Summary: Cyber Risks When Doing Global Business

Speakers:

• Brian Fox, Cyber Security Specialist, PricewaterhouseCoopers
• Marcos Mazoni, Director-President, SERPRO – Brazilian Federal Data Processing Service
• Christopher Painter, Coordinator of Cyber Issues, U.S. Department of State
• Carolina Paschoal, Assistant General Counsel, DIRECTV Latin America
• Neal Pollard, Director, Forensic Technology Solutions, PwC
• Ambassador Daniel A. Sepulveda, Deputy Assistant Secretary, Bureau of Economic and Business Affairs, U.S. Department of State
• Lisa J. Sotto, Partner, Hunton & Williams LLP

Summary

On January 23, AS/COA and the Brazilian-American Chamber of Commerce hosted a program on developments in the cyberspace environment. Participants discussed ways to help organizations develop practical solutions to cyber investigations, digital forensics, threat management, legal challenges, and asset protection while doing business online.

Defining Cybercriminals

PricewaterhouseCoopers’ Neal Pollard identified three types of cybercriminals: state-funded groups, organized criminals, and hacktivist groups. He noted that the first group is “not after an instant cash-out” but rather “after something that will give them a jump start to get ahead of the competitor.” In the United States alone, this type of espionage is the “largest transfer of wealth in history,” costing U.S. industries almost $300 billion a year. Organized criminals however, want to steal data that they will be able to turn over for cash. “They’re not hackers that found these exploits, but rather, they are criminals that know where the money is,” said Pollard. Finally, hacktivists are motivated by certain issues, and want to gain attention and embarrass the target. 

Developing Tools to Respond to Cybercrime

When a corporate breach happens, Lisa Sotto of Hunton & Williams LLP is the type of person who manages and works with the CEO to begin an investigation. First, she organizes a team to implement an incident response plan. The team is comprised of the various company representatives such as the IT department, the chief privacy officer, and senior counsel. Groups are kept small so no information is leaked to the public. The group conducts a legal analysis, which looks at the different notification laws in order to effectively address the security breach issues. This way, investigators have a sense of what happened before regulators conduct their own investigation.

DIRECTV’s Carolina Paschoal noted that preparation is key when it comes to cybercrime. She first looked at her company’s vulnerabilities and identified areas of improvement, and then created a crisis manual. “This is a risk mitigation plan,” said Paschoal. “You will experience an attack at some point or another, so you need to find a plan that will minimize the damaging effects the best you can.”

McLarty Associates’ Kellie Meiman Hock addressed public sector responses to cybercrime. “From a government response standpoint, you do see varying ways to respond, given the politics that are behind each attack,” she explained. When a government examines which policies to implement, it must protect its economic interests. In her case study of Brazil, Meiman shed light on the role that the country is playing with respect towards internet governance, noting that the country is well prepared for cyber attacks. Brazil is creating proprietary email, and is working on localizing data. The government also plans to modernize the mutual legal assistance treaties process. However, Sotto disagreed with the notion of data localization and argued that data “needs to be able to move to intervene in moments of crisis.”

Strategies for Preventing Cybercrime

Brazilian Federal Data Processing Service’s Marcos Mazoni spoke about the ways his company has played a role in preventing cybercrime. It was the first institution in Brazil authorized to operate as a certification authority of the Brazilian public key infrastructure. Ever since, it has worked to guarantee protection, preservation, integrity, and authenticity of stored data. The company deals with risk management, automated monitoring, backup, and recovery procedures, among other activities.

Banco do Brasil’s Nelson Murilo de Oliveira Rufino highlighted the ways in which the bank has been handling recent attacks. Given the growing number of attacks against financial institutions, Banco do Brasil has developed unique solutions. For example, criminals make false ATM screens that trick people into entering their personal information, which is then stolen. The bank developed a mobile app that verifies the customer’s identity and protects him or her from these imitation ATMs. In doing so, the bank has been effective in reducing the number of these types of attacks.

EMC’s Irina Simmons said that a crisis was a good place to start in terms of preventing cybercrime, since it can force companies to implement a new strategy. She suggested that businesses should be given monitoring and reporting tools and should build transparent lines of communications to all members of the company. Paschoal, meanwhile, said one of the best ways for a company to prepare itself is to keep an eye on industry trends and plan new strategies. She also recommended conferring with other companies in the same industry.