Cybercrime is a rapidly growing threat, and one that businesses and consumers don’t seem to fully appreciate. As more and more business is conducted virtually — on computers and mobile devices — the opportunity for criminals to steal valuable information expands. At the same time, cyberattacks are growing in sophistication with signs that some efforts, including the recent Flame virus, may be sponsored by nation states. And while law enforcement is focusing more attention on the matter, observers say corporate America is not doing all it can to meet the threat. “The problem has been growing exponentially for the last 10 years,” says Andrea Matwyshyn, a Wharton professor of legal studies and business ethics. “As technology advances, the speed and potency of attacks can also increase exponentially.”
According to the Privacy Rights Clearinghouse, a nonprofit group focused on consumer privacy rights, there were 591 data breaches in 2011 involving 31.1 million records, including Social Security numbers and financial account information. In 2010, there were incidents involving 12.8 million records. The PRC notes that these figures are conservative and do not include breaches that have gone unreported publicly.
And the number of unnoticed intrusions is likely significant. “A lot of times, you find that companies don’t even know they have been compromised,” says John Brosnan, assistant special agent in charge at the FBI’s Philadelphia office. If complete figures remain elusive, it is clear that the cost of cybercrime is growing. Research sponsored by technology giant HP found that the average cost of resolving a cyberattack was $416,000 in 2011, up from $250,000 in 2010.
No surprise that the issue is becoming a larger priority in law enforcement circles. In a June 3 op-ed in The New York Times, Preet Bharara, U.S. Attorney for the Southern District of New York, wrote: “I have come to worry about few things as much as the gathering cyber threat.” Later that month, according to The Economist, Jonathan Evans, the director-general of MI5, the security service in the United Kingdom, also sounded the alarm over the issue, disclosing that a major firm listed on the London stock exchange had lost revenue of $1.2 billion to a state-sponsored cyberattack.
The reason why cybercrime is growing is fairly straightforward: As Willie Sutton famously said about robbing banks, “That’s where the money is.” “Information security has been a serious issue for decades, ever since computers started storing valuable data,” notes Wharton legal studies and business ethics professor Kevin Werbach. “With the rise of electronic commerce over the past 15 years, there is both far more data to steal and far more ways to steal it. As the Internet becomes more pervasive in daily life and the value of digital transactions increase, the scope of security threats will keep growing.”
The origin of the Internet — with its open architecture — has made keeping the criminals at bay difficult. “The idea was to create a military communications network that was invulnerable to an attack on a central point in the way that a telephone network is,” says Michael Levy, chief of computer crimes in the U.S. Attorney’s Office for the Eastern District of Pennsylvania and an adjunct professor at the University of Pennsylvania Law School. “So the Internet has no center and is filled with redundancies. There is no way to predict which way information will travel. You can bomb one node and [the data] will go another way. They didn’t design security into it because the people using it were trusted. Then we opened it up to researchers a bit later and they were still trusted. And when we opened it up in the 1990s [to everyone], we didn’t put enough security around it.”
A Long — and Prolific — Hit List
The list of victims of cyberattacks has been growing rapidly. Among the recent hits: Sony’s PlayStation network was hacked in 2011 and 77 million accounts were affected. Online marketing firm Epsilon was hit with an intrusion last year with an undisclosed number of consumer names and email addresses being stolen. Such information is a gold mine to criminals who can use it to target people with scam email messages. And the creativity of hackers makes the job of protecting against such intrusions exceedingly difficult. Tools today “are not as good at detecting targeted malware, stuff that’s custom-developed specifically for a given attack,” notes Matthew Green, assistant research professor at the Johns Hopkins Information Security Institute. “Unfortunately, nobody’s really good at this. In part, that’s because every piece of custom malware is brand new — it’s never been seen before, so it’s hard to recognize.”
Even more worrisome, experts say, are recent, highly-sophisticated cyberattacks that do not appear to be the work of only a few individual hackers. In 2009, Google, Yahoo and a number of other Silicon Valley companies were victims of a significant attack, with Google disclosing that some of its intellectual property had been stolen. After receiving indications that the attack originated in China, Google ultimately stopped doing business in that country. In 2010, the Stuxnet computer worm surfaced, with experts believing the worm was aimed at crippling the uranium infrastructure in Iran. And another virus, Flame, designed to infiltrate computers using the Microsoft Windows operating system, was found in 2012 and also targeted groups in the Middle East. Reports in the Washington Post and other media outlets linked the malware to Israel and the U.S.
