Cybersecurity: crimes and consequences
As hacking threats grow in sophistication, here’s a look at what companies are doing to protect themselves and their clients.
Whether it’s Yahoo’s user data, Marriott’s customer lists, highly sensitive credit information held by Equifax, or the federal Office of Personnel Management’s employee records, internet hackers have proven that almost nothing is beyond their reach. “Any person, any company; everybody could be hacked or breached,” says Meredith Amdur, MBA ’03, CEO of Rhetorik, a U.K.-based marketing data analytics company that supplies business customer intelligence to global enterprise technology vendors.
“You can really get philosophical around the Pandora’s box that was opened with the rise of the internet,” Amdur says. “We love all the good stuff. Now we have to figure out: How do we manage it?”
In fact, managing security risks associated with our increasing reliance on digital platforms, mobile devices, and the Internet of Things, or IoT, is a ballooning, high-value industry. Cybersecurity is a major corporate concern, affecting many aspects of a company’s operations and ultimately its bottom line. The cybersecurity market is forecast to climb from $120 billion in 2017 to $300 billion by 2024, according to a report this year by Global Market Insights. Driving its growth is an increase in spending by large enterprises and government organizations. So vast is the threat and so high are the stakes that Jamie Dimon, CEO of JP Morgan Chase, warned in an interview on CNBC that cybercrime could well pose the gravest threat to the U.S. financial system. In his annual letter to shareholders, Dimon revealed the bank allotted almost $600 million this year for cyber defense.
“The risks are persistent and pervasive,” says Jason Hogg, MBA ’02, CEO of Aon Cyber Solutions and visiting senior lecturer of entrepreneurship and innovation at the Samuel Curtis Johnson Graduate School of Management. “Businesses are increasing their touchpoints with their consumer bases and their customer bases through endpoint technologies and digitization. The cost of storage has become minimal, and they’re storing much more data.” That means more valuable personal and business information is floating in the digital world, instead of on printed paper where it can be physically locked up and protected. There’s also been a shift in who the perpetrators are, says Hogg. The lone hacker working out of a basement is being replaced by sophisticated cybercriminal rings and hostile state actors.
Cyber defense requires constant vigilance
“Security continues to be the largest and fastest-growing spend area when it comes to IT,” says Nima Baiati, MBA ’15, head of global security strategy and corporate business development at Lenovo, the world’s largest digital device and PC manufacturer. “I was brought into the company to address this opportunity and challenge.” Specifically, Baiati was tasked with helping Lenovo take advantage of an obvious business opening, developing a strategy that would give its customers a complete security offering beyond what’s included in its hardware. “Whether it’s a consumer purchasing a device for home or college, all the way through purchases for the biggest banks in the world, they want to know how we can help them secure their digital experience.”
Baiati’s “build, partner, and buy” approach has him seeking strategic partnerships with innovative technology companies, finding attractive M&A targets in the security space, and building on Lenovo’s already strong hardware security foundation. “We want to become a trusted adviser when it comes to our customers’ security,” he says. His aggressive plan reflects the urgency of the moment and the risks of being left behind in what’s already being called the cyber arms race. Whether the goal is to destabilize a government, disrupt a business, or steal valuable personal information for financial gain, the digital space offers bad actors the cover and precision that conventional weapons lack.
A 2018 report published by the cybersecurity arm of the Council on Foreign Relations warned that emerging cyber threats could lead to massive economic and societal damage. Among other cases, the report cited the May 2017 WannaCry ransomware attack that crippled hundreds of thousands of computers around the world. The total cost to business, government, and individuals was estimated at more than $1 billion. The cybersecurity firm Recorded Future found that at least 170 county, city, or state government systems in the United States have been attacked since 2013, including hospitals, police offices, and the cities of Atlanta and Baltimore. A Lloyd’s of London report, cited in the same analysis, predicted that a major cyberattack on a provider of cloud services such as Amazon could result in more than $50 billion in losses, similar to those caused by a natural disaster.
As a result, cyber expertise has become a priority in the C-suite and among corporate directors: increasingly, public companies are requiring at least one board member have a background in tech. They’re partnering with outside providers, like Aon’s Cyber Solutions, that offer bundled packages featuring risk assessment, data protection, loss mitigation, and insurance. And they’re sharing more knowledge and best practices across sectors, industries, and oceans. NATO, as just one example, has established the Cooperative Cyber Defense Centre for Excellence, bringing together multinational experts from the military, government, industry, and academia.
