Asia lacks reporting mechanisms for hacking attacks

Without disclosure laws, hackers are free to strike in region and use the same techniques

BEIJING • Once a month, cyber security lawyer Paul Haswell gets a call from an Asian company with the same question: We've been hacked. Who do we need to tell?

More often than not, his answer is "no one". The client will hang up before Mr Haswell can urge them to go public anyway.

"There's no uniformity across Asia - some countries don't even have a law," said Mr Haswell, a Hong Kong-based partner at Pinsent Masons.

The lack of reporting mechanisms means there is no telling how often or how much personal information is taken from databases in Asia. But that veil of secrecy obscures an unsettling reality.

Companies in the region are targeted 35 per cent to 40 per cent more than the global average, according to FireEye, which helps clients investigate and fend off cyber breaches.

Asian corporations and governments are easier targets because they invest less in security and share less with regulators and other countries when victimised, in part because of longstanding tensions with their neighbours, cyber security experts say.

The United States has accused China of being the source of many large-scale attacks, which China has denied, saying that it, too, is a victim of hacking attacks.

A lack of laws mandating disclosure may be abetting recent attacks.

"The culture of silence regarding cyber attacks in Asia serves as fuel to the guild of thieves who operate with impunity in the region," said Mr Tom Kellermann, chief cyber security officer at security software developer Trend Micro.

If attacks are not disclosed, hackers are free to use the same techniques repeatedly. Perpetrators can exploit holes in Asian security to then infiltrate networks in other regions, said Mr Kellermann.

Security breaches cost the global economy more than US$400 billion (S$547 billion) annually, the Centre for Strategic and International Studies estimates, with Asian countries among the most badly hurt as a percentage of their respective gross domestic products.

It is not just China that has no specific penalties or obligations to disclose when hackers steal personal information, according to the World Law Group, an international network of independent law firms.

India, Hong Kong and Japan have no legal obligations for companies to publicly disclose data breaches, says the group. In South Korea, there is an obligation only if more than 10,000 individuals are affected.

"The vulnerability is the same in Asia as in the US and Europe," said Mr Bryce Boland, Asia Pacific chief technology officer for FireEye. "What's different is, in Asia there's essentially no disclosure requirement."

Asia is often depicted as the source of attacks. Yet of 19 heavily targeted countries monitored by Trend Micro in 2014, 10 were Asian. Part of that comes down to politics, as China spars with its neighbours over territorial claims in the East and South China Seas.

"As tensions heat up in Asia, whether it's conflict between China, Taiwan, Korea, Hong Kong or maritime disputes, where we see real world tensions, we see cyber tensions as well," said Mr Grady Summers, FireEye's chief technology officer.

Asian companies and governments are waking up to the threat.

Singapore's central bank took regulatory action against Standard Chartered over how it handled the theft of wealthy clients' data, though details have not been made public. StanChart referred questions to the Monetary Authority of Singapore, which said in 2014 that it did not generally disclose details of supervisory actions.

Publicly traded companies should have a duty to disclose because hacks are like a "community health issue" that can spread faster because of secrecy, Mr Boland said.

Experts said it is not clear whether governments around the region have the incentive to tighten disclosure regulations.

"We could almost do with a high-profile case like a Sony or Target to raise awareness," said Mr Haswell, referring to two of the biggest cyber attacks in US history.

BLOOMBERG

A version of this article appeared in the print edition of The Straits Times on July 30, 2015, with the headline 'Asia lacks reporting mechanisms for hacking attacks'.