Evan, Ellen, Andrew, Lillian
When it comes to protecting ourselves as individuals from cyberattacks, regardless of how diligent and proactive any one of us may be, much of our cybersecurity will always rest in the hands of corporations. Corporate entities store gigabytes upon gigabytes of our personal information and provide such necessities as electricity or running water. A well-executed cyberattack against a corporation can threaten any one of these things. This blog post will explore the intersection of corporations and cybersecurity by examining the history of hacking and corporate hacks, what can and is being done to protect consumers, how hackers can threaten critical infrastructure by targeting corporations, and what the future of corporate hacking looks like.
History of Hacking
Programmers began “hacking” in the 1960s to develop “shortcuts” aimed at improving the operation of computer systems, especially by reducing run times and amending inaccuracies in their programs. At that time, the verb “to hack” entailed something entirely different than what it involves today.[i]
The first conception of hacking as it is known today arrived towards the end of the 20th century. In the 1970s, John Draper invented the “blue box,” a device that allowed him to access long distance phone calls illegally. Also in the 1970s, Steve Wozniak and Steve Jobs learned the art of “phreaking,” or hacking into telecommunication systems. In the 1980s, the largest European association of hackers was formed, known as The Chaos Computer Club.[ii] Around this time hacking, as we understand it today, started to become an issue. In response, the United States government passed the Computer Fraud and Abuse Act in 1986.[iii]
Two years after the law was passed, two important developments occurred. First, Kevin Poulsen hacked a federal computer network. Then, in the same year, Robert Morris developed what was called the “Morris Worm,” which was the first computer worm to infect the Internet. This self-propagating virus spread so aggressively that it succeeded in closing down much of the Internet for a period of time. The early nuisance attacks that followed kicked off the struggle we are familiar with today: companies now had to deal with and respond to cybersecurity attacks. This back and forth ultimately led to the birth of the cybersecurity industry, including the establishment of CERTs (Computer Emergency Response Teams) as a central actor for coordinating responses to cyber emergencies. The initial reaction from the industry was ‘prevention is better than a cure’, giving rise to preventative and detective security products.[iv]
In 1994, Vladimir Levin accesses the accounts of Citibank’s customers and stole around $10 million.[v] From then on, we have seen a proliferation in the number of corporate hacks affecting both consumers and sellers (please see Table 1).
Corporate hacking in the 21st century includes the theft of many different pieces of private and vital information belonging to citizens and noncitizens alike. Social security numbers and credit card information have especially been at risk. Small and large corporations alike have fallen prey to cyberattacks, including Sony, Target, and JPMorgan. The effect has almost always been a drop in share prices and the loss of consumer confidence.[vi] We now live in a world where consumers’ information is always at risk.
Given the recent hacks at major corporations like Yahoo and Sony, it is not surprising that companies are taking proactive steps to strengthen their security measures. One approach has been to educate employees to ensure that they understand how to protect their data. Many companies host a “privacy day” or “privacy week” to raise awareness and reinforce institutional values regarding individual data protection. Microsoft, Google and Twitter, for example, celebrate Data Privacy Day on January 28, the same day as the U.S. government’s Data Privacy Day, to raise awareness of privacy and data protection issues. Other companies like Yelp and Facebook have implemented bug bounty programs to strengthen their security. Bug bounty programs give hackers an avenue to report vulnerabilities to tech companies in exchange for cash, incentivizing them to disclose problems instead of exploiting them.
In addition to taking preemptive measures to boost security and privacy systems, it is important for companies to collaborate with other companies to combat hackers and build consumer trust. On September 7, 2000, American Express, one of the largest US credit card issuers, announced a new suite of tools developed to safeguard members’ privacy when shopping online. The very next day, another financial services company reported that hackers had gained access to more than 15,000 card numbers and related customer information. After the hack, American Express responded quickly and ended up joining forces with industry peers to create the Worldwide E-Commerce Fraud Prevention Network. Creating the network bolstered American Express’ reputation as a privacy leader and instilled greater trust in the eyes of consumers.
Hacking Critical Infrastructure
We rely on critical infrastructure (CI) every day. According to the Department of Homeland Security, there are sixteen CI sectors, including food and agriculture, transportation systems, water and wastewater systems, and nuclear reactors, materials, and waste. Private corporations dominate these sectors, and a successful cyberattack on a corporation in control of CI may carry with it far more serious consequences than one against the average business.
CI is vulnerable. Almost three-quarters (67%) of the respondents to a 2015 Ponemon Institute survey of CI corporations admitted to having had at least one security compromise that led to the loss of confidential information or disruption of operations in the last 12 months. Of those attacks, 26% targeted industrial control systems, systems which regulate heavy equipment. Taking control of such systems allows hackers to wreak physical havoc, as in the case of a 2014 attack against a German steel mill in which attackers dealt with extensive damage by shutting down a blast furnace in an unsafe manner.
Corporations and governments are aware of and responding to the risks posed by cyberattacks against CI. In the 2015 Ponemon Institute survey, a full 64% of respondents described themselves as “committed to preventing or detecting advanced persistent threats.” The US Department of Homeland Security has founded the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), an organization committed to “reduc[ing] the risk to the Nation’s critical infrastructure.” However, with the number of attacks against CI on the rise, only time will tell if current efforts are sufficient.
The Future of Corporate Hacking
The future of corporate hacking, and more generally cyber-attacks, is an interesting one. Attacks are expected to become more sophisticated, and the trend we have seen will continue into the future, as brute force attacks are upgraded for more elegant, clandestine versions. The first major implementation of this type of hack was Stuxnet, and further applications of programs like these are endless. Corporations will start to see subtle, virtually unnoticeable tweaks within their systems, trying to disrupt them or siphon our money, for example. Criminals will stray away from stealing credit card numbers in bulk to stealing small amounts of money that, over time, will accumulate to a sizeable amount.
Data sabotage will also see an uptick: “A key piece of such cyber events will probably be some form of data sabotage, the subtle tweaking of data within transactions to gain some type of benefit. It’s a concept that U.S. intelligence officials and security firms have identified as one of ‘cybercrime’s next big fronts for 2016.’” Hackers will increasingly be used to devalue companies, whether by competitors, third parties, or someone with a vendetta. We will see creditability attacks on companies aimed at affecting public support and destabilizing their position in the economy. James R. Clapper, the Director of National Intelligence, warns that “We foresee an ongoing series of low-to-moderate level cyberattacks from a variety of sources over time, which will impose cumulative costs on US economic competitiveness and national security.”
Consumer interests are seriously compromised when corporations are hacked. However, by studying past hacks, reviewing current security protocols, understanding the risk to nations’ critical infrastructure, and looking to the future, the risks presented by corporate hacking can begin to be mitigated. If CEOs and policymakers everywhere will take this threat seriously and deploy forces to combat it, then consumers can be protected.
History of Hacking
Protecting Consumer Data
Hacking Critical Infrastructure
The Future of Corporate Hacking