The Cost of Hacking: From Dollars to Identity
Prominent tech bloggers, hackers, crackers and even government officials are warning that the warfare of the 21st century won’t take place on the battlefield, but on the servers and mainframes of corporations, banks and governments around the world. The expenditures reported by the Pentagon have seen continual increases in budgets to protect against cyber warfare attacks. In 2013, the Pentagon had a budget of $3.9 billion. In 2014, the budget grew to $4.7 billion. Now finally, in 2015, the budget is estimated at $5.1 billion. With this degree of spending, it’s obvious that the government is taking the need for advanced threat defense and cyber warfare capabilities very seriously.
The U.S. Cyber Command was initiated in 2010. Based in Fort Meade, the agency was set up to consolidate the intelligence and cyber warfare capabilities of the main military branches in one centralized command unit. The operations of these units have been kept fairly secretive, and little is known about the true capabilities of the United States when it comes to thwarting and launching their own cyber attacks to protect American interests. In 2013, Army General Keith Alexander appeared before Congress to address the growing need for increase vigilance in the realm of advanced threat defense, detection and cyber warfare techniques. He stated that, “every world event, crisis and trend now has a cyber-aspect to it” and warned that our ability to defend ourselves will affect the physical capabilities of the United States.
The growing threat of cyber terrorism and cyber warfare is likely going to continue, as organizations with limited military means may resort to attempting to infiltrate and destroy military defense networks. These threats have already affected nuclear computers, as shown in 2012 when Iran’s centrifuge machine was damaged by the Stuxnet worm. The result was significant damage to five Iranian organizations, and caused significant physical damage to Iran’s nuclear program. Gary Samore, The White House Coordinator for Arms Control, acknowledged the attack in 2011. He stated that the United States and it’s Allies were pleased with the attack and doing whatever they could to complicate matters for Iran.
Threats Beyond the Military
It’s not just the military that is at risk though. Cyber warfare is a threat that affects everyday civil liberties and the world economy. A single targeted attack could bring down the stock market, upend the banking establishment or render a critical company or agency incapable of functioning in an effective way. The Sony hack of 2014 shows that even a typically impotent state like North Korea can inflict real damage if motivated to wage an attack. One of the primary issues involved with cyber warfare is tracking the source and applying blame once an attack has been launched. In most cases, this can be done through evaluating the type of attack, pinpointing the location and determining the level of sophistication of the attacker. In the case of North Korea, the U.S. National Security Agency reportedly infiltrated China-based networks and systems used by North Korea. The agency has been tracking their capabilities since 2010, and based on undisclosed “bread crumbs” left by the attackers, the threat could be traced back to systems used by North Korea.
Cyber warfare affects everyone in large-scale, sweeping ways that take personal liberties from individuals and replace them with an increased ability for the government to monitor communications. With the large-scale security breaches of Target, Home Depot, Chase, and Neiman Marcus, the public is placing increasing pressure on the government to enact legislation that punishes companies for not reporting security breaches. In 2014, the Personal Data Protection and Breach Accountability Act of 2014, attempted to address these concerns by imposing civil and criminal penalties on companies that put personally identifiable information at risk. The plan outlined several policies that companies must follow to protect consumer information, and it exempts certain industries like financial institutions that are already covered under other acts.
Hacking is big business, and cyber attackers can take down the websites of large companies and extort them for money to get the sites back online. This “protection money” is seen as a cost of doing business, and in some cases, the attacks even come from a company’s competitors. These types of attacks have sparked debates in Washington about how much information a company is obligated to share with the government. Privacy concerns and civil liberties are compromised when information-sharing amongst private companies to protect company interests increases. In some cases, private companies may share information that would typically require a search warrant, and all of this is in an attempt to remain compliant, protect the assets of the company and avoid penalties through increased cooperation. Information that is shared may contain protected free speech, personally identifiable information and private email correspondence from customers.
In 2013, over 600 data breaches personally affected consumers. The typical response from a company is to send a letter notifying the customer, and provide them with a time-limited credit monitoring service to help them identify identity theft before it becomes an issue. Companies like Sony, are attempting to argue that data theft in itself doesn’t harm consumers. The reasoning is that in order for data theft to be harmful, the attackers have to use the information in some way to negatively affect an individual’s financial situation. Without a financial burden, companies are attempting to reason that there is no real penalty. However, this is taking the eyes off the real issue, which is that a company is responsible for protecting the integrity of any personally identifiable information provided by customers. Advanced threat defense is an important aspect of any company’s IT security, and unless companies take the steps necessary to protect consumers, they should not be storing customer information to begin with.
