CISOs Need to Interpret the China / Google Situation for Their Companies

There is a press firestorm over Google’s announcement that it and other organizations were attacked from within China, and that Google will stop censoring google.cn, even if it means it has to pull out of the country. This feels like an Information Security story, but is it? Does this change anything for CISOs, and if so, what?

Security professionals haven’t learned much new. We already knew there was a concerted industrial espionage effort by groups linked to the Chinese government. Google’s recent announcement and the various follow-ups just make the extent of this problem a little clearer.

Will security professionals benefit from increased awareness within “the business”? It is good that non-security folks are more aware of the extent of the problem. However, most senior executives are probably drawing the wrong conclusion from the news. News articles report “Google got attacked so it may withdraw from China.” The obvious inference is: you can avoid cyberattack by not doing business in China. It is critical that CISOs use this opportunity to explain that these attacks are occurring against all big companies, regardless of whether or not they do business in or with China. If you feel like you’re not spending enough to protect your company’s information, now is the time to ask for more money!

What are the implications for doing business in or with China? If you have Google’s financial power or favor with the media, then you too could try to influence the Chinese government by threatening to suspend Chinese operations. Of course this is not a realistic option for most companies–even Google doesn’t have much to lose in the short run and probably doesn’t really expect to leave. They’ve probably been wondering for a while now how a business that makes money by setting information free is going to make money where information is not free.

The lesson for most companies is: any Chinese venture has to be profitable after assuming all related IP is lost. If China is willing to attack dozens of high-profile companies like Google and Adobe, there is no hope of protecting intellectual property in any sort of Chinese venture. Even a wholly-owned operation in China will be infiltrated by employees who are really spies. There is no information security protection available against a moderately motivated and skillful insider, especially one not concerned with losing his/her job or being prosecuted for a crime. CISOs will be unlikely to press the argument this far, but they should work with corporate strategists to re-evaluate offshoring risks, and to determine whether IP can be compartmentalized to reduce the value trusted to any one third party or geopolitical unit.
