The Ever-Accelerating Evolution of Cyber Attacks

By Doug Pollack, CIPP/US, chief strategy officer, ID Experts
doug.pollack@idexpertscorp.com

The nature and frequency of cyber attacks are evolving so fast that it’s worth taking a step back to examine that evolution and consider where we might be heading next, with the help of Ken Westin, senior security analyst for Tripwire.

Let’s start back in the 1980s, when data breaches and other cyber attacks were far less frequent and “data loss” often meant just that—data was lost when a laptop was left on a train, for example. It was way back then that we started to see a few larger and more sophisticated attacks, including a hack of TRW (now Experian) that exposed 90 million records.

More often, even the major cyber crimes of the 1980s were the result of “smash-and-grab” attacks by one or a few bad actors. For instance, in 1986 an unauthorized person stole 16 million vital records from Revenue Canada—it was simply a matter of scooping up a pile of microfiche.

1990s Through Early 2000s

Public awareness and concern about data breaches increased through the 1980s and 1990s. In 1986, Congress passed the Computer Fraud and Abuse Act, making it a crime to break into computer systems. And in the 1990s, privacy and security laws passed, including HIPAA in 1996.

The number of cyber attacks also accelerated through the 1990s and early 2000s (continuing to today), although it’s difficult to pin down precise figures because early attacks weren’t tracked as well as they are now.

In 1995, a U.S. General Accounting Office report stated that hackers attempted to break into U.S. Defense Department computer files some 250,000 times. And in 2001, an Industry Survey by Information Security found that 90 percent of surveyed companies had been infected by viruses, worms, Trojans, and other malware, and the number of Web server attacks had doubled in just one year, from 2000 to 2001.

Early 2000s to Today

From there, the pace of cyber attacks has only increased. In fact, according to a New York Times article, there has been a 10,000-fold increase in the number of new digital security threats since 2002.

For insight into the “why” of increasing data breaches and other attacks, we turned to Westin, a cyber expert with over 14 years of experience. Westin says, “The increase in breaches has been fueled by the increase of data that can be used to commit various types of fraud, or data that can be sold to nation-state actors, or other groups. So in reality, it is greed which is driving the demand for stolen data, which increases demand for tools and techniques which are also sold in underground markets.”

Ah, yes: underground markets. It’s not simply that the number of data breaches and other attacks has risen in recent decades. It’s that the sophistication has greatly increased. That 2001 Industry Survey said something that today sounds incredibly innocent: “Overall, ‘insider’ security incidents occur far more frequently than ‘external’ incidents.”

The days of worrying most about wayward employees are behind us (although that remains a concern). Today, Westin notes that “hacking has become a big business.” Underground black markets have emerged to make millions of dollars off stolen data. Westin says, “The monetization of stolen data in the form of PII, credit cards, intellectual property, insider information, and other data has transformed criminal hacking into a team sport, where criminal syndicates operate like traditional businesses.”

Over just the past two years, we’ve seen a dramatic shift from innocuous, non-malicious data breaches to malicious, true-crime incidents. In 2013, Ponemon Institute’s Cost of Data Breach Study found that malicious or criminal attacks were the most frequent cause of data breaches worldwide, accounting for 37 percent of all attacks. In 2015—just two years later—Ponemon found that 47 percent of all breaches were due to malicious or criminal attacks. And criminal attacks in healthcare were up 125 percent from 2010.

The 1990s image of the solitary hacker is severely out of date, as Westin says businesses today are “facing a much more persistent and well-resourced adversary.” Today, we have nation-state attacks such as the Sony breach. We’re also seeing more and more stolen data traded for enormous profit on sophisticated black markets and on the secretive global marketplace of the “dark web”—both of which involve highly organized criminal networks.

The future

As for what the future holds for cyber attacks, Westin does not paint a pretty picture. “My biggest fear,” he says, “is that in the next few years we will see data breaches go beyond the theft of data and into kinetic attacks, where we will see cases of real cyber terrorism where machinery is damaged and people are injured or even killed.”

As the Internet of Things spreads and deepens online connections, Westin fears that we’ll see more attacks on critical infrastructure, such as power grids, water services, manufacturing, pharmaceutical and chemical plants.

Time will tell if that is indeed the future of cyber attacks. Certainly to this point we’ve seen no abatement to the rapid evolution in number, severity, and sophistication of attacks—which underscores our continuing need to develop better defenses and longer-term solutions to protect businesses and individuals.
