More Cyberattacks or Just More Media Attention?
We've failed to take cybersecurity seriously. Now we're paying the piper
This has been a banner year for high-profile cybersecurity disasters, with no letup in sight. So far, there have been 251 data breaches—a record-setting pace. Sony's PlayStation and Entertainment Networks have been repeatedly hacked, with more than 100 million of the company's user accounts compromised and its online gaming halted for several weeks. A security breach at the Internet marketing company Epsilon resulted in millions of customers' e-mail addresses being taken from about 100 major corporations, including Disney Destinations in the United States and Dell in Australia. A cyberintrusion at Nonghyup, South Korea's main agricultural cooperative, crashed its banking systems for a week and kept 30 million customers from accessing their accounts. Blackmailers broke into the financial systems of Hyundai Capital, accessed the personal details of 1.75 million customers, and then demanded US $460 000 to keep the purloined information from being made public.
Then there are the targeted attacks against security vendors like Comodo and RSA. A hacker fooled a Comodo group affiliate into issuing Internet SSL certificates to some of the world's largest websites, including Google, Microsoft, Mozilla, Skype, and Yahoo. A partially successful attack against RSA's two-factor authentication security product SecurID, which is used by 30 000 organizations around the world, has led to "significant and tenacious" attacks against a number of major U.S. defense contractors, including the world's largest, Lockheed Martin.
There have also been successful cyberintrusions against government computer systems in Australia, Canada, France, and the United States. The Canadian breach caused its treasury board as well as its department of finance to restrict access to the Internet for months, while the breach in Australia apparently allowed access to the personal e-mail accounts of several top officials, possibly even that of Prime Minister Julia Gillard.
So are the number of cyberattacks increasing, or are we just more aware of them? The answer seems to be both.
Data from organizations monitoring cybersecurity activity indicate significant increases in the frequency of attacks over the past five years—especially against government IT systems. Last year British government systems saw more than 650 attempted intrusions per day, while U.S. government systems received 15 000 suspicious hits per day, or about one every 6 seconds. A typical bank like Citigroup, which was breached in May, sees an average of about 30 000 probes a day.
While the cyberattack trend is going up, the impact of these attacks has also increased. This year's cyberintrusions are international in nature, long lasting, and economically material, generating prolonged media attention.
Furthermore, tens of millions of individuals around the world have been made personally aware of many of the attacks. Millions of people, for example, received apologetic e-mails from the companies affected by the Epsilon breach; I received five such e-mails in one week. Social media like Twitter have increased the reporting of these cyberincidents.
No one should be surprised by the number or the magnitude of successful cyberintrusions. The Internet was not built with security in mind.
Regrettably, most IT systems and applications that connect to the Internet were not developed with security in mind either, nor has there been much incentive to do so. A recent survey of cloud-computing providers by the Ponemon Institute, for example, indicates that the majority of providers don't believe security is their responsibility, nor do they see their customers demanding security or being willing to pay for it.
It's important to keep the relative risk in perspective. It will be a while before a cybersecurity incident by itself will be able to create damage on a par with a Joplin, Mo., tornado, let alone a Fukushima tsunami. Right now, as Howard Schmidt, the White House cybersecurity coordinator, says, cyberattacks are just the risk of doing business. Sadly, only when the risk of cyberattacks becomes unaffordable will cybersecurity be taken seriously.
About the Author
Robert N. Charette, an IEEE Spectrum contributing editor, is a self-described "risk ecologist" who investigates the impact of the changing concept of risk on technology and societal development.
This article is adapted from several posts Charette wrote for Spectrum's Risk Factor blog.