Suspected Chinese hackers have spent years sifting through other Asian countries’ computer networks, which often don’t have basic protections against cyberattacks.
This summer, political clashes brought cybersecurity into focus in Asia. After the Hague-based Permanent Court of Arbitration ruled against China’s territorial claims in the South China Sea in July, hackers linked to Beijing shut down airport check-in screens at Vietnam’s two largest airports (Vietnam and others are locked in a conflict with China over who owns the resource-rich waterway).
And smaller Asian countries seem uniquely unprepared to fend off that kind of aggressive, high-profile hacking. The cybersecurity firm FireEye reported that hackers who penetrate Asian companies’ corporate network typically remain in the system for up to 520 days before they’re caught, compared to an average of 146 days in the US.
But experts speaking at an Atlantic Council event Tuesday said there are ways to improve their overall cybersecurity practices. Panelists included Will Glass, a threat intelligence analyst at the cybersecurity company FireEye; Robert Manning, senior fellow at the Atlantic Council’s Strategic Foresight Initiative; Samm Sacks, senior analyst for Asia at the Eurasia Group; and Denise Zheng, a senior fellow at the Strategic Technologies Program at the Center for Strategic and International Studies.
Here are just a few things we learned:
1. When it comes to cybersecurity, Asia is behind
It’s not just China’s hacking prowess that has enabled Beijing-linked groups to break into systems at a number of targets, experts say poor cybersecurity practices throughout Asia are enabling bad guys to steal files and engage in political espionage.
“There used to be a perimeter model where you could set up a wall or a moat and some archers and you could pretty much keep everything out,” said Mr. Glass referring to how Asian countries have traditionally thought about cybersecurity. “I have to operate under the assumption that there’s some bad guy in my network, what do I do to make sure that I can mitigate the damage they can cause once they’re inside.”
2. Deterrence is having some impact
While deterring innocuous cybercrime, like website defacements and social media pranks, remains difficult, according to Ms. Zheng, the strategy so far has had an impact in Asia by limiting attacks on critical infrastructure facilities.
“When you’re looking at really catastrophic cyberattacks, you could argue that we’ve effectively deterred those types of things, mostly because of our conventional military capabilities,” she said. “So if you attack our power grid, if you bring our power grid down, we have many other options on the table to retaliate.”
That’s why talk of a doomsday-like cyberattack in Asia might be overblown.
“When people talk about building a cyber nuclear bomb, it’s not particularly useful,” she said. “That’s why we use things like sanctions and indictments, we have used diplomatic actions, a combination of all of the above really, to deter this type of activity.”
3. There’s room for negotiation
Even though the US and China have already agreed to a deal to limit corporate cyberespionage that appears to be having some impact, experts say there’s still room from improvement.
“There’s room for more detailed codes of conduct,” said Mr. Manning. “The more China develops, the more vulnerable it gets, and this mutual vulnerability cuts across the whole strategic relationship with China.”
And that room for negotiation could grow, says FireEye’s Glass, as China has begun to move toward a model of economic development that depends upon direct investment from Western companies, not just foreign trade.
“There is a certain limit to which you can derive value from stealing blueprints for something, you need the people who know how to build it,” he said. “I think part of the reduction we might be seeing is somewhat of an attempt by the Chinese side to say, we’re going to scale this back a bit and build a more friendly environment for Western companies to come to China.”