Tuesday, June 7, 2011

Analysis: The hidden cost of cybercrime

By Kevin Voigt, CNN
June 7, 2011 -- Updated 0304 GMT (1104 HKT)
The first three months of 2011 have seen a record amount of new malicious software, or "malware," released on the internet. Accounting for the cost of cyber attacks, however, remains difficult because the crime is underreported, analysts say.
  • The cost of cybercrime has come into focus due to a recent spate of high-profile attacks
  • McAfee and SAIC estimate that firms lost $1 trillion to computer crime in 2008
  • Analysts say computer-related security breaches often go unreported
  • As computer devices proliferate, so do the opportunities for cyber criminals
(CNN) -- A few years ago a disgruntled employee for a large multinational automotive firm left the company -- but when he walked out the door, he also walked out with plans for a new car model under development on a cheap USB drive.
When the plans were leaked, the cost to the company was an estimated $1 billion in lost sales and increased research and development costs, according to a security expert who worked on the case.
"The information ended up being published, which saw sales plummet for the existing model as customers decided to wait for the new model," said the expert, who asked not to be named due to confidentiality agreements with the automaker.
Yet that theft will never show up in criminal statistics, nor will the cost be listed in public ledgers as a cost due to "cybercrime." Murky by nature, cybercrime losses are difficult to categorize. That helps keep them hidden from the public eye by companies leery of publicizing breaches in corporate security.
The cost of cybercrime has come into focus due to a recent spate of high profile computer crimes: a hacker attack on Sony in May took its PlayStation Network down for 23 days after confidential information on tens of millions of network subscribers was breached; the company estimated the cost of that attack will total $171 million.
The aerospace and defense titan Lockheed Martin announced it had "a significant and tenacious attack" on May 21 using data stolen from security token maker RSA, which was hacked itself in March. Google last week announced a scam that appeared to emanate from China that stole Gmail passwords in a targeted attack of hundreds of high profile U.S. and South Korean government officials, as well as journalists and
The amount of new malicious software, or "malware," unleashed on the internet during the first three months of this year hit six million programs, according to a report last week by McAfee, the computer antivirus maker. "It's been a busy start to 2011 for cybercriminals," Vincent Weafer, senior vice president of McAfee Labs, said in a statement.
A 2009 study by computer antivirus maker McAfee and SAIC, a technology security firm, estimated that computer crime cost companies $1 trillion across the globe, but analysts say the actual total is sure to be higher as computer security breaches are underreported.
"I think all the service providers are victims of this type of issue, it's just whether the company has a public interface to warn users of this type of problem is the big question," Andrew Lih, author and professor at the University of Southern California, told CNN.
"Google has been pretty good at being forthcoming in having this kind of dialogue with its users," Lih said. "It's very possible to probable that these other service providers, from Yahoo to Microsoft to any of these other ones, have had these types of attacks, it's just that Google has been very public in trying to combat this."
Sign of the Times
The increase in computer attacks is a sign of the times in a post-September 11 world of "asymmetric attacks," analysts say -- the ability of a small group of people to do disproportionate damage to governments and large companies. Just as WikiLeaks damaged U.S. foreign policy through thousands of confidential cables apparently stolen by one U.S. soldier and released to the media in November, companies are increasingly at risk from rogue attacks by employees or from outside attack.
"Especially now with the proliferation of devices," says Thomas Parenty, a former U.S. National Security Agency employee and author of "Digital Defense."
"The number of locations and devices that information can be stored makes the task of keeping track of this more difficult for an organization," Parenty says.
The increased difficulty in protecting data comes as the value of intellectual property is skyrocketing for companies. In 2009, 81% of the value of S&P 500 companies was "intangible assets" such as patented technology, proprietary data and market plans, according to an estimate by Ocean Tomo Intellectual Capital Equity. In 1985, only 68% of the S&P 500 market value was from intangibles, according to Ocean Tomo.
When bandits make off with intellectual property, the cost to the company does not equal the money made by cybercriminals.
"It's like in the Cold War -- the amount of money spies got paid to give away state secrets was absolutely inconsequential compared to the cost of the damage," Parenty says.
