Cyber Attacks Expose CEOs, Corporate Boards
GATINEAU, Que.—CEOs and business leaders often ignore cyber intrusions or even cover them up, allege IT experts who attended an espionage conference near Ottawa this week.
But those actions leave publicly listed companies and their corporate boards exposed to massive legal liabilities when cyber attacks leak customer info or damage the company’s competitive value.
While customers who had their data leaked would have a tougher time proving their losses, shareholders have much more width to win class-action lawsuits that could haunt corporate leaders long after they’ve left their post, warns a University of Ottawa law professor.
What happened with Nortel should, by this point, be a warning to other Canadian companies. That’s certainly the best that Brian Shields, former Nortel senior systems security adviser, could hope for.
He watched from the inside as executives ignored systematic hacking or made it impossible for him to uncover attacks or better secure the company.
Shields laid out in excruciating and technical detail how Nortel was hacked for years.
He believes Nortel was brought to its knees by the fact it faced competitors who undercut it with cutthroat pricing. He also believes Chinese telecom Huawei’s rise was proportional to Nortel’s fall and that ongoing cyber espionage played a key role.
Nortel was Canada’s crown jewel in the tech space, and now it’s gone. Others will follow suit if nothing changes, warns Shields.
“We have an economic war going on here, and we are losing,” he said.
Report after report in the U.S. and Canada detail the scope of the problem. The figures tossed around can reach trillions in losses as research and development paid for by North American companies fuels the rise of competitors—often Chinese competitors.
Shields was one of over 20 speakers at the International Conference on Corporate Espionage and Industrial Security held at the Hilton Hotel in Gatineau on Dec. 1 and 2.
An ongoing theme of the conference was that espionage is rampant and companies are ill-prepared or unwilling to address the problem. Many of the IT security experts in attendance said company executives either don’t understand or don’t care about cyber intrusions.
After Shields’ post-mortem on Nortel, Eric Parent, founder and CEO of Logicnet & EVA-Technologies, told the room that the exact same thing is happening now.
“Everything you just described there is still going on today,” he said.
Parent said work for a major client recently revealed the same attacks, same chronology, same executive indifference.
“One major difference, it wasn’t going to a China telecom, it was going to two different universities in China.”
Parent’s firm had to drop the client after they refused to address the security holes. He didn’t want his firm associated with inevitable future breaches. In fact, Parent’s firm tries its best to avoid working for publicly listed companies.
All too often, CEOs would rather hide problems than address them, worried about hurting short-term share prices or losing their annual bonus. Parent and one of his staff, Sylvie Guérin, a lead auditor at EVA-Technologies, say CEOs will even hide attacks from their corporate boards and fire top IT security staff to keep word from getting out.
Parent has now joined with others to create the Canadian Cyber Defense Network (CCDN), a kind of whistleblower website for “white hat” hackers, people who uncover vulnerabilities and want to see them fixed rather than exploited.
IT experts will receive the details of a serious security issue through an anonymous channel and issue a case reference number that will be published online, but not the details of the vulnerability. Then CCDN will attempt to brief the CEO of the vulnerability and monitor whether it is addressed. On their website they will pass judgement on whether the issue was resolved and note that beside the reference number.
Boards, Companies Liable
That slightly convoluted process is meant to ensure that people who uncover vulnerabilities can point them out without facing prosecution, a problem that now exists. Those reporting the vulnerability could be the company’s own IT staff, notes Parent.
But there is another way to compel company executives and corporate boards to fix security holes, says Errol Mendes, a law professor at the University of Ottawa, who also spoke at the espionage conference.
“Tell them about the potential legal liability,” he said. “Use the legal stick.”
The problem for many boards of corporations is that they don’t have the expertise to understand the technical aspect of cyber security and the challenges companies face.
Whether they understand it or not, though, they are legally liable for mistakes that happen under their watch.
Case law both north and south of the border is evolving quickly, putting the onus for appropriate cyber security on boards as part of their fiduciary duty to stockholders.
While they may not understand and act on every threat, they must have mechanisms to ensure the information is reaching them and they exercised sound judgement.
Failure to do so can make the company, or board members themselves, liable for fines and lawsuits.
Canadian board members can’t escape those lawsuits even after leaving the company, said Mendes.
“If you resign after something happened, it is not a get-out-of-jail card,” he said.
Because the problem is complex and few board members can be expected to understand the scope and technical details of the problem, he recommends boards set up special committees with the necessary expertise.
He also advises that boards hire third parties to assess their internal security and that their IT staff are up to the demands facing them.
For the IT experts in the room, Mendes said this legal angle could be just the lever they need to push boards and executives to action. And ignorance is no defence, he said, even if CEOs hide those breaches from their boards.
With headlines recording alarming breaches—like the hack against JPMorgan Chase that has exposed 76 million households and 7 million small businesses to the spectre of identity theft—it’s not something that can be left unaddressed.
Parent said companies have a duty to their customers and their shareholders to make a determined effort to improve cyber security.
“Security and ethics go hand in hand,” he said.