Raleigh, N.C. — Meat, tobacco, furniture and surgical products are just a few of the North Carolina exports booming in the Chinese market. North Carolina businesses’ secrets are also in high demand overseas, and cyber terrorism experts say many companies are not doing enough to fend off hackers.
Research Triangle Park companies employ nearly 40,000 people and are home to billions of dollars of intellectual property. Every day, those companies are targeted by hackers, with many of the attacks coming from China, security experts say.
Retired FBI agent Greg Baker has helped RTP companies deal with cyber threats and says everyone should be concerned, especially “if your retirement plan is tied to one of those 401ks.”
“Companies all across the planet are being hacked every single day. Intellectual assets are being stolen every day,” Baker said. “We have to protect what’s ours.”
One example is Nortel, which was one of the Triangle's largest private employers with more than 7,000 workers. The telecommunications giant has since gone bankrupt, and a former executive said publicly that Chinese hackers were partly to blame.
Brian Shields, a former investigator for Nortel, told The Wall Street Journal last year that hackers spent nine years stealing company secrets, including technical papers, research and development reports, business plans, employee emails and other documents. The hackers also reportedly stole the passwords of seven high-ranking executives. The software used to compromise Nortel was embedded so deeply that no one noticed for years, according to Shields.
“That should cause a recognition to occur, that if it can happen to a company that size, it can happen to you,” Baker said. “Most of the situations I’ve seen (are) not because the hacker was so intelligent and so sophisticated, it was really poor company policy, training or a mistake.”
Hacking threats come from various countries for various reasons, including for political and financial gain, espionage and pleasure. When it comes to business secrets, though, an independent government commission estimated that Chinese hackers are responsible for about 50 to 80 percent of all stolen American intellectual property.
The key to understanding the phenomenon of hacking, especially in China, is understanding cultural differences, cyber security experts say. In China, many see hacking as being patriotic. Hackers are treated like celebrities and many believe information should be in the public domain. Chinese officials say they are cracking down, though, and recently added computer crimes to criminal law.
With North Carolina exports to China up nearly 300 percent in the past decade, according to the N.C. Department of Commerce, state business leaders say they want to build a relationship with China. Brooks Raiford, president of the North Carolina Technology Association, sponsored a seminar on June 24 for tech companies looking to do business in China.
Rule No. 1, Raiford says, is to know how the rules work in other countries. “In other cases, even the published rules are not necessarily followed, so that’s where the professional advice comes in on how to double- and triple-protect yourself,” he said.
Big corporations aren’t the only ones threatened, according to Michael Gibbons, a former head of Cyber Crime Investigation for the FBI who now does private security work for Alvarez & Marsal, a global professional services firm. Hackers are now going after businesses’ partners, such as accountants, marketing and law firms.
“They are going where the locks aren’t as secure. That’s the really scary thing, because some of those places, especially with law firms, they have just as sensitive information and, sometimes, all the keys to the kingdom,” Gibbons said. “They are the ones who are processing all the paperwork and how to file the papers to get that new patent. They are the ones who have sensitive litigation that’s ongoing with people’s personal information. It’s very much the place you’d want to go to find a honeypot of information.”
Cyber security firm Mandiant released a report earlier this year that traced 141 attacks on U.S. businesses to hackers in China. In some cases, Mandiant was able to follow hackers as they worked online. Many of the recent attacks were traced to a 12-story high-rise in Shanghai.
While Mandiant says the attacks originated in that building, the hackers used fake domains registered in other cities to make them harder to trace. Those cities included Calgary, Houston, Washington and even a fake domain registered to the tiny North Carolina coastal town of Shallotte.
"However, this information is not often validated. This means that certain information may be correct, out of date, or completely wrong," said Mandiant spokeswoman Susan Helmick. "That is to say, a person can register a domain as being in North Carolina, or any other state or location, when it isn’t."
Those fake domains give hackers another easy way in, even if a company detects and fixes one hole in its firewall.
“It took over 200 days, on average, for organizations to determine that they were compromised,” said Dave Damato, Mandiant’s director of professional services.
Businesses need to “figure out where their sensitive information is, how it’s protected, why they collect it and then get rid of it when they don’t need it anymore,” according to Gibbons.
“There are hundreds of thousands of people across the world engaged in breaking into others’ computers on a continuous basis,” Gibbons said. “I don’t see this going away in the future. In fact, the more complex our society gets and the more we rely on technology, the more vulnerabilities there are going to be. Complexity is really our enemy here.”
FREQUENTLY ASKED QUESTIONS ABOUT HACKING:
Ryan Johnson, a director with Alvarez & Marsal Global Forensic and Dispute Services in Raleigh, answers five commonly asked questions about hacking.
1) What kind of companies are the biggest targets for cyber crime?
Companies with proprietary intellectual property, formulas or convertible assets, such as credit card or financial data, are large targets. If these companies are in litigation, then their lawyers are targets, too.
2) What are the top two biggest risks to business today?
The top two risks are lost laptops with sensitive data that is not encrypted, and untrained staff opening email attachments with hostile code. Companies should encrypt sensitive information while stored at the company or while being transmitted across the Internet. All staff members need to be trained at least annually on how to protect information under their care and control.
3) If a company does business internationally and its executives travel to other countries frequently, what can they do to minimize their risks based on bringing computers and data into some of these countries?
While traveling, it is best to only take new laptops with no company data and to use web-based email using SSL protections. Look for the lock on the browser window and use the SSL connection whenever possible when sending your logon information. Some people set up a new email account and use it just for a short time, maybe only one trip, in case it is compromised. Always change account passwords to systems that you access internationally in case your logon was intercepted.
4) What are the five most effective security measures companies can implement to protect their assets?
Training is an excellent start to creating an environment that protects sensitive information. Having an external expert review your security procedures is also a best practice. Reviewing logs on servers for bad activity is critical to a security program's success. Another is having a written incident response plan in place before an incident occurs. Policy, policy, policy, written and communicated with staff, is critical and a low-cost best practice.
5) If a company's network is protected by firewalls, isn't that sufficient to ward off intruders?
People are the weakest link in security. The firewalls are a necessary technical control, but like doors in your home or business, the hackers will look for other ways of entry, even being invited in by your employees who have not been properly trained to understand the risks to your sensitive information.