Southeast Asia Cybersecurity Risks have Global Effect

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Lien Hoang

Cybersecurity vulnerabilities of connected devices in Southeast Asia pose risks to companies far beyond the region, analysts told Bloomberg BNA.

The massive October 2016 distributed denial-of-service (DDoS) attack on U.S. websites including those of Netflix Inc. and Twitter Inc., demonstrated that U.S. consumers and businesses aren’t immune to cybersecurity risks from remote places. The attack was sprung by taking over insufficiently protected web-connected devices, including internet of things devices in Southeast Asian countries—such as Vietnam and Thailand—to flood the U.S. sites with traffic.

Although far from Southeast Asia, U.S. companies shouldn’t underestimate the effects that cybersecurity vulnerabilities there may have on their businesses, analysts said.

Southeast Asia has the world’s fourth-largest internet population but also has an underdeveloped system of data protection laws and weak adoption of cybersecurity best practices, the analysts said.

The region is rife with illegal software because of weak intellectual property rights in the region, making it easier to infect systems with malware. In addition, new users are getting online through smartphones at breakneck speed, creating a bevy of unsophisticated users targeted through social media and e-mail scams These vulnerabilities in Southeast Asia alter the safety of the internet on a global scale, they said.

Robot Network Army

The culprits fired off their October cyberattack web requests from a botnet of compromised computers around the world, and no country supplied more of those devices than Vietnam.

An analysis by Redwood Shores, Calif.-based website security company Imperva Incapsula showed Vietnam was home to 12.8 percent of the devices infected by Mirai, the malware unleashed in the October DDoS attack. Indonesia and Thailand were among a slew of other Asian nations implicated in the attack. Security analysts agreed on the reason: pirated software.

“If you buy unlicensed software, normally you can’t run updates, you don’t have the latest patches, the latest security,” Hiep Pham, who teaches cybersecurity at the Royal Melbourne Institute of Technology in Ho Chi Minh City, told Bloomberg BNA.

For this reason Vietnam is almost always among the top 10 countries where attacks originate, reflected on a live attack map from Foster City, Calif.-based cybersecurity threat intelligence company Norse. The nation of 92 million people is also the world’s No. 2 source for spam, just behind far larger India, according to a November report from Moscow-based computer security company Kaspersky Lab.

Malaysia also provides a lot of ammunition for botnets and Indonesia is a leading site of malware infections, Kim Andreasson, managing director of cybersecurity consulting company DAKA advisory AB in Goteborg, Sweden, told Bloomberg BNA.

The U.S. Federal Trade Commission has said it intends to focus its enforcement efforts on internet-connected devices and has pointed to the worldwide nature of the threat. The FTC Jan. 5 filed a federal court complaint against Taiwan-headquartered D-Link Corp. and its U.S. subsidiary D-Link Systems Inc. which manufactures wireless routers and webcams alleging that it had misled consumers about the security of its devices.

New Users Influx

Andreasson said that multinationals should understand that security breaches in Southeast Asia may have implications for the companies back at their headquarters.

“If hackers are able to infiltrate, if you will, local offices of American companies in Southeast Asia, then they can potentially get into other data in the United States,” said Andreasson, who was commissioned by the U.K. government to write reports on cybersecurity threats in Southeast Asia.

In 2017, internet growth in Indonesia, Malaysia, the Philippines, and Vietnam will range from 6.4 to 9.5 percent, higher than the global average of 5.8 percent, EMarketer reports.

This influx of new internet users poses a security risk, Andreasson said. More experienced users “know what malware is” and “know not to click on links to ‘win $1 million’,” he said. “But when you come online for the first time, you don’t know these things.”

Most of these new arrivals are coming online through their phones, which are less likely than computers to have anti-virus protection, analysts said. Southeast Asia is number three in the world for mobile subscriptions, according to consulting company Deloitte & Touche LLP. That makes smart phone text phishing an attractive scam, the company said.

Minimal Privacy Laws

Deloitte released a report in December 2016 on the digital economy of the Association of Southeast Asian Nations. It said just three of the ASEAN trade bloc’s 10 states have enacted full data protection frameworks—Malaysia, the Philippines and Singapore.

This undeveloped legal landscape exposes customers’ information to more users, including cybercriminals, and creates uncertainty for companies that own that data, the report said. Since the U.S. is the biggest investor in ASEAN countries, according to Deloitte, U.S. companies have the most cybersecurity risk there.

Pham said companies don’t respect customers’ privacy because even the laws that do exist aren’t strongly enforced. That means there’s less concern about preventing leaks, and a willingness to sell client data, such as phone number lists, he said.

Businesses don’t “take security seriously because the consequences are not that severe,” Pham said.

Zacky Zainal Husein, a telecommunications and business partner at Assegaf Hamzah & Partners in Jakarta, told Bloomberg BNA that raising awareness is “always useful.” Stronger enforcement, such as following up after notification of a security breach “would show that the government is serious about protecting the integrity” of critical infrastructure and other systems, he said.

Malaysia as IT Supplier?

U.S. companies concerned about the security of devices manufactured in China have started to look to Malaysia as a supplier of computer and other electrical equipment, Andreasson said.

If Malaysia wants to become a “global hub” for information technology exports, Malaysian manufacturers will need to build trust in the security of their products, he said.

But there is “a trade-off between the business perspective and the political perspective,” he said. “In business you want to make money, while politically you’re concerned about national security and cybersecurity.”

Malaysia exported nearly $15 billion in electrical machinery to the U.S. in 2013, the latest year data were available, according to the Office of the U.S. Trade Representative.

To contact the reporter on this story: Lien Hoang in Ho Chi Minh City at correspondents@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law Privacy and Data Security