In a decade characterized by economic instability, sluggish wage growth, and job outsourcing, the ability of hackers to destabilize companies should concern us all.
America’s leadership and influence in the world traditionally stems from a combination of hard power, such as military strength, and soft power, or a diverse, robust, and highly globalized economy that provides significant leverage in diplomacy. Unfortunately, a rapidly growing prevalence of sophisticated cyber attacks on government and the private sector threatens this economic prowess. While the public may be more naturally inclined to worry about theft of government secrets, cyber attacks on US companies also greatly threaten national security and American livelihoods in numerous ways.
Cybercrime poses a grave threat to the US economy, its labor force, and its global competitive advantage. Cyber attacks cost the global economy approximately $445 billion in 2014, with this number expected to reach $2.1 trillion by 2019. This translated to an average annual cost of $15.4 billion (2015) to US companies. Furthermore, in 2014, the Center for Strategic and International Studies estimated that, due to the US private sector’s heavy reliance on intellectual property, cybercrime could cost as many as 200,000 jobs and cause a 0.9% drop in GDP in a given year.
In 2013, the US company Mandiant revealed that China’s PLA Unit 61398, a covert military division, conducted cyber hacks over seven years on 115 US companies across various industries, with hackers remaining inside companies’ networks for one year on average before detection. On average, companies still take 146 days to detect intrusions, meaning investors or creditors could be misled for months about a company’s value or stability. Once discovered, a breach can impact revenue, based on the stolen data or denial of service. Customers may also sue for loss of personal information or demand identity theft insurance. The following examples show how cyber attacks harm the US economy, companies, and stakeholders:
Stock Market – In 2013, the Syrian Electronic Army hacked the Associated Press Twitter account and tweeted that a White House explosion had injured President Obama. Secret Service debunked the claim two minutes later, but the Dow Jones had already lost $136 billion in market equity value.
Steel – In April 2016, U.S. Steel Corp. filed a complaint with the International Trade Commission accusing the Chinese steel industry of using its government to steal trade secrets and produce advanced products, then flooding the market with cheaper prices.
Internet of Things – In 2015, Fiat Chrysler recalled 1.4 million Jeep Cherokees after hackers took control of a vehicle through its internet-connected entertainment system. While the ‘white hat’ hackers sought to expose vulnerabilities, not to cause harm, their actions cost Fiat Chrysler hundreds of millions of dollars.
These examples highlight how hacks aimed at specific entities could spiral into more expansive adverse impacts on the US economy and public safety. In 2016, stock exchanges and financial institutions rely heavily on digital commerce. A prolonged denial of service (DoS) attack can cause investors to rapidly sell company stock, threatening hundreds of thousands of jobs and the collapse of banks where millions of Americans entrust their savings and investments. The US Steel example demonstrates how China can use cyber tools to bypass decades of research and development and gain a competitive advantage over an entire US industry. Lastly, the Fiat Chrysler example raises the frightening specter of terrorists gaining control of thousands of vehicles on US highways simultaneously.
The rapid surge in digital commerce and international trade has simultaneously created both economic benefits and security risks for the United States. The Internet generated 21% of GDP growth in mature economies from 2006-2011. Additionally, approximately 67% of US companies own technology assets, in many cases intellectual property. International trade agreements and technology have enabled more companies to globalize and improve operational efficiency. However, digitized commerce also allows criminals to steal from companies at higher volumes, and with less risk, than traditional crime. Employees now only need five minutes and a thumb drive to steal billions. Cyber attacks can occur from anywhere, meaning a company has little recourse against hackers operating abroad. International expansion by companies requires them to deepen their supply chains, which creates more points of entry for hackers.
How can we sustain the positive contributions of these trends and also protect US companies and consumers from security and economic risks posed by cyberattacks?
Last December, the Senate introduced a Cybersecurity Disclosure bill, which would require companies to state in SEC filings whether any member of their board has cybersecurity expertise or what other cybersecurity measures have been taken to protect the company. This would simply mandate at the federal level what 47 states require, in some form, regarding disclosure. Most publicly traded companies already disclose material cybersecurity risks in their annual Form 10-K and unscheduled material events, such as cyber intrusions, in Form 8-Ks. This legislation can reduce liability on both sides. However, government must also offer something in return. This can include sharing more of its sophisticated cyber defensive and offensive tools.
Corporate boards must lead cybersecurity governance, as protection of company assets constitutes a fiduciary responsibility. Those with deep supply chains must develop systematic data protection at all levels. According to Peter Iannone, Managing Director at Alsbridge, Inc. and Dr. Ayman Omar, Professor of International Business at American University, “a business seeking to responsibly manage cybersecurity threats should analyze every third party for its potential impact to the company if that third party were compromised.” Companies can segment suppliers and distributors based on exposure and develop safeguards accordingly. Lastly, before entering foreign markets, companies should conduct enterprise risk management that considers cyber threats. International trade, despite its benefits, also expands the scope of risks for businesses.
It is easy to lack sympathy for large businesses. The ‘too big to fail’ argument about banks angered many Americans in 2008-2009. However, in a decade characterized by economic instability, sluggish wage growth, and job outsourcing, the ability of hackers to destabilize companies should concern us all. Think what might have happened had the Chinese stolen algorithms developed by Google in the late 1990s. I would like to keep as many of these innovations as possible here in America.