The report underscores the growing dangers that ransomware attacks by foreign criminal enterprises pose to American industries. Lawmakers have been deeply concerned about the impact of such attacks, including on the financial and health-care sectors, during the pandemic.
The coronavirus inspired an unprecedented number of online scams preying on the fears of both consumers and businesses – and a mass migration of employees to remote work created a perfect storm.
“When workers move to home environments, they are essentially becoming their own I.T. support,” said Steve Grobman, senior vice president and chief technology officer at McAfee. “It's really about understanding that this is a different environment and building a security strategy to effectively defend it.”
This is the fourth such report on global cybercrime from CSIS and McAfee. It “surveyed publicly available information on national losses, and, in a few cases, we used data from not-for-attribution interviews with cybersecurity officials,” the report said.
The increase in cybercrime stems in part from the dramatic shift in the threat landscape in just the past two years, said Grobman, as hackers move from targeting specific machines or users to whole organizations, using human operators to make the attacks even more effective.
“The reason that is so costly to organizations is it's much more difficult to investigate and recover when an organization doesn't necessarily know the full scope of a cyberattack and therefore has to do a much more in-depth investigation,” he says. Global spending on cybersecurity is expected to exceed $145 billion in 2020, researchers note.
Not all cyberattacks are successful at stealing money. But they can still have devastating impact.
The average ransomware attack knocks a company's systems offline for 18 hours — more than enough time to have serious consequences for productivity.
“Most of the incidents are not always successful in the sense of getting money out, but they're successful in the sense of disrupting operations, disrupting networks,” says the CSIS's James Lewis, who directed the report. “It's not just your monetary losses in the sense of, you know, ‘they took this cash from me.’ It's also the opportunity cost.”
Companies tend to underestimate those costs, Lewis says. The average cost to organizations of their longest period of system disruption in 2019 was $762,231, CSIS researchers found. In the case of ransomware attacks, where hackers demand a payment in return for unlocking a company's systems, the disruption can often cost more than the ransom, incentivizing companies to pay up.
Business interruption costs can be anywhere from five to 100 times larger than the cost of a ransom itself, Bill Siegel, chief executive of ransomware recovery firm Coveware, testified to the Senate Homeland Security and Governmental Affairs Committee last week in a hearing on ransomware.
There can also be a residual impact when a company is part of a supply chain, Grobman notes. A 2017 attack on Danish shipping company Maersk disrupted operations for two weeks and cost the company $300 million. More recently, hackers targeted companies involved in the supply chain to distribute coronavirus vaccines, IBM's Security X-Force reported.
Other costs can include the loss of intellectual property.
Cybersecurity officials have warned of an increase in efforts by Chinese hackers to steal U.S. business secrets and research. Putting a price tag on that kind of loss is difficult for companies, Lewis says.
More companies are reporting cybercrime losses than when researchers at CSIS started looking at the problem eight years ago.
High-profile incidents such as the 2017 hack of Equifax that exposed the data of 147 million Americans have put a spotlight on the business and legal risks of bad security. Equifax paid a $700 million settlement to the Federal Trade Commission for the breach, the largest settlement for a data breach in agency history.
“Cybersecurity is a board-level issue now,” Lewis says. “So when these incidents occur, there's a lot more attention, there's a lot more reporting.” Government agencies like DHS have also put more effort into tracking, Lewis says.
Despite a spike in crime, many companies lack a clear plan for dealing with cyberattacks.
More than half of the 1,500 organizations surveyed for the report said they lack plans both to prevent and to respond to an incident. Only a third of the organizations that had plans said their plans were actually effective.
The uneven approach stems from different regulatory standards for different industries. The financial and health-care sectors — two leading targets for cybercriminals — are more heavily regulated than other sectors.
Lewis says the discrepancy is one that regulators should be looking at.
“Ransomware is the new way for criminals to monetize hacking. And so that is going to be one of the big stories of the covid episode,” Lewis says. “And so that leads to the question of do we need more regulation because the regulated sectors tend to be better prepared than the unregulated sector.”
The incoming administration could also play a role in deterrence.
President-elect Joe Biden could also step in with stronger warnings against foreign governments who enable hackers.
The U.S.-China cyber agreement under President Barack Obama deterred some cybercrime, Grobman noted, even though the full impact remains unclear. A stronger position against foreign nations that turn a blind eye to hackers, such as China and Russia, could make a difference, they argue.
“How we establish trade and other economic agreements with countries should absolutely comprehend the level of focus and cooperation that they put on enforcing laws against cyber criminal actors within their borders,” Grobman tells me.
Military intelligence leaders will begin meeting with Biden's transition team today.
The announcement of the meetings came one day after The Washington Post reported that the Pentagon had rejected or failed to approve transition meetings at key intelligence agencies, Greg Miller and Missy Ryan report. The Pentagon had been uncooperative in scheduling the meetings despite a Nov. 23 decision by the General Services Administration clearing the way for federal agencies to begin coordinating with the incoming administration, sources told The Post.
“Current and former officials, who spoke on the condition of anonymity to discuss a sensitive matter, said the delays have impaired the Biden team’s ability to get up to speed on espionage operations against Russia, China, Iran and other U.S. adversaries,” Greg and Missy reported.
The Defense Department denied that it acted outside protocol. “The accusation by anonymous sources that [the Defense Department] has not been fulfilling its commitment” to the transition “is demonstrably false and patently insulting,” the department said.
Biden advisers met last week with officials at the Office of the Director of National Intelligence and the CIA, intelligence agencies that are independent of the Defense Department.
A representative of the Biden transition team declined to comment on discussions with the Pentagon.
Georgia's lieutenant governor says the state will not call a special session to overturn election results.
The remarks by Lt. Gov. Geoff Duncan (R) came one day after Trump called Gov. Brian Kemp (R), urging him to persuade the state's legislature to overturn Biden's victory, Felicia Sonmez reports.
“We’re certainly not going to move the goal posts at this point in the election,” Duncan said in an interview on CNN's “State of the Union.”
Both Duncan and Secretary of State Brad Raffensperger (R), who appeared on ABC News's “This Week,” say they have received death threats as Trump continues to spread false claims about the election.
The Treasury Department will allow the deadline for TikTok to sell to pass without enforcement.
The Treasury Department declined to give the app's Chinese owners another extension on its deadline to divest its U.S. assets, Jay Greene reports.
But the agency won't force a sale either, it said. Instead, the two parties will continue to work on ironing out a deal that would meet regulatory approval, the Treasury Department said.
A Treasury-led interagency committee determined earlier this year that the company's Chinese ownership posed a national security risk, and ByteDance would have to divest if the app wanted to continue U.S. operations. Trump threatened to ban the app by executive order, but the effort has been tied up in the courts.
The U.S. government claims TikTok could be compelled to share U.S. user data with the Chinese government, a claim it denies. TikTok has been in talks to launch a new company with investments from American companies Oracle and Walmart. The deal appeared to have the president's blessing but negotiations stalled.
More cybersecurity news:
- The Atlantic Council will hold an event on the incoming U.S. administration and the future of supply chains in the Americas on Dec. 9 at 2 p.m.
Secure log off
ICYMI: Chris Krebs appeared on Stephen Colbert.