The Cost of Cyberattacks 

 
Download Article Article in Digital Form

At the end of a previous article, I passed along a question asked by a correspondent with regard to the inhibitors to effective security: “Are there other explanations (to poor security) that we are not exploring?”1 In response, I received a message from Daniel Tan in Kuala Lumpur, Malaysia. Tan made the point that “the key issue lies in the difficult task of quantifying the true cost of an information breach.” As difficult as it may be, there have to be sources of information. The most widely quoted figures come from the Ponemon Institute. Its most recent survey on the cost of data breaches that I am aware of was released in 2011 with data gathered in 2010. The report states that:

Actual costs varied widely by country, but last year’s relative rankings remained unchanged. The US had the most expensive average cost of US $7.2 million. Germany came in second with US $4.7 million. The United Kingdom and France had nearly identical average costs at US $3.1 million apiece. Australia had the cheapest average cost of US $2 million.2

Now, US $7.2 million is a lot of money and US $2 million is still a lot. But in the great scheme of things, any organization that had enough capital tied up in data to lose that much money could probably withstand the financial impact of a loss of that magnitude. However, I submit that considering the cost of an information breach on individual organizations misses the most frightening point: What would be the cost of an attack that targeted an entire economy?

Let me say right here that I have no specific answer. But I do not think that the issue is an idle or hypothetical one. Without delving into the question of who wrote and released the Stuxnet worm, it is clear that it was intended to cause damage to Iran’s nuclear capabilities and that it was effective in doing so.3 Worse yet, an element of Stuxnet accidentally became public in the summer of 2010 because of a programming error that allowed it to escape Iran’s Natanz plant and sent it around the world on the Internet.4

What Would a Cyberattack Look Like?

So, from a purely financial standpoint, what would a widespread cyberattack look like should it be broadly targeted on the economy of an entire nation?

In trying to anticipate the moves of economic cyberwarriors, I would expect them to start by cutting the sinews that hold together commerce. In a digital sense, that would mean taking down the Internet. The decentralized nature of the Internet makes this particularly difficult to achieve on a wide scale, although local outages could be quite devastating. However, the features of the Internet that make it useful are more vulnerable. I am referring specifically to a so-called Domain Name System (DNS)5 bomb, which evidently is not just a theoretical threat. The US Federal Bureau of Investigation (FBI) recently announced action against a class of malicious software (malware) called DNSChanger, which changes a computer’s DNS server settings to direct World Wide Web searches to rogue servers operated by an attacker. The FBI stated that it had, in fact, uncovered a network of rogue DNS servers and has taken steps to disable it.6

Were such a DNS bomb or other malware to become widespread, e-commerce would come to a halt. Even assuming that it could be cleared away in a day, it is quite likely that many more organizations would lose much more than the US $7.2 million reported by the Ponemon Institute. Just to give a hint of the potential economic impact, if only 1,000 organizations lost only(!) the Ponemon figure, the losses could be more than US $7 billion in just one day.

It is even more likely, to my mind, that cyberwarriors would attack the central nervous system of an economy, those institutions that enable the flow of money and goods that keep society running. These would include central banks, clearinghouses, centralized freight tracking systems and air traffic control systems. If banks could not transfer funds and transportation systems could not move merchandise, the cost would be incalculable.

To give some idea of the scale of the potential cost, just one institution, the New York Federal Reserve Bank, in just one of its fund transfer activities, the Commercial Automated Clearinghouse, has a daily volume of 41.2 million items totaling US $70.9 billion.7 It would be crippling if none of that money could move.

Dealing With the Reality

Even though cyberweapons have apparently been used, there is still time to protect a nation’s critical infrastructure of systems and data. The first step is to accept the reality of the threat: Cyberweapons are real; cyberattacks are real; cyberwarfare is a distinct possibility. With that understood, information security in the commercial sector is a societal priority in all nations. And in fact, organizations have had countermeasures at hand for quite some time, so there is nothing really startling in my suggestions for protection:

  • The primary locus of cyberattacks is an operating system. So as security patches are released they should be disseminated and applied as quickly as possible.
  • Intrusion detection and prevention systems (IDPS) identify possible incidents, log information about them, attempt to stop them and report on them to security administrators.8 If there is any one safeguard that is intended to protect against cyberattacks, this is it. Even accepting the cost of implementing IDPS on all platforms, I see these tools as essential for those institutions that are central to a nation’s commercial infrastructure.
  • Firewalls are hardly new security devices, but they are only as good as the rule sets that determine what will be allowed to pass through a protected perimeter. Organizations, especially if they are probable targets, should review and tighten their rules. Then, they should enforce the rules, not lowering the firewall to the point that it really does not offer protection against a concerted attack.
  • Recognize the potential to transport cyberweapons via USB drives. Evidently, the initial version of Stuxnet was spread just that way.9 These drives should be kept away from critical systems.

There is one factor that may inhibit the use of cyberweapons. In the First World War, the Central Powers deployed mustard gas on the Western Front. It was deadly, but its effectiveness was limited by the fact that the gas could blow back on the attacker’s own troops. In the same way, a cyberweapon once unleashed is very difficult to control. Just as Stuxnet replicated itself all around the world, so any entity that might use a cyberweapon might well find it turned on itself.

This is scant comfort, but this article was not intended to provide much comfort. To return to Mr. Tan’s email, he also remarked that “cyberattacks are truly a serious topic that needs to be handled with the utmost priority. Like all other risk that has to be managed, every organization should integrate the risk of cyberattacks into its mainstream risk management program so that the issue will be handled with the appropriate gravity and sensible consideration. A more sober and rational approach devoid of hype will actually improve the information security posture of most organizations and should eventually lead to more robust defenses.”

Endnotes

1 Dormer, Stan cited in Ross, Steven J.; “This Should Not Be Happening,” ISACA Journal, USA, vol. 3, 2012,
2 Ponemon Institute, “2010 Annual Study: Global Cost of a Data Breach,” 2011, Symantec Corporation, p. 2
3 The Independent, “Iran’s Nuclear Agency Trying to Stop Computer Worm,” UK, 25 September 2010, www.independent.co.uk/news/world/middle-east/irans-nuclear-agency-trying-to-stop-computer-worm-2089447.html
4 Sanger, David E.; “Obama Order Sped Up Wave of Cyberattacks Against Iran,” New York Times, 1 June 2012
5 US Federal Bureau of Investigation defines DNS as “an Internet service that converts user-friendly domain names into the numerical Internet Protocol (IP) addresses that computers use to talk to each other.”
6 Federal Bureau of Investigation, “DNSChanger Malware,” USA, 2011, www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf
7 US Board of Governors of the Federal Reserve System, “Commercial Automated Clearinghouse Transactions Processed by the Federal Reserve—Annual Data,” www.federalreserve.gov/paymentsystems/fedach_yearlycomm.htm
8 Scarfone, Karen; Peter Mell; Guide to Intrusion Detection and Prevention Systems (IDPS), Special Publication 800-94, National Institute of Standards and Technology, USA, 2007, p. ES-1
9 Op cit, Sanger

Steven J. Ross, CISA, CISSP, MBCP, is executive principal of Risk Masters Inc. Ross has been writing one of the Journal’s most popular columns since 1998. He can be reached at stross@riskmastersinc.com.


Enjoying this article? To read the most current ISACA Journal articles, become a member or subscribe to the Journal.

The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.

© 2012 ISACA. All rights reserved.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.