Economic cyberwarfare is on the rise as cyberattacks on U.S. companies are increasing in both frequency and severity. And costs are mounting.
Much like a computer virus compares to an infectious virus in humans, there is a battle between treating the symptoms versus treating the disease when it comes to funding; along with a sheer lack of knowledge and concern by some. Companies must do more to increase their resiliency from attack, and fight to stay ahead in cybersecurity.
Over the last year, cyberattacks have compromised financial and personal data — both corporate and consumer — maintained by big-name companies such as Target, Home Depot, J.P. Morgan Chase, eBay, Apple, Yahoo!, UPS, P.F. Chang’s and Dairy Queen. Malware, such as the Backoff malware, has infected more than 1,000 U.S. businesses. According to FBI Director James Comey, “There are two kinds of big companies in the United States. There are those who’ve been hacked and those who don’t know they’ve been hacked.”
Corporations are both the leading source of new technology and the backbone of growth through innovation. It is imperative that they continue to play a leading role in cybersecurity. By sharing information and working cooperatively with each other, government entities and international partners, U.S. companies can help mitigate cyberthreats. Congress and the administration must help to create an environment where cyberthreats are taken seriously and corporations willing to help can share security-enhancing information risk-free.
Like giving blood, information-sharing is a noble and valuable activity that should be voluntary for companies. Cyberattacks are easily repurposed to target similar systems. The Backoff malware, for example, was able to affect so many businesses because it exploited the same point-of-sale system used across multiple U.S. companies, such as Michaels and Aaron Brothers, to track purchases.
Companies who find themselves early targets of such attacks can help others using similar systems to prepare for and repel such attacks by sharing the knowledge they have gained in the course of identifying and dealing with the assault.
Rule makers must be wary of saddling companies with overbearing cybersecurity regulation, as this can be counterproductive. Just before convening last week’s Third Annual Cybersecurity Summit, the U.S. Chamber of Commerce penned a letter to the U.S. Securities and Exchange Commission warning that increased regulation would damage the relationship between U.S. businesses and government and their ability to counter persistent attacks.
Cyberthreats extend beyond national boundaries, and so must cybersecurity cooperation. According to a PwC survey, global IT security incidents grew 48 percent, to 42.8 million, in 2014. The recent attack on J.P. Morgan reportedly originated in Russia. The attacked that compromised 4.5 million patient records at Community Health Services is thought to have come from China. Recent reports by network security company FireEye and cyber analytic company Novetta tell of the very real threat from two sophisticated cybergroups: Russia’s APT28 and China’s Axiom.
To help stop known cyberaggressors from abroad, the U.S. government must work closely with international partners, sharing information and collaborating on cybercrime investigations within our borders.
The costs associated with cyberthreats vary widely, but they are significant at any level. From intellectual-property theft to denial-of-service attacks, the cost of cybercrime in the U.S. can vary from $1.6 million to $60 million per company, and is growing every year. Meanwhile, the global cost of cybercrime is estimated as high as $575 billion in 2013. Yet, there is no 100 percent security against loss. Cyberinsurance is becoming an important tool for businesses to mitigate losses from the increasing number of breaches and attacks by sophisticated, state-sponsored aggressors.
Cyberrisks have become pandemic. They threaten all of us on a daily basis, whether we are aware of it or not. By promoting information sharing, cybersecurity insurance, and collaboration in combatting cyber crime, Congress and the administration can help create an environment for improved commercial cybersecurity. Cybercriminals will only continue to expand their activities. Cooperative, voluntary partnerships are the most nimble, effective means of fighting back.
• Riley Walters is a researcher in the Heritage Foundation’s Douglas and Sarah Allison Center for Foreign and National Security Policy.