Are cyber capabilities tilting the global power structure?

comments 0

Comment

share

Share

0

Rate

Sevinj Ismayilova's picture

GLOBAL CYBERCRIME RACE AND REVENGE STRATEGY

A few of the most remarkable cyber breach stories of the last year have been a series of attacks victimizing well-known companies (Target, Home Depot, JP Morgan Chase) nearly holding customer data as one of their major assets in the balance sheet. In both Target and Home Depot breaches, it’s announced that data chasers have gained access to treasury through third-party vendor. In the case of JP Morgan, however the reason that ultimately led the giant with cyber security budget of 250 million dollars to give ground was a basic one - lack of requirement of second one-time password to access protected data. (1)

According to Centre for Strategic and International Studies, the global annual cost of cybercrime is estimated to be between 375 – 575 billion dollars, more than GDP of most countries. In four countries alone: USA, China, Japan, Germany, losses from cybercrime are estimated to be 200 billions of dollars. Another estimate claims that around 15-20% of the 2-3 trillions of dollars in internet revenue are extracted by cyber crime. Also, the report indicates that rather than striving to eliminate cyber attacks entirely, companies are eager to accept cyber costs at a reasonable level as a cost of efficiency of doing business. Currently cybercrime cost accounts for 0.8% of Global GDP which is lower than the higher level of accepted rate (2%).  However, in addition of financial effect for enterprises in terms of cost increase and theft of Intellectual Property and sensitive business information, cybercrime has also a devastating effect on unemployment leading to estimated 350,000 lost jobs in the U.S. and EU alone, though, it has to be noted that accuracy of estimating the direct effect of cybercrime on unemployment increase is still questionable. (2)

According to survey by PwC, 76% of the respondents consisting of 500 U.S. executives are more concerned about cybercrime, up from 59% in the previous year. Among the respondents, 38% of retail companies, 17% of banking and finance industry and 15% of healthcare companies have indicated over 20% increase in security spending. Top priorities leading to increase in security spending are purchase of new technologies, audits and assessments, developing new skills and capabilities, redesigning cyber security strategy, redesigning processes and participating in knowledge sharing. Regarding the reporting issues in security, there is a closer relationship between top security executive and CEO in small companies than in large ones backed up with the fact that in large companies board members are not involved in security issues as much as they should despite claiming increased concerns. (3)

 It has to be noted, however, that most incidents go unreported due to potential reputational damage. It leads to further damages since the criminals proceed to their activities without any prosecutions or charges. It also makes it harder to collect accurate statistics to help companies and individuals to make savvier decisions on improving security systems. It’s expected to change, however, as governments are improving regulatory requirements. For example, the Personal Data Notification and Protection act requires that all companies dealing with sensitive personally identifiable information of more than 10,000 individuals notify all the individuals whose data have been stolen or are reasonably believed to be stolen as well as the relevant entity designated by Secretary of Homeland Security within 30 days. That agency holds the right to notify the FBI and United States Secret Service only in certain circumstances described in the law. This is supposed to reassure business entities hesitant to notify relevant authorities due to further investigations. (4)

Although commercial effects of cyber crime are indisputably high, a more dangerous purpose of it which obviously frightens governments more is global cyber competition between countries in the form of sensitive data theft. One of the most recent examples is hacking of personal data of 4 million (according to some sources reaching to shocking 32 million) (5) federal employees affecting the Office of Personnel Management responsible for most federal security clearances. Although the White House has not responded by blaming any country, Mike McCaul, chairman of House of Representatives homeland security committee believes that China is responsible for the hacking, because of the sophistication involved and non-commercial characteristic of data. (6) Another shocking hack that has taken place recently targeting the U.S. government was gaining unauthorized access to private data of White House including the President Barack Obama’s schedule claimed to be implemented by Russian hackers according to U.S. officials. (7) Sony’s hack is also believed to be done by foreign government to be exact by North Korea as a warning to the company after announcements of the release of “the Interview”, the movie depicting a fictional assassination of North Korean leader Kim Jong Un. (8)

The actions taken by governments of targeted countries though extend beyond accusation of interested parties. In response to Chinese attacks, for example U.S. Senators Charles E. Schumer and Lindsey O. Graham urged IMF to reject Chinese currency as reserve currency as a way of punishment. (9) North Korea’s bad behavior in the Sony attack has been punished by the U.S. more extremely in the form of sanctions against 10 individuals and 3 agencies of North Korea to have access to U.S. financial services. (10) A more systematic approach to responding cyber crime activities taken by the U.S. government is a directive giving authority to the Secretary of Treasury to freeze assets and block financial transactions of individuals and entities involved in malicious activities against financial stability, national security and economic health of the United States. This sanction will only target the bad guys excluding the victims whose devices have been compromised by hackers and professional cyber security researchers. (11) It’s also claimed by North Korea that the U.S. stands behind its complete internet outages for nine hours as a part of its proportionate retaliation plan mentioned by White House speaker, Josh Earnest. (12)

Although, news stories about attacks taken by foreign governments against U.S. are continuing to make headlines, it’s definitely not a country of complete innocence. The black budget of the U.S. has been 52.6 billion dollars in 2013 providing jobs for 107,035 people and with CIA, NRO and NSA making the top 3 agencies comprising 68% of the total spending. The main categories of the black budget have been data collection, data analysis, management, facilities and support, data processing and exploitation with its top 5 missions being warning U.S. leaders about critical events, combating terrorism, stopping spread of illicit weapons, conducting cyber operations, defending against foreign espionage. (13)

 

References: 

1. 2014: The year in Cyber attacks
http://www.newsweek.com/2014-year-cyber-attacks-295876

2. Net losses: Estimating the Global Cost of Cybercrime, June 2014, page 2
http://csis.org/files/attachments/140609_rp_economic_impact_cybercrime_report.pdf

3. US cyber security: Progress stalled
Key findings from the 2015 US State of Cybercrime Survey
http://www.pwc.com/en_US/us/increasing-it-effectiveness/publications/assets/2015-us-cybercrime-survey.pdf

4. The Personal Data Notification & Protection Act
http://www.privacyandsecuritymatters.com/files/2015/01/Final-Updated-Data-Breach-Notification.pdf

5. OPM hack may have affected 32 million government employees
http://www.marketwatch.com/story/opm-hack-may-have-affected-32-million-government-employees-2015-07-08

6. China likely behind hack of US data, says House homeland security chair
http://www.theguardian.com/technology/2015/jun/07/us-government-hacking-china-mike-mccaul

7. Official: Russia suspected in Joint Chiefs email server intrusion
http://edition.cnn.com/2015/08/05/politics/joint-staff-email-hack-vulnerability/

8. Timeline: North Korea and Sony Pictures hack
http://www.usatoday.com/story/news/nation-now/2014/12/18/sony-hack-timeline-interview-north-korea/20601645/

9. Senators want China kept out of currency club over hacking
http://www.washingtonpost.com/news/post-politics/wp/2015/06/09/senators-want-china-kept-out-of-currency-club-over-hacking/

10. U.S. Sanctions North Korea over Sony hack
http://time.com/3652479/sony-hack-north-korea-the-interview-obama-sanctions/

11. Sanctions: America’s best new weapon against cyber crime
http://fortune.com/2015/04/02/us-cyber-crime-sanctions/

12. Obama looking for ‘proportional’ retaliation over hack of Sony Corporation, White House says
http://www.ibtimes.com/obama-looking-proportional-retaliation-over-hack-sony-corporation-white-house-says-1763286 

13. The black budget
http://www.washingtonpost.com/wp-srv/special/national/black-budget