The Next Page: Price of cyberattacks against America is like paying for 9/11 every year
Updated: Jun 2
The good news is that the North Korean attack on Sony Pictures has the nation discussing cybersecurity issues. The bad news is that neither the press nor the government has placed the attack in context.
Considering the Sony case in isolation is equivalent to looking at a single piece on a chessboard, hardly an effective way to evaluate our predicament or assess what we need to do to prevent further losses.
So let’s take a step back and review the big picture, economically, militarily and politically.
FBI Director James Comey has said that there are two kinds of U.S. corporations: “Those that know they’ve been hacked and those that don’t.” The Ponemon Institute tracked 56 U.S. companies and determined that they “experienced 102 successful attacks per week and 1.8 successful attacks per company per week.” The average annualized cost was $8.4 million per company.
Indeed, penetrations of corporate information systems are so widespread, persistent and severe that government agencies and cybersecurity firms independently estimate that America is losing hundreds of billions of dollars in intellectual property per year. A more modest and recent estimate by the Center for Strategic and International Studies places the figure at $100 billion annually. Gen. Keith B. Alexander, retired director of the National Security Agency, has described these losses as “the greatest transfer of wealth in history.”
To put this massive hemorrhage of proprietary data in context, the stateside damage of the World Trade Center attacks and the first year of the war in Afghanistan are estimated to have cost roughly $200 billion. Hence, if some of the higher estimates of data theft are correct, the United States is suffering the economic equivalent of a 9/11 terror attack every year.
In addition to the theft of sensitive information by foreign states, such as China and Russia, there is a burgeoning criminal industry preying on U.S. merchants and consumers. Justice Department statistics show that more than 7 percent of households suffered some form of identity theft last year. The total loss from identity theft exceeded $24 billion in 2014, nearly double the 2010 figure.
From even this brief overview, Sony’s economic losses take on a new light. By some estimates, the costs to Sony could total $100 million. At most, this is perhaps 1 percent of the costs U.S. companies will incur this year due to computer compromises. Sony’s losses are neither surprising nor unprecedented, merely a salient example of corporate vulnerability and the fact we are continuing to erect our massive information economy on sand.
National security risks
By design, the U.S. military is more dependent on information technology than any potential adversary. During the Cold War, policymakers recognized that America could not hope to defeat a Soviet invasion of Western Europe by matching our adversary man for man or tank for tank. Fighting halfway around the world — with extended logistics lines and a numerically superior enemy — required the substitution of technology for mass. Thus began the commitment to improved intelligence and communications technologies, stealth aircraft and precision weaponry.
If the United States ever is forced to fight on a major foe’s turf or adjacent seas, and the information technology that underpins this high-tech approach to warfare is compromised, disaster could follow. Regrettably, this already is happening.
For example, the massive compromise of NSA programs by Edward Snowden — due to the agency’s inadequate network safeguards — has undermined a stunning range of intelligence-collection programs and capabilities, alienated some of our closest allies, severely damaged U.S.-industry cooperation and caused communications vendors around the world to adopt encryption standards that make U.S. intelligence collection more difficult and expensive.
As this case demonstrates, even a single network breach can have a profound impact on national security. It is ironic that this breach happened at NSA, America’s premier electronic intelligence-gathering organization and the agency charged with managing cybersecurity for the military. Although the damage was unprecedented, neither Congress nor the president has made any effort to hold the NSA director or his subordinates accountable, another sign that we are not serious about cybersecurity.
Other national security compromises related to data loss are less prominent but potentially just as significant. One of the crucial reasons for the stunning success of the U.S. military, when confronting adversaries such as Saddam Hussein, has been our detailed understanding of our adversaries’ weapons systems. So, confronted by Saddam’s Russian-made missiles, tanks and aircraft, the odds tilted in our favor. Now the tables are turning. According to the Pentagon, Chinese hackers have stolen design information for more than 24 major U.S. weapons systems, including Army and Navy missile defense systems, the Navy’s new littoral combat ship and the $1.4 trillion F-35 Joint Strike Fighter. The loss of this information places U.S. weapons systems and personnel at risk while saving China billions in weapons development costs.
Meanwhile, other countries have been electronically probing the infrastructure facilities — power generation, energy production, electrical grids, etc. — typically targeted in strategic bombing campaigns. It’s far easier to target and penetrate corporate networks via email, web exploits and other means than it is to penetrate and manipulate infrastructure systems, but the effort to do so is ongoing. Last year alone, the government responded to 256 incidents involving penetrations of industrial-control systems.
