How a robot heist exposed a blindspot in cybersecurity management
As cybersecurity threats become increasingly frequent and sophisticated, organisations of all stripes require the expertise to remain secure. The case of Huawei vs T-Mobile exposes the need to extend the existing technology lens in cybersecurity to better include the business perspective and its management practices if organisations are to avoid future significant security breaches.
The target: a robot named Tappy
In 2006, leading US mobile telephone and wireless broadband operator, T-mobile, engineered a robot arm nicknamed ‘Tappy’, to test software glitches in mobile phones and tablets procured from suppliers. Featuring a rubberised tip designed to mimic the human hand and operate device screens, Tappy is driven by software that uses a wide range of scenarios to test a device’s functionality for glitches before sending them out to the consumer.
A huge success, the introduction of Tappy reduced T-Mobile’s device returns reduced by up to 75 per cent. As expected, T-mobile competitors set about developing their own testing robots. What was not expected however was that Huawei China’s efforts would eventually snowball into an incident of industrial espionage, and a series of legal indictments.
The heist: elaborately planned, consisted of four events
Event A: The Line of Questioning
According to the legal indictment, Huawei employees, on several occasions, asked T-Mobile personnel detailed, and at times ‘intrusive’ and ‘pointed’ questions about Tappy.
Event B: The Photographs
Huawei China personnel gained access (despite being explicitly denied such access), via the Huawei USA team, who had permission to be in the general area as part of an alliance agreement with T-mobile. The Huawei China team then photographed Tappy using a smartphone, and these photographs were then forwarded to Huawei’s R&D team in China.
Event C: Theft of a Physical Artifact
While alone in the lab, Huawei personnel concealed and then removed a significant physical artefact, which was then taken to Huawei’s USA offices and used to provide measurements to Huawei China’s R&D division during a conference call.
Event D: Theft of Software
Huawei employees accessed and sent proprietary sequencing files via email to other Huawei personnel, despite being explicitly forbidden from doing so by T-Mobile.
Tappy exposes a glitch – but not in the way you think
Cybersecurity is widely considered a technical problem that is best delegated to the operational ‘IT Support’ unit. As a result, cybersecurity professionals are siloed away from broader business operations, so that business information assets (such as intellectual property) which do exist, the form they take, where they are located, and the potential business risk of leakage, is largely unknown to them.
Further adding to the problem is that IT operations are considered a cost-centre and not a revenue generator, hence resourcing constraints and the structural limitations of working in an operational unit make it difficult for cybersecurity professionals to develop an understanding of the value of business assets. This is particularly an issue for innovative organisations that make their profits from Intellectual Property as their IT support tends to focus on the availability of digital platforms and neglect Intellectual Property protection. The same issue of ‘fit’ between business needs and cybersecurity management extends to organisations with sensitive information such as trade secrets, business strategies, product or service-related knowledge and confidential client information.
In the case of T-mobile there were a number of likely reasons why T-mobile was left exposed. Tappy does not fit the definition of an IT asset so cybersecurity professionals in IT operations were unlikely to have considered securing Tappy to be their responsibility. Additionally, the presence of Huawei USA was likely to have been negotiated outside of the purview of security professionals, so it is likely they did not ‘connect the dots’ to recognize the threat posed by third-party contractors and their relationship with threat actors with a track record of Intellectual Property theft.
The lesson: ensuring a cybersecure future
The need to better understand business risk led Atif Ahmad Deputy Director at the University of Melbourne’s Academic Centre of Cybersecurity Excellence (ACCSE), to create a new microcredential. The microcredential will teach aspiring cybersecurity leaders how organisations with valuable information and knowledge assets can expand their narrow technology lens to include a broader enterprise business lens.
According to Deputy Director Atif Ahmad, developing a cybersecurity capability that supports broader business objectives comprises three key steps:
Firstly, understand business risk and the threat landscape within which the business operates. Where there are threat actors with the means and motivation to impact the business, threat intelligence must be actively collected and play a greater role in directing the activities of the security function.
Secondly, it is necessary to create a governance structure which supports business objectives. This may mean a change to the way security is organised and valued. For example, the security reporting structure may be transformed to allow a Chief Security Officer with an integrated cyber-physical-people perspective to be elevated to the same level as the Chief Financial Officer. Also, security can be better integrated into business operations through partnership development and moving security services outside of IT operations to its own dedicated structure.
Thirdly, organisations must leverage both management and technology controls so that they work in tandem, including both formal controls (strategy, policy and risk management), informal controls (i.e. training), and technological controls such as firewalls, intrusion detection systems, anti-malware solutions, access controls and authentication.
According to Ahmad, “organisations need to address how to transform the way they perceive, resource, structure and use their information security function”. Failure to adopt a full 360 view on a company and its assets, processes, and therefore potential vulnerabilities, means that elaborate plots comprising multiple breaches are difficult to prevent, detect and recover from.
If you want to be at the forefront of this change and lead your organisation into a more cybersecure future, our Microcredential in Cybersecurity in Organisations will equip you with an increased understanding of the evolving cyber-threat landscape and role of cybersecurity in protecting information resources in organisations.