Can businesses protect themselves from computer crime?

Executive Summary

As fast as Internet use has grown over the past two decades, so too has the cybersecurity challenge for businesses and governments that are fighting to keep their data and networks safe from intruders. Today, they face an unprecedented assault from a powerful global army of sophisticated, well-organized and well-financed hackers who vigilantly seek vulnerabilities to exploit. In the past couple of years alone, these shadowy figures have stolen personal information on hundreds of millions of U.S. customers and employees and have cost enterprises close to $500 billion. With each new device or product connected to the Internet, the possibility of hackers wreaking economic chaos has grown. Despite the mounting threat, most enterprises have failed to implement the kind of rigorous security protocols necessary to keep out even low-tech efforts to penetrate networks. Among the questions being debated: Are companies responding adequately to cybercrime? Should the United States encourage American companies to “hack back” when they think they've been hacked? Can information sharing between businesses and government help fight cybercrime?

Resources

Bibliography

Books

Brenner, Susan W., “Cybercrime: Criminal Threats From Cyberspace,” Praeger, 2010. A law and technology professor traces the emergence and evolution of cybercrime from 1950 to the present.

Jordan, Tim, “Hacking: Digital Media and Technological Determinism,” Polity, 2008. A university professor provides an introduction to the culture of hackers.

Lapsley, Phil, “Exploding the Phone: The Untold Story of the Teenagers and Outlaws Who Hacked Ma Bell,” Grove Press, 2013. An engineer and author chronicles how Apple founders Steve Wozniak and Steve Jobs were among the early hackers who got their start in the technology field by stealing telephone service from monopoly AT&T.

Articles

“Cybercrime will Cost Businesses $2 Trillion by 2019,” Security, May 12, 2015, http://tinyurl.com/q4xdojo. A technology research company says that by 2019, the global cost of cybercrime will top $2 trillion, or almost four times the estimated cost of breaches in 2015.

“Hackers Inc.,” The Economist, July 12, 2014, http://tinyurl.com/jdwamzj. Hackers now work for corporate-like organizations, with an infrastructure allowing them to be persistent and almost unstoppable.

Ashford, Warwick, “Sony hack exposes poor security practices,” ComputerWeekly.com, Dec. 4, 2014, http://tinyurl.com/zw49jjx. A computer-security journalist details how Sony failed to fix problems that led to data breaches.

Boyd, Aaron, “OPM breach a failure on encryption, detection,” Federal Times, June 22, 2015, http://tinyurl.com/zde47hs. A congressional hearing shows that the failure to perform simple updates led to the data breach at the Office of Personnel Management (OPM).

Chacos, Brad, “Meet Darknet, the hidden, anonymous underbelly of the searchable Web,” PCWorld, Aug. 12, 2013, http://tinyurl.com/nxh5ou5. The “Dark Web” has become a playground for hackers of all intentions.

Griffin, Andrew, “Sony hack: Who are the Guardians of Peace, and is North Korea really behind the attack?” The Independent, Dec. 17, 2014, http://tinyurl.com/q56kglo. A politically motivated hacker organization reportedly based in North Korea takes responsibility for hacking Sony Pictures, but some experts believe the group is not working alone.

Groll, Elias, “The U.S. Hoped Indicting 5 Chinese Hackers Would Deter Beijing's Cyberwarriors. It Hasn't Worked,” Foreign Policy, Sept. 2, 2015, http://tinyurl.com/jotp2gz. The United States pressures China to rein in its cyberespionage activities.

Hesseldahl, Arik, “FireEye Identifies Chinese Group Behind Federal Hack,” Re/Code, June 19, 2015, http://tinyurl.com/pcu8te8. Cybersecurity investigative firm FireEye uncovers the group that hacked OPM.

Krebs, Brian, “Email Attack on Vendor Set Up Breach at Target,” Krebs on Security, Feb. 12, 2014, http://tinyurl.com/oab53g7. The security blogger who first reported the hack at Target reveals that the attackers breached the retailer's network through a vendor's system.

Mathews, Anna Wilde, “Anthem: Hacked Database Included 78.8 Million People,” The Wall Street Journal, Feb. 24, 2015, http://tinyurl.com/h59kk5p. Information on almost 80 million customers and employees was stolen from Anthem, the second-largest U.S. insurer.

Moritz, Bob, and David Burg, “How corporate America can fight cybersecurity threats,” Fortune, Feb. 17, 2015, http://tinyurl.com/jhfsxh5. The chairman of PricewaterhouseCoopers and a global cybersecurity leader outline what companies should do to deter hackers.

Nakashima, Ellen, “Chinese government has arrested hackers it says breached OPM database,” The Washington Post, Dec. 2, 2015, http://tinyurl.com/hjluugw. The Chinese government surprises the United States by arresting the people allegedly responsible for the data breach at OPM, indicating that U.S. diplomatic pressure is beginning to yield fruit.

