Cyberattacks are top of mind today, with recent news about high profile incidents involving the Democratic National Committee and Yahoo dominating the headlines.
While such incidents certainly lead to much handwringing, cyberattacks perpetrated on individuals, companies and countries can have significant fallout that outlasts the current news cycle.
At best, cyberattacks can be a nuisance, and at worst, they can have devastating and long-lasting negative implications.
The Individual Level
On an individual level, cyberattacks can have various degrees of impact.
One common cyberattack scenario – a hacker steals credit card information and uses the account to make fraudulent purchases. These types of incidents are certainly disruptive but are more of a nuisance if a card holder reports the charges in a timely fashion, typically within 60 to 90 days.
This may be among the largest cybercrime issues, says Brad Gross, an attorney based in Weston, Fla., who has served as a prosecutor of Internet and technology-based crimes for many years. Indeed, according to the Javelin Strategy & Research 2015 Data Breach Fraud Impact Report, nearly 32 million U.S. consumers had their credit cards breached in 2014.
Despite that figure, “the real issue is one for the credit card company and not so much for the individual who isn’t going to be responsible for fraudulent charges,” says Gross. For the credit card companies, fraud is a big problem – in 2014, 90 percent of consumers who were victimized received new cards at a cost of up to nearly $13 each, according to the Javelin report.
In response, card issuers have turned to EMV chips for increased transactional security. However, one of the unintended consequences of this move, says Shaun Murphy, inventor, founder, and CEO of Sndr.com, a provider of an encrypted app for communications, is that cybercriminals have turned their attention to other kinds of attacks against individuals.
“Credit card information is very valuable to hackers, but other things like your best friend’s name in high school, your first pet’s name – that type of information is extremely beneficial,” Murphy says. To perpetrate financial fraud, hackers need in-depth knowledge of individuals often gained through doxing – the process of capturing pieces of personal information from social media and other online sources and aggregating that information to create a virtual profile.
“This concept of doxing is one step in the process of figuring out who you are online and how to get access to information,” Murphy says.
One aim of doxing efforts: cybercriminals take over an individual’s social media and email accounts – freezing access to these accounts until individuals pay ransom. These doxing actions can also allow cybercriminals to gain access to bank accounts or incur debts in an individual’s name – financial losses that can fall solely on the wallets of individuals.
In addition to monetary losses, such doxing incidents can lead to credit problems which can have long-term implications. In effect, says Murphy, such attacks are the equivalent of a digital mugging – the victim is left to deal with the loss if the breach isn’t discovered and reported promptly.
What is more unsettling for individuals is that credit card and bank information usually are accompanied by personal information including address, medical data and social security numbers – ultimately the kind of data that leads to identity theft. In these situations, an individual’s very identity is high-jacked by thieves, potentially wreaking havoc on a person’s ability to get a credit card, take out loans – even get a job.
Identity theft is particularly nefarious, says Gross.
“First there is the actual damage – such as accounts opened or debts incurred in an individual’s name,” he says. “Then there is the personal impact that can’t be overlooked. The amount of time an individual has to invest in getting his or her identity back is staggering.”
That said, individuals are not likely to abandon social media nor keep their cash under their mattresses since every aspect of personal lives is increasingly digital and connected. Joseph Carrigan, a senior security engineer on the staff at the Johns Hopkins Security Information Institute in Baltimore, says it behooves individuals to up their security hygiene which currently is at a sorry state. This should begin with “establishing strong passwords that are diverse across sites,” he explains. Individuals also shouldn’t assume that websites where they have entered their passwords offer adequate protection – and hence they should change their passwords frequently. As for personal information, keep backups to ensure that important data is not held hostage.
In short, says Carrigan, individuals need to be constantly vigilant and take a certain amount of ownership for securing their own data.
The Company Level
For companies, cyberattacks are a constant threat.
Target, TJX and Home Depot are among the high-profile companies that have had their systems breached and consumer data exposed. In the short term, such breaches can negatively affect those businesses that are victims of large and well-publicized hacks.
At Target, for example, both the CEO and CIO were replaced following the 2014 breach that exposed security vulnerabilities. And Yahoo’s most recent revelation in December of a breach resulted in an immediate hit to its stock price and called into question whether a proposed merger with Verizon would take place. Yet security experts say that such negative fallout is often short term.
“I haven’t stopped shopping at Target, nor have most consumers as the company is doing well,” says Carrigan.
Consumers may be appeased by the monitoring and credit reporting companies are typically required to provide in the event of a data breach. In effect, the backlash from consumers is temporary, particularly at those big box retailers that offer convenience and pricing advantages.
