Arms trading is as old as recorded history. Whether it was bows and arrows, swords, or rifles, entire countries have lived and died (sometimes literally) by their access to and profits from the sale of weaponry. Sometimes these sales produce sad ironies --- American Hiram Maxim, inventor of the first real machine gun, found his most reliable customers in the German and Russian armies, not the American military. At other times, sales of arms are more about political influence and strategy.
C.J. Chivers in his excellent book “The Gun” notes how the sale of the AK-47 was as much about extending Soviet influence as it was about making a ruble or two. A consistent element, however, in arms trading over the past 100 years was that sales of truly destructive weapons (tanks, guided missiles, attack aircraft, etc.) was a fairly controlled process. Less-developed nations had to rely on more powerful countries to acquire true state of the art weaponry, as their only other choice was to buy used or inferior copies that would not ultimately do the job.
Today, sadly, the situation is very different thanks to the explosive emergence of cyber attacks. Thanks to thriving cyber black market, individuals and governments alike can engage in incredibly sophisticated cyber attacks that steal valuable information or, worse yet, cripple critical systems. The challenge in all of this is the math -- the cost of engaging in cyber attacks is becoming unfathomably low, while the cost of defending against those attacks grows inexorably more expensive.
Until we find a way to rebalance that equation, the cyber problem will only grow.
One thing we know for sure is that cyber attacks are expensive, even if their true cost is at issue. The Center for Strategic and International Studies has said that the true cost of cyber-attacks is near impossible to accurately capture, and so it offers a broad range of somewhere between $25 billion and $140 billion, with $100 billion being a consensus figure among its experts.
The C-suite is rapidly recognizing these costs and the associated peril. Lloyd’s of London recently released its biennial Risk Index, which assesses corporate risk priorities and attitudes among business leaders across the world. Based on a global survey of 588 C-suite and board level executives it found that cyber risks were the No. 3 worry in that group, falling just behind taxes and loss of customers. This was a massive leap from its previous positions of 12 in 2011 and 19 in 2009.
The cost of cyber attacks isn’t the real problem, however. What really should make us all uneasy is how cheap cybercrime is becoming. McAfee recently released a report entitled “Cybercrime Exposed” and it is a more terrifying read than anything you will find in the horror section.
McAfee described four “cybercrime as a service” categories: (1) Research — which involves seeking out (whether legally or illegally) and selling previously undiscovered cyber vulnerabilities; (2) Crimeware — this is the identification and development of the exploits and ancillary support materials for attacks; (3) Cybercrime Infrastructure — this gives attackers methods to deliver their attacks, and (4) Hacking — the name says it all, hackers for hire.
The most disturbing part of this cyber-underworld is the associated costs. “Research” services can provide anyone with a “zero-day” exploit. A “zero-day” exploit is one where a previously undiscovered software or hardware vulnerability is discovered, allowing the creation of a custom-made attack that will not be detected except by the most sophisticated of cyber security tools, if at all. One would think should devastating attacks would cost more than a mere $5,000 to create, but that’s the starting number.
Crimeware is similarly cheap, as harmful files can be rented for $150 a day. Alternatively, for $30 a month individuals will regularly check malware against major antivirus vendors’ solutions. For the plain lazy you can hire someone take down a website for $2 an hour (Paypal and wire service transfer accepted, of course). If all else fails, stolen credit cards can be had starting for $15 in order to conduct shopping sprees that would make a Kardashian blush.
So, the math is bad here. Really bad. Those numbers reflect the very definition of asymmetric cyberwarfare. Should we raise a white flag? Hardly. First, the C-suite and boards need to start enforcing common sense cybersecurity measures. Simple solutions, like stronger passwords, could stop upwards of 80% of cyberattacks. Other small steps include reminding people that if you find a USB “flash drive” on the ground, don’t use it. They are the dirty needles of the information technology world, yet people cannot resist plugging them in when found.
Another suggestion making the rounds is companies going on the cyber “offensive”, whereby companies strike back against the individuals and machines attacking them. Such tactics are of dubious legality, however, and more importantly a company runs the risk of raising the ire of the attacker, often a very sophisticated criminal organization or even a nation-state. That calls to mind a comment made by Field Marshal Bernard Montgomery, who at the end of World War 2 was told that Wermacht troops were asking only to surrender to American or British troops, as falling into Russian hands would lead to unpleasant outcomes. "The Germans should have thought of some of these things before they began the war,” Monty replied, “particularly before attacking the Russians."
There is no escaping the reality that the consequences of cyber attacks are costly, on the rise, and uncomfortably cheap to conduct. It is more important than ever then for companies – especially at the C-suite level – to become knowledgeable cybersecurity consumers. Defensive plans have to be implanted, as to do response plans for when the inevitable successful attack. Such efforts are not folly – shareholders and investors are getting smart about cyber threats, and if a company has a porous information technology system, the odds of someone doing business with you is going to significantly decrease. So, beware the cyber math, and act accordingly.
Brian E. Finch is a partner Dickstein Shapiro LLP and an adjunct professor at The George Washington University Law School. He can be followed on Twitter at @BrianEFinch.