Business Espionage in the Age of Technology
Bruce Wimmer, CPP
James A. Acevedo, CPP
Security Issues
• CHALLENGE!!!
• Video Surveillance Cameras and Management Systems
• Telephones and Internet
• Motherboard and IT manufacturing
• Subway train cars
• Internet of Things (IOT) and Alarm Systems, etc.
• Unmanned Aerial Systems (drones)
• Autonomous Systems in Vehicles
• Robots
• Artificial Intelligence Systems
Security issues…
Part One
The Then…
In the beginning… some time after there was light.
…“Send out for yourself men so that they may spy out the land of Canaan, which I am going to give to the sons of Israel”…
The Now…
The Then
The Now…
“The vulnerabilities in technology are being built in during the development and manufacturing process. With one intent… to gather information. The integration into consumer-based devices and electronics is simply brilliant.”
Part Two
Weaponized cardboard
AN insert country name here COMPANY
Package and Product Designed in the INSERT COUNTRY NAME HERE
MADE IN INSERT COUNTRY NAME HERE
Security Issues
Unmanned Aerial Systems (Drones)
• DJI systems send data back to China; programs can be overridden from China and data transferred to China
• Other systems have no good cyber defense and a third party can get data or take over flight control
Brendan Schulman, Vice President of Policy and Legal Affairs, DJI, talking to a UK Parliamentary Inquiry
"Teaching computers to learn for themselves is a brilliant shortcut — and like all shortcuts, it involves cutting corners"…
Part Three
Security Issues
Motherboard Manufacturing
• Various equipment manufacturers got an “extra” chip from subcontract facilities in China
-- Super Micro and other entities moving manufacturing ops to Taiwan or other countries
-- Question now is: Where do the various components come from?
Security Issues
Telephones and Internet
• Huawei = 5G Network
• Devices come from Shenzhen (where Chinese MSS has main operating base)
• U.S., UK, Australia and NZ all warned equipment transmits data to China and has a “failure button” to shut it down
• Numerous countries in Europe and Asia say they will use Huawei’s 5G, to get lower pricing – ignoring loss of IP costs
Security Issues
VSS and Cameras
• Hikvision and Dahua
• 42% owned by Chinese government; all information goes to multiple servers in China
• Led by an R & D engineer who works for Chinese Public Security Bureau
• U.S. Army bought some and bragged about cost…but then removed them; other U.S. and state government sites did the same
• DHS issued a warning on the backdoors in March 2017
Security Issues
• Subway Train Systems
• China Railway Construction Corporation has just submitted a bid on the Washington DC subway system
• Preparing a bid for New York City
• Already won Boston, Philadelphia, Chicago and Los Angeles
• Underbid in each case by hundreds of millions of dollars
• WiFi is captured on each train car and can then be sent to China
Security Issues
• IOT – Including Alexa/Echo Devices and SIRI
• Reports say more than a thousand contractors around the world have been employed to listen to conversations and activities on these systems
• Demonstrates that many IOT systems for access control, intrusion detection and climate controls can be compromised too
Security Issues
Autonomous Systems for Vehicle “Safety”
• In the name of “safety,” multiple vehicles have systems that, when they detect something in front of the vehicle, take over and bring the vehicle to a “safe” stop, avoiding a hazard
• In Guadalajara, Mexico, a Mercedes-Benz was stopped by kidnappers using smoke grenades, and after a dousing with gasoline…all were kidnapped and taken hostage
Security Issues
Autonomous Systems for Vehicle Safety
• How can you get a self-driving vehicle to stop?
• Just use a rabbit -- which caused a Tesla Model S on Autopilot to suddenly veer and stop (photo)
- Could terrorists or kidnappers do that?
…“THE JEEP HACKERS ARE BACK TO PROVE CAR HACKING CAN GET MUCH WORSE”…
Security Issues
Robots (for security, safety, etc.)
• Company in Hawaii thought this was cheaper than human guards and cleaners
• Ended up having sensitive business data photographed, recorded and transmitted – and ultimately sold to competition
• Losses far exceeded the supposed “savings” of some amazingly inexpensive robots (there was a reason they were so inexpensive)
Security Issues
Artificial Intelligence
• China heavily involved in this area
• Business Espionage resulted in loss of considerable sensitive related data
• Many resulting AI systems have built-in collection - and transmission - programs
• Programs set to ignore certain things that involve the programming site
Part Four
Security Issues
Any Common Threads Here???
• Technology is rushed into production by security and other providers without good security measures considered and “built-in”
• Technology is purchased based on pricing and “surface” capability
• Due Diligence is limited
• Embarrassing revelations show flawed processes in development and manufacturing
Security Issues
CHALLENGE!!! When buying and using Technology:
• Do a thorough Due Diligence on security technology to be purchased
• Take system security into consideration when making a procurement decision; make it a part of all bids and buys
• Know where every component comes from and the vulnerabilities (Risk) that go with each
• Do cyber and supply chain security assessments for all equipment; require that all systems have security built into them and then do audits for compliance
Security Issues
Continued CHALLENGE!!!
• Do not be so totally in awe of technology for the sake of technology; look for any potential “downside” and security issues and address them
• Make certain it fits into your total security approach
• Effective security should do ALL four of these:
1. Deter
2. Detect
3. Delay
4. Respond
Security Issues
CHALLENGE!!!
• VSS without active monitoring is of limited value; use AI to help but make sure that does not compromise detection
• IDS without a quick response is of limited value
• Make your security Risk-Based…you may not be able to protect everything from everybody/every Threat -- but focus on the highest Consequence/Most Critical
Questions
Bruce Wimmer, CPP
James A. Acevedo, CPP