As computer hackers get ever more sophisticated, governments and businesses are upping their spending on cybercrime prevention. Eoin Gleeson reports.
Richard A Clarke has a recurring nightmare. Our cities are under attack. A band of terrorists has launched an internet-borne virus, which is worming its way along the backbone of the economy. Traffic lights are scrambled. Cash machines freeze. The stockmarket sinks into a death spiral. Then, the lights go out. Wild panic spreads as trains derail and burned-out satellites plunge from the sky.
Clarke details this nightmare in his recent book, Cyber War: The Next Threat To National Security. The gravest threat, he says, stems from China. A small band of hackers could incapacitate an entire economy in just 15 minutes. They are already sizing us up. In The Wall Street Journal, Clarke warned that: “Chinese hackers are systematically infiltrating our networks, stealing trade secrets and probing our power grids for weaknesses.”
The rise of the military-cyber complex
It’s a disturbing vision. But as the counter-terrorism chief under three US presidents, Clarke knows all about stirring up fear for political gain. In America, cyber-security is now a $14bn-a-year industry. As Seymour Hersh points out in The New Yorker, “warnings from Clarke and others have helped to create what has become a military-cyber complex”. Yet Clarke’s views can’t simply be dismissed as propaganda to prop up funding for the US defence industry in an age of austerity.
The notion of a digital apocalypse may be extreme, but there’s no doubt that cybercrime poses an economic threat. In the last month alone, hackers have penetrated the defences of blue-chip firms from Lockheed Martin to Sony to Citigroup. In the case of Sony, hackers obtained the personal data of 77 million Sony users – a breach that will cost the company $170m to clean up. Indeed, according to a study by Britain’s Office of Cyber Security, the cost of cybercrime to Britain is £27bn a year, with most of that shouldered by business.
So governments are investing heavily in cyber-security – the British government set aside £650m in the recent defence budget. Spooked corporations are following suit. Research firm IDC expects the global network-security market alone to grow to $8.2bn in revenues this year – up 8% on 2010. Yet even spending all this money will still do very little to discourage hackers from launching repeated attacks. In this industry, the bad guys always win.
How hacking became a global menace
In the last week, a hacker collective called Lulz Security gained notoriety after launching a series of attacks that seriously embarrassed US authorities. First they crashed the website of the Senate. Then they took out the CIA. Just a few days later they knocked out the FBI.
What is Lulz Security? The Ministry of Defence (MoD) thinks it knows. On Wednesday, the MoD arrested a 19-year-old named Ryan Cleary in Essex, on suspicion of being involved in the cyber-attacks. But Cleary isn’t acting alone. Just like their prankster rivals, Anonymous, Lulz is likely to be a large, loose collection of hackers whose sole purpose is to embarrass the authorities. Indeed, these groups have become the public face of cybercrime. The smiling Guy Fawkes mask of Anonymous members was plastered across every major paper last week. But these people have little to do with the real business of cybercrime.
The real cybercriminals have no desire to attract public attention. The business came of age in the early 2000s as crime syndicates across the world realised the staggering profit potential. At the time, Russian hackers were so emboldened by their success that they formed two online clearing-houses to serve the needs of any aspiring cybercriminal. These communities offered online tutorials, hacking tools and, most crucially, a store for virtually anything that could be procured online – from credit cards to bank details. These clearing-houses helped make cybercrime what it is today: a business that’s cheap, lucrative and has very low barriers to entry. “In the past, you had to buy or develop something to start,” Dmitry Bestuzhev, a Russian security expert, told The Inquirer. But now the basic software for launching cyberattacks is “free and available on the internet”.
Typically these cybercriminals are after credit card or bank-account details, which they can easily strip from credulous email users and sell on the black market. But there are more subtle means of attack. Hackers will round up thousands of unwitting victims at a time using clever messages appearing to come from contacts in your address book.
They will then assume illicit control of these computers – grouping them in a “botnet”, which can then be sold on the black market for a handsome fee. “These botnets are the engines behind spam [junk email] and fraud on the internet,” says The Economist. They also allow gangs of computers to flood corporate servers with so much traffic that they can no longer function (an attack known as a “distributed denial of service”). A recent report from the security firm MessageLabs found that of the 130 billion spam messages dispatched every day, botnets are responsible for 92% of them.
