The Cybersecurity Challenge: Corporate Cybercrime and Government Cybercrime

As I mentioned in the first of three installments on the Cybersecurity Challenge, there are two broad areas of cybercrime to consider: corporate cybercrime and government cybercrime. In this installment of the article, I will address each one of these threats in turn.

Corporate Cybercrime

We know from published statistics that corporate cybercrime has become a very significant issue all across the world, from people stealing credit cards and phone cards and using them across the globe, all the way to breaking into highly proprietary, sensitive business and personal information that’s held in large databanks in corporations all over the world. While it’s likely that U.S.-based corporations have a better track record of defending against cybercrime than those in other countries, the picture is very sketchy because most corporations are reluctant to report an incident at all unless it’s something particularly major, where they believe they need to contact law enforcement.

Based on the statistics published by the major credit card companies alone — the Visas and MasterCards of the world — corporate cybercrime is a multi-million-dollar problem — probably hundreds of millions of dollars, if not more — and people are hacking into the corporate systems regularly, whether it be credit card companies, large banks, travel companies, the Procters and Gambles of the world, or medical healthcare records. Within the United States, from January 1, 2008 to December 31, 2008, the FBI’s Internet Crime Complaint Center (IC3) website received 275,284 complaint submissions. This is an increase of 33.1 percent over 2007, when 206,884 complaints were received. According to the FBI’s data, these filings were composed of complaints primarily related to fraudulent and non-fraudulent issues on the Internet.

The complaints registered by the IC3 website comprised many different fraud types such as auction fraud, non-delivery, and credit/debit card fraud as well as non-fraudulent complaints such as computer intrusions, spam/unsolicited e-mail, and child pornography. All of these complaints have been made accessible to federal, state, and local law enforcement to support active investigations, trend analysis, and public outreach and awareness efforts.

From the submissions received via its website, IC3 referred 72,940 complaints of crime to federal, state, and local law enforcement agencies around the country for further consideration. The majority of reported cases involved fraud and a financial loss on the part of the complainant. The total dollar loss from all referred cases of fraud was $264.6 million with a median dollar loss of $931.00 per complaint. According to IC3 figures, this is up from $239.1 million in total reported losses in 2007.

There’s good reason to believe that this is just a small fraction of the sum of corporate cybercrime within the United States in 2008.

Of particular concern are two specific Internet security issues: DNS hijacking and routing security. DNS can be hijacked — you go to eBay at ebay.com, but you actually end up at a spoof site. Or you’re trying to go to your bank and end up at an impostor site specifically designed to capture your login information — user name and password. A newer threat is the hijacking of the routing information underneath DNS, so that a legitimate set of IP addresses is routed through a third party — either to eavesdrop or to host content that looks exactly the way it was supposed to.

Beyond the taking of customer information, hackers are stealing company-proprietary information — including designs, business plans, intellectual property, and financial and budgeting information — and selling it to the highest bidder. People in every major corporation and even smaller companies — from the CIOs of companies to the security guys — are very concerned about this issue and are spending a lot of time and effort trying to figure out how to fight the attacks and defend their websites and computer networks. And it’s a good thing they are — there are countless documented cases where company websites have been shut down or diverted, and huge quantities of data taken.

Government Cybercrime

At the government level, there is cybercrime of both the state-sponsored and non-state-sponsored varieties. Of particular note is the relatively quick evolution of the cyberprotection initiative under the Bush administration. From what’s been published, it’s apparent that the United States government has spent many billions of dollars during the course of the Bush administration trying to thwart such attacks, including consolidating networks so there are fewer ways for people to get into federal agency computer networks.

And there is great reason to be concerned.

A recent Business Week article documented how cybercriminals had hacked into NASA’s “super-secure” Kennedy Space Center computers in April 2005 and used a malicious software program by the name of stame.exe to gather about 30 million pages worth of data about the Space Shuttle. This data was then shipped off to Taiwan by the software program, where it presumably was then forwarded to China. There have been endless, repeated, ongoing attacks on the Department of Defense and key databases all through most of the military services. Again, all of this has been made public in the press. However, much remains unreported due to its sensitivity.

Most of the civilian agencies in the United States did little or nothing about cybercrime until four or five years ago. Now they see that everything from Social Security data to medical healthcare records to defense data has either been penetrated or been the target of repeated attempts to penetrate their databases. So the United States government is today very serious about it — or at least they tell us they are.

State-sponsored cyberterrorism is a subcategory of the government cybercrime business, and there are documented situations where actual state-sponsored groups are active, especially out of China and Russia. We certainly know that this was the case with Russia and Georgia recently, but China, it appears, has been one of the most active sources of what is being called state-sponsored cybercrime. These are attempts to penetrate databases all over the world — not just the United States — that have defense, intelligence, and personal data. It’s just the next level of the espionage that we’ve all worried about for years, of getting everything from munitions designs to airplane designs to rocket designs, etc. It’s taken, if you will, into the cyberworld.

The Department of Homeland Security (DHS) is a place where the Bush administration has placed a lot of responsibility for guarding the government against cybercrime. Clearly, the Department of Defense has its own capability (witness the recent announcement of the creation of the U.S. Cyber Command, which will be tasked to defend DoD cyberspace under STRATCOM), as does the intelligence community. However, the place where the cyberinitiatives and counter-cyberterrorism have been built up on the civilian side of the government is DHS. My understanding is that Barack Obama is very close to selecting a chief technology officer — a technology czar of sorts — to try to coordinate a lot of technology initiatives at the White House level. There’s been discussion that that person would even be a cabinet officer, which is significant. Our country has never had anything like that in any previous administration, but the growing threat seems to merit this high level of attention going forward.

In the third and final installment of this article on cybersecurity, I will look forward to what can and should be done to defend our nation.

* * *

My birthday, July 26th, was celebrated several different times with cakes and one candle. On the actual day, the family and I went to the La Jolla Beach and Tennis Club and had our final outing. Thank God it’s over.

— Bob