The 60 Minutes feature titled "Swiping Your Card" and the alleged North Korean attack against Sony have brought cyber risks into sharper focus than ever before.
60 Minutes outlined the trail a credit card swipe can take to the dark side of the Web where an active market in stolen account information exists. In addition to theft, cyber attacks can be launched for political reasons. Most recently Sony claims its servers were hacked "in apparent retaliation for the Kim Jong-un baiting comedy The Interview," reports The Guardian.
For insight into the current state of cyber security, we asked Anders Corr, Ph.D., who is a global authority on the subject and founder of Corr Analytics, a risk advisor to government and industry. The interview with Dr. Corr first appeared in the current edition of FCM360 Forex Summit.
Q. Can you tell our readers about Corr Analytics and how you got into the cyber security business?
A. As security moves from physical structures to algorithms in the cloud, we believe there will be tremendous growth in cyber-security technologies, budgets, and contracts. We are exploring teaming agreements with lawyers and technologists who specialize in cyber-security, cyber-insurance, and actuarial approaches to cyber-risk.
Q. We’ve heard the term Cyber-War. Is it a war?
A. Yes. The United States, China, and Russia are putting resources into cyber-defense. An estimated 3% of the US defense budget is spent on cyber-defense, including public and black-budget expenditures. The US almost certainly has the most powerful cyber capabilities of any government. While the military possibilities of cyber strategies are barely known, military use of cyber strategies will grow exponentially in the coming decades.
The US and Israel developed the Stuxnet virus, which they used to take control of and overheat Iranian centrifuges sometime before 2010. Stuxnet was thought to have destroyed up to 20% of Iranian uranium enrichment capacity. Attacks like this could take control of nuclear arsenals or asset trading algorithms, with potentially disastrous results.
Q. What motivates cyber attacks and who are the players?
A. Cyber attacks are launched by governments, criminals, terrorists, and teenagers. Unfortunately, these categories overlap. The motivations for cyber-attacks range from stealing data to disruption of enemy processes.
Q. What can the US do to protect us from cyber attacks?
A. The US and NATO need to spend much more on cyber defense -- on the order of 5 to 10% of total defense spending -- to both defend against cyber attacks and to take the offensive if necessary. We need to get ahead of the Chinese and Russians, and determine whether cyber is an offense-dominant technology in warfare. If it is offense dominant, then the first mover has an advantage, and we need to consider going on the offensive rather than passively building cyber defenses as the French built the Maginot line prior to WWII.
At the very least the US needs to hit back against offending countries for not keeping their cyber-criminals and cyber-troops under control. If a cyber attack emanating from Russia results in a major loss to the United States economy, then cyber tactics can be used to recoup those costs, plus penalties, from Russia. No penalty invites further attacks.
Q. What about out and out theft?
A. On July 25, 2013, the worst cyber theft to date was announced -- a loss of $300 million. Ukrainian and Russian hackers stole 160 million credit card numbers from Visa, J.C. Penney, Jet Blue, and Carrefour, selling the data for $10 to $50 per card. The costs were never recouped from Russia or Ukraine.
Q. What is our government doing to thwart attacks?
A. The U.S. needs to do more against autocratic regimes that are targeting the United States and our allies. Russia has flown nuclear bombers near Europe recently, and China frequently harasses Japanese planes and ships in their own 200-mile Exclusive Economic Zone. The U.S. should be using its cyber superiority to degrade the abilities of the Russian and Chinese militaries, and bring them to the negotiating table on issues that matter to us -- including nuclear proliferation, the China Seas, and Ukraine.
Q. Retailers, financial institutions, governments and the rich and famous have become cyber targets. Can small companies—PR firms included—expect to fly under the radar?
A. Small businesses need to educate themselves on cyber-hygiene, and practice due diligence by asking their partners, suppliers, and contractors to disclose their cyber-security practices and preparedness. Small businesses, however, need to team with larger businesses to lobby government and provide greater cyber-security protections to the companies that compose the U.S. economy.