The great data robbery: Modern capers can leave US broke, vulnerable


Why rob a bank?

“Because that’s where the money is.” Willie Sutton claimed he never uttered those words. Regardless, it makes for good lore and a cautionary tale. The reality is bank robbery is down almost 50 percent from 2003, and the amount taken has dropped from $73 million in 2003 to $28 million by 2015 according to the FBI.

What’s gone up?

Data breaches. Ransomware. Intellectual property theft. According to the 2017 IBM and Ponemon Cost of Data Breach Study, the average cost of a data breach was $7.35 million. With a reported 1,579 breaches, the potential impact just to recover was $11.6 billion.

The business sector accounted for 91.3 percent of all breaches.

Damage from ransomware attacks (not just the ransom, but downtime, lost business, etc.) was $325 million in 2015. In 2017 it’s expected to top $5 billion.

The average cost per capita of a breached record in 2017 was $225, up from $188 in 2013. With over 178 million records exposed last year, that means the impact was over $40 billion. A billion here and a billion there and pretty soon we’re talking serious money.

The profile of the attacker has also changed. Instead of individual hackers and small-time criminal organizations, Russia, China, North Korea and Iran now make up the quartet of adversaries the United States should be most concerned with when it comes to cybersecurity. The resources and technical capability of nation states can easily overwhelm the vast majority of private sector cyber defenses.

According to the Commission on the Theft of American Intellectual Property (the IP Commission), the annual cost to American business of trade secret theft could reach as high as $600 billion.

When these ill-prepared companies are hacked, the CEOs get punished. Failures in leadership are being dealt with faster than ever when it comes to a breach or intrusion. The massive Equifax hack was reported on Sept. 7, 2017. On Sept. 12, two senior security executives “retired,” a euphemism for quitting before getting fired. On Sept. 26 the CEO, Richard Smith, also “retired.”

Disasters have consequences.

The times they are a-changing

When one company steals another's intellectual property, the matter usually ends in litigation and a settlement. For example, Uber was sued by Waymo for a variety of offenses, including theft of trade secrets from the self-driving car division at Alphabet.

Try suing China, or Russia. Forget North Korea or Iran. It won’t stop or deter them. Criminal indictments mean nothing to state actors. The threat of an insider working for one of our adversaries, combined with the resources of an entire nation, changes the nature and complexion of the problem for the private sector.

After the debacle at the Office of Personnel Management (OPM), where China stole 21 million records, OPM was relieved of its responsibility for background investigations. That function was transferred to the newly created National Background Investigations Bureau (NBIB).

In an announcement on Jan. 22, 2016, then-President Obama explained the reasons:

“To leverage the latest modern technology, protect the sensitive information … bring the fullest security resources to bear against increasingly sophisticated and evolving threats, NBIB’s information technology systems will be designed, built, secured and operated by DOD (Department of Defense) … This approach will leverage DOD’s significant national security, IT and cybersecurity expertise.”

Taking the DOD approach

Granted, DOD will not come and build your next system. But the decision points to a broader idea: fundamental changes are needed in how current systems are built and improved.

Cybersecurity needs to become as important a mission as returning profits to shareholders. We’re not talking about ringing a bank with tanks and armed soldiers. But in cyberspace you can do something similar.

The government and DOD need to continue to share information, intelligence (where they can) and provide access to cutting-edge technologies developed with the kind of R&D budgets only the military and intelligence community can command.

Had Equifax used segmentation to isolate its consumer resolution database from Internet-facing systems, it would have had a fighting chance to stop the hackers in their virtual tracks instead of being digital roadkill.

There’s an old saying about the best time to plant an oak tree: 20 years ago. The next best time? Right now. Here’s what the private sector can do right now:

  • Separate what is most important from what is most exposed (think of the online consumer dispute portal of Equifax — none of the records were encrypted);
  • Protect and defend against the insider threat with more comprehensive and mandatory training;
  • Learn to uncover hidden threats and identify anomalies with powerful analytics; and
  • Add artificial intelligence, automation and emerging blockchain technologies.
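The first item, and the Equifax point above it, is about network segmentation: the most exposed tier (an Internet-facing portal) must never be one hop away from the most important one (the records database). The script below is an added illustration, not code from this column or from Equifax. It models zone-to-zone firewall allow-lists as a directed graph and asks two questions a practitioner checks before signing off on an architecture: what an attacker who owns the web tier can reach directly, and how many hops separate the Internet from the crown jewels. The zone names, ports and both rule sets are constructed for the example; a real review would feed it the actual firewall or security-group policy.

```python
"""Segmentation check: does any Internet-exposed zone talk straight to a
crown-jewel zone, and how deep is the database behind the edge?

Added illustration. Zones, ports and rules are constructed for the
example, not taken from any real network.
"""
from collections import deque

# Constructed allow-list: (source zone, destination zone, destination port).
# Anything not listed is denied (default-deny between zones).
SEGMENTED_RULES = [
    ("internet", "dmz-web", 443),     # public dispute portal
    ("dmz-web", "app", 8443),         # web tier may only call the app tier
    ("app", "db", 5432),              # only the app tier reaches the database
    ("corp-admin", "db", 5432),       # DBAs from the admin network
]

# The same network with one "convenience" rule letting the web tier query
# the database directly: the pattern the column warns against.
FLAT_RULES = SEGMENTED_RULES + [("dmz-web", "db", 5432)]

# Zones holding the data that matters most (constructed).
CROWN_JEWELS = {"db"}


def direct_targets(rules, zone):
    """(destination zone, port) pairs that hosts in `zone` may connect to.
    This is the blast radius of a single compromised host in `zone`."""
    return sorted({(dst, port) for src, dst, port in rules if src == zone})


def hops_to(rules, start, target):
    """Minimum number of allowed zone-to-zone hops from `start` to
    `target`, or None if no path exists (breadth-first search)."""
    edges = {}
    for src, dst, _port in rules:
        edges.setdefault(src, set()).add(dst)
    seen = {start}
    queue = deque([(start, 0)])
    while queue:
        zone, dist = queue.popleft()
        if zone == target:
            return dist
        for nxt in edges.get(zone, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, dist + 1))
    return None


def risky_rules(rules, jewels=CROWN_JEWELS, edge_zone="internet"):
    """Rules that let the edge zone, or any zone the edge zone can reach in
    one hop, open a connection straight to a crown jewel. An empty list
    means 'most exposed' and 'most important' are separated by at least
    one intermediate tier."""
    exposed = {dst for src, dst, _port in rules if src == edge_zone}
    exposed.add(edge_zone)
    return [r for r in rules if r[0] in exposed and r[1] in jewels]


def report(name, rules):
    """Human-readable summary for a rule set."""
    lines = [f"{name}:"]
    lines.append(f"  hops internet -> db: {hops_to(rules, 'internet', 'db')}")
    lines.append(f"  reachable from a compromised web host: "
                 f"{direct_targets(rules, 'dmz-web')}")
    lines.append(f"  risky rules: {risky_rules(rules)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report("segmented", SEGMENTED_RULES))
    print(report("flat", FLAT_RULES))
```

In the segmented rule set a web-tier compromise yields only the application tier on one port and the database is three hops from the Internet; the flat rule set puts the database two hops away and one direct connection from the portal, which `risky_rules` flags. The same check applies unchanged to cloud security groups or VPC route tables once they are flattened into (source, destination, port) triples.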

Apple famously launched the “Think Different” ad campaign. It helped revolutionize an entire market and put the company on track to become the first trillion-dollar company. When’s the best time to “think differently” about cybersecurity?

Right now.

Morgan Wright is an expert on cybersecurity strategy, cyberterrorism, identity theft and privacy. He’s currently a Senior Fellow at the Center for Digital Government. Previously Morgan was a senior advisor in the U.S. State Department Antiterrorism Assistance Program and senior law enforcement advisor for the 2012 Republican National Convention. Follow him on Twitter @morganwright_us.