The growing threat of cybercrime

published 2 October 2016

16-9-29-Yahoo-1200 — Yahoo suffered a massive data breach

What's happened at Yahoo?

Yahoo announced last week that it had fallen prey to the biggest cyberattack in corporate history. The security breach, which took place in 2014 but has only now come to light, saw hackers steal data such as names, birth dates and telephone numbers for a staggering 500 million users, including around eight million in the UK.

The data stolen were not as sensitive as they could have been: credit card data was spared, while account passwords were encrypted. Nevertheless, Yahoo faces serious questions about why it waited so long to make an announcement, while the immense scale of the attack highlights the vulnerability of major companies and the data they hold on us to hostile action.

How big a problem is cybercrime?

Large and growing. In the last 12 months prominent companies and websites such as TalkTalk, LinkedIn and Dropbox have all been hit and data about their users sold on or made public. The biggest bank heist last year was entirely electronic, with $1bn stolen from over 100 banks in 30 countries after thieves used infected phishing emails to get user account details.

Subscribe to MoneyWeek

Subscribe to MoneyWeek today and get your first six magazine issues absolutely FREE

Get 6 issues free

https://cdn.mos.cms.futurecdn.net/flexiimages/mw70aro6gl1676370748.jpg

Sign up to Money Morning

Don't miss the latest investment and personal finances news, market analysis, plus money-saving tips with our free twice-daily newsletter

Banks are especially susceptible to attacks. LogRhythm reports that up to 90% of Asia-Pacific banks experienced an attack this year, sharply up on the year before. The Asian banking system is particularly poorly prepared for the fraud threat, but the UK has its own problems: internet banking fraud cost the UK economy £134m in 2014.

Who is behind cyberattacks?

The internet allows attacks to be mounted from anywhere by geographically dispersed accomplices, making it difficult to identify the original source. A hallmark of the cyberattack era is thus the shadowy and uncertain nature of perpetrators. Criminal gangs are responsible for many of the thefts of bank details, but money is not the sole motivation.

Hacktivist collectives such as Anonymous have made headlines in the past for their "denial-of-service" attacks against groups such as the Church of Scientology and the KKK, in which they inundate targeted websites with requests for service until they crash.

Do politics play a role?

Several major recent data thefts and leaks certainly seem to have been pursued for political ends. World Anti-Doping Agency (Wada) records of athlete's medical data were leaked soon after the organisation banned Russia's track and field team from participating in Rio, while the Philippines' justice department servers came under attack this summer during the dispute with Beijing over sovereignty in the South China Sea.

Are states responsible for this?

Though security experts often point the finger at Russia and China after these attacks, it is hard to determine who is ultimately responsible. The Russian group "Fancy Bears' Hack Team" has been implicated in both the Wada hack and the assault on the Democratic National Committee's email servers this summer.

The group even has its own website, but some question whether the operation is as professional as one would expect of a Kremlin-directed effort or whether the hackers are simply enthusiastic or patriotic amateurs without direct connections to the Russian state. Though it is often hard to determine the ultimate source of an attack, it is clear that states are building up their capabilities in the cyber-security sphere (see below).

What do the attacks cost?

Professional services company Grant Thornton estimates that $315bn in business revenues were lost globally to cyberattacks in the 12 months to September 2015. The reputational price can be a serious as the value of the stolen data itself. The aftermath of a major hack can be devastating for a business: TalkTalk lost 95,000 customers and saw profits halve after bank details and sort codes of its customers were stolen last year.

Consultancy McKinsey & Company has calculated that the total costs of the cybersecurity threat worldwide could have mounted to $3trn by 2020. We are often promised that big data and mobile applications will bring big economic rewards, but the increasingly complex security required to keep such technologies safe has been identified as a choke point for many new ventures, and the world economy may struggle to fully realise the promised value of recent innovations. If so, we will all pay the price.

A threat to national security and the internet

Fears over cyberattacks go beyond the theft of data theycould affect national security and even the continuedfunctioning of the internet. As the rate and sophisticationof cyberattacks increase, governments are taking steps tobolster their cybersecurity defences. In the UK, the incominghead of the Government Communications Headquarters'(GCHQ) cybersecurity division has said it is considering a"national firewall" to halt incoming attacks a measurepreviously associated with authoritarian regimes such asChina.

Meanwhile, the US is studying the potential threat thatcyberattacks could pose to internet-connected driverless carsand new medical devices in the future. What's more, there arerecent signs that some hackers have been testing the defencesof companies that provide critical internet infrastructure, sayssecurity expert Bruce Schneier. Verisign, the registrar forinternet domains such as .com and .net, reported that in Q22016 attacks continued to become more frequent, persistent,and complex. It seems that some entities probably statebacked might be trying to develop the capability "to takedown the internet" if it suited their needs.