Yesterday, C. Frank Figliuzzi, the head of the U.S. Federal Bureau of Investigation's counterintelligence division, testified [PDF] that based on the FBI's pending case load, "economic espionage losses to the American economy total more than $13 billion" and that the threat, which is coming from foreign governments, corporations, hackers and insiders, is growing. In his testimony to the Intelligence Subcommittee of the House Homeland Security Committee, he indicated that one primary cause has been the continuing global financial crisis.
Figliuzzi said that:
"With each year, foreign intelligence services and their collectors become more creative and more sophisticated in their methods to undermine American business and erode the one thing that most provides American business its leading edge; our ability to innovate..."
"What we're seeing is that foreign nations and their intelligence services are understanding more than ever before that it's cheaper to steal our technology than to use their budget resources in this time of economic crisis to develop it themselves."
Figliuzzi also told the Los Angeles Times that while the FBI and others are becoming better at identifying who is behind electronic espionage, there is still no consensus on what to do once a culprit is identified. "That's a big question," Figliuzzi was quoted as saying. Given previous history, it won't likely be answered anytime soon.
Of course, it doesn't help matters when U.S. companies illegally sell banned software to foreign countries, like United Technologies admitted to doing. The software helped China develop its first modern attack helicopter, according to Reuters. United Technologies paid only a $75 million penalty for doing so, which is paltry considering that the company makes $58 billion a year and that it deliberately sold the software to gain economic favor with the Chinese government. The cost to the U.S. military is hard to quantify, but it is probably a lot higher than $75 million.
Another thing that doesn’t help is the IT security carelessness of employees. Even at the U.S. Department of Homeland Security, where employees really should know better, the Inspector General found that they routinely log onto DHS networks with unapproved electronics including e-readers, thumb drives, MP3 players, GPS units, external drives, etc., and regularly fail to encrypt sensitive information on their government-issued Android devices, according to Government Executive magazine. Gov Exec goes on to say that the DHS officials claim that "they have no way of stopping personnel from hooking up devices to their workstations" and that they try "to block the electronics from the network by distributing only government-procured devices and by educating employees not to use such [unauthorized] devices on government computers."
It doesn’t look like the IT security education is sticking very well.
Of course, the $13 billion figure for economic espionage given by Figliuzzi is only an educated guess since corporations are often loath to reveal that they have been hacked. That may change soon, if Sen. Jay Rockefeller, chairman of the Senate Commerce, Science and Transportation Committee, has his way.
As you may recall, last year the U.S. Securities and Exchange Commission (SEC) Division of Corporation Finance issued guidance "... regarding disclosure obligations relating to cybersecurity risks and cyber incidents." The SEC wants public companies to disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky.
However, the requirement isn’t mandatory, and there are enough loopholes in the guidance that most companies can safely ignore it. What Rockefeller wants, according to the Associated Press, is for the SEC to make it crystal clear when public companies must disclose breaches as well as tell investors what they are doing to keep cyber threats at bay. It is too soon to tell whether he will be successful, but I think it is a long overdue requirement.
Contributing Editor Robert N. Charette is an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Along with being editor for IEEE Spectrum’s Risk Factor blog, Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.