So the weapons used to perpetrate cybercrime are becoming ever more sophisticated and also increasingly easy to use. These facts have not been lost on governments. In 2007, hackers launched a three-week wave of cyber attacks on Estonia, crippling government and private servers. At the peak of the crisis, bank cards and mobile-phone networks were frozen, and emergency services ground to a halt. Many suspected the Kremlin of facilitating the attack – especially when the same tactics were used just before the Russian military invaded Georgia months later.
Last year, cyber-warfare broke new ground with the attack of the Stuxnet worm – a virus that targeted the control systems of an Iranian nuclear plant. It was highly sophisticated. One part of the worm was designed to send the plant’s nuclear centrifuges out of control. The other secretly recorded what normal operations at the nuclear plant look like, in order to play those readings back to unsuspecting plant operators. “The US and Israel have been accused of designing the worm,” notes Matthew Kalman in the MIT Technology Review. “It disabled the Iranian nuclear plant at Natanz by causing extreme temperature variations that went undetected for months.”
“Stuxnet has acted as a starting gun in a long-distance cyber arms race,” says Misha Glenny in The Guardian. Right now, the US is in the lead. But most Western governments are investing heavily in cyber-security personnel and systems. Spook central in Britain is the Government Communications HQ – a purpose-built circular structure on the outskirts of Cheltenham that houses 5,000 ‘cyber-securocrats’ – “a peculiar hybrid of spook and geek proliferating quietly in governments throughout the West”.
Meanwhile, US defence groups such as Raytheon and Lockheed Martin are making aggressive moves to sell their cyber-war expertise. “Raytheon has identified Europe as a £35bn-a-year market,” says Tom McGhie in The Mail on Sunday. With £650m allocated for cyber-security investment in the latest budget, the MoD can afford a great deal of that expertise in the year ahead.
The weak points in cyberspace
Perhaps the most interesting prospects lie in the private sector. While governments invest heavily in cyber-security and weapons, private companies are battling to shore up their security. But they are fighting a losing battle. For one, they are reckoning without foreign governments with the means to launch sophisticated attacks on their servers. As Paul Hill points out in his Precision Guided Investments newsletter, “British businesses bear the brunt with a £21bn hit each year”. These costs are due to intellectual property theft (£9.2bn), industrial espionage (£7.2bn) and even extortion. But they also suffer because of the insecurity of the internet. More than 90% of internet traffic travels through undersea fibre-optic cables. These are all bunched up at a few choke points – notably New York, the Red Sea and the Luzon Strait in the Philippines. We’ve made it easy for the cybercriminals. The reality is that securing cyberspace would require a complete overhaul of internet infrastructure.
So what can corporations do? Well, a decade ago, a company looking to secure its data would have purchased antivirus software and a firewall. The growing sophistication of attacks has given rise to nearly 70 different security niches. The most critical area is in intrusion protection systems. These are watchdogs designed to monitor suspicious activity on a firm’s network by identifying malicious packets of data. Another critical investment is in “virtual private networks”. These are secure private networks that companies can install, freeing them from the open country of the internet.
Companies that sell these systems (see below) are enjoying huge sales. And it’s sent the industry into a feeding frenzy. According to the 451 Group, an analysis firm, Symantec has spent $2.7bn in the past three years to scoop up ten companies. McAfee acquired seven, including email security firm MX Logic, for $1.1bn during the same period.
Yet still the bad guys will win
The ugly truth is that it is impossible completely to secure your data from cybercriminals. There are too many weak spots in our networks for them to exploit. The growing number of devices that connect to the internet, from smartphones (such as Apple’s iPhone) to electricity meters, will create ever-expanding markets for internet security groups. Smartphones in particular are already being heavily targeted. The market in security software for mobile devices is predicted to reach $4bn by 2014, according to ABI Research.
The drive towards cloud computing – which concentrates huge amounts of data in a centralised location (such as those data centres that support the London Stock Exchange) – also offers criminals a very attractive target. As an internet security expert recently confided to MoneyWeek’s Tom Bulford on a plane to America: “We build the walls around the internet higher and higher. But the criminals just extend their ladder.” We look at ways to profit from this ongoing battle below.
