Purpose

A resource for those interested in cybersecurity and the future of cyberspace.

Monday, May 9, 2011

Why the Cyber Attacks on Sony May be a Game Changer

By Scott Shackelford
Published in the Washington Times


One of the biggest identity thefts in history took place during three days this past April. Cyber criminals penetrated Sony’s PlayStation and Entertainment Networks and made off with the personal information of more than 102 million Sony customers—a figure close to the population of Japan. Names, addresses, passwords and, possibly, credit card information were stolen.



This disaster has cost Sony 4 percent of its stock price and has led to calls for its CEO to resign. While the final cost is still being tallied, it is known that data breaches cost U.S. companies on average $204 per lost consumer record. That means Sony may be liable for an eye-popping $20 billion in damages.



Few firms understand how widespread and dangerous cyber attacks have become. Over 75% of respondents to a Symantec survey reported experiencing a cyber attack during the past year. Those attacks cost on average more than $2 million per organization.



Overall, identity theft costs consumers more than $5 billion and firms $48 billion per year according to the Federal Trade Commission. Fraud is also a huge problem, with more than 700,000 complaints and over $1.7 billion in claims in 2009. More than 60% of these cases are from email scams and Internet websites.



Victims of cyber attacks and breaches in cyber security in recent years have included the likes of AT&T, Bank of America, Citigroup, General Electric, Nikon, Starbucks, Wachovia, the University of Chicago, and the States of Florida and New York, to name a few. A single incident involving the theft of a laptop owned by the Veterans Administration led to the loss of 26 million social security numbers of retired and active duty military personnel, resulting in a class action lawsuit claiming more than $26.5 billion in damages.



Although the significant damage caused by some of these cyber attacks has been well publicized, few companies have taken action. A recent Carnegie Mellon study involving interviews with board members of companies with revenues between $1 billion and $10 billion found that 56 percent considered improving financial risk management a top priority, but 0 percent considered improving computer and data security to be a priority.



But there is an effective tool to manage liabilities ranging from identity theft to cyber crime and even sophisticated State-sponsored industrial espionage—cyber risk insurance policies. These policies have been available for years. They are expensive—costing anywhere from $5,000 to $30,000 per year for $1 million in coverage—which probably explains why they have not been adopted in a big way.



Even so, more companies are turning to the insurance market. In a survey conducted last fall by Betterley Risk Consultants, 30 percent of respondents indicated they had cyber insurance. Among respondents from companies with $250 million to $500 million in revenue, the number is 80 percent. Another 25 percent said they plan to buy it in the next 18 months.



Cyber risk insurance is a prudent move, but it is not necessarily the most productive business strategy. The costs are passed on to customers. This reduces the incentive to improve cyber security—leaving that challenge more in government hands.



Perhaps the Sony attack will be the tipping point in getting businesses to view cyber attacks not as a corporate nuisance, but a serious threat to the survival of firms and the long-term competitiveness of economies built on intellectual property. In the meantime, one of the world’s most trusted brands has been tarnished and is being punished in the financial marketplace.



Scott Shackelford is an assistant professor of business law and ethics at the Indiana University Kelley School of Business. He is also author of the forthcoming Cyber Peace: Managing Cyber Attacks in International Law, Business, and Relations (Cambridge University Press).

Monday, January 10, 2011

Government's Earlier Failure to Act Clouds the Facts

by Art Coviello

Recent disparaging comments about private sector engagement in U.S. national cyber defense misrepresent collaboration and hard-won progress with the U.S. government and public sector. In an interview that aired on National Public Radio, a former Bush administration official applauded Estonia's emerging citizen-based cyber army while casting aspersions at the contributions of our own nation's corporate security experts.

Not only are those assertions untrue, it's a ridiculous comparison. The U.S. is certainly not Estonia and the issues are more complex with more risk to us from criminals, terrorists and nation states. With the advent of cloud computing and new degrees of openness on the Internet, our problems could become even more complex. The characterization of private enterprise as 'standoffish' by a former government insider, whose focus was not cyber, highlights the heart of the problem. The fact is, until recently we've not had sufficient expertise in the government to secure our critical infrastructure from cyber attacks.

The U.S. has a long history of fits and starts in its public/private partnership, going back to the 1990s when the NSA sought to hold encryption keys and limit the strength of encryption used in the U.S. commercial marketplace. Regulation prevented the sale of encryption technology abroad, enabling foreign companies to develop their own technology and industry. President Clinton relaxed encryption controls in 1999, and since that time the NSA has been very cooperative with the private sector and has shown great leadership on cyber security.

In late 2001, the Council of Europe and the U.S. agreed to a cybercrime convention that would enable cross-country investigation and prosecution of cybercriminals. Despite industry lobbying efforts, it took the U.S. Senate over five years to ratify that treaty -- hardly Internet speed.

In February 2003, a national strategy to secure the critical infrastructure of the U.S. was released. In December of that year, then DHS Secretary Tom Ridge convened a diverse group of private sector companies to develop a framework for a more effective public/private partnership to execute the strategy. In April 2004, after several months of work, the private sector released multiple recommendations from several task groups. In the ensuing years few, if any, of those recommendations were acted on by the federal government.

When Michael Chertoff took over DHS in 2005, he elevated the position of cyber security from a director to an assistant secretary, an action widely supported by industry. However, three years later there were still limited operational capabilities and staff.

Recently, again despite strong industry support, legislation to update the Federal Information Security and Management Act has still not passed, nor has Congress passed legislation to establish federal standards for data breach notification and for protecting sensitive information, while almost all states have enacted such laws.

Nevertheless, as we enter 2011, we're starting to make significant progress. Late in the Bush Administration, and continued in the Obama Administration, significant hiring of competent people commenced in DHS and other agencies, bolstering cyber security operational capabilities in civilian government. In addition, the positions of Federal CIO and Cyber Security Coordinator were established with Vivek Kundra and Howard Schmidt, respectively. Kundra and Schmidt teamed up last year to issue important White House guidance to federal agencies for implementing more effective risk management practices using continuous monitoring -- another important industry recommendation.

In the meantime, there's work done every day by the private sector companies that run our critical infrastructure. Industries such as finance, retail and healthcare have made enormous strides in protecting financial transactions and personal information. The security and telecommunications industries consistently share information with the government about known threats, viruses and sources of attacks. Further, the security industry is exploiting innovative technologies like virtualization, the enabling technology of the cloud, to actually reduce complexity and create better security than exists today.

Next month the information security industry will converge for the 20th annual RSA Conference, the largest security gathering in the world. Each year, the conference hosts leaders from government who are sincerely interested in improving cyber security and advancing collaboration with the private sector. Federal government speakers in the last few years have included the NSA Director, General Keith Alexander; FBI Director Robert Mueller; and current DHS Secretary Janet Napolitano. Next month, the Conference will welcome current Department of Defense Deputy Secretary William Lynn, and former President Clinton will present the closing keynote.

So let us not be misinformed about our nation's ability and desire to harness the knowledge and experience of the private sector to defend our critical infrastructure. We stand ready to help.

Art Coviello is the President of RSA, the security division of EMC, the world's leading provider of information infrastructure.