The American homeland has been shielded from foreign attack by our military and the vastness of the oceans since the War of 1812. Those barriers will not protect us from cyberattacks. Here, the Sony case is relevant, because if one of the world’s most isolated and backward nations could successfully seize control of the networks of a leading U.S. corporation, and intimidate an entire industry to the point of suppressing the release of a feature film, one can well imagine what havoc a more sophisticated adversary might wreak in wartime.
Warfare is the pursuit of political objectives by military force. When nations can achieve their objectives by less costly means, including deception and covert action, they naturally do so. In that regard, America’s massive cyber vulnerabilities provide a wealth of opportunities for other nations to exploit in efforts to influence or manipulate our government and institutions. North Korea’s attack on Sony is a case in point.
In short, as long as our information systems remain porous, opportunities for foreign intelligence services to secretly influence U.S. policy will abound. For example, a foreign government wanting to silence a prominent American critic or policymaker might task its intelligence services to search the private communications of that individual for improprieties that could provide leverage, or if exposed, damage or discredit the individual.
If the target is clean, no problem. Having gained access to the target’s computer, the perpetrators can simply use it to visit child porn sites, then, while still concealing their role, ensure that the information is provided to law enforcement officials or the press. Today, policymakers in every branch of the U.S. government as well as the press are vulnerable to such attacks if the devices they use connect to the Internet. Of course, access to corporate and government networks provides a far wider range of opportunities for mischief. In general, just as the United States maintains a nuclear arsenal for deterrence but generally employs highly precise drones and special operations forces in combat, so the future use of cyber operations primarily will be surgical, aimed at achieving political objectives by manipulating specific individuals and institutions.
Regrettably, it sometimes takes a bloody disaster to spur the nation to confront emerging threats. For example, nothing was done to strengthen airline or border security, much less go on the offensive against al-Qaida, until America saw the destruction of the World Trade Towers and the loss of 3,000 lives. The impact of cybersecurity shortfalls is massive, corroding our economy and institutions and placing a mortgage of uncertain interest on the future, but there is no gruesome footage to display on the news.
As one pundit has pointed out, about twice as many Americans have been married to Larry King as have contracted the Ebola virus, yet the public is terrified of Ebola while seemingly unconcerned by the fact that our society is dependent on a highly penetrated and grossly insecure technology.
No matter how many millions of Americans suffer identity fraud, no matter how many companies suffer extensive financial losses or how many vital intelligence or military programs are compromised, most citizens simply won’t engage until they feel their personal safety is threatened. This is where leadership makes all the difference. Policymakers and leading citizens who have the time and temperament to dig into this arcane issue, and weigh the national interest, must lead.
There are a number of actions that can readily enhance our security. For example:
Congress might pass cybersecurity legislation to facilitate information sharing between the U.S. government and the private sector. This is utterly non-partisan and clearly in the national interest.
We have highly detailed fire and construction standards even for small public buildings. I recently visited a three-room day care center for 10 children that was required to install a $50,000 sprinkler system. Yet no one has mandated safety and security standards for the information systems of even our largest public corporations. The federal government ought to do so. Short of that, it could at least mandate that corporate websites display a symbol showing an information security ranking so consumers and business partners could make a risk assessment before sharing data or engaging in transactions. Criteria might include such things as double authentication, end-point security and malware detection technology.
The federal government can and should put more pressure on foreign states that engage in widespread hacking and/or harbor cyber criminal organizations. If these states are unwilling to extradite suspects or crack down on such groups, we might limit their leaders’ travel, elevate the issue in bilateral discussions or more aggressively retaliate against the perpetrators with cyber counterattacks.
We’re the nation that first landed on the moon. There is little we can’t achieve when we make it a national priority. Increased spending on cybersecurity research and a national program aimed at strengthening Internet security should be a priority.
There will be some cost and inconvenience, just as we now have to remove our shoes at the airport. But we all recognize the unfortunate necessity of airport security, and these measures have proven very effective. This really isn’t so difficult. America can do this if we recognize the need.
The Sony case is interesting and, in some respects, unique. It represents an escalation in that North Korea publicly humiliated Sony, rather than merely pilfering its data as most hackers do. But in the big picture, it’s barely a blip, just a drop from the massive flow of household, corporate and government data losses plaguing the nation. We can act now to stem the tide, or, as we did in the summer of 2001, wait until some disaster befalls the nation.
Read the original article in the Pittsburgh Post-Gazette.