Cyber-attacks and Data Breaches Pose Huge Threat to U.S. Economy

By the Curmudgeon with Victor Sperandeo

The Threat is Real and Increasing!

"At around 8:15 a.m. the Monday before Thanksgiving, that black screen of death came on (all the office PCs). They shut down the entire network. We couldn’t really work the rest of the week, which seemed OK because it was a holiday week. But as Tuesday and Wednesday progressed, it became clear that this wasn’t a simple hack...It wasn’t until Monday or Tuesday of the following week when we realized the extent of it. That’s when we got word that it might take weeks to get (our PCs and Data Centers) back up." Those words from an employee of Sony Pictures Entertainment who talked to Fortune.

As everyone now knows, Sony Pictures Entertainment revealed that it had been hacked by a group calling itself the Guardians of Peace, which the FBI claims was an agent of North Korea. Apparently, that repressive Communist country was using cyber-terrorism in an attempt to repress free speech in the United States. More on this in Victor's comments.

Few remember that between April and May 2011, Sony Computer Entertainment’s online gaming service, PlayStation Network, and its streaming media service (Qriocity), along with Sony Online Entertainment (the company’s in-house game developer and publisher), were hacked by LulzSec - a splinter group of Anonymous, the hacker collective.

The latest Sony cyberattack comes after many years where China's government has been accused of hacking into U.S. State Department, Postal Service, military contractors/government agency computer networks.

A U.S. Congress advisory group has declared China "the single greatest risk to the security of American technologies" and that "there has been a marked increase in cyber intrusions originating in China and targeting U.S. government and defense-related computer systems."

Iran has tried to disrupt American banks with denial-of-service attacks, and conducted a destructive attack on a Saudi oil company’s computers in 2012. For years, organized crime groups in Russia have used cyberespionage to commit financial fraud, while the Russian government does nothing to stop it.

Expect to hear of more of our government networks infiltrated by rogue foreign states. A Georgia Institute of Technology report on Emerging Cyber Threats in 2015 states, “Low-intensity online nation-state conflicts become the rule, not the exception.”

"The security of our military operations are what's at stake," said Senator Carl Levin (D., Mich.), chairman of the Armed Services Committee, at a news conference. "What we found is very disturbing," he added.

It's not only Sony and the U.S. government being targeted. Let's not forget the cyber-attacks and data breaches on Target, JP Morgan Chase, Home Depot, Apple, EBay, P.F. Chang (restaurants), Domino's Pizza, Montana Health Department, Google, etc.

This terrific interactive map from anti-virus software maker Kaspersky, depicts all the current cyber-attacks occurring around the world in real time. It clearly shows the growing intensity of hacks as the year progresses.

In its most recent State of the Internet Security report, Akamai states that there were a record setting number of DDoS (Distributed Denial of Service) attacks on websites in Q3 2014. The 22% increase in total DDoS attacks marked an 80% increase in average peak bandwidth compared to Q2 2014 and a 389% increase from the same period a year ago (Q3 2013). That means the largest companies with the highest bandwidth websites are being targeted by hackers.

Expert Opinion:

"Security will never be the same again. It's a losing battle," said Martin Casado, PhD during his Cloud Innovation Summit keynote speech on March 27, 2014. Currently, cyber security spending is outpacing IT spending, and the only thing outpacing security spending is security losses.

A recent survey by the Ponemon Institute indicated the average cost of cyber-crime for U.S. retail stores more than doubled from 2013 to an annual average of $8.6 million per company in 2014.The annual average cost per company of successful cyber-attacks increased to $20.8 million in financial services, $14.5 million in the technology sector, and $12.7 million in communications industries.

Clearly this isn’t an issue of investment, innovation, or priorities as huge industries are built around security. Mr. Casado believes there is a fundamental architectural issue: that we must tradeoff between context and isolation when implementing security controls.

With today's huge "cloud" resident data centers (Google, Amazon, Facebook, Yahoo, eBay, etc.), there is a very large potential "attack surface" or "threat footprint" for malware and other cyber threats. It's a huge issue for "cloud computing" and the "Internet of Things."

The mega trend to replace hardware functions by software (known as open networking, software defined networking, and network function virtualization) greatly compound the security problem by exponentially expanding the cyber-attack surface.

U.S. Infrastructure May Be Targeted Next:

Information security experts say the greatest danger is that foreign governments and cyber terrorists will go after the nation’s critical infrastructure — airports, water treatment plants, power companies, oil refineries and chemical plants.

Cyber terrorists could turn off the lights for millions of Americans by attacking power grids, shut down the nation’s airports by seizing control of air-traffic control systems or blow up an oil pipeline from thousands of miles away, experts say.

“This is a much bigger threat over time than losing some credit cards to cyber-criminals,” said Derek Harp, lead instructor at the recent training conference run by SANS Institute, which provides cyber security education and certification for people who run industrial control systems.

Maryland Rep. Dutch Ruppersberger, the senior Democrat on the House Intelligence Committee, said cyber-attacks will be “the warfare of the future.”

“Just think what could happen down the future if North Korea wanted to knock out a grid system, an energy system, knock out air- traffic control,” he said in a December 22nd interview on CNN.

U.S. Government Response to Cyber-Attacks- Too Little Too Late?

What will the Obama administration and Congress do to stop cyber-attacks on U.S. companies and critical U.S. infrastructure? So far, not much! Business concerns about overregulation, among other factors, have played a role in the collapse of efforts in Congress in recent years to pass legislation that would create incentives for companies to take additional security precautions and share information.

