What is ‘cyber terrorism’?
Maybe it’s not ‘cyber terrorism’, just ‘terrorism’. Or maybe it’s just political activism, or it could be just crime, not ‘cyber crime’. Maybe it’s just bad people doing bad things with new tools.
I feel that when you look at the word ‘cyber’ in front of these things, the action gets mystified. In reality, however, it does not have to be so. A few years ago, when all of these technologies were very new, not only could something like ‘cyber terrorism’ appear mystified, but it also seemed exotic, or other-worldly. However, today, it’s real.
You have organised crime operating on the Internet instead of the back alleys. Their operations are funded by criminal activity such as the theft of credit card information. These criminal enterprises are organised in a very effective manner to defraud consumers as well as businesses, and to trade in the confidential information that they steal.
When you say cyber terrorism, a lot of people think there are no real victims. But there are victims. The victims are translated into higher credit card fees and lots of activities by individuals who now have to reclaim their identity. It also translates into victims as a result of the terrorist operations. The culprits now have the financial means to break the law. So it’s all very inter-related in that way.
And so I will agree that absolutely, cyber terrorism is a risk in Asia. But I would go a step further, and say it’s just terrorism. It’s just crime. And they’re using technology as a way to enhance their effectiveness. So law enforcement has a big challenge to understand the new technologies, and to be able to fight cyber crime. But individuals and companies play a large role in fighting these problems.
If ‘cyber terrorism’ does occur in Asia, why aren’t such activities covered in the press?
Generally in Asia, victims of these types of crime rarely come forward. In private you often hear them say: “We don’t want to expose problems with our systems. We don’t want our reputation to be damaged.” It’s unfortunate because when people don’t disclose what has happened, then the cycle does not get broken, the criminals are not apprehended and additional people and businesses become victims. This concept of thinking of cyber crime and cyber terrorism in more simplistic terms is a recent revelation to me. I tend to think that when you demystify it, you will have an easier time enforcing the laws which are designed to protect people from such problems.
When one thinks of cyber crime as just plain old ‘crime’, it becomes easier for victims to understand when they have truly been victimised and that there is something they can do about it. Only a few years ago, when you caught a cyber criminal, the media would want to make him a star. I would rather put him in jail.
When you or your company is a victim, you should report it, disclose it and step up to be part of the solution to preventing it in the future. Hiding it will only ensure that these activities remain a problem.
If you say it’s ‘cyber’, the response is often: “Oh, I can’t say anything, people might think my infrastructure is weak and won’t want to do business with me.” However, when someone bangs down your door, charges into your office and steals all your computers, you would go to the police. The reality is that when a hacker breaks into your system from the outside or from within, the crime is equivalent to a physical break-in.
MIS Asia’s CIO readers rated security as one of their top 10 concerns in 2008. What’s your expert advice on IT security at the corporate level?
I think communication is really the key. It’s very important for the CIOs to get the various departments and stakeholders to talk to each other and collaborate on the best practices for management of the users’ applications and systems.
But here’s the problem. CIOs, CTOs, information management and systems people speak one language, the technology language. The people on the board of directors and the senior management speak a different language, the corporate language. And then there are other parties in every organisation, such as customers, vendors, suppliers, internal departments, and everybody has their own unique language.
So the fundamental challenge for CIOs is to serve as a focal point to get everybody talking together and collaborating. Educate people as to what the risks and best practices for the organisation are, monitor usage and enforce policy. Taken as a whole, it is a big job, and very difficult to do.
The organisations that are successful in breaking down what I like to call the ‘technology language barrier’ can emerge as market leaders where corporate assets and value are preserved while providing a safer environment for employees and customers.
In what ways are you helping your clients to deal with the financial meltdown?
Today, we’re very involved in helping companies deal with the financial crisis. We assist companies to establish best practices, systems, policies and procedures to avoid the types of problems they’re having.
Many of the lawsuits that take place are filed in the US, but the data lives in a foreign country.
So, as an example, we’ve had many cases where there is patent litigation or product liability litigation, or what we call FCPA, investigations that are under the Foreign Corrupt Practices Act.
That’s when the federal government is doing an investigation into the company and they’re concerned that they’re bribing foreign officials.
So the company will hire us to conduct the investigation, so that they can respond to the US federal government. For instance, we’ve gone to China to collect electronic data from the company and then examined that data in e-mails, backup tapes, servers, hard drives, thumb drives and different media.
Then we reviewed the contents in the e-mail, the files, the databases, and we reconstructed the events, even in the Chinese language.
We work in every language, Chinese, Japanese, and so on.


