Cyber Attacks: A Growing Threat to the U.S. Economy
The cost of ubiquitous cyber attacks and cyber probes in the United States and the rest of the world is a staggering, ever-growing challenge. Antivirus firm Symantec estimated the 2011 global price tag of direct financial loss and the cost of remediating attacks at $338 billion, excluding the theft of intellectual property and damage from data breaches. When theft of intellectual property is factored in, the figure soars past $1 trillion, according to former head of the NSA, General Michael Hayden.
In fact, General Hayden has been quoted as describing the theft of intellectual property from the United States as the “largest transfer of wealth in the history of mankind.” Taken together, the real costs of cyber breaches represent an enormous external financial threat to the U.S. economy. And it seems headed only higher as bellicose nations like Iran step up cyber attacks on America and elsewhere.
IT security has been a problem for years, threatening core economic drivers such as intellectual property, commerce, banking and the Internet. But it has become far more serious as foreign government spy organizations and organized crime have escalated their attacks and replaced young hackers as the chief perpetrators. Unlike politically motivated hackers, state actors are motivated by state agendas to do damage or steal intellectual property, while organized criminals are driven by financial motives. We have also moved far more deeply into a digital world of ubiquitous computer networks, with well over 10 billion vulnerable devices now connected to the Internet today and forecasts of more than 25 billion devices by 2020. When breaches occur, damage is done at the speed of light.
IT Security: The Fourth Leg of the Stool
In response, IT security has become the fourth leg of the computing stool, supplementing processors, communications, and storage as gating factors for deploying IT solutions. As the costs and risks of cyber threats have come into sharp focus, IT security has become a “must have” for all access points to ubiquitous data networks underlying the transition from an analog to a digital economy.
While this is clearly an essential and critical step in the right direction, it will take time for the benefits to be realized as we reinvent our technology foundation for a more secure future. In the interim, today’s decades-old computing constructs—originally developed for a much less connected and hence, more secure world—will continue to be highly susceptible to inherent vulnerabilities.
Today’s cyber challenges have become analogous in many ways to an arms race in which the bad guys have the same technology, as well as a motivational edge over the good guys. They are as well-financed and as smart as the good guys, and they only have to be right once in a while. The good guys, on the other hand, have to be right every time.
While complete statistics for attacks on US industry can be hard to come by—no one is anxious to report a breach—statistics for the U.S. government are more readily available. The U.S. Cyber Command says there are 250,000 probes/attacks on U.S. government networks an hour, or 6 million a day, and among the attackers are some 140 foreign spy organizations. According to the federal Government Accountability Office, the number of actual breaches grew from 5,503 in 2006 to 41,776 in 2010, or 650 percent, the latest figure available.
Since then, major attacks have continued to escalate domestically and abroad. In August, Iran was the suspected perpetrator behind the launch of a cyber time bomb on Saudi Oil company Aramco, which destroyed 30,000 corporate computers. In September, Iran was again believed to be the culprit behind a slew of massive attacks that took down a string of U.S. banks’ web sites. Only a month later, a breach in the South Carolina Department of Revenue resulted in the theft of 3.6 million Social Security numbers.
So far, no one has managed to seriously damage or disrupt critical U.S. infrastructure networks. But it doesn’t take much to imagine the consequences of a hugely successful cyber attack, one that outgoing defense secretary Leon Panetta has said could amount to a “cyber-Pearl Harbor.” In a future conflict, an adversary unable to match our military supremacy might seek to exploit our computer vulnerabilities domestically. Scuttling vital banking systems could trigger a financial crisis. The lack of clean water or functioning hospitals could spark a public health emergency. Or there could be power blackouts that bring business, cities and entire regions to a standstill. Imagine the impact of electronic banking networks that ceased to function.
We must avoid this future. Americans rightfully expect basic security protection. That’s why water treatment plants must test their water regularly for containments, why airplanes have secure cockpit doors and why nuclear power plants have fences and other defenses to thwart a terrorist attack. Much better cyber security must be added to the list.
Possible Solutions: Cyber Collaboration Between Industry and Government
While I am not usually an advocate of legislation as a foundation for addressing critical commercial challenges, cyber is one area where the nature of the threat transcends a clear government/free-market divide. The threats and challenges raise to the level of National Security threats and any point of failure could have catastrophic consequences. It is time for close collaboration and cooperation between government experts—some of the most talented cyber defenders in the world—and operators of critical commercial infrastructure in the free-market economy.
This will require trust between groups that are not normally comfortable with one another, as well as legislation that will allow for collaboration while ensuring legitimate privacy concerns. Further, a standard for data security and identify management must be implemented to insure that confidential and sensitive data is not vulnerable to external threats. Access control, authentication, data integrity, and accountability must be the minimal expectations for data (and networks) at risk.
Legislation should extend to ensuring that cyber breaches cannot be swept under the rug as a “cost of doing business.” Given the risks—for individuals, enterprises, the economy, and the government—transparency may be the most effective motivation to ensuring the sufficient attention is paid to cyber vulnerabilities in advance of a successful breach. Ubiquitous access demands ubiquitous security. Where security is not ensured, access must be restricted.
The possibility of a U.S. economic Armageddon is too high not to pursue such goals. Cyber attacks have grown well beyond a Washington problem of securing our bases and defense from penetration. They have started to affect Main Street and the bank accounts of millions of individuals and small businesses. The trillion-dollar theft of our intellectual property will seem like small potatoes when the derivatives of stolen IP are focused on competing with US industry in the global economy. The threats are real and the consequences ominous if we do not move to aggressively address and reverse the current trends.