Peterson, Andrea, “The Sony Pictures hack, explained,” The Washington Post, Dec. 18, 2014, http://tinyurl.com/hqn9bql. A timeline of the Sony Pictures data breach.

Riley, Michael, et al., “Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It,” Bloomberg Businessweek, March 13, 2014, http://tinyurl.com/ox6z3sv. Target was warned about suspicious activity but failed to act just before 40 million credit card numbers were stolen.

Schwartz, Mathew, “Report Claims Russians Hacked Sony,” Bank Info Security, Feb. 4, 2015, http://tinyurl.com/z9vkky2. Cybersecurity investigators say Russian hackers also are behind the Sony Pictures hack, working in concert with the North Koreans or independently piggybacking on their efforts.

Townsend, Matt, Lindsey Rupp and Jeff Green, “Target CEO Ouster Shows New Board Focus on Cyber Attacks,” Bloomberg News, May 6, 2014, http://tinyurl.com/gmaah6k. Several high-ranking executives are losing their jobs in the wake of data breaches.

Reports and Studies

“APT1: Exposing One of China's Cyber Espionage Units,” Mandiant, February 2013, http://tinyurl.com/bjnsvjo. Cybersecurity research firm exposes an operation in Shanghai, believed to be part of the Chinese military, that hacked into many corporate and governmental networks in the United States and other Western nations.

“Car Cybersecurity: What do automakers really think?” The Ponemon Institute, 2015 Survey of Automakers and Suppliers, http://tinyurl.com/gul2sx4. An information-security research group surveys automakers, developers and engineers about the role of cybersecurity in the design of software for automobiles.

“Comprehensive Study on Cybercrime,” United Nations Office of Drugs and Crime, February 2013, http://tinyurl.com/bncy969. A U.N. report documents how hacking has become an organized activity, particularly in Eastern Europe, Asia and emerging economies.

“Cybersecurity and the Internet of Things,” Ernst and Young, March 2015, http://tinyurl.com/hfgd3ar. A consulting firm investigates the cyber vulnerabilities posed by the Internet of Things.

“Forewarned Is Forearmed: 2015 Ponemon Institute of Cyber Crime Study,” The Ponemon Institute, http://tinyurl.com/gln32aq. Survey provides up-to-date costs of cybercrime globally and shows the differences among various regions.

“Net Losses: Estimating the Global Cost of Cybercrime,” The Center for Strategic and International Studies, June 2014, http://tinyurl.com/hsfpaca. A national security think tank looks at the difficulty of quantifying the global cost of cybercrime.

“Security in Development: The IBM Secure Engineering Framework,” IBM Redbook, March 18, 2010, http://tinyurl.com/hqxt4yo. In a guide to software engineering, IBM outlines an approach that encourages developers to design with security in mind and anticipate vulnerabilities.

The Next Step

Company Strategy

Sposito, Sean, “PayPal, others buy stolen data from criminals to protect users,” San Francisco Chronicle, Jan. 8, 2016, http://tinyurl.com/h8t3azw. Online commerce company PayPal is among the many firms that pay middlemen or use undercover employees to purchase stolen data from cybercriminals after breaches to determine what types of data were compromised or where information is being sold.

Weinstein, Ira, and Bill Huber, “How the CFO can act as any cybersecurity team's ‘quarterback,’” Baltimore Business Journal, Jan. 12, 2016, http://tinyurl.com/hf77m89. Chief financial officers can uniquely identify and communicate about their companies’ valued assets to information technology staff, allowing for more targeted security strategies, say top managers of accounting and consulting firm CohnReznick.

Cyberwarfare

Behn, Sharon, “Could IS Turn Next to Cyber War?” Voice of America, Dec. 18, 2015, http://tinyurl.com/j2uc4lt. Islamic State hackers would likely be less interested in stealing government agency data than in attacking and disrupting U.S. industrial control systems such as energy and manufacturing structures, according to a former U.S. Defense Intelligence Agency official.

Davenport, Christian, “Raytheon wins $1 billion cybersecurity contract to battle attacks on U.S. agencies,” The Washington Post, Sept. 29, 2015, http://tinyurl.com/qztxgks. The Department of Homeland Security awarded defense contractor Raytheon a $1 billion contract to protect federal civilian agencies from cyberattacks, a growing number of which originated from outside countries in the last year.

Williams, Katie Bo, “US, China negotiating cyber warfare agreement,” The Hill, Sept. 21, 2015, http://tinyurl.com/jz3tz2s. The United States and China are negotiating a code of conduct that would prohibit either nation from launching a cyberattack against the other's critical infrastructures and would generally apply basic international law to cyberwarfare.