Like individuals, companies have also been victims of ransomware – and have paid to have their systems unlocked. While Carrigan doesn’t advocate paying a ransom (as it often serves to invite further such attacks), he understands the propensity for doing so; often the ransom is less than what it would cost to hire consultants to unlock data.
Of more concern to companies is the theft of intellectual property, such as trade secrets, copyrighted material, product designs, customer lists, inventions and the like. Such information is valuable, both in terms of present revenue and future potential revenue. The loss of IP today can adversely affect a company’s profits, stock price and very existence long-term, yet the depth of threat is likely unknown.
For one thing, IP can have intangible value – what is the cost of the inability to forge business contracts due to the loss of a trade secret? Then there’s the bad publicity in the cases where insiders – employees or former employees – have stolen IP. In these situations, companies often opt not to share embarrassing details – IP theft is not party to the same disclosure revelations as is the theft of patient or consumer data. In addition, companies themselves are unaware that they have been victimized.
“I suspect in the majority of situations, businesses don’t know they’ve had their IP stolen,” says Kevin Beaver, principle information security consultant at Principle Logic LLC in Atlanta. “If you don’t have the proper security controls to detect it, then you won’t know when it happens.”
Yet on a larger scale, IP theft is a serious and far-reaching issue that costs U.S. businesses billions of dollars annually according to 2014 statistics from the FBI. In response, the FBI and the Department of Justice have teamed up on a collaborative strategy enlisting online marketplaces, payment service providers, and online advertising platforms aimed at combatting online theft of IP.
As security experts see it, the growing incidence of IP theft may serve as a wakeup call for businesses to take a more thorough approach to securing important corporate data.
“Various studies have shown that IT and security pros don’t know where their sensitive information is located nor do they know what services are being used and what information is being sent out to the cloud,” Beaver says.
A recent case highlights the problem at two prestigious New York law firms after Chinese nationals were charged with hacking into their email systems to access confidential data about mergers and acquisitions and profiting through trades. Certainly, the law firms’ reputation to maintain client/attorney privilege has been compromised – at least for the short term. However, such breaches serve to highlight vulnerabilities that often point to more serious system issues.
“The migration to the cloud, storing all of our files and messages and some provider’s systems and trusting that provider to take care of it is not adequate,” says Murphy.
With potentially millions of their own money at risk, companies need to take a more proactive and comprehensive approach to information security encompassing not only technology but people and processes as well.
The Country Level
On a country level, “the U.S. has been a target of cyberattacks for decades — 99 percent of which you will never know about nor ever know what the fallout or resolution will be,” says Gross.
The recent situation involving the Democratic National Committee and alleged Russian meddling may seem surprising to the general population, but are fairly commonplace activities, says Gross. If nation states can perpetrate attacks on each other, it is not much of a theoretical stretch to think that terrorists can perpetrate cyber-terrorists attacks as well.
“For the foreseeable future, cyberattacks are the biggest risk for the country,” says Murphy. While the threat of a conventional attack is ever-present, “there’s a certain level of luck involved in pulling off a terrorist attack in terms of the timing and escaping detection,” Murphy explains. “But with a cyberattack, you can have a room with three people in it and a $200 laptop and they can bring down a country’s critical infrastructure overnight.”
A small cyberterrorist group can take down a power grid, disrupt financial transactions or hack into government systems to expose sensitive information. The goal of such attacks is often not to cripple the infrastructure for the long term.
Bringing down a power grid for a few hours – “a quick hit if you will, is enough to undermine the confidence and security of the American public,” says Gross. “And that in and of itself has far reaching effects.” Taking down a power grid for a bit longer – say two or three days –can have a cascading effect on the food supply, water system and economic activity.
One of the challenges with cyberterrorism incidents as opposed to state-sponsored cyberattacks is that they are asymmetrical, says Carrigan. When nations are involved in cyber warfare, both sides have infrastructure that can be targeted in retribution – hence they are symmetrical.
That is not the case for terrorists – a group can take down a power grid and there is nothing commensurate that the U.S. can target in response. That makes fighting cyberterrorism particularly challenging, says Carrigan. In particular, he is concerned about vulnerabilities in the energy and financial sectors, a situation that is exacerbated given that systems today are so interconnected.
It is the vulnerabilities within the critical infrastructure systems that give Carrigan the most concern. As with cyberattacks on individuals and companies, increased security measures can certainly mitigate some threats, but they must be combined with policies and vigilance to ensure the best safeguards.