The year 2017 has seen a paradoxical evolution in cybersecurity threats. On the one hand, large, shocking breaches seem to be on the rise, such as the Equifax intrusion that compromised 143 million Social Security numbers. Massive damages have also been seen at the likes of FedEx and container shipping firm Maersk, both of which said attacks by the NotPetya ransomware would cost them up to US$300m.
Toppan Vintage, a trusted financial printing and communications company, in partnership with Mergermarket, is pleased to present the newest edition of M&A Pulse newsletter. This newsletter features responses from US-based senior corporate executives who shared their insights on the new age of cybersecurity.
Toppan Vintage question: Data breaches such as that of Equifax have become increasingly common across sectors and geographies. Do you think hackers are becoming more sophisticated, or are companies’ systems more vulnerable? Or both? Leading experts weigh in...
According to David Hickton, Founding Director, University of Pittsburgh Institute for Cyber Law, Policy, and Security, it is always easier to play offense in this space than to play defense. That's part of the problem – purposeful, determined hacking will always have an advantage over a strong defense, because the environment is open by definition.
The second thing is that hackers are resilient. They adapt like a virus. You could see this in the cases I tried as US Attorney for the Western District of Pennsylvania: if you look at Evgeniy Bogachev, my indictment of him was for the Zeus 3.0 botnet, which means there were a couple of other versions before that. Zeus 1.0, for instance, was indicted in Nebraska in 2007.
So we need to treat the threat as a systemic risk to our communications. We can take steps today to address it, whether it's dual-factor authentication or segregating data or using encryption correctly. We need to look at the great work being done on security issues as well, such as the Cybersecurity Framework created by the National Institute of Standards and Technology (NIST) in 2013.
According to Ted Augustinos, Partner, Locke Lord, there’s no question that the threat landscape continues to evolve with increasingly sophisticated attacks. While defensive technologies, strategies, and techniques are also developing, and more and more companies are improving their cybersecurity profiles, the increased connectivity of systems and availability of data does increase vulnerability.
In other words, more companies are getting better at cybersecurity; but even if they kept up with the developing threat environment, they would be increasingly vulnerable as a result of the growing connections at most companies among people, systems, and data. For example, companies are increasingly expanding their technology infrastructure by implementing connected devices, expanded remote access and internet capabilities, and new relationships with third-party service providers. All of these and more represent additional vulnerabilities.
Devika Kornbacher, Partner, Vinson & Elkins, weighs in: I would agree with Ted and say it’s both things. As far as the vulnerability of company systems, more and more companies are using tools such as open-source software, which was the point of vulnerability in the Equifax breach. As the use of open-source software and similar "open" tools increases, vulnerabilities will increase if a company is not diligent about installing updates and patches.
And as far as the sophistication of the parties that are doing the "hacking," I would say that even just five years ago, many cyber-attackers were just like common thieves. They would look for the door that was easiest to get into and go through that door. Their thinking was, "I'm going to attack points where there's not a lot of resistance." Now, there are people whose full-time job is to hack particular institutions.
And it's not, "[Knock knock] – oh wait, the door didn't open, let me go to the next door." It's, "[Knock knock – wiggle the door knob – try to get the hinges off] – okay, let’s go get a battering ram." So I do think it's a combination of that increased vulnerability and the change in the mode of these cyber attackers that has allowed these huge breaches to occur.
According to Michael Coden, Head of Cyber Security Practice, BCG Platinion (The Boston Consulting Group), cybersecurity is a risk – it's not a whole lot different from the risk of an earthquake or some other natural disaster, or an epidemic. At a bank, for instance, they do credit risk analysis. And cyber risk needs to be elevated into that kind of business thinking; businesses have to make preparations. We conduct cyberattack simulations for companies as part of our consulting practice that are basically like fire drills.
There is a lot of confusion at many companies, because it was historically thought that cyber risk was an IT risk. It's only in the last year or two that it's really become obvious that this is an existential business risk. It's probably the one risk that can put an entire company out of business. Just in the last five months, hundreds of companies suffered billions of dollars in lost revenue when their entire operations were shut down by the WannaCry and NotPetya attacks. In 2012, a similar malware attack on Saudi Aramco destroyed an estimated 35,000 computers in 45 minutes. Too many companies thought “it could never happen to me.” Now, five years later, it has.
There are very creative criminals out there who sell "malware as a service," complete with help desks and warranties. Moreover, billions of dollars are being spent by nation states on developing and stockpiling cyber weapons. It used to be that we had the navy for sea, the army for land, and the air force for air; then, space became a military command. Now, in every major country's military system – Russia, China, the United States, Iran, and North Korea, as well as probably all our European allies – there is a cyber command with both offensive and defensive parts.
There is a fascinating issue that BCG is working on with the World Economic Forum about what the public-private partnership needs to be in cyberspace. For instance, if some nation state were to send an airplane over your factory and try to bomb it, the United States Air Force would shoot it down. But in cyberspace, it's just not that easy. We’re trying to figure out how the government could help in equivalent situations like that.