Foreign office threats: Protecting operations overseas


Controlling the airwaves


And action would be most welcome as enterprise and government operations continue to expand across borders and, as a result, face potential risks from native intruders more familiar with the lay of the land.

Foreign office threats are sure to be a big topic this coming year, says Rich Baich, a principal analyst in the security and privacy practice at Deloitte & Touche LLP. But, while most attention has been focused on privacy laws, what's been missing, he says, is a comprehensive understanding of telecommunications laws, particularly those affecting telecom infrastructure owned or controlled by a foreign nation-state.

“We understand what the FBI can do,” Baich says, referring to traditional means of surveillance of telecommunication, such as VoIP or cell phone calls. “But, do organisations understand who owns the rights to their data when that data is being transmitted in foreign nations?”

The message seems to be: No one should be trusted. The data flowing among corporate headquarters and remote satellite offices, particularly in foreign countries, is subject to a number of variables, namely foreign-controlled network infrastructure. This is different from privacy laws, he says. “Can you trust the phone guy?” he asks.

How can corporations opening an office overseas entrust the buildout of their office to contractors? As an illustration, he mentions the American embassy built in Moscow in the mid-1980s that had to be redone once it was discovered that the building was infested with bugs – of the snooping variety.

The threat of unauthorized access by criminals is just one of the challenges of a foreign-controlled network infrastructure. The system is also vulnerable to eavesdropping by foreign intelligence services interested in intercepting corporate or government proprietary data.

It is more than a matter of doing due diligence, Baich says. When leaving your host country, the laws are going to be different. “If you're an executive, what sort of encryption are you using?” he asks. And when that executive returns, how can it be determined they are not bringing back something unwanted on their laptop?

The risk, Baich says, is that state-sponsored entities, perhaps in cahoots with criminal gangs, can use any number of techniques to monitor, intercept, modify or disrupt the communications of any corporation or government agency from any number of points in the network path. Devices can be implanted anywhere, including within the central office of the telco.

As well, miscreants can use social engineering to dupe an email recipient into providing a password or another key needed to view corporate assets. Or, the public and private wireless networks can be penetrated. Compounding the situation, “lawful” intercept rules are not likely to be consistently applied across nation-state boundaries, Baich says.

The new Cold War


Baich says his job is to let people know they have to think of security differently as opportunities for attack always rest outside of a traveller’s environment. Supply chain infiltration has been real for years, since at least World War II, he says. When one goes to a foreign country, they can become a target for corporate espionage. “The Cold War is still on,” Baich says. “It's just a different domain.”

Any look at the top IT security risks for the coming year should include an examination of why a person is being targeted, and a look at what of value is being sought. Criminals seek to penetrate the network of a mining company, for example, because they want to know where the company next will be drilling, Baich says. Or, an e-commerce provider is hacked, say, to tinker with the code so that a penny can be siphoned from every transaction.

For Titus of Unisys, the question really boils down to who is in charge of security in the United States. Is it Christopher Painter, the US Department of State's first coordinator for cyber issues, appointed in April? Among his duties is to coordinate the department's global diplomatic engagement on cyber issues and serve as a liaison to public and private sector entities.

But, Titus asks, can he coordinate when, at this point, the US government has not even settled whether laws governing overseas data transmission are a diplomatic or corporate issue?

But she does see some evolutions in governance coming from the White House, particularly the US Commerce Department creating an internet ID, a cybersecurity effort that seeks to create an “identity ecosystem,” according to White House Cybersecurity Coordinator Howard Schmidt.

The final plan for the National Strategy for Trusted Identities in Cyberspace, announced on 15 April, provides guidelines for establishing secure online credentials to make internet transactions more secure. Computer users would cease using unique passwords on each website they visit and instead employ a set of credentials recognized by multiple sites. However, the secure credential – software on a mobile device, a smartcard or a small token that generates one-time passwords – has yet to be devised.

Despite that, Titus calls for expanding the initiative and bringing in EU colleagues to get identity standards moving quicker. Further, while there seems to be no unified effort at the moment to create an international set of standards for the transfer of data, Thompson points to historical precedents that caused huge legal shifts, such as the failure of Enron, which gave rise to SOX, and rampant identity theft cases in the state of California, which gave rise to the first data breach notification laws in this nation.

“There has been no privacy Armageddon yet,” says Thompson, “but there have been tremors.” He cites the recent breach of Epsilon, an email marketing services firm, where so much data was compromised that the consequences reverberated in the media and, thus, the status quo was shaken.

“When will we cross that boundary to get an overarching law to kick in?” he asks. So far, there is no answer.


Copyright © SC Magazine, Australia
