For those in need of a hard and fast reality check, a wake-up call, or simply more evidence to put in front of the doubters in their own organisations, Pete Mento, Vice President of Global Trade and Managed Services at Crane Worldwide Logistics, has shared his own personal insight into the ‘Nature of the threat – cargo security & cyber in the new supply chain’ at TAPA conferences in the U.S. and Europe, warning that security professionals who do nothing are doing a massive disservice to the future of their businesses. Frankly, it’s a point of view from one of the world’s leading experts on International Trade Policy and Supply Chain Security that’s impossible to argue against. Earlier this month in Spain, Pete gave his latest presentation to delegates attending TAPA EMEA’s Palma conference … and this is what he had to say …
I’ve spent a lot of time looking at the real threat to security right now and what I’ve realised is that so much time and effort has been put into physical security and a lot of effort has been put into cyber security but, in reality, the money, time and effort put into cyber security, unfortunately, isn’t being put into the right places.
We’re very concerned about banking and we’re incredibly concerned about the security of personal information but we’re not looking at the broader scope of what it would mean if the western world’s networking infrastructure was to be attacked. So, it got me thinking about who would do these attacks and where they would hit.
Believe it or not, our infrastructure where supply is affected is probably one of the most likely places that would be hit. I started talking to the sort of people who protect it and I can tell you that one of the things they’re most concerned with is the cyber security work that’s being done by people in my industry, transportation. They regard one of the weakest areas in the entire cyber security net – regardless of industry – to be supply chains. They couldn’t tell us why because it would give up the way they determine security, but their message was chilling.
In the future, it’s not going to be about things like bombs, the real target will be the networks that secure the world we live and work in. It’s the people that are easily able to hack into them that we’re most concerned with because, let’s be honest, it’s a big, wide, scary world out there and the reality is whoever controls the networks is realistically going to control the world. So, when you’re looking at the funding and the amount of time and effort people are putting into network security, think about your own companies, think about the people you’re engaged with right now and the amount of time and effort they’re putting into it too.
We are now seeing terror organisations coming together and pledging their support to a new generation of central figures, to rally around one leader. Why is this important? It’s important because individual terror groups have realised that the physical war they have been engaged in for the past 20 years isn’t necessarily getting them any ground. They’re looking for secondary threats and more and more ways to be successful. One of the things one of these terror leaders is famous for saying is that he doesn’t intend to send his ‘soldiers’ into physical wars, he plans to arm jihadis with laptops. In his plan to cripple the west, he sees the future as going after our banks and infrastructure because we’re weak and we’re soft. Imagine, after 9/11, if someone was able to turn off the internet for the day. Imagine the financial impact that would have had.
Being able to hack into a network makes everyone concerned about using that network. It forces every business to consider how they’re using it. It slows down commerce worldwide. There is no question that there are terror leaders that intend to use cyber to its fullest to disrupt the business of the west. So, there’s a new threat and that threat feels like using cyber.
When I previously spoke at the TAPA conference in the Americas, I asked, ‘how many people that are engaged with TAPA have advanced degrees in computer science?’ and ‘how many people are there in TAPA who are fully engaged in cyber that are not former law enforcement – and that are not people who spend their days worrying about how we’re going to secure containers and manage physical security?’ Most of us come from that world.
The new Customs-Trade Partnership Against Terrorism (C-TPAT) standards are now just beginning to scratch the surface of cyber – but this threat, and the nature of this threat, is real, and we’re only just beginning to realise it. The latest threats that have been happening are only going to put a bigger spotlight on the failure of a lot of the physical cargo security that we have – but what we are beginning to see is a desire to make it better. The issue we face is that there are people who are involved in C-TPAT, in organisations giving advice to customs, that don’t want to see the program made any harder because they don’t want to make financial investments. They feel enough has been done, even though they understand it could be better.
AEO, on the other hand, continues to be a more robust program as it has always had some semblance of understanding the security of networks because it had a financial component to it.
Previously, we’ve been able to get our arms around all the massive gaps in cargo security because there’s something physical to get hold of. With cyber, you can’t do that.
The value of cybercrime is only going to get bigger because of what criminals are beginning to learn. One of the black-hat hackers I spoke with gave me a fascinating insight into how he makes his money by stealing other people’s money over the internet, how he steals people’s identities and takes their entire bank accounts. This is a guy who was a Russian national who used to steal prestige $100K cars for a living, take them to a chop shop, take all the risk, be constantly pursued by the police, and then walk away having earned $7-8,000. Now, he told me, he sits in a coffee shop in Odessa and works on his computer and can take a couple of hundred thousand dollars before his day’s over with. He doesn’t worry about the police and he makes nice pieces of software he can sell to other hackers too. As he said, ‘it’s a growth business, why wouldn’t I want to be involved?’
That growth business is coming from all the places you would imagine, from people in Russia, China, India, Pakistan, Turkey and the United States. And the number of attacks is only going to grow.
The whole idea that we’re in a globally networked world supply chain means there should be a greater attitude towards dealing with cyber because this is not a new concept. In America, we’ve been concerned with cyber security since the 1980s when people started hacking the U.S. Government. The Government started investing in it financially and putting people on it to look for intelligent ways to deal with it because, like everything else, the bad guys are crafty and are going to be able to work around the rules.
