* Any views expressed in this opinion piece are those of the author and not of Thomson Reuters Foundation.
News of cyber attacks often focuses on foreign governments or social “hacktivists”, but many incidents stem from corrupt employees abusing their access to networks and selling data for financial gain.
A 2013 report by Kroll Advisory Solutions suggests that more than two-thirds of all cyber cases involving theft of data stem from corrupt corporate insiders – but that companies’ desire to deal with incidents quietly and internally means they rarely reach the public eye.
Cyber threats can take a range of different forms: from distributed denial of service (DDoS) attacks that swamp computers with huge amounts of traffic, to simple “phishing” emails or complex hidden malware.
Too often overlooked, however, is the central role anti-corruption and human factors have to play in countering this new technological menace.
Coverage of cyber attacks has typically focused on the dangers posed by foreign governments, or on the high-visibility strikes of social “hacktivists” like Anonymous or LulzSec. Yet many incidents stem from the work of corrupt inside officials or employees, often abusing their privileged access to networks or using low-tech methods like dumping data to personal USBs and selling them for financial gain.
Defence ministries and companies make particularly attractive targets. For such institutions, the security of confidential information is vital, and any cyber breach can have serious implications for defence plans or costly procurement projects.
In March 2010, Michael Mitchell, a former marketing executive for Kevlar body armour at DuPont, was sentenced to 18 months in prison for selling trade secrets to Kolon Industries, a South Korean competitor, in exchange for consultancy work. A U.S. jury went on in September 2012 to award DuPont damages in the amount of $919.9 million.
The temptation to blame outside actors, however, remains strong across all industries. China and Russia are favourite targets. In 2011, Renault was forced to withdraw allegations of Chinese involvement in a data theft that proved to be an attempt by the firm’s own computer protection officer to fraudulently create work for a friend’s cybersecurity consulting business.
More widely, governments are acting to boost their resilience to cyber attacks. On July 30, the U.S. Senate Commerce Committee unanimously passed a new draft cybersecurity bill, despite concerns it waters down a number of changes proposed by the industry and the White House. In India, similarly, the director general of Army Signals HQ called for a vision of cyber as the “fifth dimension of warfare”, amid new worries that the country will not be able to deliver the infrastructure and expertise pledged in its National Cyber Security Policy.
Too little, however, is being done to incorporate anti-corruption efforts into cybersecurity planning, especially in the sensitive area of national defence. This is a mistake. Ensuring strong anti-corruption standards – through clear ethical leadership, risk assessments, internal training and other such good practice – is a key part of securing confidential assets.
The success or failure of defence companies to integrate such measures into their everyday practice also informs whom exactly governments choose to do business with. After all, defence contracts involve the sharing of privileged designs and information. This requires a relationship of mutual trust – especially on the cybersecurity front – which can be greatly undermined if one or more sides cannot be sure of possible corruption in the ranks.
Balance, however, is needed. The traditional focus of cybersecurity is on the restriction and protection of data. Yet such measures must also be paired with opportunities for safe, legitimate exposure of information by whistle-blowers. Employees encountering evidence of corruption in a company with fair, transparent systems for handling whistle-blower complaints will not have to resort to the messy process of leaking incriminating data to “hacktivists” or to the press.
Real cybersecurity, then, means protecting insiders from the corrupt actions of institutions, as much as protecting institutions from corrupt insiders.
It is important to get this nuance right, and to act now. Unveiling plans for a new cyber partnership between the UK Ministry of Defence, intelligence agency GCHQ and companies such as BAE, BT and Lockheed Martin, British minister Philip Dunne described the current cyber environment as a “gunpowder moment” – a potential game-changer, which, like the invention of gunpowder, could have profound security ramifications for us all.
Only organisations free of corruption can best weather this moment of transformation, guarding against external hacker threats, while also empowering whistle-blowers to protect against internal misdeeds. Cyber networks can, like gunpowder, prove a volatile material – a powerful tool in the right hands, but prone to explode spectacularly in the wrong conditions. If defence and industry leaders are not proactive in dealing with insider ethical issues, corruption might just provide the fateful spark.
James Black is a research assistant at Transparency International’s Defence and Security Programme.