“Cybercrime is a growth industry. The returns are great, and the risks are low.”
“Net Losses: Estimating the Global Cost of Cybercrime,”
McAfee and the Center for Strategic and International Studies, 2014
Are you a good witch, or a bad witch?
We know from The Wizard of Oz that witches come in two types: good and bad. (Pretty simple.) And from physics we know that elementary quantum particles come in varieties of flavours — twelve in all, six for leptons and six for quarks. (Okay, a bit more complicated.) It turns out that hacking has its own colorful taxonomy with a degree of difficulty somewhere in between two and twelve.
White Hat Hackers
The Glen Fords and Henry Fondas of cybersecurity: computer experts who play the role of hacker on behalf of a company to expose system vulnerabilities before they can be detected by real criminals or malicious invaders. For instance, Apple recently announced that it would be paying “bounties” anywhere from $25,000 to $200,000 to hackers who could detect critical and crucial vulnerabilities in the company’s software. Ironically, Apple earlier had denied FBI requests for assistance in a criminal case that it unblock access to its iPhone. Frustrated by Apple’s stonewalling, the FBI paid $1 million to its own hackers to find a “back door” into the iPhone state-of-the-art privacy protocols (which they did, and apparently rather more easily than Apple might have expected).
Black Hat Hackers
Exactly: these guys are the opposite of white hat hackers. Their motive for breaking into your system is almost always monetary. Show me the money! By the way, there is an entertaining and highly instructive scene in The Wolf of Wall Street when the FBI is closing in on Jordan Belfort, the brilliant rogue trader played by Leonard DiCaprio; they meet on his tricked-out yacht, and the FBI agent concedes to being impressed by the ostentatious display of wealth. He seems to epitomize the cliché of the very small fish. Belfort grills the agent on his salary and snottily reminds him that he could never afford anything like a yacht on what he is paid. It’s a classic standoff: on one side is the FBI; it has the authority. On the other is Belfort; he has the big money. So who has the real power? The upside moral of this classic American story or rags to riches to rags is that crime pays (up to a certain point). And it pays big.
Well, the web is the new Wall Street but this is different because the game is global and hundreds of billions of dollars of confidential assets and proprietary data is (almost literally) up for grabs to whichever cybercriminal is smart enough and clever enough to steal. It’s where the real money is. And for every Henry Fonda out there fighting for truth, justice, and fair play there will be five, ten, or two hundred Jordan Belforts who couldn’t care less about the morality or the ethics: they want the money and they don’t care how they get it or who (or what) gets trampled in the process. The list below is in relative order of posed magnitude of threat. Meaning, even the least sophisticated cyberattack can do you or your company a world of hurt.
As the name suggests, this group is less interested in purely monetary rewards than in the visceral thrills of inciting fear, terror, mayhem, chaos, and even bloodshed. The attack could be motivated by social, religious, political, or other ideological beliefs, and that is a reason cyberterrorism is so difficult to defense against. The threat could be anything and directed at any one at any time. The world runs on software and the goal of the cyber terrorist is to forcibly bring the world — or at least critical parts of it — to a crashing halt. The self-aggrandizing image of the cyberterrorist as all-powerful is directly proportional to his demonstrating his adversary’s weakness.
Experts tell us to imagine a Pearl Harbor attack only digital. The target could be anything: a military, law enforcement or other high-ranking intelligence or security agency; telecommunications, power grids, air control systems, airport and harbor, bridge and tunnel facilities, and so on. The basics of a nation state attack are that it is originated and executed by entities working for and with the approval of a government essentially against another government. The FBI accused North Korea, for instance, for the massive email hack of Sony Pictures Entertainment a couple of years back, and this year Russia is suspected of being behind the hacks that embarrassed the Democratic National Party on the even of its convention.
For reasons we will discuss further later, the hacking by one company on a rival may end up having the greatest overall financial threat in the years ahead; not only in terms of overall losses to the economy but losses in opportunity and innovation. As bad as it may be, the loss of financial assets can be measured and steps can be taken to recoup and recover; the same cannot be said of the theft of intellectual property or of missed opportunities. What we are talking about here is any kind of hack targeted at stealing trade secrets or confidential information whose disclosure represents a significant opportunity loss for a company. Data is not the only tradable commodity when it comes to the costs of cyberattacks: one of the costliest is theft of intellectual property. The theft of Irreplaceable IP assets, however, can be extremely difficult to detect and even more difficult to monetize. For the really smart and sophisticated hacker, IP is where the money is.