“There have been tremendous advances in collaboration,” Hogg says. “Even the most sophisticated Fortune 500 organizations work with outside third parties to assess and test constantly. You see where the threats are popping up and what types of attacks are out there.”
Hiding in Plain Sight
The challenges are limitless and seem almost impossible to overcome. And they’re not only attacking from the outside. “Insider threat is the big one,” says Michael Bruce ’84, MBA ’88, vice president at Leidos and SaaS cybersecurity expert. “A bad actor inside your organization means that person’s already been vetted, credentialed, and is inside your network.”
Guarding against an inside attack requires a different line of defense. Bruce recommends keeping an eye on strange patterns of activity, such as employees logging into the system at odd hours or trying to access systems or data outside their normal range. Outbound traffic can offer other crucial clues, such as information that is being transmitted to unfamiliar places. Some businesses require employees to disconnect from their networks while they are away on vacation. And some prohibit the use of personal phones or other devices on company property.
“Your employees could go home every day with your company’s entire database accessible via their phone,” says Amdur, whose company tracks databases it licenses out and often finds files in the possession of businesses that didn’t pay for them or [that] violate licensing terms. “When we notify them, they say, ‘That’s impossible.’ And we say they probably have an employee who brought it from another company because we can see the origin.”
Businesses, service providers, and device makers are adding biometrics (including facial recognition or fingerprints) and two-factor authentication as extra layers of security. But a lax approach to privilege-granting processes in the workplace is an often overlooked source of trouble. “A common problem in many cases is a new employee joins a company, and IT gives them access to a system which they frankly do not need access to,” Baiati says. “Even if that employee is trustworthy, he or she can be breached or phished, and from there an attacker can move laterally in an organization and escalate their privileges.”
The increasingly decentralized nature of the workplace complicates matters even further. That’s obvious the minute you walk into any urban coffee shop during a weekday, where tables are filled with people using their own personal devices and logging into a public Wi-Fi system to communicate with their employers or access the cloud remotely. “If you’re using Starbucks Wi-Fi, do you really know if it’s Starbucks or someone who’s created what’s called a ‘Wi-Fi pineapple’?” asks Baiati. A Wi-Fi pineapple might show up on your Wi-Fi list as Starbucks (or another legitimate network), but in reality it’s a rogue access point that enables an attacker to intercept all of your information. And Baiati is one of an increasing number of experts, including the FBI, warning that our cellphones are likely to be the next big target. “The largest gap we have in security today is on mobile devices,” he says. “Whether you’re a consumer or an employee, a lot of our digital experience is through them. That’s a tremendous area to redress.”
Your Phone, Your Car, the Power Grid
And then, there’s the Internet of Things, or IoT: Thanks to the increasing level of interconnection between the internet and physical devices or objects — such as our cars, refrigerators, or light fixtures — we may be at risk without even intentionally accessing a network. “The IoT doesn’t just mean your phone or your PC,” says Bruce. “Your Tesla is on the internet. The traffic light camera is on the internet. The RFID for tolling and the GPS on your phone and FitBit.” And because they are all on the internet and can be accessed remotely, all of these “things” are now potential targets — for a marketer who wants to know how you spend your time, for example; or worse, for a criminal who wants to harm you, or a hostile nation that wants to cripple your infrastructure. “What if I hacked into your Tesla and changed the self-driving feature so you couldn’t stop at the stop sign?” Bruce asks, before drawing another terrifying scenario. “What if I hacked into the online monitoring system for a dam, and now the dam that should have been opened isn’t opening, and it causes a major flood or the dam breaks?”
In fact, it’s already happened. Several years ago, members of Iran’s Islamic Revolutionary Guard Corps hacked into the computerized controls of a small dam in Rye Brook, N.Y. With remote access, they should have been able to release water from behind the dam, but their plans were stymied by a sluice gate that had been manually disconnected for maintenance. “Power grids, medical systems, supply chains — those attacks are typically from very sophisticated criminal enterprises or nation states,” Bruce says.
Preparing for 2020
As we learned after the 2016 elections, voting machines and digitized voter data are also tempting marks. With confirmation that hackers managed to breach several local voting systems, and as yet no coordinated national security plan for 2020, experts are raising urgent concerns. “The presidential election is particularly vulnerable to the problem of targeted interference,” says Bryce Corrigan, a lecturer in Cornell’s Department of Government, whose research interests include statistical methodology and campaigns and elections. One of his classes, Win, Lose or Cheat, looks at the normative standards for judging elections and the statistical detection of fraud. “To actually hack a U.S. election is to hack thousands of local elections under close scrutiny, and that’s really hard to get away with,” Corrigan says. “It’s much more likely that really small-scale efforts succeed, then that’s amplified by the media and people become even more distrusting of government and the process itself.”
