Nortel’s security breaches, which may have gone back to the 1990’s were never mentioned to its creditors, the public, or to any of the companies that purchased its compromised technologies. Shame, and perhaps fear of liability, may play a more common role in corporate culture than previously realized.When Nortel Networks, founded in Montreal in 1895 as the Northern Electric and Manufacturing Company, filed for protection from its creditors in 2009, the pocket analysis of how one of the world’s largest telecom companies had gone bust was that the market had spoken.
Through a combination of supposedly slippery bookkeeping, excessive bonuses, and a lack of agility inherent to an overlarge ex-crown corporation, Nortel had fallen prey to the market’s circle of life. What assets were left at the end (approximately 6,000 patents and patent applications for technologies that had wireless, 4G, networking, optical, voice, and semiconductor applications) were sold to a consortium of other tech companies and spread around the world.
In 2012, reports emerged that Nortel had been hacked as early as the year 2000, and perhaps earlier than that. The passwords of seven top executives were stolen, after which it was open season on internal R&D reports, emails and replicable technical formulas, as good as blueprints for creating knockoffs. When I spotted a Nortel sign while wandering past their Beijing headquarters in 2001, my main thought was, “Geez, these guys are huge.” It’s difficult now to jar oneself to remember just how huge they were; at its peak, in 2000, Nortel had a market value of $350 billion. The stock once represented 36% of the entire value of the Toronto Stock Exchange and employed 90,000 people.
Eventually, Nortel’s senior security advisor, Brian Shields, undertook a six-month investigation to determine the depth of the problem. His conclusion was that the hackers ”…had access to everything… They had plenty of time. All they had to do was figure out what they wanted.” Shields states that the company discovered in 2004 that some of its computers were transmitting data to an IP address in Shanghai. Hindsight being 20/20, it seems incredible that Shields’ investigation wasn’t taken seriously by management and was quietly put down. In 2004, it would have been impossible not to notice that Huawei, a Chinese telecom giant which currently runs high-speed networks for Bell Canada, Telus, SaskTel and Wind Mobile, began producing replicas of Nortel products, right down to the instruction manuals.
What’s perhaps as surprising as the apparent naivety of Nortel during the open skies of the early 2000s, when it felt secure enough to conduct business as if they weren’t being hacked, is that the infiltration wasn’t even mentioned either to its creditors or to any of the companies that purchased its compromised technologies. It turns out that shame, and perhaps fear of liability, may play a more common role in corporate culture than previously realized.
Chemical giant Dupont Co. was hacked in 2009 and 2010 and didn’t tell anyone. In fact, most industrial hacks go unreported because the vulnerability may reflect badly on a company and tarnish its value among shareholders. For every publicized major attack against Google, Apple, Twitter, Facebook, The New York Times and the Washington Post, many more go unreported because of the fear of the economic damage such uncertainty might cause.
“I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly) with the great majority of the victims rarely discovering the intrusion or its impact,” says Dmitri Alperovitch, chief technology officer at Crowdstrike. Entities that refuse to confirm or deny whether they have been hacked include the International Olympic Committee, Exxon Mobile, Baker Hughes, VeriSign, Royal Dutch Shell, British Petroleum, and Coca-Cola. Bloomberg has taken the strategy of doubling down on its denial, despite the known and proven infection of its computers by hacker malware.
“We lose between $50-billion and $100-billion in Canada every year to economic espionage,” says security consultant Michel Juneau-Katsuya in an interview with the Financial Post. “They are stealing economic information from Canada in particular because Canada is a knowledge-based economy and intellectual property is the item of choice.”
Key to counteracting industrial attacks is the sharing of information between governments and businesses, something less likely to happen if the climate of secrecy surrounding security breaches is allowed to persist. In the United States, President Obama has just signed an Executive Order encouraging business to share information relating to online security. This is in response not only to the glut of denials made by companies reluctant to admit that have been hacked, but also to the case of Global Payments, a large payments processing company that was hacked in 2011 who then decided to go public. The company felt that their client base deserved to know the sensitive nature of the information that had been compromised. They did so against the advice of their lawyers.
Just as a consensus hardens that China is the villain in this story, some caution against a rush to judgement, pointing out that yes, “the data might have been transmitted to an IP address based in Shanghai, but it is possible that a computer in Shanghai has been compromised by, say, a remote hacker in Belgium. It’s all too easy to point a finger, but it’s dangerous to keep doing so without proof.” Even so, the sudden limelight thrust upon a nondescript building in Shanghai known as Unit 61398 of the People’s Liberation Army has forced the Chinese government’s hand, leading it to deny again that it “firmly opposes hacking”, covering for a building that employs hundreds of IT experts whose job it is to leverage an advantage against particular industries, the dominance of which are vital to the success of China’s current Five Year Plan for economic growth.
Even admitting that state-sponsored hackers may just as easily be Canadian or Iranian or Russian or Icelandic will not do anything to level a skewed playing field, in which the collateral damage to the business infrastructure of countries with a small population base may be catastrophic. Exhibit A: Nortel.