Cybercrime is a rapidly growing threat, and one that businesses and consumers don’t seem to fully appreciate.
As more and more business is conducted virtually – on computers and mobile devices – the opportunity for criminals to steal valuable information expands. At the same time, cyberattacks are growing in sophistication with signs that some efforts, including the recent Flame virus, may be sponsored by nation states. And while law enforcement is focusing more attention on the matter, observers say corporate America is not doing all it can to meet the threat.
“The problem has been growing exponentially for the last 10 years,” says Andrea Matwyshyn, a Wharton professor of legal studies and business ethics. “As technology advances, the speed and potency of attacks can also increase exponentially.”
According to the Privacy Rights Clearinghouse, a nonprofit group focused on consumer privacy rights, there were 591 data breaches in 2011 involving 31.1 million records, including Social Security numbers and financial account information. In 2010, there were incidents involving 12.8 million records. The PRC notes that these figures are conservative and do not include breaches that have gone unreported publicly.
And the number of unnoticed intrusions is likely significant. “A lot of times, you find that companies don’t even know they have been compromised,” says John Brosnan, assistant special agent in charge at the FBI’s Philadelphia office. If complete figures remain elusive, it is clear that the cost of cybercrime is growing. Research sponsored by technology giant HP found that the average cost of resolving a cyberattack was $416,000 in 2011, up from $250,000 in 2010.
No surprise that the issue is becoming a larger priority in law enforcement circles. In a June 3 op-ed in The New York Times, Preet Bharara, US Attorney for the Southern District of New York, wrote: “I have come to worry about few things as much as the gathering cyber threat.” Later that month, according to The Economist, Jonathan Evans, the director-general of MI5, the security service in the United Kingdom, also sounded the alarm over the issue, disclosing that a major firm listed on the London Stock Exchange had lost revenue of $1.2 billion to a state-sponsored cyberattack.
The reason why cybercrime is growing is fairly straightforward: As Willie Sutton famously said about robbing banks, “That’s where the money is.” “Information security has been a serious issue for decades, ever since computers started storing valuable data,” notes Wharton legal studies and business ethics professor Kevin Werbach. “With the rise of electronic commerce over the past 15 years, there is both far more data to steal and far more ways to steal it. As the internet becomes more pervasive in daily life and the value of digital transactions increases, the scope of security threats will keep growing.”
The origin of the internet – with its open architecture – has made keeping the criminals at bay difficult. “The idea was to create a military communications network that was invulnerable to an attack on a central point in the way that a telephone network is,” says Michael Levy, chief of computer crimes in the U.S. Attorney’s Office for the Eastern District of Pennsylvania and an adjunct professor at the University of Pennsylvania Law School. “So the internet has no center and is filled with redundancies. There is no way to predict which way information will travel. You can bomb one node and [the data] will go another way. They didn’t design security into it because the people using it were trusted. Then we opened it up to researchers a bit later and they were still trusted. And when we opened it up in the 1990s [to everyone], we didn’t put enough security around it.”
A long – and prolific – hit list
The list of victims of cyberattacks has been growing rapidly. Among the recent hits: Sony’s PlayStation network was hacked in 2011 and 77 million accounts were affected. Online marketing firm Epsilon suffered an intrusion last year in which an undisclosed number of consumer names and email addresses were stolen. Such information is a gold mine to criminals who can use it to target people with scam email messages. And the creativity of hackers makes the job of protecting against such intrusions exceedingly difficult. Tools today “are not as good at detecting targeted malware, stuff that’s custom-developed specifically for a given attack,” notes Matthew Green, assistant research professor at the Johns Hopkins Information Security Institute. “Unfortunately, nobody’s really good at this. In part, that’s because every piece of custom malware is brand new – it’s never been seen before, so it’s hard to recognise.”
Even more worrisome, experts say, are recent, highly sophisticated cyberattacks that do not appear to be the work of only a few individual hackers.