Three ways to fend off the hackers
1. Don’t use public networks
Public wifi networks are ubiquitous. As a result, scammers are setting up open networks in busy locations, such as train stations or coffee shops, and then lifting the data of oblivious users. The data for Facebook, Twitter, and other popular accounts are at serious risk. Your best solution is to adjust your smartphone’s settings to switch off automatic wifi connection and rely instead on your carrier’s network.
2. Secure your passwords
Adding numbers, special characters and capital letters helps to make a password more secure. Deliberately misspelling words also helps to defeat dictionary-based hacking programs.
3. Don’t buy ID theft insurance
Banks and insurers capitalise on fears over fraud by offering ‘identity theft insurance’. For £90-£150 a year, banks offer assistance if you are a victim of fraud, including your own dedicated expert, access to your personal credit report, and insurance protecting you from losses. But according to the banking code, you are not liable for losses resulting from identity theft unless it can be shown that you have acted “fraudulently or without reasonable care”. This negates the value of the insurance cover; whether the premium is justified by access to a personal ID theft czar is questionable.
The best cyber-security firms to buy now
The recent high-profile cyber-attacks have drawn attention to our vulnerability to cybercrime. But in fact, these breaches have been escalating for some time. Industry experts estimate that in 2007 there were nearly 35 million data records breached. As of 2010, data breaches have soared to 285 million. In response, companies are investing heavily to shore up their security – and we’re not just talking about banks or telecoms firms. Utility companies, for example, will spend $21bn by 2015 to improve cyber-security for the shift towards ‘smart’ grids.
As a result, the cyber-security sector has recently seen a frenzy of buying activity, with Symantec and McAfee spending billions on small specialists. But this is a fragmented industry. Last year the top five security software companies accounted for 47% of the industry’s revenues, down from 55% in 2007, according to IT research company Gartner. This buying spree is likely to continue – especially as so many of these “internet cops” already turn a decent profit.
Tom Bulford of Red Hot Penny Shares likes the look of London-listed Corero Network Security (LSE: CNS). Corero is a ‘buy-and-build’ network security group. The firm specialises in intrusion prevention and firewalls – serving the business and education sectors in particular. Group trading profit for 2010 amounted to £223,000, with cash balances of £7.2m. Its Business Systems unit has been winning contracts in the education sector, scooping 70 new deals in 2010, from 25 in 2009. The company recently bought Massachusetts-based Top Layer – a specialist in safeguarding networks, which also has a strong foothold in the UK. Corero is now pushing its products outside the US, with the aim of doubling its annual sales. According to Tom, “it has a respected management team, who have committed £4.5m of their own cash into the venture. They’re going to work hard to get this business working well.”
Juniper Networks (NYSE: JNPR) also looks interesting. The networking firm is one of the few companies offering secure remote access for iPhones. It’s also available on other smartphones, such as the Android. This is sure to be a fast-growing market as companies like to make sure phone use for their employees is secure (so that you can access your work email from your smartphone without jeopardising the whole network). Juniper is a leading innovator for security in virtual private networks. It has also partnered with internet security group Websense to build high-security networks. Juniper trades on a forward p/e of 16.
If you really want to invest at the forefront of cybercrime, says MoneyWeek’s Paul Hill, you have to go with the big defence contractors. He points to the likes of BAE Systems (LSE: BAE) and Raytheon (NYSE: RTN), which are securing huge investment from their respective governments. “It’s very difficult to get on the bidders’ list for the US and UK governments,” says Paul. “And the potential for exporting their expertise is not priced into their valuations.” Raytheon trades on a forward p/e of 8.9, offers a 3.5% dividend, and it could secure massive international contracts as it outsources its cybercrime expertise to foreign governments. In Europe, for example, the company sees a $35bn-a-year market to sell to.
In terms of government spending, US space agency Nasa has recently partnered with defence contractor SAIC (NYSE: SAI) to upgrade its security systems. The contract was valued at $1.3bn. As a trusted contractor for the US government, more could follow. The company just reported a 12% increase in first-quarter operating income on last year, most of which was due to new cyber-security contracts. It trades on a forward p/e of 11.1.
• This article was originally published in MoneyWeek magazine issue number 543 on 24 June 2011, and was available exclusively to magazine subscribers.