The Hacktivist Gunslinger

If cyberspace is the world’s
new wild, wild West, the hacktivist is the new

What costs more than the $288 billion black market for
marijuana, cocaine and heroin combined? You expose yourself to
it every day, at your home and at your office, every time you
log in to your computer. It’s cybercrime, of course, and
its cost in time, money and reputation is enormous and

Norton, an Internet security firm, says the cost of global
cybercrime reached $388 billion last year. The Ponemon
Institute estimates the average
cost of a data breach hit $7.1 million last year—$214 for
each compromised data record. Sony estimates that data breaches
it suffered last year will cost $200 million (some think it
will be much more). The software firm McAfee estimates that, in
2008, “companies worldwide lost more than $1 trillion
from IP and data theft.”

No one is immune. Every 19 seconds someone somewhere is
victimized by cybercrime. Small and large businesses,
governments, nonprofits and individuals have all been targets.
Cyber risks come in many forms, from malicious hacking to
identity theft to espionage and terrorism.

Last year McAfee uncovered a massive cyber spying operation,
likely carried out by China, dubbed “Operation
Aurora.” The malware attacked Google, Adobe, Northrop
Grumman, Dow Chemical, the United Nations and dozens more
companies, governments and nonprofits around the world. The
attacks were systematic, sophisticated and well
resourced—the type of attack often launched by a
government or an organized crime group.

Loose-knit hacktivist groups, such as Anonymous and LulzSec,
recently wreaked havoc on some very high-profile targets,
including the Vatican, Sony and the CIA. A LulzSec leader who
threatened to burn down the White House was recently arrested.
Hacktivists are not just computer geeks living in their
parents’ basements looking for some excitement. They can
attack anytime, anyplace and anyone.

Even scarier, the world’s most critical
infrastructures—oil, gas and electric grids—are at
risk. A 2010 report by McAfee and the Center for Strategic and
International Studies, “In the Crossfire: Critical
Infrastructure in the Age of Cyberwar,” said nearly 70%
of those surveyed frequently found malware designed to sabotage

What’s troubling is how few are prepared. In a 2011
follow-up report, McAfee found only a handful of those
responding to the survey use sophisticated off-site security
measures, a quarter have tools in place to monitor networks,
and only 36% use tools to detect anomalies. Yet nearly 40%
expect a major attack within the year. To make matters worse,
recession-driven cutbacks in security have left many companies

With the threat to consumers, industry, the infrastructure
and national security growing, you would think governments
would place a priority on cyber risks. Interestingly, China,
Italy and Japan have twice the security measures in place as
Brazil, France and Mexico. The U.S. and the EU lag behind. The
most vulnerable to attack are the U.S., Russia and China.

Governments are stepping up, but not soon enough. The EU is
considering a new directive to harmonize data privacy laws
across Europe, but the process could take several years to
ratify. A number of EU countries are acting on their own and
adopting data privacy regulations that require data breach
notification to customers.

U.S. privacy laws vary state-to-state, but 46 states require
organizations to notify customers of data breaches. There is no
federal law, but the Obama administration supports one. Last
October the Securities and Exchange Commission issued new
guidelines on corporate responsibility for disclosing cyber
attacks and their cost to shareholders. The guidelines also
require companies to disclose “a description of relevant

Cyber liability insurance is a new frontier. Advisen
research found that only a third of the companies it surveyed
had a cyber insurance policy. Despite the increase in cyber
risks and the potential harm an attack can do to customers and
a company’s reputation, many companies don’t think
they need it or figure other policies will cover their losses.
The bad news is they often don’t. Sony is still battling
with its insurers over coverage of its cyber attack.

Emily Freeman, a cyber insurance broker at Lockton, says
most policies cover the “twin risks of privacy and
security.” Policies can include business interruption,
notification costs, class-action lawsuits, IT forensic
auditing, legal costs, fines and extortion.