Right now, with the trade war that’s going on, America’s and the west’s economy is entirely based on something called innovation – the innovation economy. The physical product doesn’t matter anymore. Let’s put it like this; what would you rather own right now – shares in a company that makes the ideas other people come up with or stock in the company which comes up with the incredible ideas? You’d probably rather own a share of the company that comes up with the incredible ideas.
As economies, we’re moving from focusing on products to focusing more on the ideas because they are what matter most. Our new economy in America is entirely based on protecting these ideas, which is why we’re currently in a trade war with China. It’s not because of deficits, it’s not because we’re buying more from China than we’re selling. It has to do with protecting IP. And, the Europeans, of course, are just as concerned with that.
There have been wholesale thefts of western ideas through cybercrime, which involve hackers going into servers, stealing millions of dollars of research and either producing those goods themselves or selling the research to someone who wants to make the products in a foreign country. Yes, they have the scientists in these countries and intelligent people but it’s just that their innovation economy is not keeping up as quickly.
That’s why we’re being told to protect our intellectual property with hardened cyber security because more and more things are going to be stolen.
There’s also the concept of personal security and keeping the intelligent people safe, keeping their information safe. So much of who we are is held on servers now and makes it possible for hackers to blackmail individuals by threatening to use information against them to the point where they are willing to compromise themselves and give up data and information.
We are working in a very resource networked industry and whether you’re a customs house broker, a freight forwarder, a transportation provider or a port, since the dawn of network computing we’ve tried to work with one another because it makes us more efficient. But, you’re only as strong as the weakest link in your chain, so if you have tremendous cyber security but you have someone in a port who doesn’t, that virus is going to find its way across. And, as you know, many people in the logistics industry have been hit. Recently, another couple of ocean carriers were hit again and it’s not going to stop.
There’s nothing stopping someone with the will and wherewithal from taking over the navigational abilities of a vessel at sea. Vessels are networked. They are attached to the internet and many of a modern vessel’s control systems are networked to the internet. So, it is possible to take over the navigation controls, the engine controls, the life support controls of a vessel. It’s only a matter of time before something happens. Ports are also networked, not only to the internet but to each other, and, of course, to government systems as well. Think of the type of debilitating attack that could happen. We’re also very concerned about autonomous cars, trucks and planes because as soon as someone can hack into them, they will.
All of the moving pieces and how they inter-connect with one another brings us to what the big fear is. We are constantly seeing terror groups using cybercrime to their advantage, such as to take down parts of security systems in order to cross borders. They’re using cybercrime to steal cash and launder money. They also see the use of cyber as a way to create chaos. This is what they want. It’s about trying to find some way to crush the will of western people, and that can certainly be done by crushing the supply chain, by breaking down the way we move goods and services.
The numbers are quite ridiculous. In 2016, $228 million of cargo was stolen – in fact this number could be worse. But in 2016, $450 billion was stolen by cybercrime and in 2019, that number is expected to go to $2 trillion.
So, what are we going to do to control that ‘back door’? The worst part is there doesn’t appear to be any real work done by most companies to deal with cyber threat. And a lot of this is because it requires every individual in your company to become a zealot to cope with these problems, and that takes a lot more time and energy than people are willing to invest.
However, by not doing something, you’re doing your business a disservice. Think of what has to happen for someone to steal your cargo physically and resell it versus someone who’s able to go in and steal an idea, steal your research, and steal your money online. It’s actually a lot easier – and in some cases companies don’t even know how much is being stolen. When they find someone has stolen their research, many companies are now hiring hackers to steal it back, which is illegal but they’re doing it anyway. In many cases, crimes are not reported because companies don’t want to expose the fact that they were exposed. They don’t want to let people know they were a soft target and got hit.
Almost all of this stuff is avoidable, but companies don’t want to do the simple things to avoid it. So, we’re waiting for an absolutely terrible event to take place to prove once and for all that people aren’t paying attention.
We are now in a situation where we are seeing more and more people hacking – the newest frontier of hacking is mobile phones because people are not doing a good job of securing them. And, the reason for this is because hacking, in the west, has become a hobby for young people where they think it’s fun to break into people’s mobile phones, devices and laptops, and if they find something interesting, they sell it.
In many respects, you have to admire the initiative of some hackers. I heard an incredible story of hackers taking a mobile phone, putting it on a drone and then flying it up and down outside hotel rooms at night, while people are asleep, looking for laptops that are still connected to the secured networks of companies, and then trying to hack in through these open connections.
The fact is, however, that so much can be done to prevent this by doing so little. You can protect your company leaps and bounds by doing the bare minimum, but people have to make a conscious effort. If you do the right thing, people are not going to bother to go after you because there are so many other companies that aren’t. All you have to do is convince your companies to do the basics – but, in reality, that’s going to be hard because they don’t feel they’re a target.
We spend so much arming the front door because we think people are going to physically steal what makes our companies special. They’re going to come in and take our products, our cargo away. But we’re leaving the back door completely unsecured, allowing people to come in and steal our ideas, our innovation, the future of our companies.
I applaud all of you for the amazing work that you do keeping your physical plants, people and products secure but if you don’t start paying attention to cyber, there won’t be those things to take care of in 15-20 years because the future of security is in stealing ideas and concepts in those ones and zeros.