While there may not be a nationwide battle plan, Corrigan is reassured by activity at the local government level, where he says officials are taking the threats seriously and working on addressing them, and in the private sector, where Microsoft recently unveiled an end-to-end encryption system for ballot tracking and vote verifications. The free, open-source software development kit, called ElectionGuard, will be available to election officials and election technology suppliers in the United States and elsewhere. “I do think that technology is one of the short-term answers, since we’re unlikely to see a lot more public money allocated to solving this problem at present,” Corrigan says. “Microsoft is a bright spot, and I expect we’ll see others try to create competitive systems.”
Indeed, if there’s any good news in this anxiety-provoking picture, it’s that government, private enterprise, and individuals are mobilizing. Device-making giants like Lenovo are working to ensure that their hardware manufacturing and supply chains are secure from end to end. SaaS platform providers such as Salesforce, Azure, Google, and Amazon offer their own security controls, enabling companies like Meredith Amdur’s Rhetorik to rely on their solutions and not have to worry about creating their own systems. “You set yourself up in business, you go through your checklist,” Amdur says. “Who’s my IT vendor? Do I have data security? Do I have endpoint security? Do I have HR software? Do I have CRM software? You can literally set it up in a day, though it still requires constant diligence.”
And owners of smaller businesses — who may have the most to lose if they are attacked — can hand off the security burden to an outside consultant. “There are resellers making millions of dollars selling stuff,” says Aon’s Jason Hogg. If they don’t have the right security plan in place, one ransomware attack could shut them down. “The nice thing is there are turnkey solutions so you don’t have to be an expert,” Hogg says. “Assess where the holes are, what it costs to remediate those risks compared to what would happen if you left those risks exposed, then have a plan to mitigate it.”
Calls for federal regulation over data privacy have increased in the wake of a couple of high-profile scandals, including Facebook’s failure to prevent Cambridge Analytica from collecting information from millions of its users and then bombarding them and their friends with targeted political messaging. Several congressional committees and the Federal Trade Commission have held hearings on the issue. And in February 2019, after consulting with some 200 organizations, the U.S. Chamber of Commerce released its own model privacy legislation. “Voluntary standards are no longer enough,” the Chamber concluded. “It’s time for Congress to pass a federal privacy law.”
The United States already lags behind Europe, which enacted its General Data Protection Regulation last year; and California, where the state’s stringent California Consumer Privacy Act will take effect next January. Both pieces of legislation aim to give individuals much tighter control over their data, including how it’s collected, what’s being stored, and how it’s used once it’s been surrendered. And both are already impacting how some U.S. companies handle customer data, including by updating privacy notices, increasing data privacy budgets, and hiring data protection officers.
Strict oversight is already a fact of life for Meredith Amdur’s Rhetorik, based in the U.K. As a business that services the direct-marketing industry across Europe, the Middle East, and Africa (EMEA), Amdur says Rhetorik is “bound and obliged to live and die by the rules. All of our processes are audited, and that includes having the right security and data privacy measures.” Even though her company functions in the B2B space and collects business-pertinent rather than personal data, Amdur says the approach to privacy is still very careful. “A lot of the data we collect has nothing to do with individuals. It’s [about] companies and their purchasing behaviors. It’s not really protectable, but if a company says they don’t want to be in our database, we’ll take them out.”
It’s unclear whether Europe’s regulations will ultimately lead to similarly stringent controls over data management practices in the United States, according to Vitaly Shmatikov, professor of computer science at Cornell Tech and an international expert on data privacy and security. While most technology companies have come out in favor of federal legislation, some argue in favor of a more business-friendly framework that would allow users to decide how much privacy control they want to exercise.
“The internet privacy landscape is evolving, if ever so slowly, toward greater transparency and accountability, so I expect users will be able to learn more about what’s happening with their data,” Shmatikov says. “Gatekeeper companies like Google, Facebook, and Twitter are already making it significantly harder for third parties to gain direct access to user data, so this should mitigate some of the disinformation campaigns we saw in 2016.”
While federal legislation will provide some guardrails, Shmatikov cautions no law can guarantee complete protection. “But that’s okay. It’s a matter of mitigating the most serious risk and finding the right tradeoff between individual privacy and technological innovation,” he says. “As a society, we have to adjust to living in a post-privacy world.”