IT giants should make cyber security a corporate social responsibility
Updated: 2016-09-12 07:27
By Lau Wing-cheong and Zhang Kehuan(HK Edition)
For a city that likes to see itself as modern and high-tech, public awareness about cyber security in Hong Kong has largely stayed at a rather basic level where people are told they should regularly change their passwords. Yet cyber security is very fragile, as was dramatically exposed in a recent controversial London art exhibition that featured images captured from unsecured webcams in homes and businesses in Hong Kong.
Indeed, cyber security risks are latent in everyday online activity; they can be so dangerous because they are not well understood. For instance, single sign-on (SSO) services, which allow people to use one name and password across different platforms, are not without security loopholes, even if they have been widely adopted by mainstream identity providers (IdPs) such as Facebook, Google, Tencent and Sina, as well as their third-party application developers worldwide.
Similarly, many users take it for granted that apps distributed on the platforms of IT giants are safe - to provide some context, an average of around 1,500 new apps appeared on Apple App and Google Play stores, respectively, every day between 2015 and 2016 - yet they should realize that not all of these apps are immune to viruses or malwares.
For companies, even top IT brands, it is always a matter of priorities between ensuring the security or privacy of users and fulfilling other objectives. The reason is simple: Limited business resources require a trade-off between providing "visible" product characteristics such as affordable prices and advanced functionalities, and invisible security properties which are often sacrificed. For an app store, their priority is to provide a large set of timely and popular apps for download, rather than performing thorough security checks of the apps it hosts.
Equally, any requirements of third-party developers to guarantee the security of their apps will increase costs and ultimately deter supply. And the reality is that most app developers are not necessarily resourceful - even technically trained personnel or computer science majors may not have sufficient ability or even the awareness to take cyber security seriously. As Apple CEO Tim Cook starkly pointed out, even a 9-year-old can write an app today. Therefore, it cannot be expected that app developers, most of whom will have little reputation at stake, will get too exercised about security failings in their designs.
One may therefore wonder if third-party independent checks of apps can represent a solution if neither companies nor developers can take care of the security of what they sell. However this is easier said than done. Security checks are a huge challenge for the technical community. For instance, how extensive should the checks be for them to be deemed satisfactory? Yet, it is a double-edged sword to put any inspection criteria up for public scrutiny because that would be an open invitation to hackers to find ways to circumvent the checks.
Despite the apparent conundrum, there is scope for cyber-security protections to improve. For a start, consumers should not expose themselves to risks by shopping at unofficial app stores. At the same time, they should not expect there are no vulnerabilities in apps that are distributed on the most reputable platforms. If this security awareness is turned into consumer pressure, IT giants will be compelled to more robustly vet the security of the apps they put in their stores. Big companies such as Apple and Google have a corporate social responsibility to protect the privacy and security of their users. With recent reports that security loopholes fill 900 million Android devices, IT giants should do more to safeguard the security of everyday services and mobile applications.
Locally, researchers are involved in efforts to provide new cyber-security solutions. For instance, academics at a key university in Hong Kong have been developing a technology that will enable IdPs to perform systematic security testing of their SSO services so that previously unknown vulnerabilities can be detected. Likewise, a tool is being designed to help both Android app developers and users evaluate and fix the risks of information leakage through shared storage.
In the long run, if users become more informed about the importance of cyber security, companies will be able to market good security as a selling point of their products or services. And if the Hong Kong government harbors aspirations of making fintech a major industry, it will have to vastly increase the resources it puts into cyber security. Make your own turf safe if money is to be made.
Professors Lau Wing-Cheong and his co-author Zhang Kehuan are with the Department of Information Engineering, Faculty of Engineering at the Chinese University of Hong Kong.
(HK Edition 09/12/2016 page10)