Protecting your data from a new generation of hackers

In 2009, Google, Yahoo and a number of other Silicon Valley companies were victims of a significant attack, with Google disclosing that some of its intellectual property had been stolen. After receiving indications that the attack originated in China, Google ultimately stopped doing business in that country. In 2010, the Stuxnet computer worm surfaced, with experts believing the worm was aimed at crippling the uranium infrastructure in Iran. And another virus, Flame, designed to infiltrate computers using the Microsoft Windows operating system, was found in 2012 and also targeted groups in the Middle East. Reports in the Washington Post and other media outlets linked the malware to Israel and the US.

“Most malware is written by criminals, and criminals are all about making money,” notes Green. “This means stealing credit card numbers and bank accounts from your computer, sending spam and occasionally knocking over a website.” But these more high-tech intrusions are something entirely different. “Flame and Stuxnet have a lot of superficial resemblances to your typical criminal malware, but beneath that they are a whole different animal: They’re weapons,” Green says. “Stuxnet famously destroyed centrifuges at Iran’s Natanz facility. Flame appears to have been acting as a spying tool at the time it was discovered, but it may have been capable of other things. We may never really know, since it self-destructed before we found out.” Green adds that the highly complex work behind Flame indicates that this was not the work of a couple of hackers. “This means that top mathematicians were involved in Flame’s creation,” Green states. “Governments have these resources. Criminals don’t.”

As attacks mount, businesses in the computer security field are racing to offer tools to ward off such assaults. Michael Callahan, vice-president of worldwide product and solution marketing in HP’s enterprise security products group, says the market for security products and services is about $70 billion currently and growing at a healthy clip. “The historic approach has been to buy another solution and then another solution,” notes Callahan. “It is almost like trying to plug holes in a dam.” These days, he says, companies are looking instead to understand their systemic weaknesses and address those proactively. “They want to understand the broader exposure they have. They will look across all of their systems and [try to] understand what the most critical issues are.”

A war with the ‘bean counters’

But while some companies are moving aggressively to address any vulnerability, Wharton’s Matwyshyn suggests that too many companies are not taking the threat seriously enough. “Security has traditionally been a space that has triggered culture wars in companies,” Matwyshyn says. “When you have good security in place and you spend money to maintain it, that doesn’t show up in the bottom line. You are preventing a negative, so it doesn’t show up as a positive [financially]. The privacy and security champions find themselves at war with the bean counters who are most concerned with the positive rates of return on internal resource allocation. They are forced to compare situations where, for example, there may be an expected additional $20 million in revenue from an allocation of resources to project A versus allocating the same resources to project B to fund a significant improvement in information security – but these improvements will result in no easily visible short-term increase in revenue.”

The failure to appreciate the risks of cybercrime can have costly consequences. For companies in the internet space, the ability to protect information on customers is central to how investors value a particular firm. “If you rely heavily on digital information, and if that information’s value is derived from your control of it, if that information is widely available because of criminality, it no longer becomes a scarce resource,” Matwyshyn points out. “In that case, the value-add that you as a company provide is diminished.”

At the same time, she expects to see an increase in legal action where consumers and businesses demand compensation from companies that failed to put in adequate security measures and were hacked. “The ability of harmed parties to get recourse from companies that choose not to invest in information security will be a critical piece of the puzzle,” Matwyshyn says. “We have banks that have had to reissue credit cards due to breaches starting to sue retailers who have inadequate security in place. We are talking about who should bear the cost of a company’s choice not to invest in good security.”

Of course, it is not just individual customer information that is at stake. Hackers can also gain access to intellectual property and trade secrets. Penn’s Levy points out that if companies have lax cyber security systems, they may find it difficult to prevail against hackers in court. “The definition of a trade secret includes that you have taken reasonable steps to keep it a secret,” Levy says. “So if you haven’t taken steps to do that, the government may not be able to bring a criminal case because they can’t prove it is a trade secret.”

Compounding the challenges of fighting cybercrime is the fact that some laws in the US have not been updated to reflect technological advances. “Many of the laws in the US dealing with information security are outdated,” notes Wharton’s Werbach. “They assume old configurations of technology. For example, the Electronic Communications Privacy Act, passed in 1986, gives law enforcement access to your private email without a search warrant after a webmail provider such as Gmail holds it for 180 days. No one left their messages on a remote server in the 1980s, but now that’s how most users [manage] their email.”

Levy agrees that there are some gaps in the law that should be addressed. One major one, he says, involves wrongdoing by employees. According to Levy, the law is clear that it is a crime to access a computer without authorisation. But what about an employee who is authorised to access certain information for business purposes? In that case, he notes, the courts have been split on whether individuals who have the right to access certain information can be prosecuted for misusing that information. “I think we need legislation to fix that,” Levy argues.

At the same time, Levy worries that the law enforcement resources aimed at the cyber threat are insufficient. “The FBI is well staffed and does a great job and in some parts of the country, the Secret Service is the lead on [cybercrime],” notes Levy. “But there are a lot of groups that don’t have the resources to do a computer forensic analysis – so waiting six to eight months to get a forensic analysis is not unusual. Most law enforcement agencies just don’t have the resources.” That sort of weakness will likely only invite more attacks by an army of increasingly bold hackers.