The Pentagon made an embarrassing admission this summer. In mid-July, as it announced a comprehensive new cybersecurity strategy, the Department of Defense acknowledged that it had been hacked earlier in the year by a “foreign intelligence service” that came away with 24,000 sensitive files related to missile tracking systems and unmanned aerial vehicles.
That breach, as disturbing as it was, is just another in a string of recent cyber attacks on government agencies and big businesses. Companies including Citibank and Sony have weathered damaging and very public hacks in recent months. Sony, for example, estimates it will lose roughly $170 million after hackers attacked the company’s PlayStation Network and got hold of the credit card information of 12 million account holders. Hackers also attacked Citibank in May, accessing the data of roughly 360,000 bankcard holders.
The rash of attacks underscores the steadily rising costs of such breaches in recent years. The increasing frequency and sophistication of attacks, cyber security experts warn, could make 2011 the busiest—and most expensive—year yet for U.S. businesses. And while attacks on companies can be costly, when hackers poach files from the CIA and FBI, our national security could be at stake.
A study released this week by the Intelligence and National Security Alliance details the growing threat these electronic attacks pose to both business and government, noting that hackers’ goals may include reconnaissance, theft, sabotage or espionage. “The impact on business, government, and individuals from cyber attacks has progressed significantly from distraction and moderate disruption to an inability to operate or communicate for days,” says the non-partisan group, which is chaired by former Bush Homeland Security Adviser Frances Townsend. “We have advanced beyond mere ‘acceptable levels of loss’ to levels where effective ownership of an individual’s, company’s, or country’s finances, operations and intellectual property may be at stake. The impact has increased in magnitude, and the potential for catastrophic collapse of a company has grown.”
Although the report warns that “it is not yet clear that the business community understands or accepts this increase in risk,” it is clear that businesses have been spending more and more to fend off—and clean up after—hackers. The steadily increasing volume of attacks on U.S. businesses have turned cyber crime into a multi-billion dollar industry and given rise to a burgeoning cyber security industry, despite a global economic recession.
The cost of global cybercrime, at $114 billion annually,
is significantly more than the annual
global market for marijuana, cocaine and heroin
Security breaches have already cost U.S. companies an estimated $96 billion in 2011, according to the Ponemon Institute, an internet security research group. A recent study from Symantec, the anti-virus software manufacturer, estimates the cost of global cybercrime at $114 billion annually, significantly more than the annual global market for marijuana, cocaine and heroin combined.
Hackers are displaying a higher level of expertise than in years past and engineering more complex attacks, experts say. And those attacks are increasingly aimed at stealing sensitive business secrets. “Cyber crime has become much better organized and more business-like over the last several years,” said Scott Borg, director of the U.S. Cyber Consequences Unit, an independent, non-profit research institute. “Cyber crime is now being optimized for longer-term returns. People expert in business, often with MBAs, are now choosing the targets and strategies for attack.”
A separate Ponemon Institute analysis of cybercrime underscores the steadily rising cost of cybercrime for companies operating in the United States. Businesses based in the U.S. spent $61.5 billion on security and data breaches in 2006. By 2010, those costs had spiked to $101.4 billion, according to the institute, and are forecasted to pass $130 billion in 2011.
“Despite the economic downturn experienced by our country, the security industry continues to flourish,” said Larry Ponemon, chairman of the Ponemon Institute. “I believe the industry is still relatively young and, hence, has the potential for substantial growth over the next several years.”
State and Federal Bills
State and federal government are also expected to ramp up their spending on cyber security in the coming years. The federal government is expected to spend nearly $12 billion on cyber security by 2014. Individual states, in addition to increasingly guarding against attacks, are also pursuing cyber security businesses. The Maryland legislature recently approved a bill authorizing a commission to review cyber security laws and policies and to develop a comprehensive defense plan. The law also directs the commission to recommend ways the state can attract private investment in cyber security. Texas recently created the Cyber Security Education and Economic Development Council. Comprised of business leaders and government officials, the council will recommend cyber security technology improvements and recommend ways to foster growth in the statewide cyber security industry.
In response to the growing amount and costs of cyber attacks, U.S. Sens. Kristen Gillibrand (D-NY) and Orin Hatch (R-UT) introduced legislation last month that would require the president to provide a global assessment of cybercrime, identify foreign threats and work with foreign countries to crack down on their cyber criminals.
“Cybercrime must be a top priority for our national security," Gillibrand said in a statement announcing the bill. “If we're going to protect our networks, our infrastructure, our economy and our families, we have to go after cyber criminals wherever they may be – and it must be an international effort.”
A separate federal bill would create a national cyber security center that would have the power to direct federal efforts to secure governmental and private sector cyber networks. The bill, authored by Sens. Joe Lieberman (I-Conn), Susan Collins (R-Maine), and Tom Carper (D-Del), would also give the Department of Homeland Security authority to work with the private sector to identify risks to the nation’s cyber infrastructure.
But security experts and new laws aimed at curtailing cyber crime are often several steps behind hackers, warns Borg of the U.S. Cyber Consequences Unit.
“Most of the cyber-security industry is selling yesterday's remedies for yesterday's problems,” says Borg. “We still need those remedies, because those problems are still with us, but the industry is in a rut because it has defined its problems and its solutions too narrowly.”
That makes it unlikely that cyber criminals will go off the grid any time soon. “We are still a long way from having any lasting answers in this field,” says Borg. “If there was ever an industry that needed creative, entrepreneurial problem solving, cyber security is it.”