Cyber Security

HIGHLIGHTS

Internet of Things Takes Off, Prompting Push for Tighter Cybersecurity

Strategic Resilience Plans Help Company Units Work Together During Cyberattack

Otsuka America Pharma Looks to Invest More on Cybersecurity, CFO Says

Senators Move to Sink ZTE Deal

Editor’s News Picks: Britain fines Yahoo UK for 2014 hack, Questioning Kaspersky move, Some Monero mined with malware, Dark web drug dealer pleads guilty


Commentary & Analysis

Internet of Things Takes Off, Prompting Push for Tighter Cybersecurity

By Jeff Stone

Consumers quickly have grown accustomed to connected devices that promise to make life easier by adjusting the lights at home, providing real-time health data, or summoning a favorite song on voice command.

But as companies offer, and seek, more of these convenient services to improve efficiency, concerns are growing that unsecured products -- from gadgets to jet-engine parts -- could become a conduit for cybercrime.

Legislators are taking notice, with Sens. Mark Warner (D., Va.) and Cory Gardner (R., Colo.) proposing last year the Internet of Things Cybersecurity Improvement Act of 2017, a bill that would force vendors to adhere to minimum security standards in connected products sold to the government.

The proposal is part of an effort to fill security holes as the number of global IoT devices grows to an estimated 20.4 billion by 2020, up from roughly 8.4 billion in 2017, according to market research and consulting firm Gartner Inc.

“Right now internet-connected devices are laughably easy for hackers to hijack, both for spying and [cybercrime],” Sen. Ron Wyden (D., Ore.), who co-sponsored the bill, said in a statement to WSJ Pro Cybersecurity. “Setting standards for the devices the government buys will have ripple effects that make the entire Internet of Things more secure.”

The IoT Cybersecurity Improvement Act applies to physical objects that regularly connect to the internet, and have computer processing capabilities that can collect, send or receive data.

Connected devices can be difficult to secure when manufacturers fail to take basic precautions. They should not ship IoT products with vulnerable passwords, or build devices that are incapable of receiving security updates, said Mr. Warner in a statement to WSJ Pro Cybersecurity.

“As manufacturers are adding ‘smart’ functionality to everyday products, quality assurance is too often an afterthought,” he said.

Enterprises also embed IoT technology throughout their systems, forcing business leaders to balance security with efficiency. For example, a technology company outside Yokohama, Japan, has 30,000 sensors in one building that collect data about where people go, the temperature, when employees use the phone and more, according to Richard Soley, chairman and chief executive of Object Management Group, which develops standards for securing IoT devices.

In that project, building operators must weigh the new visibility into their business against the need to keep the technology that makes it possible secure, he said.

“The idea is making the building more comfortable to use,” he said. “There’s a lot more communication going on, simply because you have so many more devices. Whenever you increase the attack surface of a system, you make it harder to secure that system.”

There also are numerous examples of connected consumer devices that have prompted security and privacy concerns.

Companies including Target Corp. and eBay Inc. confirmed this month they will stop selling the CloudPets brand of children’s toys after researchers discovered that hackers could spy on kids who played with their stuffed animals. Amazon.com Inc. confirmed last month that one of its Echo home speakers recorded a private conversation, and sent a recording of that discussion to someone in the owners’ contact list without permission, the Wall Street Journal reported.

Connected devices have been used to launch denial-of-service attacks such as the one in 2016 against Dynamic Network Services Inc., known as Dyn, in which hacked cameras and digital video recorders reportedly were used against web services including Amazon and Netflix Inc.

The Internet of Things Cybersecurity Improvement Act of 2017 in its current form would require that any IoT devices sold to the government be capable of receiving patches remotely. It also would prohibit vendors from shipping devices with known security vulnerabilities to federal government customers, and would require that the passwords on a device can be changed.

These provisions are a good step, but business leaders should view the requirements as minimum IoT security standards, said Stuart Berman, IT security architect at Steelcase Inc. The office furniture manufacturer makes and deploys IoT sensors in a system that informs people about conference room availability. Not included in the legislation, Mr. Berman noted, are best practices such as penetration testing and continuous monitoring of installed devices for any vulnerabilities.

Before installing IoT devices from a vendor on its internal network, Steelcase technologists assess the potential risks, and apply appropriate safeguards, Mr. Berman said. When Steelcase sought to add a connected lighting product to its office systems, the company connected those lights to a secure network that was isolated from corporate networks where employees traded more sensitive information, he said.
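The isolation Mr. Berman describes amounts to an egress allow-list for the IoT segment: the lights may talk to their vendor and to basic infrastructure services, and to nothing else, least of all the corporate networks. The following is an added example, not Steelcase's code, that checks constructed flow records against such a policy. The address ranges, the vendor endpoint, the permitted ports and the flow-log format are all assumptions.

```python
"""Egress policy check for an isolated IoT segment (added example).

The policy is an allow-list: a device on the IoT VLAN may reach local DNS/NTP
and its vendor's cloud service on specific ports. Any flow into corporate
address space, or to anything not on the list, is a violation to review.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Assumed address plan (constructed for this example).
IOT_SEGMENT = ipaddress.ip_network("10.50.0.0/24")          # connected-lighting VLAN
CORP_SEGMENTS = [ipaddress.ip_network("10.0.0.0/16"),
                 ipaddress.ip_network("10.1.0.0/16")]         # user and server networks
INFRA = {("10.50.0.1", 53, "udp"), ("10.50.0.1", 123, "udp")}  # DNS/NTP on the VLAN gateway
VENDOR_CLOUD = ipaddress.ip_network("203.0.113.0/24")         # lighting vendor's service (TEST-NET-3)
VENDOR_PORTS = {443, 8883}                                     # HTTPS and MQTT over TLS


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def classify(flow: Flow) -> str:
    """Return 'allow', 'deny-corp' or 'deny-unlisted' for a flow leaving the IoT
    segment, or 'ignore' for flows that do not originate there."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if src not in IOT_SEGMENT:
        return "ignore"
    if (flow.dst, flow.dport, flow.proto) in INFRA:
        return "allow"
    if any(dst in seg for seg in CORP_SEGMENTS):
        return "deny-corp"       # the isolation the text describes: no path into corporate networks
    if dst in VENDOR_CLOUD and flow.dport in VENDOR_PORTS and flow.proto == "tcp":
        return "allow"
    return "deny-unlisted"       # default deny: anything not explicitly permitted


def parse_flow_log(lines: Iterable[str]) -> List[Flow]:
    """Parse 'src dst dport proto' records (constructed format, one per line)."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport, proto = line.split()
        flows.append(Flow(src, dst, int(dport), proto.lower()))
    return flows


def violations(lines: Iterable[str]) -> List[Tuple[Flow, str]]:
    """Return (flow, verdict) pairs for every denied flow, in log order."""
    out = []
    for flow in parse_flow_log(lines):
        verdict = classify(flow)
        if verdict.startswith("deny"):
            out.append((flow, verdict))
    return out


# Constructed flow records: vendor MQTT, local DNS, an SMB attempt into the
# corporate file-server range, a telnet attempt to an unknown host, and a
# corporate host that is not the IoT segment's concern.
SAMPLE_LOG = """
# src dst dport proto
10.50.0.23 203.0.113.10 8883 tcp
10.50.0.23 10.50.0.1 53 udp
10.50.0.41 10.0.12.7 445 tcp
10.50.0.41 198.51.100.9 23 tcp
10.0.5.5 203.0.113.10 443 tcp
""".splitlines()

if __name__ == "__main__":
    for flow, verdict in violations(SAMPLE_LOG):
        print(f"{verdict:14} {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}")
```

In a real deployment the same allow-list would be expressed in the firewall or switch ACL between the VLANs; running it over exported flow records, as here, is how you confirm the rules are actually doing what the design says.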

But when Steelcase vetted partners to provide surveillance cameras for internal use, Steelcase put firms under greater scrutiny by asking for penetration testing and source-code analysis to identify any vulnerabilities, he said.

“If something has really sensitive information, like who is coming and going, that has to be more tightly controlled,” he said. “A test often will reveal right away whether a device is seriously flawed.”

Heightened awareness of Internet of Things security likely will force device makers to build products with better security, said Jeff Wilbur, director of the Online Trust Alliance, an initiative of the Internet Society, a non-profit dedicated to internet standards.

“It feels like we have positive momentum in this area,” he said. “Unfortunately I think it took these negative events to bring all this to light, but at least it’s happening.”

Write to Jeff Stone at jeff.stone@wsj.com.

Strategic Resilience Plans Help Company Units Work Together During Cyberattack

By Sara Castellanos

It is important to have a strategic “resilience” plan for how to address cyberattacks, said Phyllis A. Schneck, former deputy undersecretary for cybersecurity and communications for the U.S. Department of Homeland Security.

It is better to “understand that you’re going to get attacked” and have a plan that involves multiple departments, including legal and communications, so that a company can recover quickly, said Ms. Schneck, speaking on a panel at the WSJ’s CFO Network annual meeting in Washington Tuesday.

Compliance programs are important, but often, cyberattackers already know all about them, said Ms. Schneck, who also is managing director and global leader for cybersolutions at Promontory Financial Group.

She advises chief financial officers to prioritize the data a company wants to protect, make sure teams practice cyber-resilience plans so that it becomes “muscle memory” and to be wary of an expensive, “solve-it-all” cybersecurity plan.

Kevin Mandia, chief executive of FireEye Inc., suggested that CFOs form “red teams” of cybersecurity experts who attempt to hack internal systems, for example by stealing the CEO’s emails, credit-card and customer data, or attacking industrial control systems. This will show where the company is weak, he said.

“The best thing to do is test it,” he said.

Mr. Mandia said FireEye responded to more than 600 computer intrusions last year, in which the hackers were mostly nation states, including North Korea, China and Russia.

Dwell time, the amount of time between an intrusion and the moment a company finds out about it, is now under 100 days, Mr. Mandia said, down from over 200 days about 20 years ago.

Write to Sara Castellanos at sara.castellanos@wsj.com.

Otsuka America Pharma Looks to Invest More on Cybersecurity, CFO Says

By Nina Trentmann

Otsuka America Pharmaceutical Inc. has recently made changes to its cybersecurity policies in response to a “couple of attacks” in the past four months, said Chief Financial Officer Ed Stelmakh on Tuesday.

The damage caused by these attacks was not material, but it has raised management’s awareness of the issue, said Mr. Stelmakh, who spoke at the WSJ’s CFO Network Annual Meeting in Washington.

“We are paying a lot more attention to cybersecurity,” he said, adding that the U.S. subsidiary of the Japanese drug maker plans to potentially invest more money into its cyber defenses. “We don’t disclose the actual amount, but it is growing.”

The company’s IT chiefs now report to him, the CFO said, highlighting the company’s most recent attempts to centralize its decision-making processes to reduce its vulnerability to cyberattacks. “We are now following a more centralized, more coordinated way of addressing some of the risks that are out there,” said Mr. Stelmakh.

Otsuka manufactures “most of its products” in Japan and packages them in the U.S. The company hasn’t looked at the implication of potential tariffs on its operations yet, said Mr. Stelmakh, but is watching any changes to the U.S.’s relations with major trade partners closely. “We are in this business for the long term,” said Mr. Stelmakh.


More From Dow Jones

Senators Move to Sink Trump’s ZTE Deal

By Siobhan Hughes


WASHINGTON—In a rare rebuke of President Donald Trump, Republican Senate leaders set up a vote for this week that would undo the White House deal to revive Chinese telecommunications company ZTE Corp.

Commerce Secretary Wilbur Ross was on Capitol Hill late Monday to lobby against the move. But Democratic and Republican lawmakers said that an agreement had been reached to wrap into the National Defense Authorization Act an amendment that would ban ZTE from buying components from U.S. suppliers. The Commerce Department in mid-April had banned exports to the company as punishment for breaking a settlement to resolve sanctions-busting sales to North Korea and Iran.

In private meetings with Republicans last week, the president argued in favor of the agreement, which saved ZTE by allowing the Chinese company to resume buying components from U.S. suppliers.

The Trump administration agreed to lift the ban as part of a larger deal in which ZTE would pay a $1 billion fine and allow U.S. enforcement officers inside the company to monitor its actions. Cutting off access to U.S. components was essentially a death knell for the company.

“Great news! Our bipartisan amendment restoring penalties on #ZTE is included in the #NDAA bill the Senate will be advancing to later this evening,” said Sen. Marco Rubio (R., Fla.) on Twitter.

The defense-authorization bill is a must-pass measure that typically clears Congress with bipartisan support.

As a result, language that is tucked in the defense bill is much harder to block than legislation introduced independently or tied to other, less popular bills.

Senate Majority Leader Mitch McConnell (R., Ky.) said earlier on Monday that passing the defense measure is at the top of his to-do list this week.

If the ZTE language passes in the Senate bill, the measure would move to a conference committee with the House, which has already passed its own version of the defense authorization bill that doesn’t address the China deal.

Senators predicted that the measure would clear Congress and be signed into law by Mr. Trump because the underlying defense measure contains many popular items. Ultimately, “I would expect that there wouldn’t be a ZTE,” said Sen. Tom Cotton (R., Ark.). “The death penalty is an appropriate punishment for their behavior.”

The two chambers must agree on final language before the defense authorization bill can be sent to the White House for the president’s signature into law, or a veto.

With a vote looming, the Trump administration released details of the agreement and dispatched Mr. Ross to Capitol Hill to make a case to skeptical lawmakers.

The agreement, released in full on Monday by the Commerce Department, requires ZTE to pay a $1 billion fine, replace its entire board of directors and senior leadership team, and fund a team of U.S. compliance officers to monitor the company for 10 years.

In return, ZTE can resume buying from U.S. suppliers. ZTE depends on U.S. companies for components to make its smartphones and to build telecommunications networks.

Under the terms of the settlement, ZTE must pay for an “independent special compliance coordinator” chosen by U.S. officials. That individual will report jointly to ZTE’s chief executive and board of directors as well as the Commerce Department, the document says. ZTE will also pay for as many staff as the compliance coordinator needs, which will likely be at least six, the settlement says.

If there is a dispute between ZTE and the U.S. compliance chief, the Commerce Department will have the final say, it adds.

As part of its deal with the Commerce Department, ZTE will also be required to “identify in detail” all Chinese government ownership and control of the company, including both public and private holdings, the settlement document says.

If ZTE fails to honor the agreement, the Commerce Department can once again ban ZTE from buying from U.S. exporters and claim an additional $400 million it is requiring ZTE to hold in escrow.

Democrats and many Republicans are wary of the deal. They are skeptical that the U.S. will be able to police ZTE’s actions even with U.S. employees monitoring the company, and they are concerned about the technological challenge posed by big Chinese firms.

Defense officials also have warned for years that the telecom firm’s equipment, along with equipment made by rival Huawei, could be used to spy on Americans, accusations that both companies have denied.

In a briefing late Monday with GOP senators, Mr. Ross defended the settlement with ZTE, arguing that $1 billion was a stiff penalty for violating sanctions, lawmakers said. But senators argued that the issue went beyond violating sanctions and touched on U.S. national security.

“China is using its telecommunications companies as means to conduct espionage,” said Sen. John Cornyn (R., Texas). “We need to solve the larger puzzle of trade and national security in addition to the enforcement action for the violation of sanctions.”

“He was there to explain that from the Commerce side, the penalties were severe, but I don’t think there’s any debate about that,” Mr. Rubio said. “For me it was more than that.”

The primary advocates of reimposing penalties on ZTE are Mr. Cotton, along with Senate Minority Leader Chuck Schumer (D., N.Y.), Mr. Rubio, and Sen. Chris Van Hollen (D., Md.). The lawmakers are part of a group that last week unveiled an amendment to restore penalties on ZTE and said they would push to attach it to the defense-authorization measure.

The timing of the negotiations appears particularly fraught given the role of ZTE in larger geopolitical negotiations. Last week, Sen. David Perdue (R., Ga.)—who supports Mr. Trump’s position—said that “this is a very sensitive, complex situation” because the settlement was “part of trying to get Xi Jinping to help us with North Korea.”

Mr. Trump was set to hold a potentially historic summit with North Korea’s leader Tuesday to push for complete, verifiable and irreversible denuclearization.

Peter Navarro, a White House trade aide, over the weekend cast the agreement with ZTE as a tough deal that represented a last chance for the Chinese telecom company.

“The president did this as a personal favor to the president of China as a way of showing some goodwill for bigger efforts, such as the one here in Singapore,” Mr. Navarro said on Fox News Sunday. “But it will be three strikes you’re out for ZTE. And everybody understands that within this administration. So they’re on notice.”

Write to Siobhan Hughes at siobhan.hughes@wsj.com


Editor's News Picks

Britain fines Yahoo UK for 2014 hack: The U.K. Information Commissioner’s Office on Tuesday said it fined Yahoo UK Services Ltd. £250,000 for its data security practices, Reuters reported. Yahoo said in 2016 that more than 500 million accounts had been hacked two years earlier. An ICO investigation into the matter determined Yahoo UK Services had failed to take the necessary steps to protect data before that incident, Reuters said.

Questioning Kaspersky move: Antivirus software maker Kaspersky Lab’s move to open a transparency center in Switzerland has failed to impress U.S. intelligence officials, CyberScoop reported Tuesday. A spokesperson for the Russian company told CyberScoop that U.S. and U.K. officials are welcome to visit the facility to review Kaspersky source code, updates and other data to assess whether the firm presents a national security threat. U.S. officials previously banned Kaspersky software from government networks, and a number of companies have followed suit, CyberScoop said.

Some Monero mined with malware: At least 5% of the Monero cryptocurrency now in circulation was mined with malicious software, according to ZDNet. Cryptojacking malware infiltrates victims’ computers and forces the machines to mine for cryptocurrency on the hackers’ behalf. It’s an increasingly common form of cybercrime, which preys on users who don’t question why their machine seems to be working harder than before, ZDNet reported.
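The “machine working harder than before” symptom is the signal defenders can act on, but CPU load alone is noisy: backups and renderers burn cores too. The following added example (not from ZDNet or the original page) triages constructed endpoint telemetry by combining sustained CPU use per process with outbound connections that look like mining-pool traffic. The telemetry format, the CPU threshold, the port list and the JSON-RPC method names used as indicators are assumptions to be tuned for a real environment.

```python
"""Heuristic cryptojacking triage over endpoint telemetry (added example).

Two weak signals are combined: a process that keeps a CPU core busy across
consecutive samples, and outbound traffic that resembles a mining-pool
handshake. A process that trips both is what an analyst should look at first.
"""
import json
from collections import defaultdict
from typing import Dict, Iterable, List

# Assumptions: ports often used by Stratum mining pools, and JSON-RPC method
# names seen in Stratum handshakes (Bitcoin-style and the Monero pool dialect).
POOL_PORTS = {3333, 4444, 5555, 7777, 14444, 14433}
POOL_METHODS = {"mining.subscribe", "mining.authorize", "login"}
CPU_THRESHOLD = 80.0     # percent of one core
SUSTAINED_SAMPLES = 5    # consecutive samples at or above the threshold


def parse_telemetry(lines: Iterable[str]) -> List[dict]:
    """One JSON object per line (constructed format). Two record types:
    {"pid", "exe", "type": "cpu", "cpu_pct"} and
    {"pid", "exe", "type": "net", "dport", "payload"}."""
    return [json.loads(line) for line in lines if line.strip()]


def looks_like_pool_traffic(rec: dict) -> bool:
    """True if the destination port or the JSON-RPC method resembles a pool handshake."""
    if rec.get("dport") in POOL_PORTS:
        return True
    try:
        msg = json.loads(rec.get("payload", ""))
    except json.JSONDecodeError:
        return False
    return isinstance(msg, dict) and msg.get("method") in POOL_METHODS


def sustained_cpu(samples: List[float]) -> bool:
    """True if at least SUSTAINED_SAMPLES consecutive samples meet CPU_THRESHOLD."""
    run = 0
    for pct in samples:
        run = run + 1 if pct >= CPU_THRESHOLD else 0
        if run >= SUSTAINED_SAMPLES:
            return True
    return False


def triage(lines: Iterable[str]) -> Dict[int, dict]:
    """Return {pid: {"exe", "cpu", "pool", "score"}} for processes with at least
    one signal; score is 2 when both fire."""
    cpu: Dict[int, List[float]] = defaultdict(list)
    pool: Dict[int, bool] = defaultdict(bool)
    exe: Dict[int, str] = {}
    for rec in parse_telemetry(lines):
        pid = rec["pid"]
        exe[pid] = rec.get("exe", "?")
        if rec["type"] == "cpu":
            cpu[pid].append(float(rec["cpu_pct"]))
        elif rec["type"] == "net" and looks_like_pool_traffic(rec):
            pool[pid] = True
    findings = {}
    for pid, name in exe.items():
        c, p = sustained_cpu(cpu[pid]), pool[pid]
        if c or p:
            findings[pid] = {"exe": name, "cpu": c, "pool": p, "score": int(c) + int(p)}
    return findings


# Constructed telemetry: a miner masquerading as an updater, a busy browser
# whose load dips, and a legitimate backup job that only trips the CPU rule.
_records = []
for i, pct in enumerate([81, 95, 99, 97, 96, 98]):
    _records.append({"ts": i, "pid": 4242, "exe": "updater.exe", "type": "cpu", "cpu_pct": pct})
_records.append({"ts": 6, "pid": 4242, "exe": "updater.exe", "type": "net", "dport": 14444,
                 "payload": json.dumps({"method": "login", "params": {
                     "login": "wallet-placeholder", "pass": "x", "agent": "miner/1.0"}})})
for i, pct in enumerate([90, 95, 85, 40, 92, 90]):
    _records.append({"ts": i, "pid": 1337, "exe": "chrome.exe", "type": "cpu", "cpu_pct": pct})
_records.append({"ts": 6, "pid": 1337, "exe": "chrome.exe", "type": "net", "dport": 443,
                 "payload": "GET / HTTP/1.1"})
for i, pct in enumerate([85, 88, 86, 90, 87, 89]):
    _records.append({"ts": i, "pid": 77, "exe": "backup.exe", "type": "cpu", "cpu_pct": pct})
SAMPLE_TELEMETRY = [json.dumps(r) for r in _records]

if __name__ == "__main__":
    for pid, f in sorted(triage(SAMPLE_TELEMETRY).items(), key=lambda kv: -kv[1]["score"]):
        print(f"pid {pid:<6} {f['exe']:<12} cpu={f['cpu']} pool={f['pool']} score={f['score']}")
```

The browser drops out because its load is not sustained, the backup job surfaces with a score of 1 for a human to dismiss, and only the disguised miner scores 2 on both CPU and a pool-style login.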

Dark web drug dealer pleads guilty: Gal Vallerius, a 36-year-old French citizen, pleaded guilty Tuesday to conspiring to distribute drugs and commit money laundering as part of his involvement with an online drug marketplace, according to the Miami Herald. Mr. Vallerius worked as a moderator on a site called Dream Market, where he managed transactions dealing in narcotics paid for with cryptocurrency, the Herald reported. He faces 20 years in prison.
