cited as one of the most active countries for cyber crime attacks at New Zealand's first Cyber Security Summit in Auckland.
Jim Lewis, senior vice president for the US-based Center for Strategic and International Studies, said the most active cyber attackers were based in Russia, Iran, and China, with the latter mainly focused on economic espionage.
Lewis cited the example of an Australian company in talks recently on a deal with Chinese interests who said there had been 200 efforts to break into its IT systems to get data that would have been useful during those negotiations.
"I talked to the head of a UK security firm who said it was just a normal part of doing business with China," he said. "They want what would give them a competitive advantage in any deal they're in."
China has been a growing market for Kiwi exporters, especially dairy product exporters, since New Zealand signed a free trade agreement with Beijing in 2008,
Hacking is standard business practice in China, agreed Richard Bejtlich, chief security strategist at security firm FireEye. Companies doing business there have to decide if they'll earn enough revenue to pay for better cyber security.
"It's possible to hold them off. But I had a 40-plus team that were among the best in the world and we were just barely able to hold them off," he said. "I dealt with some companies who had physical offices in China that knew they were under surveillance and sometimes they were even approached by the government with that surveillance in hand or Chinese companies were told not to do a deal because of what the government had heard."
China signed landmark deals last year promising not to conduct cyber espionage to steal trade secrets from the US, Britain and Germany and that led to a similar agreement between the Group of 20 nations last November.
However, just weeks after the China/US deal was signed, the cybersecurity firm Crowd Strike caught dozens of alleged Chinese hackers trying to steal copyrighted data from American tech and pharmaceutical companies.
Bejtlich said industrial espionage by Japan used to be a problem and he's optimistic China will eventually cut it out as well but that doesn't mean other developing countries won't adopt similar tactics.
"We could have a similar issue in Africa or Latin America with, say, Nigeria saying 'that whole steal stuff from other people and put into our economy to jump start it looks a good idea'."
Lewis said one of the important moves the Obama administration had taken on cyber security was improving attribution. One example was the US Justice Department in March charging seven Iranians allegedly linked to Iran's Islamic Revolutionary Guard Corps with breaking into the computer network of a small New York dam and attacking more than 40 US companies.
The ability of the US government to find the source of cyber attacks has shifted from one in three to more than two in three because of private sector information sharing with government officials, he said. Microsoft, Google and Twitter all now have policies of sharing information on attacks on their customers if they detect them.
Microsoft vice-president of security Matt Thomlinson said its customer data showed a major upsurge in ransomware attacks since February.
Thomlinson said it often starts with spear phishing - an email that appears to be from someone you know - and has now moved from being targeted at consumers to industrial scale.
The latest Symantec Internet Security Threat Report estimated ransomware attacks in New Zealand averaged 108 per day.
The rise of bitcoin, a digital currency, is one reason for the upsurge in ransomware, said Bejtlich. Bitcoin is now well-established and provides hackers with enough anonymity to protect their identities while providing a ready market for stolen data.
His company had worked with corporate ransomware victims who had paid five to seven figure sums "as they don't have an alternative". However victims don't appear to be hit repeatedly as they are with other cyber crime once they had paid out, he said.
Mandatory reporting by companies that have been hacked can help others learn what's needed to tighten security, Lewis said.
"People don't like it because it can have a share price effect. That usually only lasts a quarter, though the effects on the brand can be longer-lasting," he said. "Greater transparency creates market incentives for companies to do better on cyber security."
New Zealand proposes replacing the current voluntary data breach reporting with a mandatory requirement, in draft legislation that should emerge by early next year.