BusinessEspionage in the Age of Technology

Bruce Wimmer, CPP

James A. Acevedo, CPP

Security Issues• CHALLENGE!!!

• Video Surveillance Cameras and Management Systems

• Telephones and Internet

• Motherboard and IT manufacturing

• Subway train cars

• Internet of Things (IOT) and Alarm Systems, etc.

• Unmanned Aerial Systems (drones)

• Autonomous Systems in Vehicles

• Robots

• Artificial Intelligence Systems

Security issues…

Part One

The Then…

In the beginning… some time after there was light.

…“Send out for yourself men so that

they may spy out the land of Canaan, which I am going to

give to the sons of Israel”…

The Now…

The Then

The Now…

“The vulnerabilities in technology are being built in during the development and manufacturing process. With one intent… to gather information. The integration into consumer-based devices and electronics is simply brilliant.”

Part Two

Weaponized cardboard

AN insert country name here COMPANY

Package and Product Designed in the

INSERT COUNTRY NAME HERE

MADE IN INSERT COUNTRY NAME HERE

Security Issues

Unmanned Aerial Systems (Drones)

• DJI systems sends data back to China; programs can be over-ridden from China and data transferred to China

• Other systems have no good cyber defense and a third party can get data or take over flight control

Brendan Schulman

Vice President of

Policy and Legal

Affairs, DJI talking

to a UK

Parliamentary Inquiry

"Teaching computers to learn for themselves is a brilliant shortcut — and like all shortcuts, it involves cutting corners"…

Part Three

Security Issues

Motherboard Manufacturing

• Various equipment manufacturers got an

“extra” chip from subcontract facilities in China

-- Super Micro and other entities moving manufacturing ops to Taiwan or other countries

-- Question now is: Where do the various components come from?

Security Issues

Telephones and Internet

• Hua Wei = 5G Network• Devices come from Shenzhen (where Chinese MSS has main

operating base)• U.S., UK, Australia and NZ all warned equipment transmits data

to China and has a “failure button” to shut it down• Numerous countries in Europe and Asia say they will use Hua

Wei’s 5G, to get lower pricing – ignoring loss of IP costs

Security IssuesVSS and Cameras

• Hikvision and Dahua

• 42% owned by Chinese government; all information goes to multiple servers in China

• Led by an R & D engineer who works for Chinese Public Security Bureau

• U.S. Army bought some and bragged about cost…but then removed them; other U.S. and state government sites did the same

• DHS issued a warning on the backdoors in March 2017

Security Issues

• Subway Train Systems

• China Railway Construction Corporation has just submitted a bid on the Washington DC subway system

• Preparing a bid for New York City

• Already won Boston, Philadelphia, Chicago and Los Angeles

• Underbid in each case by hundreds of millions of dollars

• WiFi is captured on each train car and can then be sent to China

Security Issues

• IOT – Including Alexa/Echo Devices and SIRI

• Reports say more than a thousand contractors around the world have been employed to listen to conversations and activities on these systems

• Demonstrates that many IOT systems for access control, intrusion detection and climate controls can be compromised too

Security Issues

• IOT – Including Alexa/Echo Devices and SIRI

Security Issues

Autonomous Systems for Vehicle “Safety”

• In the name of “safety,” multiple vehicles have systems that when they detect something in front of the vehicle, take over and bring the vehicle to a “safe” stop, avoiding a hazard

• In Guadalajara, Mexico a Mercedes Benz was stopped by kidnappers using smoke grenades and after a douse of gasoline…all were kidnapped and taken hostage

Security Issues

Autonomous Systems for Vehicle Safety

• How can you get a self-driving vehicle to stop?

• Just use a rabbit -- which caused a Tesla Model S on Autopilot to suddenly veer and stop (photo)

- Could terrorists or kidnappers do that?

…“THE JEEP HACKERS ARE BACK TO PROVE CAR HACKING CAN GET MUCH WORSE”…

Security Issues

Robots (for security, safety, etc.)

• Company in Hawaii thought this was cheaper than human guards and cleaners

• Ended up having sensitive business data photographed, recorded and transmitted – and ultimately sold to competition

• Losses far exceeded the supposed “savings” of some amazingly inexpensive robots (there was a reason they were so inexpensive)

Security Issues

Artificial Intelligence

• China heavily involved in this area

• Business Espionage resulted in loss of considerable sensitive related data

• Many resulting AI systems have built-in collection - and transmission - programs

• Programs set to ignore certain things that involve the programming site

Part Four

Security Issues

Any Common Threads Here???

• Technology is rushed into production by security and other providers without good security measures considered and “built-in”

• Technology is purchased based on pricing and “surface” capability

• Due Diligence is limited

• Embarrassing revelations show flawed processes in development and manufacturing

Security IssuesCHALLENGE!!! When buying and using Technology:

• Do a thorough Due Diligence on security technology to be purchased

• Take system security into consideration when making a procurement decision; make it a part of all bids and buys

• Know where every component comes from and the vulnerabilities (Risk) that goes with each

• Do cyber and supply chain security assessments for all equipment; require all systems have security built-into them and then do audits for compliance

Security Issues

Continued CHALLENGE!!!

• Do not be so totally in awe of technology for the sake of technology; look for any potential “downside” and security issues and address them

• Make certain it fits into your total security approach

• Effective security should do ALL four of these:

1. Deter

2. Detect

3. Delay

4. Respond

Security Issues

CHALLENGE!!!

• VSS without active monitoring is of limited value; use AI to help but make sure that does not compromise detection

• IDS without a quick response is of limited value

• Make your security Risk-Based…you may not be able to protect everything from everybody/every Threat -- but focus on the highest Consequence/Most Critical

Questions

Bruce Wimmer, CPPJames A. Acevedo, CPP