Vulnerability of Internet Data Spells Trouble for Insurers
Insurance Experts' Forum, November 22, 2010
For some time now, I have been noticing and reporting on threats to Internet traffic and data—threats that could compromise individuals, companies and even governments. Yet it seems that in the insurance and financial services universe, these dangers are repeatedly ignored or shoved aside as insignificant. I’m really starting to feel like a lone voice crying out in the wilderness.
But someone has to deliver the news that—when it comes to the security of virtually anything on the Internet—the emperor is indeed cavorting about in his birthday suit. And that someone might as well be yours truly.
USA Today reported recently that state-owned China Telecom had briefly “hijacked” massive volumes of Internet traffic worldwide in April—including U.S. government and military traffic—and diverted it through servers in China, according to the U.S.-China Economic and Security Review Commission. The italics are mine; just to point out that another country is capable of such an otherwise unthinkable intrusion.
The Commission is a group that was set up by Congress to monitor the national security implications of U.S. trade with China. For those of you who don’t see the connection, the U.S. insurance industry in particular is begging for the opportunity to do business in China. In fact, as I’ve written previously, the documented online incursions into U.S. military (Department of Defense) and commercial (Google) sites from China seem to make little difference in our level of pleading with the Chinese government to allow us to sell policies to some 1.3 billion potential consumers there.
USA Today goes on to point out that although the Commission has no way to determine what, if anything, Chinese telecommunications firms did to the hijacked data (or with it), “incidents of this nature could have a number of serious implications.” Indeed, as the report notes, “This level of access could enable surveillance of specific users or sites.”
The Commission says the diversion lasted for 18 minutes, the report says. It took advantage of the fact that worldwide Internet traffic is constantly shifted around to the most efficient route between two points. In this case, the Commission says, Chinese Telecom manipulated the system to signal to other servers that China was the most efficient route, prompting other servers to begin routing all traffic to about 15% of Internet's destinations through servers in China.
That is a staggering number. As of December 2009—a year ago—there were 234 million websites on the Internet. Even discounting the reality that the new websites are added daily, that means that for those 18 minutes, the Chinese government controlled traffic to or from more than 3.5 million websites.
The commission says the incident affected traffic to and from U.S. government (.gov) and military (.mil) sites, including those for the Senate, the Army, the Navy, the Marine Corps, the Air Force, the Office of the Secretary of Defense, NASA, the Department of Commerce and many others, says USA Today. (Just as an aside: Did you ever wonder why the U.S. military would leave its systems open to such dangerous access?)
Of course, China Telecom has denied the report, but there is one thing neither they nor anyone else has denied: that they—and others—have the ability to, in essence, control a significant amount of what happens on the Internet.
So the question I have for those of us in this industry is simply this: Is it worth handing over control of our enterprises and our sensitive data to get those juicy China insurance contracts? Are we just assuming that “someone” will do “something” about this?
Maybe they will, but don’t hold your breath.
Ara C. Trembly (www.aratremblytechnology.com) is the founder of Ara Trembly, The Tech Consultant, and a longtime observer of technology in insurance and financial services.
Readers are encouraged to respond to Ara using the “Add Your Comments” box below. He can also be reached at firstname.lastname@example.org.
This blog was exclusively written for Insurance Networking News. It may not be reposted or reused without permission from Insurance Networking News.
The opinions of bloggers on www.insurancenetworking.com do not necessarily reflect those of Insurance Networking News.
Add Your Comments...
If you have already registered to Insurance Networking News, please use the form below to login. When completed you will immeditely be directed to post a comment.
You must be registered to post a comment. Click here to register.