Information Sharing

Brandom, Russell, “Congress passes controversial cybersecurity bill attached to omnibus budget,” The Verge, Dec. 18, 2015, http://tinyurl.com/z57dwbf. As part of a larger budget bill, Congress passed cybersecurity legislation that will allow corporations and agencies to more easily share information without being encumbered by privacy laws.

Gregg, Aaron, “Venture capitalists flock to cybersecurity information-sharing platforms,” The Washington Post, Dec. 2, 2015, http://tinyurl.com/zltam2f. Investors are pouring more money into start-ups that develop information-sharing platforms to improve companies’ cybersecurity in hopes that they will profit from funding the next popular cybersecurity service.

Smith, Mat, “The FDA wants improved cybersecurity for medical devices,” Engadget, Jan. 19, 2016, http://tinyurl.com/zdtrkqg. The Food and Drug Administration released draft guidelines encouraging medical device manufacturers to coordinate and share data to reduce cybersecurity vulnerabilities.

Risk Management

Boyd, Aaron, “IG: Energy Department missing mark on risk management,” Federal Times, Nov. 12, 2015, http://tinyurl.com/hbrm9kb. The Department of Energy has been slow to identify which of its information systems should be included in a new risk-management framework and has not effectively classified some of its websites by risk priority, according to a department inspector general's report.

Joyce, Stephen, “Cybersecurity Insurance Explosion Poses Challenges,” Bloomberg BNA, Dec. 22, 2015, http://tinyurl.com/gs3htcc. The cybersecurity insurance industry has seen rapid revenue growth from insurance premiums since 2012 as more companies purchase policies to manage risks, but specialists say the industry still lacks standards for pricing, terms and policy language.

King, Rachael, “Cybersecurity Startup QuadMetrics Calculates Odds a Company Will be Breached,” The Wall Street Journal, Jan. 12, 2016, http://tinyurl.com/zelssua. An analytics company that collects clients’ data to help them manage cybersecurity risks says it can forecast the likelihood of a data breach for the ensuing three to 12 months with at least 90-percent accuracy.

Organizations

Center for Applied Cybersecurity Research at Indiana University
2719 E. 10th St., Suite 231, Bloomington, IN 47408
812-856-8080
http://cacr.iu.edu/
Founded in 2003 to help the United States balance public needs, homeland security concerns and individual privacy rights when seeking cybersecurity solutions and setting policy; organizes the annual National Science Foundation Cybersecurity Summit for Large Facilities and Cyberinfrastructure and provides policy advice to the White House's 60-day cybersecurity review.

Center for Internet Security
31 Tech Valley Drive, Suite 2, East Greenbush, NY 12061 (Northeast Headquarters)
518-266-3460
https://www.cisecurity.org
International organization with 180 members in 17 countries that focuses on enhancing the cybersecurity readiness and response of public- and private-sector enterprises.

Center for Strategic and International Studies
1616 Rhode Island Ave., N.W., Washington, DC 20036
202-887-0200
http://csis.org/
Bipartisan policy think tank that specializes in the study of defense and security, regional stability and transnational challenges, including cybersecurity.

CERT
4500 Fifth Ave., Pittsburgh, PA 15213-2612
412-268-5800
www.cert.org/
Division of the Software Engineering Institute (SEI) at Carnegie Mellon University that coordinates responses to Internet security incidents.

Information Systems Security Association
12100 Sunset Hills Road, Suite 130, Reston, VA 20190
866-349-5818
https://www.issa.org/
International organization of information security professionals that promotes management practices that will ensure the confidentiality, integrity and availability of information resources.

National Cybersecurity Center of Excellence
9600 Gudelsky Drive, Rockville, MD 20850
240-314-6800
http://nccoe.nist.gov
Division of the National Institute of Standards and Technology that provides businesses with cybersecurity solutions, based on commercially available technologies.

National Cybersecurity and Communications Integration Center
Mailstop 0635, 245 Murray Lane, S.W., Building 410, Washington, DC 20598
888-282-0870
www.us-cert.gov/nccic
Division of the Department of Homeland Security that serves as a 24/7 cyber monitoring, incident response and management center; analyzes cybersecurity and communications information, shares timely and actionable information, and coordinates response, mitigation and recovery efforts.

Pew Research Center
1615 L St., N.W., Suite 800, Washington, DC 20036
202-419-4300
http://www.pewresearch.org/
Research organization that has conducted numerous surveys on the public's attitudes on cybercrime and the global cyberthreat.

Ponemon Institute
2308 U.S. 31 N., Traverse City, MI 49686
231-938-9900
www.ponemon.org/
Research think tank dedicated to privacy, data protection and information security policy; has done extensive work documenting the cost of data breaches.

SANS Institute
8120 Woodmont Ave., Suite 310, Bethesda, MD 20814
301-654-7267
www.sans.org
Research and education organization that is the world's largest source for information security training and security certification.

DOI: 10.1177/237455680203.n1