A number of issues complicate efforts to fortify and defend American companies against hackers and cyber-criminals. The government’s approach has been piecemeal, often confounding intelligence sharing and making it difficult to coordinate a response. Businesses, meanwhile, want more government help but also want to limit government intrusion.

At a news conference last week, President Obama urged Congress to try again next year to pass “strong cybersecurity laws that allow for information-sharing. … Because if we don’t put in place the kind of architecture that can prevent these attacks from taking place, this is not just going to be affecting movies, this is going to be affecting our entire economy.”

As noted above, a top U.S. government concern is the threat of a cyberattack on critical infrastructure such as electric grids, control turbines, power plants, and telecommunications networks. A front page article in the December 26th Wall Street Journal reported "that (U.S. government) officials have held a series of briefings on the issue in 13 cities across the country advising companies not to connect industrial control systems to the Internet."

That's an admission that the U.S. government can't protect the Internet from cyber-attacks!

In a December 26th WSJ op-ed, Senator Mike Rogers (R-MI) wrote:

"The U.S. government has an obligation to help those companies defend themselves by sharing any actionable intelligence the government has to warn them when and where they can expect an attack to come from.

Congress must update the law to expand the private-sector’s access to government-classified cyber threat intelligence. The law must also be updated to knock down the many barriers, such a concerns about legal liability or action by government regulators, that currently impede or stop companies from sharing cyber threat information with each other and the government....Congress and the Obama administration must heed these warnings and take decisive action to defend the country and American businesses from these growing threats."

Victor's Comments:

Let's examine this important cyber-terror issue from a philosophical, political perspective.

As noted by the Curmudgeon above, Sony Pictures Entertainment (SPE), an American Company (formerly known as Columbia Pictures Entertainment), was hacked by a group linked to North Korea, according to U.S. government sources. Hacking confidential information and private property is a crime in the U.S. North Korea allegedly hacked into SPE to retrieve private property, sensitive personal details of the company, and personnel to be used to stop the release of "The Interview" film.

"The Guardians of Peace" threatened bodily harm to movie viewers and the theaters that showed the film. The stars of the movie cancelled media appearances, SPE and the big chain theaters cancelled its release.

That's blackmail by an agent of a foreign country! It certainly puts the onus on the federal government to protect the people of the U.S., as that is one of its core duties. To add emphasis to this point, "National Defense*" is the primary reason why the government was given power by the people, so as to protect them!

* In 2013, 19% of the federal budget (=$643 billion) was for defense and security-related international activities.

President Obama called this act "cyber-vandalism," not an act of war.

Vandalism is an offense that occurs when a person/entity destroys or defaces someone else's property without permission e.g. broken windows, graffiti, and damage to vehicles. Was this really an act of vandalism? Or something else?

“This is not vandalism," Senator (R-Arizona) John McCain told ABC’s This Week. “It is a new form of warfare. And we have to counter that form of warfare with a better form of warfare.”

What powers properly belong to each and every person in the absence of and prior to the establishment of any organized governmental form? A hypothetical question? Yes, indeed! But, it is a question which is vital to an understanding of the principles which underlie the proper function of government.

I strongly believe that it's the U.S. government's primary responsibility, duty and obligation to protect SPE and all the people who wish to see "The Interview" movie in theaters. We should not permit this kind of blackmail by a nation with GDP about 3% that of New Jersey.

It is why the people have granted certain limited powers to allow governments to use force to protect our national interests. The U.S. spends ~$3.6 trillion dollars a year and we pay taxes primarily for the government to protect us.

As the Honorable Ezra Taft Benson (Secretary of Agriculture in the Eisenhower Admiration) put it: "In general terms, therefore, the proper role of government includes such defensive activities, as maintaining national military and local police forces for protection against loss of life, loss of property, and loss of liberty at the hands of either foreign despots or domestic criminals."

It seems our government evidently can't do the job it was created for and doesn't take responsibility for its failures. In this case, President Obama blamed SPE for acquiescing to terror threats ("They should've talked to me first," he said) by cancelling release of the film.

Perhaps, Obama should heed his own words from an August 28, 2006 speech at Kenya University:

"If the people cannot trust their government to do the job for which it exists - to protect them and to promote their common welfare-all else is lost." Amen!

Till next time......

The Curmudgeon
ajwdct@sbumail.com

Follow the Curmudgeon on Twitter @ajwdct247

Curmudgeon is a retired investment professional. He has been involved in financial markets since 1968 (yes, he cut his teeth on the 1968-1974 bear market), became an SEC Registered Investment Advisor in 1995, and received the Chartered Financial Analyst designation from AIMR (now CFA Institute) in 1996. He managed hedged equity and alternative (non-correlated) investment accounts for clients from 1992-2005.

Victor Sperandeo is a historian, economist and financial innovator who has re-invented himself and the companies he's owned (since 1971) to profit in the ever changing and arcane world of markets, economies and government policies. Victor started his Wall Street career in 1966 and began trading for a living in 1968. As President and CEO of Alpha Financial Technologies LLC, Sperandeo oversees the firm's research and development platform, which is used to create innovative solutions for different futures markets, risk parameters and other factors.

Readers are PROHIBITED from duplicating, copying, or reproducing article(s) written by The Curmudgeon and Victor Sperandeo without providing the URL of the original posted article(s).