Hacker meets activist. Pretty much any individual or group that uses the Internet to digitally avenge a business, institution, or government entity for what it perceives to be an unfair, unjust, ethical or moral or economic activity or position. The great news for the hacktivist and his ideological fellow travellers is that hacking can create a massive amount of chaos for a modest investment and basically from a remote and protected “sitting position.”
The bad news for the person or company hacked is that you simply have no idea who is upset with you, why, when they will strike, or how. For instance, one would not have been wrong to assume that the hackers who breached the cheating website Ashley Madison (see below) and demanded it be shut down were defenders of traditional marriage. Not so much, it seems. In fact, the cheating and deception that so much upset the hackers was not the infidelity associated with cheating on a spouse but a case of simple false advertising: the site was charged with fabricating hundreds of fake female profiles. In other words, it’s okay for an individual to cheat on a spouse, but not okay for an on-line cheating-facilitation service to cheat about who is available to the individual to cheat with? Again, the reason doesn’t have to make sense and that is the reason everyone needs to be alert: it doesn’t matter if you don’t think you are a target; what matters is that all it takes is just one person “out there” to decide you are a target and turns you into the victim.
The cost of the hack often goes beyond the hack itself, as well. The hacktivist employs the language of the morally or ethically self-justified; having your company portrayed as the “bad guy” can have residual and costly consequences for your brand. When hackers breached Ashley Madison they threated to dump personal data of from 30 million users unless the site was shut down. The company was rocked to its core by the hack; no asset had more value to the company than customer privacy and anonymity. Despite its morally challenged business model, the company had no choice but to attempt to position itself alone on the moral high ground: “This event is not an act of hacktivism, it is an act of criminality. It is an illegal action against the individual members of AshleyMadison.com, as well as any freethinking people who choose to engage in fully lawful online activities. The criminal, or criminals, involved in this act have appointed themselves as the moral judge, juror, and executioner, seeing fit to impose a personal notion of virtue on all of society.”
Did it work? It’s too early to tell. But we do know that the company has two new executives, a new name, losses in the millions, the threat of class-action lawsuits and even in it most recent incarnation still faces and investigation by the FCC.
This is the least experienced and least sophisticated class of hacker. Essentially, script kiddies use software they don’t have the talent, experience, and know-how to build on their own mostly to harass victims purely for the cheap thrills. On the other hand, it’s you who ends up paying.
More a motive than a method, revenge hacks often originate with an angry or unhappy employee (former or current) and are a serious business. In fact, many business leaders and security experts agree that a disgruntled employee can pose a greater corporate risk than an outside hacker (even an outside hack from a “well-funded, external criminal organization”). Almost 30 percent claimed their “top concern” was insider threats but only 6 percent said it was hackivists and about 14 percent were worried most about hacks for profit. Why so much concern about insiders? It could be the long-term damage to a network system and widespread service disruption from a revenge attack by an insider familiar with a company’s structure, as well as the threat of loss of intellectual property. In other words, an insider knows his or her way around your network. Another obvious source of concern is that unhappy employees are “mules” for criminals who will pay for access into the network.
A disgruntled studio employee is suspected as the source of the Sony Pictures cyberhack, and most recently a former French Navy officer is suspected of leaking 22,400 pages of top-secret design and operations plans for six Scorpène-class diesel-electric submarines that cost almost $40 billion. “It looks like a case of hacking,” authorities said.
More concerning than the theft itself is the timing: the stolen data surfaced in 2016 with an “unknown and unnamed” company in South Asia, but authorities now have reason to believe the naval officer stole the data in 2011 and there is no way to determine how many parties have been privy to the plans between then and now.
A revenge cyberhack is a stark reminder that while it may be true that a business has walls high and strong enough to defend itself from an outside attack, it’s the potential bomb under the desk that is the real worry.
Please reach out to me by email (arodov at qaconsultants.com) or via LinkedIn.
Alex Rodov is the Founder and Managing Partner at QA Consultants.