“Cyber security” is the new buzzword sending millions of Americans into a panicked frenzy as they find themselves vulnerable to numerous attacks by cyber criminals. And with the forward march of digitalization over the last two decades cutting across all segments of society, hackers have their work cut out for them.
In 21st-century America, “internet” is the name of our new addiction. Information-hungry, tech-savvy users are now empowered to capture, create, and spread content across a variety of mediums and industries, including entertainment, social interaction, education, communication, and even health care. Our tech-infused lives are nothing like they used to be: we now use phones to take pictures, iPods to listen to music, game consoles to entertain our friends; we read books on Kindles and transfer gigabytes of information per minute using USB technology. Modern advancements are making life easier, but they’re also rewiring our brains as they get us more and more hooked.
Expectedly, this full-blown digital revolution isn’t only affecting the average user. Every process, in every industry, across all segments of society – from automobiles to education and national security – is transformed in this massive shift towards paperless and wireless. Our banking systems, utilities, telecommunications, and national security have all moved online. An important and immediate effect? With all the information in the world at our fingertips, digitalization makes everyone powerful – the nature of authority is changing in a transparent world without barriers. Businesses, the media, or state institutions can no longer hide anything from the omnipresent eye of the public – or that of hackers.
A report published last year by internet security firm Symantec revealed that cybercrime – hacking, identity theft, cyber stalking, malicious software, child pornography and abuse – costs the world an estimated $113 billion per year. On average, American companies have to fork over $277 for every customer’s account put at risk by malicious attacks, a cost much higher than that of information leaks caused by employee negligence or software failure. The number of victims is well into the hundreds of millions.
Spending More Money, a Viable Solution?
For the second year, the Ponemon Institute released an in-depth report titled 2013 Cost of Cyber Crime Study: United States that analyzes the costs associated with fighting computer criminal activity directed at individuals, the private business sector, and the national infrastructure. Here were some of the study highlights:
- Cybercrime continues to drain businesses’ resources. Researchers found that, in 2013, the 60 companies surveyed had an average annual expense of $11.6 million, ranging between $1.3 million and almost $60 million. This is a 26 percent increase compared to last year’s figures, when the average annualized cost didn’t exceed $9 million.
- Cyberattacks are now a common sight. In 2012, the surveyed companies reported a total of 102 successful attacks on average every week; in 2013, the number increased to 122.
- All industries are vulnerable to cybercrime, but not to the same extent. Companies in retail and consumer products spend far less on fighting computer crime compared to financial companies, defense, and utilities.
- The types of attacks that demand the biggest expenditures include web-based attacks and malicious software. Addressing these major problems efficiently and mitigating costs would require organizations to implement intrusion prevention systems, risk management and compliance solutions, application security testing, enterprise governance, and others.
Clearly, cybersecurity is a real and pressing problem, threatening the entire world. And certain steps are already being made by the government to decrease the risks of attack and secure critical information. The question is, is this new war against computer crime turning into the expensive, ineffective, and resource-draining waste of time that was the war on drugs? Americans certainly aren’t looking forward to footing the bill of yet another utter failure that will result in billions of tax dollars wasted, overcrowding jails, and millions of lives destroyed.
Spending more money is a solution, according to research from Bloomberg, which estimates that businesses that want to increase their level of security must fork over 9 times more than what they’re currently spending on cyberattack prevention. That is, in order to prevent 95 percent of all attacks, companies will have to increase their budgets from $5.3 billion to $46.6 billion.
On the other hand, many experts believe that putting more money into strategies that aren’t currently working will not increase their efficiency in fighting cybercrime. And yet, many business managers still choose to invest in antivirus solutions that can barely detect malware and virus threats, out of fear of being held personally liable in the eventuality of a security breach.
Excessive Punishment for Hackers: History Repeating?
Take the case of Eric Rosol, the 38-year-old man from Wisconsin who helped the notorious activist group Anonymous to overload Kochind.com’s server, and was given a two-year probation sentence and a $183,000 fine, even though he participated in the attack for no longer than 60 seconds. Or the high-profile case of Matthew Keys, a former social media editor at Reuters, who is accused of having turned over the login information for the Tribune Company to the same Anonymous, which proceeded to pull a prank and change one of the headlines to read “Pressure builds in House to elect CHIPPY 1337.” For this minor act of vandalism, Keys got indicted on three felony charges, and he’s looking at a sentence between 21 and 21 months in jail and possibly a huge fine.
Andrew Auernheimer will spend 41 months in federal prison for having found and exploited a minor AT&T flaw, while Aaron Swartz will never see the light of day again, committing suicide after being sentenced to 35 years in jail for multiple violations of the Terms of Service agreement.
This trend is not new; excessive punishment was fairly common in the war on drugs. But according to Marvin Ammori from Wired, “We need to question whether locking people up for long periods of time — without addressing the root concerns about concentrated political power, civil liberties abuses, and transparency — will have the effect of deterrence or worse yet, a hardened cynicism that perpetuates the endless cycle of punishment. That’s true of even non-politically motivated cybercrime, or really, all crime … whether it involves a computer or not.”
Are We Winning or Losing the War?
The short answer is: we are definitely losing it. The Federal Bureau of Investigation appears to be overwhelmed by the craft and skills of tech-savvy hackers, according to former executive assistant director Shawn Henry, who was interviewed by the Wall Street Journal: “I don’t see how we ever come out of this without changes in technology or changes in behavior, because with the status quo, it’s an unsustainable model. Unsustainable in that you never get ahead, never become secure, never have a reasonable expectation of privacy or security.”
More and more often, FBI agents are encountering situations where the data breach had occurred months or even years before company executives learned about their security issues. Henry says most of them are shocked at the thought of having had all business operations fully exposed to ill-intended individuals. In the meantime, aside from the daily thousands of crashing websites and virus-infected networks, attacks are now the cause of 18 percent of U.S.-based data center outages. The average cost per outage is $630,000, and the crash can interfere with other vital services based there, such as telephone systems and industrial facilities.
Part of the reason why the FBI is often overwhelmed by this disturbing trend is that the organization is outnumbered: there are too many hackers and too many access points to organizations and agencies the FBI wants to protect. On the other hand, the number of agents is not the only shortcoming. According to Reuters, attacks are becoming more commonplace than in past years and also much more sophisticated and targeted. Nowadays, it is not uncommon for wireless printers or smartphones to be “co-opted into attacks;” as they become ever more complex and frequent, cyberattacks are leaving automated detection systems far behind.
Ironically, the FBI is itself the target of cyber criminals: “Over more than a decade, the federal government has struggled to implement a mandate to protect its own IT systems from malicious attacks. As we move forward on this national strategy to boost the cybersecurity of our nation’s critical infrastructure, we cannot overlook the critical roles played by many government operations, and the dangerous vulnerabilities which persist in their information systems.”
The only way to save precious time and resources is for the government to learn from its own mistakes. Enforcing prohibition, excessive punishment, and the reckless wasting of tax dollars will not make our country more protected in the face of cyber criminals. Rather, efforts should continue to be focused on building a database with information of previous attacks (similar to a fingerprint repository) or updating the agency about data security breaches, thus keeping the “cyber panic” under control.
About the Author
Andrew M. Weisberg is a criminal defense attorney in Chicago, Illinois. A former prosecutor in Cook County, Mr. Weisberg is a member of the Capital Litigation Trial Bar, an elite group of criminal attorneys who are certified by the Illinois Supreme Court to try death penalty cases. He is also a member of the Federal Trial Bar. Mr. Weisberg is a sole practitioner at the Law Offices of Andrew M. Weisberg.