Extracting value from the computers of unsuspecting companies and government agencies is a big business for criminals. The past 12 months have seen a continued increase in the number and complexity of advanced malware threats affecting business and government operations. The impact of cybercrime and cyber espionage is no longer just a conversation amongst information security professionals. Today no company or government is immune to intellectual property theft, and some countries are highlighting this as a leading risk to national security.
In a recent, particularly sinister attack campaign, the perpetrators not only looked to access information from the victim’s computers, they also looked to carry out significant destruction of the network at the same time, leading many to call it “one of the most destructive hacker strikes against a single business”. The malware used in this attack, of which McAfee Labs has identified 600,000 samples, carries a ‘wiper module’ designed to steal information and wipe the computer and its network, a devastating event for any business or government. While the victims are busy rebuilding their systems, they are distracted from investigating the security breach and identifying the stolen information.
The types of data of interest to cybercriminals, and potentially the first sign of loss to the organization, could include customer personal information, network and online application passwords, financial data such as customer credit card details, and budgets and supplier information. In more complex cases, cybercriminals are looking to steal corporate secrets and intellectual property with the goal of re-use, or even re-sale, of this extremely valuable information to an interested party.
The resulting losses to victims of these attacks range from reputational damage, loss of customer trust, financial penalties, and the cost of remediation and repair to greater competition arising from the stolen information. The loss could be extreme because the crime may be conducted over a long period of time, sometimes over several years, making it extremely difficult to quantify and even to recover.
This is the first part of a three-part blog series looking at the costs of cybercrime and the state of economic espionage. Any attempt to measure the true cost of cybercrime must consider many facets, not just the direct dollar losses sustained by victims, and it’s that greater impact that deserves greater attention. Doing so can lead business, policy and technology leaders towards setting appropriate priorities and strategies for how their organizations, industries, and communities should best manage cybersecurity threats.
The Components of Malicious Cyber Activity
At McAfee, we see the damage from malicious cyber activity falling into six distinct categories:
- Account Costs. The theft of millions of dollars in illegal account transfers and withdrawals
- Innovation Costs. The loss of intellectual property and business confidential information
- Operational Costs. The loss of sensitive business information specific to present organizational operations
- Opportunity Costs. The financial losses from service and employment disruptions, and reduced trust for online activities
- IT Costs. The additional cost of securing networks, insurance, and recovery from cyber attacks
- Reputation Costs. Reputational damage to the hacked company among its immediate and extended business audiences or communities
Cyber theft of intellectual property and business-confidential information probably costs developed economies billions of dollars—how many billions is an open question. These losses could just be the cost of doing business or they could be a major new risk for companies and nations as these illicit acquisitions damage global economic competitiveness and undermine technological advantage.
The cost of malicious cyber activity involves more than the technical damage to the asset or intellectual property. There are opportunity costs, damage to brand and reputation, consumer losses from fraud, the opportunity costs of service disruptions, “cleaning up” after cyber incidents, and the cost of increased spending on cybersecurity.
Data collection is complicated by definitional difficulties. Should cybercrime, for example, include all crimes committed using cyber means, or only those crimes that could only be committed with cyber tools, leaving out crimes that would otherwise have been committed via traditional criminal means?
One way to think about this is to ask: if there were no internet, would this crime have occurred?
Two important caveats shape this comprehensive view. First, we will try to estimate net loss, which is particularly important for estimating the effect of a temporary disruption of service. A store knocked offline for a day may lose $10,000, but if customers wait or go to another store, the net loss to the economy is much smaller.
Second, we will try to use market values rather than a value assigned by the victim. A company may spend a billion dollars on research, but it is the expected return on this investment that determines its worth, not the expenditure.
But this raises several important questions about the full benefit to the acquirers and the damage to the victims from the cumulative effect of continuous losses in cyberspace. The question of the effect and consequences of the loss is more important than any actual number, and it is one we continue to investigate.
My next posts in this series will dig deeper into the costs of intellectual property losses and the theft of business-confidential data.