How to cash in on the fight against cybercrime
Cyberattacks are rampant, yet companies and governments have been slow to wake up to the need to bolster their digital security. That spells opportunity for investors in cybersecurity, says Stephen Connolly
With more people doing more online than ever before, these are good times for cybercrime. The spread of homeworking and online shopping – trends given a huge fillip by the pandemic – means the internet has never been a better hunting ground for data, money and weak access points in corporate networks. Cybersecurity is now a top national-security issue at the White House. It’s a perpetual war growing in size and complexity all the time. That makes it a compelling long-term investment theme.
The stakes are high. Intercepting and selling someone’s credit-card details is one thing. Forcing a fuel pipeline to shut down so that thousands can’t fill their cars is a different level of threat. Banks have been hit by fraud for years, but now policymakers are grappling more seriously with attacks in which foreign states are accessing sensitive data and bad actors anywhere can target and potentially cripple the infrastructure supporting an entire economy. Shiny fighter jets don’t do much for a country that can’t turn its lights on. The time for serious action is long overdue. Politicians have been talking about tackling cybersecurity for years, but there has been little concrete action.
A proliferating problem
Criminals looking to cash in online are in clover. It’s a long-running joke that cybercrime has already been built into a multibillion-dollar industry. Using the internet to extort cash from businesses in so-called ransomware attacks (see box below for a definition), for example, is said to have reaped $18bn last year, according to Emsisoft, a cybersecurity software business.
Some payments can be very high and the average ransom is around $150,000, so ransomware is a burgeoning subsector. Operations are becoming increasingly professional, with the bigger online crime syndicates even “renting out” their viruses to less technically sophisticated newcomers seeking a piece of the action.
In May this year US homeland security secretary Alejandro Mayorkas said that the number of ransomware attacks was up by 300% in 2020 compared with the previous year. US-Israeli IT security group Check Point Software, which carries out regular reviews of online safety, believes the number of ransomware attacks in the first half of this year was nearly double that in the same period of 2020. Furthermore, the crimes are becoming more elaborate. Not only is the target company hit, but its clients and suppliers, all of whom are of course connected across the internet, are also affected.
Meantime, an analysis of over 500 companies by IBM focusing on data breaches shows that the average recovery and clean-up cost after an attack has now reached $4.2m, the highest amount ever in the report’s 17-year history.
In the UK, government statistics show two in five businesses experienced cybersecurity breaches last year, alongside one in four charities. These numbers are probably understated as not all crime is reported for fear of reputational damage. The most common attacks are “phishing” (see box) and some attacks are a weekly occurrence. The government estimates that businesses are nonetheless spending too little on security monitoring, underscoring the need for action.
No wonder, then, that in August, US President Joe Biden held a meeting at the White House about bolstering cybersecurity with leaders of the country’s top technology companies, including Microsoft, Amazon and Apple. The fact that it went ahead amid the US withdrawal from Afghanistan perhaps further underlines the priority top policymakers are now attaching to fending off digital attacks, particularly when it comes to critical infrastructure.
The move follows July’s publication of a US presidential national security memorandum encouraging federal agencies to develop cyberdefence standards and targets that companies providing critical infrastructure can work towards. In doing so the US government is making increasingly clear its view that safeguarding services vital to keeping the country running is a shared responsibility. Although the guidelines are voluntary at present, the government has made clear that it could make them mandatory.
The Russian plot to breach US IT infrastructure
Making internet defences more robust became a growing policy priority for America following the discovery of a sophisticated online Russian spy plot uncovered just before President Trump left office. It became known as “SolarWinds” and was named after a software firm whose products were said to have been exploited – initially at least – by hackers who broke into a wide range of government and private computer networks, accessing emails, data and documents.
Vulnerabilities across Microsoft’s online offering of applications to users were exposed. In fact, those responsible were apparently even able to penetrate Microsoft’s own corporate network and access proprietary program and application coding. Many companies, as well as US government departments, including Homeland Security, Energy, and the Treasury, were breached.
Attacking a petrol pipeline
Since then there has been more high-profile online crime, helping to keep cybersecurity in the spotlight. Ransomware attacks in particular have been in the news. These attacks have featured victims as diverse as electronics giant Toshiba and Ireland’s Health Service.
But two stand out for their potentially destabilising national impact on day-to-day life. The first was in May, when Colonial Pipeline, which distributes petrol and other fuels, was forced to shut down after the computers controlling its pipeline were attacked. Subsequent shortages sent pump prices to multi-year highs, causing panic buying and leading to declarations of emergency in some US states. Colonial Pipeline paid a $4.4m ransom in bitcoin (of which just over half was said to have been recovered) to the alleged perpetrators, an eastern European cyber-extortion group known as DarkSide.
In another attack that occurred soon after, JBS, a Brazil-based business that supplies 20% of global meat, saw its US slaughterhouse operations shut down for a short period, unsettling wholesale food markets and pricing. It handed over an $11m ransom, again in bitcoin. The attack is believed to have originated in Russia and the prime suspect, a group called REvil, has since reportedly vanished from the internet. The case was apparently raised in direct discussions about cybercrime between US president Joe Biden and Russia’s president Vladimir Putin in July.
Why we are so vulnerable
Far-reaching and well-organised attacks raise at least two fundamental and connected questions about modern computing networks that will dictate how defences are improved in the future. The first centres on how willingly companies seem to put trust in their IT partners, even though these third parties can in fact be the weak link that opens the door to a direct attack.
And secondly, how can we ever secure the modern computing structure, given that it has come to rely on so many diverse third-party IT companies, both big and small, being freely able to access hugely important networks? Criminals can operate remotely from around the world whenever they like under the cover of all sorts of apparently legitimate activities, such as boosting performance, updating programs and, ironically, patching up security weaknesses.
Presidential intervention should engender a more co-ordinated response and prompt companies behind the curve to put the issue at the top of their own agendas. Cybersecurity businesses that can help should be their first ports of call. But companies themselves have not been idle. The cybersecurity sector has benefited even if it is not yet fully recognised as a potential investment hotspot.
Stephen Connolly writes on markets and finance, and has worked in investment banking and asset management for nearly 30 years (firstname.lastname@example.org).