“Most malware is written by criminals, and criminals are all about making money,” notes Green. “This means stealing credit card numbers and bank accounts from your computer, sending spam and occasionally knocking over a website.” But these more high-tech intrusions are something entirely different. “Flame and Stuxnet have a lot of superficial resemblances to your typical criminal malware, but beneath that they are a whole different animal: They’re weapons,” Green says. “Stuxnet famously destroyed centrifuges at Iran’s Natanz facility. Flame appears to have been acting as a spying tool at the time it was discovered, but it may have been capable of other things. We may never really know, since it self-destructed before we found out.” Green adds that the highly complex work behind Flame indicates that this was not the work of a couple of hackers. “This means that top mathematicians were involved in Flame’s creation,” Green states. “Governments have these resources. Criminals don’t.”
As attacks mount, businesses in the computer security field are racing to offer tools to ward off such assaults. Michael Callahan, vice president of worldwide product and solution marketing in HP’s enterprise security products group, says the market for security products and services is about $70 billion currently and growing at a healthy clip. “The historic approach has been to buy another solution and then another solution,” notes Callahan. “It is almost like trying to plug holes in a dam.” These days, he says, companies are looking instead to understand their systemic weaknesses and address those proactively. “They want to understand the broader exposure they have. They will look across all of their systems and [try to] understand what the most critical issues are.”
A War with the ‘Bean Counters’
But while some companies are moving aggressively to address any vulnerability, Wharton’s Matwyshyn suggests that too many companies are not taking the threat seriously enough. “Security has traditionally been a space that has triggered culture wars in companies,” Matwyshyn says. “When you have good security in place and you spend money to maintain it, that doesn’t show up in the bottom line. You are preventing a negative, so it doesn’t show up as a positive [financially]. The privacy and security champions find themselves at war with the bean counters who are most concerned with the positive rates of return on internal resource allocation. They are forced to compare situations where, for example, there may be an expected additional $20 million in revenue from an allocation of resources to project A versus allocating the same resources to project B to fund a significant improvement in information security — but these improvements will result in no easily visible short-term increase in revenue.”
The failure to appreciate the risks of cybercrime can have costly consequences. For companies in the Internet space, the ability to protect information on customers is central to how investors value a particular firm. “If you rely heavily on digital information, and if that information’s value is derived from your control of it, if that information is widely available because of criminality, it no longer becomes a scarce resource,” Matwyshyn points out. “In that case, the value-add that you as a company provide is diminished.”
At the same time, she expects to see an increase in legal action where consumers and businesses demand compensation from companies that failed to put in adequate security measures and were hacked. “The ability of harmed parties to get recourse from companies that choose not to invest in information security will be a critical piece of the puzzle,” Matwyshyn says. “We have banks that have had to reissue credit cards due to breaches starting to sue retailers who have inadequate security in place. We are talking about who should bear the cost of a company’s choice not to invest in good security.”
Of course, it is not just individual customer information that is at stake. Hackers can also gain access to intellectual property and trade secrets. Penn’s Levy points out that if companies have lax cyber security systems, they may find it difficult to prevail against hackers in court. “The definition of a trade secret includes that you have taken reasonable steps to keep it a secret,” Levy says. “So if you haven’t taken steps to do that, the government may not be able to bring a criminal case because they can’t prove it is a trade secret.”
Compounding the challenges of fighting cybercrime is the fact that some laws in the U.S. have not been updated to reflect technological advances. “Many of the laws in the U.S. dealing with information security are outdated,” notes Wharton’s Werbach. “They assume old configurations of technology. For example, the Electronic Communications Privacy Act, passed in 1986, gives law enforcement access to your private email without a search warrant after a webmail provider such as Gmail holds it for 180 days. No one left their messages on a remote server in the 1980s, but now that’s how most users [manage] their email.”
Levy agrees that there are some gaps in the law that should be addressed. One major one, he says, involves wrongdoing by employees. According to Levy, the law is clear that it is a crime to access a computer without authorization. But what about an employee who is authorized to access certain information for business purposes? In that case, he notes, the courts have been split on whether individuals who have the right to access certain information can be prosecuted for misusing that information. “I think we need legislation to fix that,” Levy argues.
At the same time, Levy worries that the law enforcement resources aimed at the cyber threat are insufficient. “The FBI is well staffed and does a great job and in some parts of the country, the Secret Service is the lead on [cybercrime],” notes Levy. “But there are a lot of groups that don’t have the resources to do a computer forensic analysis — so waiting six to eight months to get a forensic analysis is not unusual. Most law enforcement agencies just don’t have the resources.” That sort of weakness will likely only invite more attacks by an army of increasingly bold hackers.